pjang
Staff & Editor
Article Id 427318
Description

This article discusses the relatively recent changes to FIPS-CC mode on the FortiGate when transitioning from FortiOS v7.0 and earlier to v7.2, v7.4, and later.

Scope

FortiGate, FIPS-CC.
Solution

As a primer, Fortinet produces a specialty branch of firmware that is certified for usage in environments requiring Federal Information Processing Standards (FIPS) compliance. While all FortiOS firmware versions can enable FIPS-CC mode, only this specialty firmware is considered to be fully certified and compliant (see also: Technical Tip: Upgrading FortiOS Firmware when FIPS-CC is enabled).

 

At the time of this writing (January 2026), FortiOS v7.0 had previously completed certification for the FIPS 140-2 standard (published in 2001), whereas FortiOS v7.2 and v7.4 are in the process of completing certification for FIPS 140-3 (published in 2019). This newer standard brings with it tighter restrictions with regard to acceptable cryptography, and so administrators should anticipate changes in behavior when upgrading FIPS-enabled FortiGates to newer major/minor versions.

 

As a general recommendation, consider setting up a lab environment with the same FortiGate model and FIPS FortiOS configuration as found in the production environment. From there, upgrade the lab unit to the new firmware and check for any potential incompatibilities that need to be accounted for before the main production unit(s) are upgraded. Configurations that were acceptable with FIPS 140-2/FortiOS v7.0 may become non-compliant after upgrading to FIPS 140-3/FortiOS v7.2 and later.

 

For more information, refer to the Related articles section below. This list will be updated over time with links to any significant differences in behavior observed on the FortiGate between FortiOS versions built around the older FIPS 140-2 standard and versions built with the newer FIPS 140-3 standard in mind. It will also contain links to other FIPS-related documentation from Fortinet.

Related articles:

Technical Tip: FortiOS FIPS Resource List

Technical Tip: FortiGate FIPS-CC mode no longer supports standard RADIUS, use RADSEC instead (Expec...

Technical Tip: FortiGate FIPS-CC mode no longer supports DH Groups 1, 2, or 5 for IPsec, causes ike...
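As part of the lab check recommended above, a configuration backup can be scanned for the two changes named in the related article titles (standard RADIUS servers, and DH groups 1, 2, or 5 for IPsec). The following is an added example, not Fortinet code: the function name `audit_config` and the sample configuration are assumptions constructed for illustration, and the input is assumed to be a plain-text backup in standard FortiOS CLI form.

```python
# DH groups named in the related article title above as no longer supported.
REJECTED_DH_GROUPS = {"1", "2", "5"}
IPSEC_SECTIONS = {"vpn ipsec phase1", "vpn ipsec phase1-interface",
                  "vpn ipsec phase2", "vpn ipsec phase2-interface"}

# Constructed sample of a v7.0 configuration backup (names and addresses are made up).
SAMPLE_CONFIG = """\
config user radius
    edit "corp-radius"
        set server "192.0.2.10"
    next
end
config vpn ipsec phase1-interface
    edit "branch-a"
        set dhgrp 14 5
    next
    edit "branch-b"
        set dhgrp 20 21
    next
end
config vpn ipsec phase2-interface
    edit "branch-a-p2"
        set phase1name "branch-a"
        set dhgrp 2
    next
end
"""

def audit_config(text):
    """Return (section, entry, finding) tuples to review before the upgrade."""
    findings, stack, entry = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end":
            if stack:
                stack.pop()
        elif len(stack) != 1:
            continue  # ignore settings inside nested config blocks
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            if stack[0] == "user radius":
                findings.append((stack[0], entry, "RADIUS server, review for RADSEC"))
        elif line.startswith("set dhgrp ") and stack[0] in IPSEC_SECTIONS:
            bad = sorted(REJECTED_DH_GROUPS & set(line.split()[2:]), key=int)
            if bad:
                findings.append((stack[0], entry, "dhgrp " + " ".join(bad)))
    return findings
```

An empty result only means neither of these two items was found; other FIPS 140-3 behavior changes still need to be checked on the lab unit.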