Created on 08-02-2022 09:59 AM Edited on 07-26-2023 10:53 PM By Jean-Philippe_P
Description: This article describes how a FortiSwitch that does not support FIPS can be managed by a FortiGate in FIPS mode.
Scope: FortiGate in FIPS mode (FortiOS 7.0.0 and later) and FortiSwitch in non-FIPS mode.
Solution:
A FortiGate in FIPS-CC mode imposes restrictions on a number of settings, especially the algorithms permitted on its secure communication channels.
Not all FortiSwitch models support FIPS mode, and even models that do may not be operating with FIPS mode enabled.
If the FortiSwitch does not support FIPS, or is not configured for FIPS, it will show as offline on the FortiGate after being authorized. To resolve this, disable the following setting so that the CAPWAP tunnel can be negotiated without issue:

config switch-controller global
    set fips-enforce disable
end
IMPORTANT: The fips-enforce option was first introduced in FortiOS 7.0, so it is not present in FortiOS 6.4 or earlier. When upgrading FortiGate firmware from an older version to FortiOS 7.0.0 or later (with FIPS enabled), FortiSwitch connectivity may be disrupted depending on the FortiSwitch models in the environment. If this occurs, it is recommended to set fips-enforce disable after the upgrade to FortiOS 7.0 or later. The FortiGate will also attempt to auto-enable FIPS on connected FortiSwitches, provided both the model and the firmware support it.
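The steps above as a FortiOS CLI session (an added example, not part of the original article); the FortiSwitch serial number is a placeholder:

```fortios
# Added example (not from the original article): check the FortiGate's FIPS-CC state,
# relax FIPS enforcement on the switch controller, then confirm the switch comes online.
# "S124EN0000000001" below is a placeholder FortiSwitch serial number.

# 1. Confirm the FortiGate is running in FIPS-CC mode (look for "FIPS-CC mode: enable")
get system status

# 2. Show the current switch-controller global settings, including fips-enforce
show full-configuration switch-controller global

# 3. Allow a non-FIPS FortiSwitch to negotiate the CAPWAP tunnel
config switch-controller global
    set fips-enforce disable
end

# 4. Check the connection status of the managed switches; the previously
#    offline switch (placeholder S124EN0000000001) should no longer be listed as down
execute switch-controller get-conn-status
```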
Notably, FIPS 140-2 support was added to FortiSwitchOS in version 7.0.0, so older FortiSwitch firmware on supported models may still require fips-enforce disable, at least until a firmware upgrade is performed (see: Introduction Release notes FortiSwitch 7.0.0).
Finally, the FortiSwitchOS Feature Matrix on the Fortinet Document Library site details which FortiSwitch models support FIPS 140-2 (Level 2) for a given firmware version: FortiSwitchOS Feature Matrix.
Copyright 2024 Fortinet, Inc. All Rights Reserved.