FortiGate
CarlosColombini
Article Id 219392
Description: This article describes how a FortiSwitch that does not support FIPS can be managed by a FortiGate in FIPS mode.
Scope: FortiGate in FIPS mode (FortiOS 7.0.0 and later) and FortiSwitch in non-FIPS mode.
Solution

FortiGates in FIPS-CC mode will impose restrictions in different settings, especially related to supported algorithms for secure communication channels.


Not all FortiSwitch models support FIPS mode, and even the models that do support it may not be operating with FIPS mode enabled.
When FIPS mode is enabled on a FortiGate, the following setting is enabled by default:


config switch-controller global
    set fips-enforce enable
end

If the FortiSwitch does not support FIPS, or is not configured for FIPS, it will show as offline on the FortiGate after it is authorized.

To resolve the issue, disable the following setting so that the CAPWAP tunnel negotiation with the FortiSwitch can complete:


config switch-controller global
    set fips-enforce disable
end
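As an added illustration (not part of the original article and not Fortinet code), the script below parses a FortiOS-style configuration backup and reports whether the FIPS-CC / fips-enforce combination described above will leave non-FIPS FortiSwitches offline. Two points are assumptions of this script rather than statements from the article: that FIPS-CC mode appears in the backup as `config system fips-cc` / `set status enable`, and that a backup produced with `show` omits settings at their default value, so an absent fips-enforce line is treated as `enable` when FIPS-CC mode is on (the article states that is the default in FIPS mode). The sample configuration is constructed.

```python
"""Audit a FortiOS config dump for the FIPS-CC / fips-enforce interaction.

Added example, not Fortinet code. Assumptions:
  * FIPS-CC mode is visible as "config system fips-cc" / "set status enable".
  * A 'show' backup omits default values, so a missing fips-enforce line
    means 'enable' while FIPS-CC mode is on (the article's stated default).
"""
import re

# Constructed sample backup (not captured from a real device).
SAMPLE_CONFIG = """\
config system global
    set hostname "fgt-lab"
end
config system fips-cc
    set status enable
end
config switch-controller global
    set mac-aging-interval 300
    set fips-enforce enable
end
"""


def parse_fortios_config(text):
    """Parse the 'config ... end' block format into a dict.

    Keys are config paths such as 'switch-controller global'; nested
    'edit "name" ... next' entries become '<path>/<name>'. Each value is a
    dict of the 'set' lines in that block (surrounding quotes stripped).
    """
    result = {}
    stack = []  # path components of the block currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^config\s+(.+)$", line)
        if m:
            stack.append(m.group(1))
            result.setdefault("/".join(stack), {})
            continue
        m = re.match(r"^edit\s+(.+)$", line)
        if m:
            stack.append(m.group(1).strip('"'))
            result.setdefault("/".join(stack), {})
            continue
        if line in ("end", "next"):
            if stack:
                stack.pop()
            continue
        m = re.match(r"^set\s+(\S+)\s+(.*)$", line)
        if m and stack:
            result["/".join(stack)][m.group(1)] = m.group(2).strip('"')
    return result


def fips_cc_enabled(cfg):
    """True when the FortiGate runs in FIPS-CC mode (path is an assumption)."""
    return cfg.get("system fips-cc", {}).get("status", "disable") == "enable"


def fips_enforce_effective(cfg):
    """Effective fips-enforce value, or None when FIPS-CC mode is off.

    An omitted line is read as 'enable' in FIPS-CC mode because the article
    states that is the default once FIPS mode is enabled.
    """
    if not fips_cc_enabled(cfg):
        return None
    return cfg.get("switch-controller global", {}).get("fips-enforce", "enable")


def audit_switch_fips(cfg):
    """Return findings about whether non-FIPS FortiSwitches can be managed."""
    effective = fips_enforce_effective(cfg)
    if effective is None:
        return []  # scenario from the article only applies in FIPS-CC mode
    if effective == "enable":
        return ["fips-enforce is enable (explicit or default): FortiSwitches "
                "without FIPS will show offline after authorization"]
    return ["fips-enforce is disable: non-FIPS FortiSwitches can be managed; "
            "record this as a deliberate exception to FIPS enforcement"]


if __name__ == "__main__":
    for finding in audit_switch_fips(parse_fortios_config(SAMPLE_CONFIG)):
        print(finding)
```

Run it against a real backup by replacing `SAMPLE_CONFIG` with the file contents; the parser only records `set` lines, so `unset` lines and comments are ignored.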


IMPORTANT: The fips-enforce option was first introduced in FortiOS 7.0, so it is not present in FortiOS 6.4 or earlier. When upgrading FortiGate firmware from an older version to FortiOS 7.0.0 or later with FIPS mode enabled, FortiSwitch connectivity may be disrupted depending on the FortiSwitch models in the environment. If this occurs, it is recommended to set fips-enforce disable after the upgrade to FortiOS 7.0 or later. The FortiGate should also attempt to auto-enable FIPS on connected FortiSwitches, assuming both the model and the firmware support it.


Notably, FIPS 140-2 support was added to FortiSwitchOS in version 7.0.0, so older FortiSwitch firmware on supported models may still require fips-enforce disable, at least until a firmware upgrade is performed (see the Introduction of the FortiSwitch 7.0.0 Release Notes).


Finally, the FortiSwitchOS Feature Matrix on the Fortinet Document Library site details which FortiSwitch models support FIPS 140-2 (Level 2) for a given firmware version: FortiSwitchOS Feature Matrix.