FortiGate
pjang
Staff & Editor
Article Id 331707
Description

This article describes a known issue in FortiOS v7.0 where OSPF message-digest authentication cannot be enabled when FIPS-CC mode is on. The issue occurs only in FIPS-CC mode; non-FIPS FortiGates are not affected.

Scope

FortiGate v7.0, FIPS-CC.
Solution

In FortiOS 7.0.1 and later, support was added for RFC 5709 (OSPFv2 HMAC-SHA Cryptographic Authentication) so that the FortiGate could support HMAC-SHA authentication for OSPF in addition to the existing MD5 message-digest scheme.

 

While this works as expected in standard (non-FIPS) FortiOS, it is not possible to enable cryptographic OSPF authentication when FIPS-CC mode is enabled. More specifically, set authentication only offers none and text (the RFC 2328 simple-password scheme, which sends the password in cleartext on every OSPF packet) and does not offer message-digest, so no cryptographic OSPF authentication scheme can be configured:

 

Standard v7.0:

config router ospf
    config ospf-interface
        edit <name>
            set authentication [none | text | message-digest]
        next
    end
end

FIPS-mode v7.0:

config router ospf
    config ospf-interface
        edit <name>
            set authentication [none | text]
        next
    end
end

 

This issue is tracked as Issue #921821 and is resolved in v7.2.6 GA, v7.4.1 GA, and all later versions. It is not resolved in v7.0 at the time of writing, and this is unlikely to change: the fix is a major change, and v7.0 is unlikely to be re-certified for FIPS.

 

Note:

While OSPF authentication is available in the resolved FortiOS versions, the list of authentication algorithms offered under config router key-chain is reduced when FIPS mode is enabled compared to non-FIPS FortiGates. Notably, md5 and hmac-sha1 are not available (MD5 is not a FIPS-approved algorithm), leaving only the SHA-2 HMAC variants:

 

FortiGate # config router key-chain

FortiGate (key-chain) # edit test
new entry 'test' added

FortiGate (test) # config key

FortiGate (key) # edit 1
new entry '1' added

FortiGate (1) # set algorithm
md5          MD5.          <-- Not available in FIPS mode.
hmac-sha1    HMAC-SHA1.    <-- Not available in FIPS mode.
hmac-sha256  HMAC-SHA256.  <-- Available in FIPS mode.
hmac-sha384  HMAC-SHA384.  <-- Available in FIPS mode.
hmac-sha512  HMAC-SHA512.  <-- Available in FIPS mode.

 

At this time, admins with FIPS-enabled FortiGates who need OSPF authentication (and whose OSPF neighbors support hmac-sha256, hmac-sha384, and/or hmac-sha512) can upgrade to the aforementioned FortiOS 7.2/7.4 versions (or any later release). As a reminder, FIPS mode can be enabled on both the FIPS-certified builds (such as FIPS-CC-70-16) and the General Availability (GA) builds of FortiOS (see the related documents below).
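Before moving a FortiGate onto one of the fixed releases with FIPS-CC mode enabled, it is worth checking the existing OSPF configuration for settings that will either stay unauthenticated or stop being selectable. The following Python script is an added example written for this article, not Fortinet code: it parses a FortiOS CLI dump (the config / edit / set / next / end structure shown above), reports OSPF interfaces that use none, text or message-digest, and reports key-chains whose keys use md5 or hmac-sha1, the two algorithms the FIPS-mode key-chain CLI does not offer. The embedded configuration is constructed for the example: the interface names, key-chain names and key strings are placeholders, the key lifetime lines follow the FortiOS key-chain CLI format, and the set authentication key-chain / set keychain lines assume the key-chain binding syntax introduced with FortiOS 7.0.1 (verify against your release's CLI reference).

```python
"""Audit a FortiOS CLI dump for OSPF authentication settings that are weak or
that FIPS-CC mode will not accept. Added example, not Fortinet code."""

# Algorithms that 'set algorithm' offers under 'config router key-chain' when
# FIPS-CC mode is enabled on the fixed releases (7.2.6 / 7.4.1 and later).
FIPS_KEYCHAIN_ALGORITHMS = {"hmac-sha256", "hmac-sha384", "hmac-sha512"}


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts.

    'config X' and 'edit Y' open a nested dict keyed by X / Y, 'set K V'
    stores V under K in the innermost dict, and 'next' / 'end' close a level.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        keyword, _, rest = line.partition(" ")
        rest = rest.strip()
        if keyword == "config":
            stack.append(stack[-1].setdefault(rest, {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(rest.strip('"'), {}))
        elif keyword == "set":
            key, _, value = rest.partition(" ")
            stack[-1][key] = value.strip().strip('"')
        elif keyword in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def keychain_weak_keys(config):
    """Return {keychain_name: [(key_id, algorithm), ...]} for every key whose
    algorithm is not selectable in FIPS-CC mode (md5, hmac-sha1, or unset)."""
    weak = {}
    for name, chain in config.get("router key-chain", {}).items():
        for key_id, key in chain.get("key", {}).items():
            alg = key.get("algorithm", "<unset>")
            if alg not in FIPS_KEYCHAIN_ALGORITHMS:
                weak.setdefault(name, []).append((key_id, alg))
    return weak


def audit_ospf_auth(text):
    """Return a sorted list of (ospf_interface_name, finding) tuples."""
    config = parse_fortios(text)
    weak = keychain_weak_keys(config)
    chains = config.get("router key-chain", {})
    findings = []
    interfaces = config.get("router ospf", {}).get("ospf-interface", {})
    for name, iface in interfaces.items():
        # 'authentication' defaults to none on an ospf-interface entry.
        auth = iface.get("authentication", "none")
        if auth == "none":
            findings.append((name, "no OSPF authentication"))
        elif auth == "text":
            findings.append((name, "plaintext (simple password) authentication; "
                                   "not cryptographic"))
        elif auth == "message-digest":
            findings.append((name, "MD5 message-digest; not selectable in FIPS-CC mode"))
        elif auth == "key-chain":
            chain = iface.get("keychain")
            if chain not in chains:
                findings.append((name, f"references missing key-chain {chain!r}"))
            for key_id, alg in weak.get(chain, []):
                findings.append((name, f"key-chain {chain!r} key {key_id} uses {alg}; "
                                       "not available in FIPS-CC mode"))
    return sorted(findings)


# Constructed sample dump: one FIPS-usable key-chain, one legacy MD5 key-chain,
# and four OSPF interfaces. Names and key strings are placeholders.
SAMPLE_CONFIG = """
config router key-chain
    edit "ospf-fips"
        config key
            edit 1
                set accept-lifetime 00:00:00 01 01 2024 infinite
                set send-lifetime 00:00:00 01 01 2024 infinite
                set key-string "PLACEHOLDER-KEY-1"
                set algorithm hmac-sha256
            next
        end
    next
    edit "ospf-legacy"
        config key
            edit 1
                set key-string "PLACEHOLDER-KEY-2"
                set algorithm md5
            next
        end
    next
end
config router ospf
    config ospf-interface
        edit "core-link"
            set interface "port1"
            set authentication key-chain
            set keychain "ospf-fips"
        next
        edit "lab-link"
            set interface "port2"
            set authentication text
        next
        edit "legacy-link"
            set interface "port3"
            set authentication key-chain
            set keychain "ospf-legacy"
        next
        edit "mgmt-link"
            set interface "port4"
        next
    end
end
"""

if __name__ == "__main__":
    for iface, finding in audit_ospf_auth(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```

To run it against a real device, replace SAMPLE_CONFIG with the output of show router key-chain followed by show router ospf. Only core-link passes in the sample: lab-link is flagged for cleartext passwords, legacy-link because its key-chain still uses md5, and mgmt-link because it has no authentication at all.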

 

Additionally, Fortinet is in the process of certifying v7.2 and v7.4 for FIPS 140-3 and NDcPP, but at the time of this writing (2024-08-08), the certification process is still ongoing, so certified builds are not available for these major FortiOS versions.

 

Related documents:

OSPF HMAC-SHA authentication 7.0.1

Technical Tip: Upgrading FortiOS Firmware when FIPS-CC is enabled