sprashant
Staff
Article Id 406542
Description This article describes the requirements for FIPS 140-2 compliance on FortiGate devices. It explains how to determine whether a FortiGate device meets FIPS 140-2 standards and why NIST-approved encryption and authentication algorithms must be used. It also explains the difference between the FIPS Special build and the Standard build with FIPS-CC mode enabled.
Scope FortiGate
Solution

To determine whether a FortiGate device meets FIPS 140-2 standards, check whether the device holds a valid FIPS 140-2 certificate under the CMVP (Cryptographic Module Validation Program). The certificate number is published on the National Institute of Standards and Technology (NIST) website; searching for 'Fortinet' under 'vendor' lists all validated Fortinet modules and their details.


For example, the FortiGate 100F has a FIPS 140-2 validated cryptographic module under the Cryptographic Module Validation Program (see NIST Certificate #4611).


In addition to having a valid FIPS 140-2 certificate, use NIST-approved encryption and authentication algorithms, such as AES256 and SHA384.


Standard Build + FIPS-CC Mode:


FIPS-CC mode can only be enabled and configured over a serial console connection; it cannot be enabled from the web GUI or from an SSH session.

config system fips-cc
    set status enable
end


Related article:

Technical Tip: How to enable FIPS-CC mode


Special Build:


Use a FIPS-CC certified build of FortiOS. For example, FortiOS v7.0.12 has a FIPS-CC certified build available.

Find it under support.fortinet.com -> Downloads -> Firmware Images -> FortiGate -> v7.00 -> 7.0 -> FIPS-CC-Certified -> 7.0.7-FIPS-CC -> CVE-Patched, then select the required image file.


Follow these steps to ensure that a FortiGate device meets FIPS 140-2 standards and is compliant with CMMC requirements.


Note: Special Build vs. Standard Build + FIPS-CC Mode:

  • FIPS-CC Special Build: Contains only validated crypto code and FIPS-safe features. This is the exact build that is submitted for certification and is required for strict compliance audits.
  • Standard Build + 'fips-cc-mode': Full FortiOS feature set, with non-FIPS algorithms disabled at runtime when FIPS-CC mode is enabled. This is often sufficient for internal security policy but may not meet external audit requirements.
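The two points above (use NIST-approved algorithms such as AES256 and SHA384; FIPS-CC mode disables non-FIPS algorithms at runtime) can be checked ahead of time against a configuration backup. The script below is an added example, not part of this article or of FortiOS: it parses a constructed `config vpn ipsec phase1-interface` export and flags proposals that contain algorithms FIPS-CC mode would reject. The `NON_APPROVED` set is an assumption for illustration (MD5, DES and 3DES are not approved for new use under NIST SP 800-131A), not Fortinet's authoritative list, and the sample config is constructed.

```python
"""Added example: flag non-NIST-approved algorithms in a FortiGate IPsec
phase1 configuration export before enabling FIPS-CC mode."""

# Assumption: algorithm tokens that a FIPS-CC build would refuse. Illustrative
# only; consult the FIPS-CC security policy for the authoritative list.
NON_APPROVED = {"md5", "des", "3des"}

# Constructed sample export: one tunnel with a weak fallback proposal, one clean.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "wan1"
        set proposal aes256-sha384 3des-md5
    next
    edit "to-dc"
        set interface "wan2"
        set proposal aes256gcm-prfsha384
    next
end
"""


def weak_components(proposal: str) -> list[str]:
    """Return the parts of a FortiOS proposal string (e.g. '3des-md5') that are
    in NON_APPROVED, preserving their order in the proposal."""
    return [part for part in proposal.lower().split("-") if part in NON_APPROVED]


def audit_proposals(config_text: str) -> list[dict]:
    """Walk a FortiOS CLI export and report every 'set proposal' entry that
    carries a non-approved algorithm. Each finding records the config section,
    the edit entry name, the offending proposal and its weak components."""
    findings = []
    section = None  # current 'config ...' block
    entry = None    # current 'edit "name"' inside that block
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip().strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            section = None
        elif line.startswith("set proposal "):
            # A proposal line may list several proposals; check each one.
            for proposal in line.split()[2:]:
                weak = weak_components(proposal)
                if weak:
                    findings.append({
                        "section": section,
                        "entry": entry,
                        "proposal": proposal,
                        "weak": weak,
                    })
    return findings


if __name__ == "__main__":
    for f in audit_proposals(SAMPLE_CONFIG):
        print(f"{f['section']} / {f['entry']}: proposal '{f['proposal']}' "
              f"uses non-approved {', '.join(f['weak'])}")
```

Run it against a real `show vpn ipsec phase1-interface` export to find tunnels whose proposals would stop negotiating once FIPS-CC mode removes the weak algorithms; the same loop can be extended to `phase2-interface` proposals or other `set` keys that carry algorithm names.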


Bottom-line:

If the goal is 'formal FIPS compliance for audits' (e.g., CMMC, FedRAMP), run the FIPS-CC special build. For internal security posture, enabling FIPS-CC mode on a standard build is generally acceptable.


For more information, review the complete list in Technical Tip: FortiOS FIPS Resource List.