pjang
Staff & Editor
Article Id 209896

Description

 

This article addresses some misconceptions regarding upgrading firmware on FortiGates when FIPS-CC mode is enabled, as well as the firmware branches that are available to install on the FortiGate for FIPS-related purposes.

 

Scope

 

FortiGates running in FIPS-CC mode and using FIPS Certified/CVE-Patched firmware.

 

Solution

 

First, Fortinet has two main types of firmware available for the FortiGate with respect to FIPS-CC:

  • General Availability (GA) firmware, which is the standard firmware used on all mainstream FortiGates, and
  • FIPS Certified firmware, which is a specialty build that is specifically validated and certified for FIPS use.

 

Additionally, the FIPS Certified firmware has a closely related subtype:

  • FIPS CVE-Patched firmware, introduced in FortiOS v6.4, v7.0 and later, which gives FIPS customers a way to maintain compliance while also resolving known vulnerabilities on the FortiGate.
  • For context, FIPS firmware builds in FortiOS v6.2 and earlier were generally only certified and released once or twice in the lifetime of the branch.

 

While administrators can generally enable FIPS-CC mode while running standard GA firmware, this configuration is not guaranteed to be fully FIPS compliant. Administrators can and should run either Certified or CVE-Patched firmware instead to ensure FIPS compliance.

 

Notes regarding FIPS CVE-Patched builds:

  • CVE-Patched builds use the original Certified firmware branch as a base and apply the changes required to resolve major firmware vulnerabilities. This may include moving to a newer version of the GA firmware as the starting base, as well as backporting fixes for known vulnerabilities.
  • As described in the ReadMe files, FIPS firmware builds for the FortiGate use a versioning system that is separate from the underlying GA firmware used as a base.
    For example, FIPS-CC-70-23 is the latest CVE-Patched build available for the 7.0 FIPS branch, but it uses FortiOS v7.0.12 GA as the underlying firmware base (before the FIPS-related modifications are added).
  • While these builds are fully FIPS compliant in the same way as the Certified builds and are entirely appropriate for production usage, they do not undergo a re-certification process. This is because the FIPS certification process requires a very significant time investment that is not feasible for new firmware builds aimed at timely resolution of vulnerabilities.

 

FIPS Certified and CVE-Patched builds can be found on the Firmware Images section of the Fortinet Support site, generally under a directory labelled 'FIPS-CC-Certified', as well as under sub-directories labelled 'CVE-Patched'. For example, the following is the directory path for one of the newest FIPS CVE-Patched builds for FortiOS v7.0:

 

/FortiGate/v7.00/7.0/FIPS-CC-Certified/7.0.7-FIPS-CC/CVE-Patched/b9633-FIPS-CC-70-23

 

Each FIPS build (Certified and CVE-Patched) will include a ReadMe PDF at the bottom of the download directory that contains more information on the firmware, including what vulnerabilities are resolved and what firmware versions are able to upgrade to this build. Make sure to review this ReadMe whenever a firmware upgrade is planned for FortiGates running the FIPS specialty firmware.

 

For additional information regarding the Fortinet modules that have been certified as part of NIST's Cryptographic Module Validation Program (CMVP) (including FortiOS versions and certified FortiGate models), refer to the following link: Cryptographic Module Validation Program.

 

Upgrading FIPS Certified/CVE-Patched firmware on the FortiGate:

In FortiOS v6.2 and earlier, the process of upgrading FIPS-enabled FortiGates was similar to that for FortiGates running GA firmware, in that the Fortinet Upgrade Path Tool was used to chart the firmware upgrade steps required to get from the starting firmware to the target firmware. For example, when upgrading a FortiGate-60E from the FIPS-CC certified build of v6.2.3 to the certified build of v6.2.7, the suggested path would have been v6.2.3 (FIPS-CC certified b5548) -> v6.2.5 (GA b1142) -> v6.2.7 (FIPS-CC certified b5067).

 

However, with the introduction of CVE-Patched builds, the upgrade recommendations have changed somewhat. Below are the recommended methods to follow when upgrading FIPS firmware for FortiOS v6.4/v7.x.

 

When upgrading from one Certified/CVE-Patched build to another on the same firmware major version, it is possible to simply perform a direct upgrade. For example, it is possible to upgrade directly from the original Certified FIPS-CC-70-6 to the latest FIPS-CC-70-23 (both on FortiOS v7.0).

 

When upgrading from one Certified/CVE-Patched build to another on a newer firmware major version, it is recommended to upgrade to each of the Certified versions available on the next available major version, then, when the target major version is reached, upgrade directly to the latest CVE-Patched build on that same major version. This logic is also described in the ReadMe files for the FortiOS FIPS firmware:

 

Snippet from ReadMe for FIPS-CC-72-4 (FIPS Certified/Candidate build)

 

Snippet from ReadMe for FIPS-CC-72-5 (FIPS CVE-Patched build)

 

For example, consider the case of an administrator who is running the v7.0-based FIPS-CC-70-19 CVE-Patched build and wants to upgrade to the latest v7.4-based CVE-Patched build of FIPS-CC-74-3 (at the time of this writing). To do this, the administrator would use the following upgrade pattern:

 

FIPS-CC-70-19 (7.0 CVE-Patched) -> FIPS-CC-72-4 (7.2 Certified/Candidate) -> FIPS-CC-74-2 (7.4 Certified/Candidate) -> FIPS-CC-74-3 (7.4 CVE-Patched)
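As an added illustration (not part of this article and not a Fortinet tool), the following Python script encodes the two upgrade rules above (direct upgrade within a branch; step through each Certified/Candidate build on every newer branch, then jump to the CVE-Patched target) and reproduces the example path. The catalogue is a constructed sample that reuses the build names from this article; it is not Fortinet's actual release list.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class FipsBuild:
    name: str    # e.g. "FIPS-CC-70-23"
    major: str   # underlying FortiOS branch, e.g. "7.0"
    number: int  # FIPS build counter, independent of the GA version used as base
    kind: str    # "Certified" (Candidate builds count as Certified) or "CVE-Patched"

_NAME = re.compile(r"^FIPS-CC-(\d)(\d)-(\d+)$")

def parse_build(name: str, kind: str) -> FipsBuild:
    """Split a FIPS-CC build name into its FortiOS branch and build counter."""
    m = _NAME.match(name)
    if not m:
        raise ValueError(f"not a FIPS-CC build name: {name}")
    return FipsBuild(name, f"{m.group(1)}.{m.group(2)}", int(m.group(3)), kind)

# Constructed sample catalogue (names from the article, not a real release list).
CATALOGUE = [
    parse_build("FIPS-CC-70-6", "Certified"),
    parse_build("FIPS-CC-70-19", "CVE-Patched"),
    parse_build("FIPS-CC-70-23", "CVE-Patched"),
    parse_build("FIPS-CC-72-4", "Certified"),  # Candidate build
    parse_build("FIPS-CC-72-5", "CVE-Patched"),
    parse_build("FIPS-CC-74-2", "Certified"),  # Candidate build
    parse_build("FIPS-CC-74-3", "CVE-Patched"),
]

def _key(major: str) -> tuple:
    return tuple(int(p) for p in major.split("."))

def plan_upgrade(start: str, target: str, catalogue=CATALOGUE) -> list:
    """Return the ordered build names to install, beginning with the current one."""
    by_name = {b.name: b for b in catalogue}
    src, dst = by_name[start], by_name[target]
    if (_key(dst.major), dst.number) <= (_key(src.major), src.number):
        raise ValueError("target must be newer than the starting build")
    if src.major == dst.major:
        return [src.name, dst.name]  # same branch: a direct upgrade is supported
    path = [src.name]
    for major in sorted({b.major for b in catalogue}, key=_key):
        if not _key(src.major) < _key(major) <= _key(dst.major):
            continue
        # Every Certified/Candidate build on this branch, in order (on the target
        # branch only those up to the target build).
        certified = [b for b in catalogue if b.major == major and b.kind == "Certified"
                     and (major != dst.major or b.number <= dst.number)]
        path.extend(b.name for b in sorted(certified, key=lambda b: b.number))
    if path[-1] != dst.name:  # a CVE-Patched target follows its branch's Certified build
        path.append(dst.name)
    return path
```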

 

Note regarding 'Candidate' builds:

At the time of this writing (January 2026), FortiOS v7.2 and v7.4 have been submitted for certification but have not yet been fully processed. Due to the certification backlog, Fortinet has opted to release the v7.2 and v7.4 FIPS firmware as 'Candidate' firmware rather than labelling it as Certified. This firmware is currently identical to what has been submitted to the governmental bodies for certification and, barring any unexpected rejections, will be transitioned into Certified firmware once the process completes. See also: Technical Tip: Extended Support for v7.0 FIPS-CC Certified/CVE-Patched Firmware.

 

Related articles:

Technical Tip: FortiOS FIPS Resource List

Technical Tip: How to enable FIPS-CC mode

Technical Tip: Getting Started with FIPS-CC enabled