This article aims to address some misconceptions regarding upgrading firmware on FortiGates when FIPS-CC mode is enabled.
This applies to FortiGates operating with FIPS-CC enabled.
As a primer, Fortinet has two types of firmware available with regards to FIPS-CC: General Availability (GA) firmware, which is the standard firmware used on all mainstream FortiGates, and Certified firmware, which consists of specialty builds that have been specifically validated and certified for use.
The following external link goes to the NIST Cryptographic Module Validation Program (CMVP) search page, where one can see the various certificates registered to Fortinet (largely in relation to FIPS 140-2 and Common Criteria):
FIPS-CC can be enabled on any GA firmware version, though Fortinet does make the Certified firmware files separately available on the Fortinet Support site for download.
In general, upgrading FortiGates with FIPS-CC enabled is no different than upgrading non-FIPS FortiGates.
Administrators should continue to follow the supported path specified by the Fortinet Upgrade Path Tool when upgrading their FIPS-enabled FortiGates, substituting the FIPS-CC Certified version of the firmware where needed.
GA firmware builds can be used as stepping stones when upgrading from one Certified firmware build to another, and they can also be used as the end-target firmware if the administrator does not specifically require a Certified firmware for their use-case.
The following shows the example upgrade path for a FortiGate-60E upgrading from the FIPS-CC certified build of FortiOS 6.2.3 to the certified build for FortiOS 6.2.7:
6.2.3 (FIPS-CC certified b5548) -> 6.2.5 (GA b1142) -> 6.2.7 (FIPS-CC certified b5067)
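As an added illustration of the substitution rule above (this is example code, not a Fortinet tool), the following Python planner takes the hop list the Upgrade Path Tool would give, keeps GA builds as stepping stones, and uses a Certified build only for the end-target when one is required. The catalogue is constructed: the three build numbers from the example path are the article's, the others are placeholders.

```python
"""Plan a FIPS-CC upgrade sequence along a supported FortiOS upgrade path.

Constructed example, not Fortinet tooling: the hop list must still come
from the Fortinet Upgrade Path Tool; this only decides which build
(GA or FIPS-CC Certified) to install at each hop.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Image:
    version: str
    build: int
    certified: bool  # True: FIPS-CC Certified build; False: GA build

    def label(self) -> str:
        kind = "FIPS-CC certified" if self.certified else "GA"
        return f"{self.version} ({kind} b{self.build})"


# Constructed catalogue: version -> {True: Certified build, False: GA build}.
# b5548, b1142 and b5067 are the builds quoted in the article; 9001 and 9002
# are placeholders, not real Fortinet build numbers.
CATALOGUE = {
    "6.2.3": {True: 5548, False: 9001},
    "6.2.5": {False: 1142},  # no Certified build for this version in the sample
    "6.2.7": {True: 5067, False: 9002},
}


def version_key(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def plan_upgrade(current: Image, path: list, catalogue: dict,
                 require_certified_target: bool) -> list:
    """Return the sequence of images to install, starting with `current`."""
    if any(version_key(a) >= version_key(b)
           for a, b in zip([current.version] + path, path)):
        raise ValueError("upgrade path must be strictly ascending")
    plan = [current]
    for index, version in enumerate(path):
        builds = catalogue.get(version, {})
        is_target = index == len(path) - 1
        want_certified = is_target and require_certified_target
        if want_certified and True not in builds:
            raise ValueError(f"no FIPS-CC Certified build for target {version}")
        # Intermediate hops use GA builds; fall back to Certified if GA is missing.
        kind = True if want_certified else (False if False in builds else True)
        if kind not in builds:
            raise ValueError(f"no firmware available for {version}")
        plan.append(Image(version, builds[kind], kind))
    return plan


def format_plan(plan: list) -> str:
    return " -> ".join(image.label() for image in plan)
```

Running `format_plan(plan_upgrade(Image("6.2.3", 5548, True), ["6.2.5", "6.2.7"], CATALOGUE, True))` reproduces the FortiGate-60E path shown above.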