Description
This article aims to address some misconceptions regarding upgrading firmware on FortiGates when FIPS-CC mode is enabled.
Scope
FortiGates operating with FIPS-CC enabled.
Solution
As a primer, Fortinet offers two types of firmware with regard to FIPS-CC: General Availability (GA) firmware, which is the standard firmware used on all mainstream FortiGates, and Certified firmware, which consists of specialty builds that have been specifically validated and certified (FIPS 140-2 / Common Criteria) for use in compliance-bound deployments.
Note:
Starting with v6.4/7.0, CVE-Patched builds of firmware are also available. These take the FIPS Certified versions as a base and apply only the minimal changes required to resolve major firmware vulnerabilities. They follow all of the same rules and restrictions as the Certified builds (making them equally compliant), but they do not undergo a re-certification process.
CVE-Patched builds can be found within the same directories as the FIPS Certified firmware on the Fortinet Support site's Firmware Images section (example: '/FortiGate/v7.00/7.0/FIPS-CC-Certified/7.0.7-FIPS-CC/CVE-Patched/b9223-FIPS-CC-70-16'). For more information, refer to the ReadMe PDF that is available within each CVE-Patched build's directory.
The following external link goes to the NIST Cryptographic Module Validation Program (CMVP) search page, where the various certificates registered to Fortinet (largely concerning FIPS 140-2 and Common Criteria) can be viewed: https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search?Sear...
FIPS-CC can be enabled on any GA firmware version, though Fortinet does make the Certified firmware files separately available on the Fortinet Support site for download.
In general, upgrading FortiGates with FIPS-CC enabled is no different than upgrading non-FIPS FortiGates.
Administrators should continue to follow the supported path specified by the Fortinet Upgrade Path Tool when upgrading their FIPS-enabled FortiGates, substituting the FIPS-CC Certified version of the firmware for any step where a Certified build is required.
GA firmware builds can be used as stepping stones when upgrading from one Certified firmware build to another, and they can also be used as the end-target firmware if the administrator does not specifically require a Certified firmware for their use-case.
When upgrading to GA firmware, FIPS-CC mode remains enabled; it does not need to be re-enabled after the upgrade.
The following shows the example upgrade path for a FortiGate-60E upgrading from the FIPS-CC certified build of FortiOS 6.2.3 to the certified build for FortiOS 6.2.7:
6.2.3 (FIPS-CC certified b5548) -> 6.2.5 (GA b1142) -> 6.2.7 (FIPS-CC certified b5067)
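The following Python script is an added example and not Fortinet code. It models the rules stated above: it parses the arrow notation used for the upgrade path, classifies an image by its support-site directory path using the layout shown in the CVE-Patched example (the regular expression for that layout and the strictly-increasing-version check are assumptions of this example, not Fortinet rules), and flags a path whose final image is GA when a Certified build is required.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Added example, not Fortinet code. Models the KB's guidance: GA builds may
# serve as stepping stones, and the final image must be FIPS-CC Certified
# (or CVE-Patched) when the deployment requires a certified build.


@dataclass(frozen=True)
class Image:
    version: str  # dotted FortiOS version, e.g. "6.2.7"
    build: int    # build number, e.g. 5067
    kind: str     # "GA", "Certified" or "CVE-Patched"

    def version_tuple(self) -> Tuple[int, ...]:
        return tuple(int(p) for p in self.version.split("."))


# Directory layout of Certified / CVE-Patched images, taken from the KB example:
#   /FortiGate/v7.00/7.0/FIPS-CC-Certified/7.0.7-FIPS-CC/CVE-Patched/b9223-FIPS-CC-70-16
# The regular expression itself is an assumption of this example.
_CERTIFIED_PATH = re.compile(
    r"^/FortiGate/v[\d.]+/[\d.]+/FIPS-CC-Certified/(?P<ver>\d+\.\d+\.\d+)-FIPS-CC"
    r"(?P<patched>/CVE-Patched)?/b(?P<build>\d+)-FIPS-CC-\d+-\d+$"
)


def classify_path(path: str) -> Image:
    """Classify a support-site image path as Certified or CVE-Patched.

    Paths outside the FIPS-CC-Certified tree are rejected here rather than
    parsed as GA, because the KB does not show the GA directory layout.
    """
    m = _CERTIFIED_PATH.match(path)
    if m is None:
        raise ValueError(f"not a FIPS-CC-Certified image path: {path}")
    kind = "CVE-Patched" if m.group("patched") else "Certified"
    return Image(m.group("ver"), int(m.group("build")), kind)


# Short notation used in the KB, e.g. "6.2.3 (FIPS-CC certified b5548) -> 6.2.5 (GA b1142)"
_STEP = re.compile(
    r"(?P<ver>\d+\.\d+\.\d+)\s*\((?P<kind>FIPS-CC certified|GA|CVE-Patched)\s+b(?P<build>\d+)\)"
)


def parse_upgrade_path(text: str) -> List[Image]:
    """Parse the arrow-separated upgrade path notation into Image objects."""
    steps = []
    for part in text.split("->"):
        m = _STEP.search(part)
        if m is None:
            raise ValueError(f"unparseable step: {part.strip()!r}")
        kind = "Certified" if m.group("kind") == "FIPS-CC certified" else m.group("kind")
        steps.append(Image(m.group("ver"), int(m.group("build")), kind))
    return steps


def validate_upgrade_path(steps: List[Image], require_certified_target: bool) -> List[str]:
    """Return a list of problems; an empty list means the path follows the KB's rules."""
    problems = []
    if len(steps) < 2:
        problems.append("path needs a source image and at least one target image")
        return problems
    for prev, cur in zip(steps, steps[1:]):
        # Downgrades are flagged; each hop should still come from the Upgrade Path Tool.
        if cur.version_tuple() < prev.version_tuple():
            problems.append(f"{prev.version} -> {cur.version} is a downgrade, not an upgrade")
    last = steps[-1]
    if require_certified_target and last.kind == "GA":
        problems.append(f"final image {last.version} b{last.build} is GA, not Certified")
    return problems


if __name__ == "__main__":
    # The FortiGate-60E path from the KB (constructed input for this example).
    path = ("6.2.3 (FIPS-CC certified b5548) -> 6.2.5 (GA b1142)"
            " -> 6.2.7 (FIPS-CC certified b5067)")
    steps = parse_upgrade_path(path)
    print([f"{s.version} {s.kind} b{s.build}" for s in steps])
    print("problems:", validate_upgrade_path(steps, require_certified_target=True))
    print(classify_path(
        "/FortiGate/v7.00/7.0/FIPS-CC-Certified/7.0.7-FIPS-CC/CVE-Patched/b9223-FIPS-CC-70-16"))
```

Running the script on the FortiGate-60E path above reports no problems, because the intermediate GA hop is permitted and the end target is a Certified build; dropping the last hop makes the validator flag the GA end target.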
Copyright 2024 Fortinet, Inc. All Rights Reserved.