joshiamarpreet
New Contributor III

FIPS Mode FortiOS 7.0.0 and Above

Dear All,

We want to enable FIPS mode in FortiOS version 7 and above.

As per the details available till now, we found FIPS-CC mode, which gets enabled in FortiOS 6.2 and below after loading FIPS-CC firmware onto the box and enabling it in the CLI.

 

In FortiOS 7 and above, we do see config system fips-cc but enabling the mode is disabled.

 

Please confirm whether Fortinet is no longer compliant with FIPS standards or, if it is, what the steps are to enable it.

 

joshiamarpreet - Still Hungry | Still Foolish
vdralio
Staff

Hi @joshiamarpreet ,

 

Yes, you can use FIPS also for FortiOS 7.x.x

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-FIPS-CC-mode/ta-p/196629

 

Please be aware that if you enable or disable FIPS-CC mode, all of the existing configurations are lost.

Backup first: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/702257/configuration-backups

Then use the following guides to enable the feature:

https://docs.fortinet.com/document/fortimail/6.2.0/cli-reference/785841/fips
https://docs.fortinet.com/document/fortigate/6.2.1/cli-reference/97620/system-fips-cc
https://docs.fortinet.com/document/fortigate/7.0.6/cli-reference/118620/config-system-fips-cc
Then you would need to upload the backup to the FG:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-load-convert-a-FortiGate-configurat...

If you want to disable it, you will need to restore the firmware default configuration using factoryreset.

 

Best Regards,

Vasil

joshiamarpreet
New Contributor III

Dear @vdralio

We already referred to the following link; it says only certain models/versions are FIPS-CC certified by the OEM.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-FIPS-CC-mode/ta-p/196629


On the firewall, it is not enabling FIPS mode in the factory-installed default OS.

 


 

Also, if we search the firmware images page on https://support.fortinet.com, FIPS-CC images are available only up to version 6.2.


 

Please guide on how to enable it on ver 7.x.x and above. Is TAC required to intervene and provide some custom image for us?

joshiamarpreet - Still Hungry | Still Foolish
vdralio

Dear @joshiamarpreet ,

 

I would then suggest continuing with the Support ticket; there you can get more information regarding the request and also help with the settings you need.

 

Best Regards,

Vasil Dralio

joshiamarpreet
New Contributor III

So, Fortinet is still working on the latest versions of the FIPS-CC mode firmware images, and it will take time for the new OS to come.

Confirmed with TAC.

joshiamarpreet - Still Hungry | Still Foolish