Fortinet Forum
wccca_is
New Contributor

Fortigate 1801F FIPS - what options do i have?

We're towards the end of a new building project. The network is up and mostly ready to go with x2 FG 1801F in HA config. We contracted out with a 3rd party to acquire the hardware and design the network for us (before I started working in my current role). We need to retain our CJIS standing, so our equipment needs to be FIPS compliant and pass an upcoming audit (which I've never done before). Here's our issue: I've been researching enabling FIPS mode on our firewalls now that we have a solid config working on them, but I'm not seeing them listed in any of the FIPS documentation as certified models. Does that mean that, if we were to try to enable FIPS mode, it would fail and/or not work? Or would it work and we'd find ourselves not fully in compliance? I'm trying to figure out our best options for being FIPS compliant given the situation.
As a related side-note: has anyone ever manually changed their configs and settings to be FIPS compliant without enabling FIPS mode? At this point I'm willing to do anything to make this work.

Anthony_E
Community Manager

Hello wccca_is,
Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Regards,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello,
I have found a KB article which explains how to enable FIPS-CC mode:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-FIPS-CC-mode/ta-p/196629
Could you please tell me if it helps?
Regards,

Anthony-Fortinet Community Team.
wccca_is
New Contributor

Hey Anthony,
Thanks for reaching back out!
I read through that KB article. This line is interesting: "Enable on non-FIPS-CC certified version but it does not guarantee compliance." That's obviously stated right after giving a link to the Fortigate firmware, with no mention of whether or not devices that aren't on the FIPS hardware list can even enable FIPS mode. I guess that's my main question: can I enable FIPS mode on the 1801F Fortigates even though they aren't listed on the FIPS hardware list?
I'm going to assume from the lack of replies regarding this topic that there probably isn't an easy way to be FIPS compliant without the FIPS mode. We might just be out of luck at this point.

Yurisk
Valued Contributor

Not from personal experience, but as I understand, FIPS compliance is for a specific model with a particular firmware. So, for starters, you would need to load a FIPS-CC compliant FortiOS (6.0, 6.2) image, not just the general image, for this model of the Fortigate, which for the 1800F does not exist yet. I tried enabling FIPS mode on a test Fortigate, just for laughs, an FGT80E, with a regular FortiOS, not a FIPS image, and while it accepted the command config fips-cc set (should be set status enable actually, but it was not available), it changed nothing (not advisable to try on the FGT 1800F; bricking is always an option).

Yuri
https://yurisk.info/ blog: All things Fortinet, no ads.

All opinions are mine only.
wccca_is
New Contributor

Yeah, that's my fear with trying it on the 1801F models we have; I'd hate to brick them now that they're functional. Running the FIPS certified FortiOS version isn't an issue for us; it's more so whether or not the 1801F will even accept enabling FIPS mode. And if it won't, I'm going to need to figure out how to manually get the firewall as compliant as I can without FIPS mode.

Is there a detailed list of what gets changed when FIPS mode is enabled? I've read the documentation about what FIPS mode generally changes, but I haven't seen any detailed list of what settings would need to get adjusted to do it manually.
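The thread ends without the list the last post asks for, and nobody in it posts a way to check a configuration by hand. As an added example (not from this thread, from Fortinet, or from any poster), the script below parses the `config ... set ... end` block structure of a FortiOS text configuration backup and reports settings that deviate from a small checklist, which is the kind of repeatable check an auditor would want when FIPS-CC mode cannot be relied on. The parser is generic; the checklist itself is an illustrative assumption: `config system fips-cc` / `set status`, `set strong-crypto` and `set admin-https-ssl-versions` under `config system global` are real FortiOS settings, but the thread does not supply Fortinet's official FIPS-CC policy list, so the table should be filled in from the FIPS-CC documentation before being used against a real backup. The sample configuration is constructed for the example.

```python
"""Audit a FortiOS text configuration backup against a small checklist.

Added example, not Fortinet's code. The CHECKLIST and FORBIDDEN_TLS
entries are illustrative assumptions, not the official FIPS-CC list.
"""
import shlex
from typing import Dict, List, Set, Tuple

# {section path: {setting key: [values]}}, e.g. ('system', 'global')
Settings = Dict[Tuple[str, ...], Dict[str, List[str]]]


def parse_fortios_config(text: str) -> Settings:
    """Return every 'set' line, keyed by its enclosing config/edit path.

    'config a b' opens a frame ('a', 'b'); 'edit "name"' opens a frame
    ('name',); 'next' and 'end' close the innermost frame. The section
    path of a 'set' line is the concatenation of all open frames.
    """
    frames: List[Tuple[str, ...]] = []
    result: Settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # backups start with '#config-version=...'
            continue
        words = shlex.split(line)  # honours the double quotes FortiOS uses
        cmd, args = words[0], words[1:]
        if cmd == "config":
            frames.append(tuple(args))
        elif cmd == "edit":
            frames.append((args[0],))
        elif cmd == "set":
            path = tuple(p for frame in frames for p in frame)
            result.setdefault(path, {})[args[0]] = args[1:]
        elif cmd in ("next", "end") and frames:
            frames.pop()
        # 'unset' and anything else is ignored for this audit
    return result


# Illustrative checklist (assumption): (section path, key, allowed values).
CHECKLIST: List[Tuple[Tuple[str, ...], str, Set[str]]] = [
    (("system", "fips-cc"), "status", {"enable"}),
    (("system", "global"), "strong-crypto", {"enable"}),
]
# TLS versions assumed to be disallowed for the admin HTTPS interface.
FORBIDDEN_TLS = {"tlsv1-0", "tlsv1-1"}


def audit(cfg: Settings) -> List[str]:
    """Return one human-readable finding per checklist deviation."""
    findings: List[str] = []
    for path, key, allowed in CHECKLIST:
        section = " ".join(path)
        values = cfg.get(path, {}).get(key)
        if values is None:
            findings.append(f"{section}: '{key}' not set, default in effect (verify)")
        elif values[0] not in allowed:
            findings.append(f"{section}: '{key}' is {values[0]}, expected {sorted(allowed)}")
    tls = cfg.get(("system", "global"), {}).get("admin-https-ssl-versions", [])
    bad = sorted(set(tls) & FORBIDDEN_TLS)
    if bad:
        findings.append(f"system global: admin-https-ssl-versions offers {bad}")
    return findings


# Constructed sample backup excerpt; the hostname is made up.
SAMPLE_CONFIG = """\
#config-version=EXAMPLE
config system global
    set hostname "FG-1801F-A"
    set strong-crypto disable
    set admin-https-ssl-versions tlsv1-1 tlsv1-2 tlsv1-3
end
config system fips-cc
    set status disable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
end
"""

if __name__ == "__main__":
    for finding in audit(parse_fortios_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against a real backup by reading the file into `parse_fortios_config` instead of `SAMPLE_CONFIG`. The parser keeps `edit` names in the path (for example `('system', 'admin', 'admin')`), so per-object checks such as administrator profiles can be added to the checklist without changing the parser.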