We're towards the end of a new building project. The network is up and mostly ready to go with x2 FG 1801F in HA config. We contracted out with a 3rd party to acquire the hardware and design the network for us (before I started working in my current role). We need to retain our CJIS standing, so our equipment needs to be FIPS compliant and pass an upcoming audit (which i've never done before). Here's our issue - i've been researching enabling FIPS mode on our firewalls now that we have a solid config working on them, but i'm not seeing them listed on any of the FIPS documentation as certified models. Does that mean, if we were to try to enable FIPS mode that it would fail and/or not work? Or would it work and we'd find ourselves not fully in compliance? I'm trying to figure out our best options for being FIPS compliant given the situation.
As a related side-note: has anyone ever manually changed their configs and settings to be FIPS compliant without enabling the FIPS mode? At this point i'm willing to do anything to make this work.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello wccca_is,
Thank you for using the Community Forum.
I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Regards,
Hello,
I have found a KB article which explain how to enable FIPS-CC mode:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-FIPS-CC-mode/ta-p/196629
Could you please tell me if it helps?
Regards,
Hey Anthoney,
Thanks for reaching back out!
I read through that KB article. This line is interesting: "Enable on non-FIPS-CC certified version but it does not guarantee compliance." That's obviously stated right after giving a link to the Fortigate firmware, with no mention of whether or not devices that aren't on the FIPS hardware list can even enable FIPS mode. i guess that's my main question: can i enable FIPS mode on the 1801F Fortigates even though they aren't listed on the FIPS hardware list?
I'm going to assume from the lack of replies regarding this topic that there probably isn't an easy way to be FIPS compliant without the FIPS mode. We might just be out of luck at this point.
Not from personal experience, but as I understand, FIPS compliance is for a specific model with a particular firmware. So, for starters, you would need to load FIPS-CC compliant FortiOS (6.0, 6.2) image, not just general image, for this model of the Fortigate, which for 1800F does not exist yet. I tried enabling FIPS mode on a test Fortigate, just for laughs, FGT80E, with a regular FortiOS, not FIPS image, and while it accepted the command config fips-cc / set (should be set status enable actually, but was not available), it changed nothing (not advisable to try on FGT 1800F, bricking is always an option).
yeah, that's my fear with trying it on the 1801F models we have; i'd hate to brick them now that they're functional. Running the FIPS certified FortiOS version isn't an issue for us, it's more so whether or not the 1801F will even accept enabling the FIPS mode. And if it won't, I'm going to need to figure out how to manually get the firewall as compliant as I can without the FIPS mode.
Is there a detailed list of what gets changed when FIPS mode is enabled? I've read the documentation about what FIPS mode generally changes, but i haven't seen any detailed list of what settings would need to get adjusted to do it manually.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1502 | |
1013 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.