Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
lrpage
New Contributor

enable fips-cc

We just purchased a new FortiGate 60E and 80E. Both came preinstalled with 5.4.3.

The first thing I want/need to do is enable fips-cc. I looked it up in the CLI guide and found:

system/fips-cc CLI Syntax

    config system fips-cc
        edit <name_str>
            set status {enable | disable}
            set entropy-token {enable | disable | dynamic}
            set error-flag {error-mode | exit-ready}
            set error-cause {none | memory | disk | syslog}
            set self-test-period <integer>
            set key-generation-self-test {enable | disable}

Great, I have all that I need.

    config system fips-cc

No issues, but the only command that does anything after that is

    set entropy-token {enable | disable | dynamic}

I cannot actually enable FIPS. If I try

    set status enable

I get

    command parse error before 'status'
    command fail. return code -61

I have enabled FIPS on a 300D running 5.2.x a few years ago and again on a 200D about 6 months ago (also running 5.2.x).

Not sure what to do next.

emnoc
Esteemed Contributor III

Can you change the FortiOS version?

PCNSE NSE StrongSwan
bommi
Contributor III

Hi,

I only found FortiOS 5.2.7 to be FIPS certified.

The documentation says that FortiOS 5.4.2 is in evaluation for a FIPS certification:

http://help.fortinet.com/...FOS/Certifications.htm

The lowest FortiOS version for the E-Series is 5.4.0, so you can't use them if FIPS certification is required.

Regards

bommi

NSE 4/5/7
lrpage
New Contributor

Right now FIPS certification is not needed, but I would like to have FIPS enabled because at some point in the future it will be required. Easier to enable now than later.

lrpage
New Contributor

They came preinstalled with 5.4.3; I upgraded one to 5.4.5.

I cannot back-rev to 5.2 because they are the E models and they do not have a 5.2 for those.

I have not tried 5.6 yet.

ipns
New Contributor III

Didn't you forget

    edit <name_str>

Kind Regards,
IPNS
lrpage
New Contributor

After

    config system fips-cc

I tried

    edit

Regardless of what I type in after edit, I get

    unknown action 0

bommi
Contributor III

From my understanding you need a FIPS-CC enabled build of FortiOS to be able to use these commands.

Regards

bommi

NSE 4/5/7
lrpage
New Contributor

I agree it needs to be a FIPS-enabled FortiOS to enable FIPS.

And that is my frustration.

http://docs.fortinet.com/...rtigate-cli-ref-54.pdf page 508 describes the CLI for it.

Basically, the manual for my version of the software gives very clear instructions on what I need to do. If I could find a document that says "except for these versions or these models" then I would let it go. But all I can find is instructions on how to do this.

And yes, the link is for 4.5.1, and on one unit I did downgrade to 4.5.1 just to see if it worked.

emnoc
Esteemed Contributor III

That's correct, you need a FIPS-enabled image. Log into Fortinet support, FIPS_CC certified images, and find one if available for that hardware.

http://socpuppet.blogspot...igate-firewall-by.html

And read the following (search for Fortinet):

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm

Remember, not all FGT are FIPS certified, since it costs FTNT to get that endorsement.

PCNSE NSE StrongSwan