enable fips-cc
We just purchased a new FortiGate 60E and 80E. Both came preinstalled with 5.4.3.
The first thing I want/need to do is enable FIPS-CC. I looked it up in the CLI guide and found:

system/fips-cc CLI syntax:

    config system fips-cc
        edit <name_str>
            set status {enable | disable}
            set entropy-token {enable | disable | dynamic}
            set error-flag {error-mode | exit-ready}
            set error-cause {none | memory | disk | syslog}
            set self-test-period <integer>
            set key-generation-self-test {enable | disable}

Great, I have all that I need. `config system fips-cc` works with no issues, but the only command that does anything after that is `set entropy-token {enable | disable | dynamic}`. I cannot actually enable FIPS. If I try `set status enable` I get:

    command parse error before 'status'
    command fail. return code -61

I have enabled FIPS on a 300D running 5.2.x a few years ago and again on a 200D about 6 months ago (also running 5.2.x). Not sure what to do next.
Can you change the FortiOS version?
PCNSE
NSE
StrongSwan
Hi,
I only found FortiOS 5.2.7 to be FIPS certified.
The documentation says that FortiOS 5.4.2 is in evaluation for a FIPS certification:
http://help.fortinet.com/...FOS/Certifications.htm
The lowest FortiOS version for the E-Series is 5.4.0, so you can't use them if FIPS certification is required.
Regards
bommi
NSE 4/5/7
Right now FIPS certification is not needed, but I would like to have FIPS enabled because at some point in the future it will be required. Easier to enable now than later.
They came preinstalled with 5.4.3; I upgraded one to 5.4.5.
I cannot back-rev to 5.2 because they are the E models and there is no 5.2 for those.
I have not tried 5.6 yet.
Didn't you forget

    edit <name_str>
Kind Regards,
IPNS
After

    config system fips-cc

I tried

    edit

Regardless of what I type in after `edit`, I get:

    unknown action 0
From my understanding you need a FIPS-CC enabled build of FortiOS to be able to use these commands.
Regards
bommi
NSE 4/5/7
I agree it needs to be a FIPS-enabled FortiOS to enable FIPS.
And that is my frustration.
http://docs.fortinet.com/...rtigate-cli-ref-54.pdf page 508 describes the CLI for it.
Basically, the manual for my version of the software gives very clear instructions on what I need to do. If I could find a document that says "except for these versions or these models" then I would let it go. But all I can find are instructions on how to do this.
And yes, the link is for 4.5.1, and on one unit I did downgrade to 4.5.1 just to see if it worked.
That's correct, you need a FIPS-enabled image. Log into Fortinet support, look under FIPS_CC certified images, and find one if available for that hardware.
http://socpuppet.blogspot...igate-firewall-by.html
And read the following (search for Fortinet):
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm
Remember, not all FGT models are FIPS certified, since it costs FTNT to get that endorsement.
PCNSE
NSE
StrongSwan