Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
lrpage
New Contributor

enable fips-cc

We just purchased an new fortigate 60e and 80e. Both came preinstalled with 5.4.3

The first thing i want/need to do is enable fips-cc.  Looked it up in the CLI guide and found

 

system/fips-cc CLI Syntax config system fips-cc edit <name_str> set status {enable | disable} set entropy-token {enable | disable | dynamic} set error-flag {error-mode | exit-ready} set error-cause {none | memory | disk | syslog} set self-test-period <integer> set key-generation-self-test {enable | disable}   Great i have all that i need config system fips-cc   no issues but the only command that does anything after that is set entropy-token {enable | disable | dynamic}   i cannot actually enable fips if i try set status enable i get   command parse error before 'status' command fail. return code -61   I have enabled fips on a 300d running 5.2.x a few years ago and again on a 200d about 6 months ago (also running 5.2.x)   not sure what to do next

 

 

18 REPLIES 18
bommi
Contributor III

The problem is that he uses fortigate 60E and 80E firewalls, so the lowest fortios release is 5.4.0.

But there is no fips release for 5.4.x and 5.6.x, the latest fips release is 5.2.7.

 

The documentation says that an fips enabled release based on fortios 5.4.2 is planned:

http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortiOS-HTML5-v2/InsideFOS/Certifications.htm

 

Regards

bommi

NSE 4/5/7

NSE 4/5/7
emnoc
Esteemed Contributor III

Than he needs to wait or contact Sales or Support.

 

Ken

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
ipns
New Contributor III

What does the full configuration show under fips-cc?

Kind Regards, 

IPNS

Kind Regards, IPNS
lrpage
New Contributor

Learned today that have to use console cable.  SSh or HTTPS will not allow you to enable fips.  Will need serial cable

Having a copy of the fortiexplorer ready to go will help a lot to reconfigure

bommi
Contributor III

With that information I found it in the documentation :D

Do you had success enabling the fips mode on 5.4 or 5.6?

NSE 4/5/7

NSE 4/5/7
lrpage
New Contributor

i do not have anything running 5.6

But i do have two new fortigate 300d.  One with downgraded to 5.2.7 and the other factory default at 5.4.4.  Both setup fips-cc without issue.  I doubt the 5.4.4 is considered certified.  But it is enabled

emnoc
Esteemed Contributor III

But it is enabled

 

 

Can you do a cli   get sys status    ? I belive  5.4.4 is still pending approval  btw.

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
lrpage
New Contributor

when i do a get sys status says

fips-cc mode: enable

 

and all the things i expect from fips mode is happening, everything is disabled by default, password policy is enforced, the lower levels of encryption are disabled.  Works as it should.

 

 

emnoc
Esteemed Contributor III

What version of FortiOS code ( version model )

 

e.g

 

get system  status  | grep ersion

get system  status  | grep FIPS

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors