We just purchased an new fortigate 60e and 80e. Both came preinstalled with 5.4.3
The first thing i want/need to do is enable fips-cc. Looked it up in the CLI guide and found
system/fips-cc CLI Syntax config system fips-cc edit <name_str> set status {enable | disable} set entropy-token {enable | disable | dynamic} set error-flag {error-mode | exit-ready} set error-cause {none | memory | disk | syslog} set self-test-period <integer> set key-generation-self-test {enable | disable} Great i have all that i need config system fips-cc no issues but the only command that does anything after that is set entropy-token {enable | disable | dynamic} i cannot actually enable fips if i try set status enable i get command parse error before 'status' command fail. return code -61 I have enabled fips on a 300d running 5.2.x a few years ago and again on a 200d about 6 months ago (also running 5.2.x) not sure what to do next
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
The problem is that he uses fortigate 60E and 80E firewalls, so the lowest fortios release is 5.4.0.
But there is no fips release for 5.4.x and 5.6.x, the latest fips release is 5.2.7.
The documentation says that an fips enabled release based on fortios 5.4.2 is planned:
http://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortiOS-HTML5-v2/InsideFOS/Certifications.htm
Regards
bommi
NSE 4/5/7
Than he needs to wait or contact Sales or Support.
Ken
PCNSE
NSE
StrongSwan
What does the full configuration show under fips-cc?
Kind Regards,
IPNS
Learned today that have to use console cable. SSh or HTTPS will not allow you to enable fips. Will need serial cable
Having a copy of the fortiexplorer ready to go will help a lot to reconfigure
With that information I found it in the documentation :D
Do you had success enabling the fips mode on 5.4 or 5.6?
NSE 4/5/7
i do not have anything running 5.6
But i do have two new fortigate 300d. One with downgraded to 5.2.7 and the other factory default at 5.4.4. Both setup fips-cc without issue. I doubt the 5.4.4 is considered certified. But it is enabled
But it is enabled
Can you do a cli get sys status ? I belive 5.4.4 is still pending approval btw.
PCNSE
NSE
StrongSwan
when i do a get sys status says
fips-cc mode: enable
and all the things i expect from fips mode is happening, everything is disabled by default, password policy is enforced, the lower levels of encryption are disabled. Works as it should.
What version of FortiOS code ( version model )
e.g
get system status | grep ersion
get system status | grep FIPS
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1692 | |
1087 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.