joshiamarpreet
New Contributor II

FIPS Mode FortiOS 7.0.0 and Above

Dear All,

We want to enable FIPS mode in FortiOS 7 version and above.

As per the details available till now, we found that FIPS-CC mode gets enabled in FortiOS 6.2 and below after loading the FIPS-CC firmware onto the box and enabling it in the CLI.

In FortiOS 7 and above, we do see config system fips-cc, but enabling the mode is disabled.

Please confirm if Fortinet is not compliant with FIPS standards now or, if it is, what the steps are to enable it.

joshiamarpreet - Still Hungry | Still Foolish
vdralio
Staff

Hi @joshiamarpreet,

Yes, you can also use FIPS for FortiOS 7.x.x.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-FIPS-CC-mode/ta-p/196629

Please be aware that if you enable or disable FIPS-CC mode, all of the existing configurations are lost.

Backup first: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/702257/configuration-backups

Then use the following guides to enable the feature:

https://docs.fortinet.com/document/fortimail/6.2.0/cli-reference/785841/fips
https://docs.fortinet.com/document/fortigate/6.2.1/cli-reference/97620/system-fips-cc
https://docs.fortinet.com/document/fortigate/7.0.6/cli-reference/118620/config-system-fips-cc

Then you would need to upload the backup to the FG:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-load-convert-a-FortiGate-configurat...

If you want to disable it, you will need to restore the firmware default configuration using factoryreset.

Best Regards,

Vasil

joshiamarpreet
New Contributor II

Dear @vdralio

We already referred to the following link; it says only certain models/versions are FIPS-CC certified by the OEM.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-FIPS-CC-mode/ta-p/196629


On the firewall, it is not enabling FIPS mode in the factory-installed default OS.

 

Also, if we search the firmware images page on https://support.fortinet.com, FIPS-CC images are available till version 6.2 only.

Please guide us on how to enable it on ver 7.x.x and above. Is TAC required to intervene and provide some custom image for us?

joshiamarpreet - Still Hungry | Still Foolish
vdralio

Dear @joshiamarpreet,

I will suggest, then, continuing with the Support ticket; there you can get more information regarding the request and also help with the settings you need.

Best Regards,

Vasil Dralio