
CMMC Compliance with FortiGate Firewalls – Part 2

In CMMC Compliance with FortiGate Firewalls – Part 1, we discussed CMMC compliance, FIPS, and how to obtain certified FIPS firmware from Fortinet.  In this article we will discuss how to enable FIPS mode on the firewall and do the initial configuration. 

It is important to note that FIPS-CC mode can be enabled on any FortiOS build (it switches the firewall to FIPS-compliant behavior), but only a subset of firmware builds is actually certified for FIPS-CC, and running a certified build is what matters for compliance. Even on a certified build, FIPS-CC mode is disabled by default after the firmware is installed. It can also only be enabled and configured over a serial console connection, not through SSH or the web UI. 

Steps to enable FIPS-CC mode: 

  1. Log in to the CLI through the console port. Use the default admin account or another account with the super_admin access profile. 

Because switching to FIPS-CC mode resets most of the configuration (see the warning below), first dump the running configuration to the console so you have a record of it: 

show full-configuration 

Then enable FIPS-CC mode: 

config system fips-cc 
set status enable 
set entropy-token enable 
end 

  2. A prompt then asks for a new password for the admin account, which must satisfy the password policy that FIPS-CC mode enforces: 

Please enter admin administrator password: 
New password must conform to the password policy enforced on this device: 
minimum-length=8; must contain upper-case-letter lower-case-letter number non-alphanumeric
 

  3. The CLI then displays the following warning: 

Warning: most configuration will be lost, do you want to continue? (y/n)  

  4. Type y, then press Enter to confirm. The FortiGate restarts and comes up in FIPS-CC mode. 
  5. After the reboot, all network interfaces are down. Bring up each interface you need from the CLI and enable administrative access on it as required, for example: 

config system interface 
edit internal
set status up 
set ip <ip_address> <netmask>  
set allowaccess ping https 
end 

Once the LAN (internal) interface is up with https allowed, the remaining management and configuration can be done from the web UI. Note that entering FIPS-CC mode resets the configuration, so firewall policies, security profiles, and other settings are not carried over and have to be configured from scratch. 
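Once the firewall is back up, the configuration can be backed up and reviewed. The script below is an added example, not code from the original article or from Fortinet: it parses the nested config/edit/set/next/end text format that FortiOS configuration backups use and checks the two things a reviewer wants to confirm after the procedure above: that config system fips-cc carries set status enable, and which administrative access protocols each active interface exposes. The embedded sample backup is constructed for the example, the function names are hypothetical, and the allowed-protocol set (ping, https, plus ssh) is an assumption about the management policy, not something the article prescribes.

```python
from __future__ import annotations

import shlex

# Constructed sample in the shape of a FortiOS backup after the procedure
# above (FIPS-CC enabled, internal interface up with ping/https). Not a
# real device export; the header comment line mimics a backup's first line.
SAMPLE_CONFIG = """\
#config-version=constructed-sample
config system fips-cc
    set status enable
    set entropy-token enable
end
config system interface
    edit "internal"
        set status up
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https
    next
    edit "wan1"
        set status up
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh http
    next
    edit "dmz"
        set status down
    next
end
"""

# Management protocols accepted on an interface. Assumption: the article
# enables ping and https; ssh is added as the usual CLI alternative.
ALLOWED_MGMT = {"ping", "https", "ssh"}

# {section path: {key: values}}; a path is ("system fips-cc",) for a
# table-less section or ("system interface", "internal") for one edit entry.
Settings = dict[tuple[str, ...], dict[str, list[str]]]


def parse_fortios(text: str) -> Settings:
    """Parse FortiOS config text; nesting is tracked with a stack so config
    blocks inside an edit entry also work. Mismatched next/end raise."""
    settings: Settings = {}
    path: list[str] = []
    kinds: list[str] = []  # parallel stack of "config" / "edit"
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and backup header comments
        tokens = shlex.split(line)  # handles quoted names such as edit "port 1"
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            path.append(" ".join(args))
            kinds.append("config")
            settings.setdefault(tuple(path), {})
        elif cmd == "edit":
            path.append(args[0])
            kinds.append("edit")
            settings.setdefault(tuple(path), {})
        elif cmd in ("next", "end"):
            expected = "edit" if cmd == "next" else "config"
            if not kinds or kinds[-1] != expected:
                raise ValueError(f"line {lineno}: unexpected '{cmd}'")
            path.pop()
            kinds.pop()
        elif cmd == "set":
            if not path:
                raise ValueError(f"line {lineno}: 'set' outside any section")
            settings[tuple(path)][args[0]] = args[1:]
        # other commands (unset, append, ...) are not needed for this audit
    if path:
        raise ValueError(f"unterminated section: {' / '.join(path)}")
    return settings


def fips_cc_enabled(settings: Settings) -> bool:
    """True only if config system fips-cc carries set status enable."""
    return settings.get(("system fips-cc",), {}).get("status") == ["enable"]


def interface_access(settings: Settings) -> dict[str, set[str]]:
    """Map each interface that is not status down to its allowaccess set."""
    result: dict[str, set[str]] = {}
    for path, values in settings.items():
        if len(path) == 2 and path[0] == "system interface":
            if values.get("status") != ["down"]:
                result[path[1]] = set(values.get("allowaccess", []))
    return result


def audit(text: str) -> list[str]:
    """Return a list of findings; an empty list means both checks pass."""
    settings = parse_fortios(text)
    findings: list[str] = []
    if not fips_cc_enabled(settings):
        findings.append("FIPS-CC mode is not enabled "
                        "(config system fips-cc / set status enable)")
    for name, access in sorted(interface_access(settings).items()):
        extra = access - ALLOWED_MGMT
        if extra:
            findings.append(f"interface {name}: management access beyond "
                            f"{sorted(ALLOWED_MGMT)}: {sorted(extra)}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

On the constructed sample the audit reports one finding, the http access on wan1; the dmz interface is skipped because it is down. Point audit() at the text of a real backup (the same format the firewall exports) to run the checks against an actual device.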

If you have any other questions about CMMC compliance, FIPS mode, or FortiGate firewalls please contact Sikich. You can also check out the following references from the FortiGate community:

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.
