https://www.sikich.com

CMMC Compliance with FortiGate Firewalls – Part 2


In CMMC Compliance with FortiGate Firewalls – Part 1, we discussed CMMC compliance, FIPS, and how to obtain FIPS-certified firmware from Fortinet. In this article we cover how to enable FIPS-CC mode on the firewall and perform the initial configuration.

It is important to note that FIPS-CC mode can be enabled on any FortiOS version (it switches the unit to FIPS-compliant behavior), but only a subset of firmware builds is actually FIPS-CC certified, and running one of those certified builds is what a compliance claim rests on. Even on a certified build, FIPS-CC mode is disabled by default after the firmware is installed, and it can only be enabled and configured from a serial console connection to the CLI.

Steps to enable FIPS-CC mode: 

  1. Log in to the CLI through the console port. Use the default admin account or another account with the super_admin access profile.

Enter the following commands (the first one only displays the running configuration, which is worth capturing now because most of it is lost in the next step):

show full-configuration
config system fips-cc
    set status enable
    set entropy-token enable
end

  2. After that, a prompt will appear asking you to set a new administrator password for the “admin” account:

Please enter admin administrator password:
New password must conform to the password policy enforced on this device:
minimum-length=8; must contain upper-case-letter lower-case-letter number non-alphanumeric

  3. After that, the CLI displays the following warning:

Warning: most configuration will be lost, do you want to continue? (y/n)

  4. Type y, then hit Enter to confirm. The FortiGate restarts and runs in FIPS-CC mode afterward.
  5. After the reboot, every network interface is disabled. Each interface has to be brought up from the CLI, and administrative access enabled on it as needed:

config system interface
    edit internal
        set status up
        set ip <ip_address> <netmask>
        set allowaccess ping https
    next
end

After the LAN or internal interface is up and https is allowed on it, management and configuration can be done from the web UI. On a side note, with FIPS-CC mode enabled, firewall policies, security profiles, and most other settings are wiped by the mode change and need to be configured from scratch.
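The whole procedure as a single console session, added here as an example and not taken from the article or from Fortinet's documentation. The interface name "internal", the addresses 192.168.1.99/24 and 192.168.1.0/24, and the TFTP server at 192.168.1.10 are constructed assumptions; substitute your own.

```fortios
# Added example (not from the original article). Assumptions: LAN interface is
# named "internal", management subnet is 192.168.1.0/24, and a TFTP server at
# 192.168.1.10 is reachable for the pre-change backup.

# --- Before enabling FIPS-CC: capture the running configuration ---
# Most of it is wiped by the mode change. The copy is a reference for
# re-creating policies and profiles by hand afterward, not a file to restore.
show full-configuration
execute backup config tftp fortigate-pre-fips.conf 192.168.1.10

# --- Enable FIPS-CC mode (console session only) ---
config system fips-cc
    set status enable
    set entropy-token enable
end
# The unit now prompts for a new admin password that meets the FIPS policy
# (8+ chars, upper, lower, digit, non-alphanumeric), warns that most
# configuration will be lost, and reboots after "y".

# --- After the reboot: all interfaces are down; bring up management only ---
config system interface
    edit "internal"
        set status up
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https
    next
end

# Restrict where the admin account may log in from before exposing HTTPS.
config system admin
    edit "admin"
        set trusthost1 192.168.1.0 255.255.255.0
    next
end

# --- Verify before switching to the web UI at https://192.168.1.99 ---
# "get system status" includes the FIPS-CC mode state; confirm it is enabled.
get system status
show system fips-cc
```

One caveat on `set entropy-token enable`: on hardware that uses Fortinet's USB entropy token, `enable` expects the token to be present. The `config system fips-cc` CLI also offers `dynamic` (use the token only when it is plugged in) and `disable`; check the CLI reference for your build before choosing, because the wrong choice on a token-equipped appliance is discovered at boot time.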

If you have any other questions about CMMC compliance, FIPS mode, or FortiGate firewalls please contact Sikich. You can also check out the following references from the FortiGate community:

Author

Joe has over 13 years of experience working in the IT industry. He started his career in a small computer repair shop and continued to evolve his skills to take on new responsibilities as a Help Desk Administrator, Systems Administrator, and in his current role as a Senior Network Consultant in Sikich’s Network Operations Center. He has certifications from VMware, Microsoft, and SonicWall.