Configuring a FortiGate-6000 to operate in FIPS-CC mode
If the version of FortiOS running on your FortiGate 6000F supports FIPS-CC mode, you can use the config system fips-cc
command to switch your FortiGate 6000F to operate in FIPS-CC mode.
When you enter this command on most FortiGate models, the FortiGate restarts, generates a new set of encryption keys, runs a set of startup and conditional self-tests, and then starts up operating in FIPS-CC mode.
The FortiGate 6000F follows the same process except that first the management board and then all of the FPCs each generate their own sets of keys and then run their own set of startup and conditional self tests.
To make sure the conversion goes smoothly, you should make sure all of the FPCs are synchronized with the management board before switching to FIPS-CC mode. From the management board CLI, you can run the diagnose load-balance status
command to confirm that the Status Message
for all FPCs is Running
.
diagnose load-balance status ========================================================================== MBD SN: F6KF31T018900143 Primary FPC Blade: slot-1 Slot 1: FPC6KFT018901327 Status:Working Function:Active Link: Base: Up Fabric: Up Heartbeat: Management: Good Data: Good Status Message:"Running" Slot 2: FPC6KFT018901372 Status:Working Function:Active Link: Base: Up Fabric: Up Heartbeat: Management: Good Data: Good Status Message:"Running" Slot 3: FPC6KFT018901346 Status:Working Function:Active Link: Base: Up Fabric: Up Heartbeat: Management: Good Data: Good Status Message:"Running" Slot 4: FPC6KFT018901574 Status:Working Function:Active Link: Base: Up Fabric: Up Heartbeat: Management: Good Data: Good Status Message:"Running" Slot 5: FPC6KFT018901345 Status:Working Function:Active Link: Base: Up Fabric: Up Heartbeat: Management: Good Data: Good Status Message:"Running" Slot 6: FPC6KFT018901556 Status:Working Function:Active Link: Base: Up Fabric: Up Heartbeat: Management: Good Data: Good Status Message:"Running"
If one or more FPCs are not running or are not synchronized you may need to wait a bit longer for the FPC to start up and become synchronized. You could also try manually restarting the FPC or check Troubleshooting an FPC failure for other suggestions. |
If all of the FPCs are running and synchronized, you can enter the config system fips-cc
command from the management board CLI. If you are logged into the management board CLI using a console connection, messages similar to the following appear as the management board completes its self tests and then waits for the FPCs to complete their self-tests:
FIPS-CC mode: Starting self-tests. Running Configuration/VPN Bypass test... passed Running AES test... passed Running SHA1 HMAC test... passed Running SHA256 HMAC test... passed Running SHA384/512 HMAC test... passed Running RSA test... passed Running ECDSA test... passed Running TLS1.1-KDF test... passed Running TLS1.2-KDF test... passed Running SSH-KDF test... passed Running IKEv1-KDF test... passed Running IKEv2-KDF test... passed Running Primitive-Z test... passed Running Firmware integrity test... passed Running RBG-instantiate test... passed Running RBG-reseed test... passed Running RBG-generate test... passed Motherboard Self-tests passed Please wait for FPC self-tests to complete
As each FPC completes its self-tests, the FPC sends the results (pass or fail) to the management board. Each FPC also records log messages with the self- test results. Until all of the FPCs have reported successfully passing their self-tests, the front panel interfaces remain down.
This may take a few minutes. When all of the FPCs pass their self-tests, the following message appears on the management board console connection:
FPC self-tests have completed
The login prompt appears and you can log into the management board CLI. The front panel interfaces come up as well.
You can use the get system status
command to verify that the FortiGate 6000F is operating in FIPS-CC mode.
get system status . . . FIPS-CC mode: enable . . .
Troubleshooting FortiGate 6000F self tests
Since the management board and all of the FPCs have to pass their self-tests, converting a FortiGate 6000F to FIPS-CC mode may take longer than expected and may be more prone to temporary failure than expected.
All FPCs must pass their self-tests before the self-test timer expires. So if the timer is set to 1440 seconds, the management board will wait up to 1440 seconds to receive self-test pass messages from all of the FPCs. If the self test timer expires before all of the FPCs pass their self-tests, the FortiGate 6000F keeps running but all interfaces remain shut down.
The self-test timer gives you time to check the status of the FPCs and troubleshoot and resolve any problems that may prevent them from starting up or passing their self-tests.
Fortinet recommends that once the management board passes its self tests, run the diagnose load-balance status
command to confirm that the Status Message
for all FPCs is Running
.
diagnose load-balance status ========================================================================== MBD SN: F6KF31T018900143 Primary FPC Blade: slot-1 Slot 1: FPC6KFT018901327 Status:Working Function:Active Link: Base: Up Fabric: Up Heartbeat: Management: Good Data: Good Status Message:"Running" Slot 2: FPC6KFT018901372 Status:Working Function:Active Link: Base: Up Fabric: Up Heartbeat: Management: Good Data: Good Status Message:"Running" Slot 3: FPC6KFT018901346 Status:Working Function:Active Link: Base: Up Fabric: Up Heartbeat: Management: Good Data: Good Status Message:"Running" Slot 4: FPC6KFT018901574 Status:Working Function:Active Link: Base: Up Fabric: Up Heartbeat: Management: Good Data: Good Status Message:"Running" Slot 5: FPC6KFT018901345 Status:Working Function:Active Link: Base: Up Fabric: Up Heartbeat: Management: Good Data: Good Status Message:"Running" Slot 6: FPC6KFT018901556 Status:Working Function:Active Link: Base: Up Fabric: Up Heartbeat: Management: Good Data: Good Status Message:"Running"
If the FortiGate 6000F has just started up, some of the FPCs may not be in the running state because they are still starting up. Try running the diagnose load-balance status
command a few more times to see if all of the FPCs transition to the running state.
If an FPC continues to not be in the running state, you can try manually restarting it. You can also use the information in Troubleshooting an FPC failure to do further investigation.
If an FPC fails its self-test, the management board console may display a message similar to the following (which indicates that the FPC in slot 2 experienced a self-test failure):
Self-test failure: FPC 0000002
The FPC may self-correct and re-try and pass the self-test without any intervention. You could also try manually restarting the FPC or check Troubleshooting an FPC failure for other suggestions.