
Add FIPS cipher mode for AWS and Azure FortiGate VMs 6.4.3

In fips-ciphers mode, only a restricted set of ciphers is allowed for features that require encryption, such as SSH, IKE/IPsec, SSL VPN, and HTTPS. Insecure protocols such as Telnet, TFTP, and HTTP access to the cloud FortiGate-VM are not allowed.

Note

Before enabling fips-ciphers mode, remove any existing IPsec configurations.

To enable FIPS cipher mode:
config system fips-cc
    set status fips-ciphers
end

The following behavior occurs when FIPS cipher mode is enabled:

  • A license, image, configuration, and so on can be restored from an FTP server.

  • The following options are available:

    SSH algorithms

    • aes128-gcm@openssh.com

    • aes256-gcm@openssh.com

    • hmac-sha2-256

    • hmac-sha2-512

    IKE/IPsec phase1 proposals

    • aes128gcm-prfsha256

    • aes128gcm-prfsha384

    • aes128gcm-prfsha512

    • aes256gcm-prfsha256

    • aes256gcm-prfsha384

    • aes256gcm-prfsha512

    IKE/IPsec phase2 proposals

    • aes128gcm

    • aes256gcm

    IKE/IPsec DH groups

    • Default = 19, or any three from 14 - 21, 27 - 32

    HTTPS for admin and SSL VPN (with RSA server certificate) TLS suites

    PFS:

    • TLS_AES_256_GCM_SHA384

    • ECDHE-RSA-AES256-GCM-SHA384

    • DHE-RSA-AES256-GCM-SHA384

    • TLS_AES_128_GCM_SHA256

    • ECDHE-RSA-AES128-GCM-SHA256

    • DHE-RSA-AES128-GCM-SHA256

    Elliptic curves:

    • prime256v1

    • secp384r1

    • secp521r1

    DH group:

    • RFC3526/Oakley group 14 (2048 bits)

    HTTPS for admin and SSL VPN (with ECC server certificate) TLS suites

    PFS:

    • TLS_AES_256_GCM_SHA384

    • ECDHE-ECDSA-AES256-GCM-SHA384

    • TLS_AES_128_GCM_SHA256

    • ECDHE-ECDSA-AES128-GCM-SHA256

    Elliptic curves:

    • prime256v1

    • secp384r1

    • secp521r1

  • The FortiCare license is validated.

  • FortiGuard databases and engines are updated.

  • The DH-RSA-AES128-GCM-SHA256 and DH-RSA-AES256-GCM-SHA384 ciphers are not supported.

  • A factory reset is required to disable fips-ciphers mode.
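The allow-lists above can be checked before the mode is switched on, which matters because the note says existing IPsec configurations must be removed first and a factory reset is needed to back out. The following audit script is an added example, not Fortinet code: it reads the proposal and DH-group lines of `config vpn ipsec phase1-interface` / `phase2-interface` blocks from a constructed CLI dump and reports what fips-ciphers mode would reject. The constants and the reading of "any three" as "at most three groups" are assumptions taken from this page.

```python
import re

# Allow-lists transcribed from the fips-ciphers mode table above.
FIPS_PHASE1 = {"aes128gcm-prfsha256", "aes128gcm-prfsha384", "aes128gcm-prfsha512",
               "aes256gcm-prfsha256", "aes256gcm-prfsha384", "aes256gcm-prfsha512"}
FIPS_PHASE2 = {"aes128gcm", "aes256gcm"}
FIPS_DHGRP = set(range(14, 22)) | set(range(27, 33))   # 14-21, 27-32
ALLOWED = {"phase1-interface": FIPS_PHASE1, "phase2-interface": FIPS_PHASE2}
MAX_DHGRP = 3   # "any three from ..." read here as at most three groups (assumption)

def audit_ipsec_config(config_text):
    """Return (tunnel name, message) findings for settings fips-ciphers mode rejects."""
    findings = []
    section = name = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"config vpn ipsec (phase[12]-interface)$", line)
        if m:
            section = m.group(1)
            continue
        if section is None:          # lines outside the IPsec blocks are ignored
            continue
        if line.startswith("edit "):
            name = line.split(None, 1)[1].strip('"')
        elif line.startswith("set proposal "):
            for prop in line.split()[2:]:
                if prop not in ALLOWED[section]:
                    findings.append((name, f"{section} proposal {prop} not allowed"))
        elif line.startswith("set dhgrp "):
            groups = [int(g) for g in line.split()[2:]]
            bad = [g for g in groups if g not in FIPS_DHGRP]
            if bad:
                findings.append((name, f"DH groups {bad} outside 14-21 / 27-32"))
            if len(groups) > MAX_DHGRP:
                findings.append((name, f"{len(groups)} DH groups; at most {MAX_DHGRP}"))
        elif line == "end":
            section = name = None
    return findings

# Constructed sample: one compliant proposal per block, plus settings that should fail.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "to-hq"
        set proposal aes256gcm-prfsha384 aes256-sha256
        set dhgrp 5 14 19 20
    next
end
config vpn ipsec phase2-interface
    edit "to-hq-p2"
        set proposal aes128gcm aes128-sha1
    next
end
"""
```

Run `audit_ipsec_config(SAMPLE_CONFIG)` to list the four offending settings in the sample; an empty list means the IPsec blocks only use proposals and groups from the table above.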
