Add FIPS cipher mode for AWS and Azure FortiGate VMs 6.4.3
In fips-ciphers mode, only a restricted set of ciphers is allowed for features that require encryption, such as SSH, IKE/IPsec, SSL VPN, and HTTPS. Insecure protocols such as Telnet, TFTP, and HTTP access to the cloud FortiGate-VM are not allowed.
Before enabling |
To enable FIPS cipher mode:
config system fips-cc
    set status fips-ciphers
end
The following behavior occurs when FIPS cipher mode is enabled:
- A license, image, configuration, and so on can be restored from an FTP server.
- The following options are available:
    - SSH algorithms:
        - aes128-gcm@openssh.com
        - aes256-gcm@openssh.com
        - hmac-sha2-256
        - hmac-sha2-512
    - IKE/IPsec phase1 proposals:
        - aes128gcm-prfsha256
        - aes128gcm-prfsha384
        - aes128gcm-prfsha512
        - aes256gcm-prfsha256
        - aes256gcm-prfsha384
        - aes256gcm-prfsha512
    - IKE/IPsec phase2 proposals:
        - aes128gcm
        - aes256gcm
    - IKE/IPsec DH groups: default = 19, or any three from 14 - 21, 27 - 32
    - HTTPS for admin and SSL VPN (with RSA server certificate) TLS suites:
        - PFS:
            - TLS_AES_256_GCM_SHA384
            - ECDHE-RSA-AES256-GCM-SHA384
            - DHE-RSA-AES256-GCM-SHA384
            - TLS_AES_128_GCM_SHA256
            - ECDHE-RSA-AES128-GCM-SHA256
            - DHE-RSA-AES128-GCM-SHA256
        - Elliptic curves:
            - prime256v1
            - secp384r1
            - secp521r1
        - DH group:
            - RFC3526/Oakley group 14 (2048 bits)
    - HTTPS for admin and SSL VPN (with ECC server certificate) TLS suites:
        - PFS:
            - TLS_AES_256_GCM_SHA384
            - ECDHE-ECDSA-AES256-GCM-SHA384
            - TLS_AES_128_GCM_SHA256
            - ECDHE-ECDSA-AES128-GCM-SHA256
        - Elliptic curves:
            - prime256v1
            - secp384r1
            - secp521r1
- The FortiCare license is validated.
- FortiGuard databases and engines are updated.
- The DH-RSA-AES128-GCM-SHA256 and DH-RSA-AES256-GCM-SHA384 ciphers are not supported.
- A factory reset is required to disable fips-ciphers mode.
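The allowed-algorithm tables above are what an administrator has to verify against after enabling fips-ciphers mode, for example by comparing them with the algorithms an external scanner reports the VM's SSH, IKE and HTTPS services offering. The following script is an added example, not Fortinet code: it encodes the documented sets and flags anything outside them. The scan results it consumes are constructed sample data, and it reads the DH group rule ("Default = 19, or any three from 14 - 21, 27 - 32") as "one to three groups, each inside those ranges", which is this example's interpretation rather than a statement from the documentation.

```python
"""Compare observed algorithms with the FortiGate-VM fips-ciphers allowed sets.

Added example (not Fortinet code). The allowed sets are copied from the
documentation; the SAMPLE scan result is constructed for illustration.
"""

ALLOWED = {
    "ssh": {"aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
            "hmac-sha2-256", "hmac-sha2-512"},
    # aes128gcm-prfsha256 ... aes256gcm-prfsha512
    "ike_phase1": {f"aes{k}gcm-prfsha{h}" for k in (128, 256) for h in (256, 384, 512)},
    "ike_phase2": {"aes128gcm", "aes256gcm"},
    # HTTPS/SSL VPN suites when the server certificate is RSA
    "tls_rsa": {"TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
                "DHE-RSA-AES256-GCM-SHA384", "TLS_AES_128_GCM_SHA256",
                "ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-GCM-SHA256"},
    # HTTPS/SSL VPN suites when the server certificate is ECC
    "tls_ecc": {"TLS_AES_256_GCM_SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384",
                "TLS_AES_128_GCM_SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256"},
    "tls_curves": {"prime256v1", "secp384r1", "secp521r1"},
}
# IKE DH groups: 14-21 and 27-32
ALLOWED_DH_GROUPS = set(range(14, 22)) | set(range(27, 33))


def disallowed(category, offered):
    """Return the offered names that are outside the fips-ciphers set for
    the category; an empty list means the offer is compliant."""
    allowed = ALLOWED[category]
    return sorted(name for name in set(offered) if name not in allowed)


def check_dh_groups(groups):
    """Validate an IKE DH group selection under this example's reading of
    the rule: 1 to 3 groups, each in 14-21 or 27-32 (assumption)."""
    groups = set(groups)
    problems = []
    if not groups:
        problems.append("no DH group configured")
    if len(groups) > 3:
        problems.append(f"{len(groups)} groups configured, at most three allowed")
    problems += [f"group {g} outside 14-21 / 27-32"
                 for g in sorted(groups - ALLOWED_DH_GROUPS)]
    return problems


def audit(observation):
    """Run every check over a dict of observed values and return
    {category: [findings]} containing only the categories with findings."""
    findings = {}
    for cat in ("ssh", "ike_phase1", "ike_phase2", "tls_curves"):
        if cat in observation:
            bad = disallowed(cat, observation[cat])
            if bad:
                findings[cat] = bad
    if "tls_suites" in observation:
        # The allowed TLS suites depend on the server certificate's key type.
        cert = observation.get("server_cert_type", "rsa")
        bad = disallowed("tls_rsa" if cert == "rsa" else "tls_ecc",
                         observation["tls_suites"])
        if bad:
            findings["tls_suites"] = bad
    if "dh_groups" in observation:
        problems = check_dh_groups(observation["dh_groups"])
        if problems:
            findings["dh_groups"] = problems
    return findings


# Constructed sample: what an external scan of a VM might report.
SAMPLE = {
    "ssh": ["aes128-gcm@openssh.com", "aes128-ctr", "hmac-sha2-256", "hmac-sha1"],
    "ike_phase1": ["aes256gcm-prfsha384", "aes256-sha256"],
    "ike_phase2": ["aes256gcm"],
    "dh_groups": [14, 19, 5],
    "server_cert_type": "rsa",
    "tls_suites": ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
                   "DH-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA384"],
    "tls_curves": ["prime256v1", "secp384r1"],
}

if __name__ == "__main__":
    for cat, items in audit(SAMPLE).items():
        print(f"{cat}: not fips-ciphers compliant -> {items}")
```

Run against the constructed sample, the audit reports the CBC/CTR SSH algorithms, the non-GCM IKE proposal, DH group 5, the explicitly unsupported DH-RSA suite and the non-GCM TLS suite; a scan that returns no findings is consistent with the tables above. Note that the script only compares names, so a scanner's naming convention (IANA TLS 1.3 names versus OpenSSL-style names, as the documentation itself mixes) must match the table entries before the comparison is meaningful.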