BIOS-level signature and file integrity checking
The BIOS-level signature and integrity checking includes several checks that occur during different stages.
| Stage | Checks |
|---|---|
| BIOS-level signature and integrity check during file upload | Dually-signed images such as the firmware image, AV engine file and IPS engine file are verified during file upload while FortiOS is running. |
| BIOS-level signature and integrity check during the boot process | Dually-signed images such as the firmware image, AV engine file and IPS engine file are verified during the boot process before the kernel is mounted. |
| BIOS-level file integrity check during bootup as files are mounted | Signed hashes of important files related to the kernel, filesystems and AV/IPS engines and executables are verified during bootup as they are mounted and loaded into user space. |
Each FortiOS GA firmware image, AV engine file, and IPS engine file are dually-signed by the Fortinet CA and a third-party CA.
Signature checking occurs when the FortiOS firmware, AV, and IPS engine files are uploaded. This allows the FortiGate to either warn users of potential risks involved with uploading an unauthenticated file, or block the file upload depending on the BIOS security level.
During the boot process, before the kernel is loaded, the BIOS also verifies that each file matches its secure hash as indicated by its certificate. Users are warned when an integrity check fails, and the system may be prevented from booting depending on the severity and the BIOS security level.
Once the signature check passes, important files are extracted, mounted and loaded into user space during the bootup. All the important files are verified against their signed hashes to validate the integrity of the files before they can be mounted or loaded into user space. The hash file containing hashes of all executables and shared libraries is also verified to ensure the integrity of the file before the individual hashes are loaded into memory.
Once the system has started, real-time protection takes over. See Real-time file system integrity checking for more details.
BIOS-level signature and integrity check on firmware images
The outcome of the signature and integrity check during file upload and boot process depends on the security level configured in BIOS and the certificate authority that signed the file.
The following table summarizes the use cases and the potential outcome based on the security level.
| Use case | Certificate signed by Fortinet CA | Certificate signed by third-party CA | Outcome at Level High | Outcome at Level Low |
|---|---|---|---|---|
| GA-Certified (GA firmware, Beta firmware, Top3 final builds) | Yes | Yes | Accept | Accept |
| Non-GA certified (Special builds: Top3 and NPI quick builds) | Yes | No | Warning | Accept |
| Interim and Dev builds, or unknown build | No | Yes or No | Reject | Warning |
The security levels on the BIOS are:
| FortiOS level | Behavior |
|---|---|
| High | FortiOS and BIOS only accept certified images. |
| Low | FortiOS and BIOS accept certified images without a warning, and un-certified images with a warning. |
On FortiGates without supported BIOS security levels, the device acts like security level High. For example, on a FortiGate-VM that does not have BIOS, the security level is defaulted to level High.
Platforms with old BIOS versions will support security levels 0, 1, and 2, while FortiOS will support levels High and Low. BIOS level 2 will correspond to the behaviors in Level High, and BIOS level 0 and 1 will correspond to behaviors in Level Low.
Security levels can be verified using the command
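The two tables above describe a decision that is easy to get wrong when reasoning about a build's provenance, so here is an added model of it in Go. This is not Fortinet's code: it uses Ed25519 keys as stand-ins for the Fortinet CA and third-party CA certificates (no X.509 chain is modelled), and the names NewCAKey, SignImage, NormalizeLevel and ImageVerdict are this example's own. It also folds in the mapping of older BIOS levels 0, 1 and 2 onto Low and High.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Verdict mirrors the three outcomes in the use-case table.
type Verdict string

const (
	Accept  Verdict = "Accept"
	Warning Verdict = "Warning"
	Reject  Verdict = "Reject"
)

// NormalizeLevel maps level names onto the two FortiOS behaviours: newer BIOS
// exposes High and Low; older BIOS exposes 0, 1 and 2, where 2 behaves like
// High and 0 and 1 behave like Low.
func NormalizeLevel(raw string) (string, error) {
	switch raw {
	case "High", "2":
		return "High", nil
	case "Low", "0", "1":
		return "Low", nil
	}
	return "", fmt.Errorf("unknown BIOS security level %q", raw)
}

// NewCAKey stands in for a signing CA (assumption: a bare Ed25519 key pair
// instead of a certificate chain, which this model does not reproduce).
func NewCAKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignImage produces a detached signature over the whole image.
func SignImage(priv ed25519.PrivateKey, image []byte) []byte {
	return ed25519.Sign(priv, image)
}

// ImageVerdict verifies both detached signatures over the image bytes and
// applies the documented policy: dually signed is accepted at any level; a
// valid vendor signature alone warns at High and is accepted at Low; anything
// without a valid vendor signature is rejected at High and warned about at Low.
// A missing or wrong signature simply fails verification, so a tampered image
// falls into the last case regardless of what signatures accompany it.
func ImageVerdict(image, vendorSig, thirdSig []byte, vendorPub, thirdPub ed25519.PublicKey, level string) (Verdict, error) {
	lvl, err := NormalizeLevel(level)
	if err != nil {
		return Reject, err
	}
	vendorOK := ed25519.Verify(vendorPub, image, vendorSig)
	thirdOK := ed25519.Verify(thirdPub, image, thirdSig)
	switch {
	case vendorOK && thirdOK: // GA-certified build
		return Accept, nil
	case vendorOK: // non-GA certified build
		if lvl == "High" {
			return Warning, nil
		}
		return Accept, nil
	default: // interim, dev or unknown build
		if lvl == "High" {
			return Reject, nil
		}
		return Warning, nil
	}
}

func main() {
	vendorPub, vendorPriv := NewCAKey()
	thirdPub, thirdPriv := NewCAKey()
	image := []byte("constructed firmware image payload") // constructed sample, not a real image
	vSig := SignImage(vendorPriv, image)
	tSig := SignImage(thirdPriv, image)
	tampered := append([]byte{}, image...)
	tampered[0] ^= 0x01 // one flipped bit invalidates both signatures

	for _, level := range []string{"High", "Low", "2", "1"} {
		a, _ := ImageVerdict(image, vSig, tSig, vendorPub, thirdPub, level)
		b, _ := ImageVerdict(image, vSig, nil, vendorPub, thirdPub, level)
		c, _ := ImageVerdict(tampered, vSig, tSig, vendorPub, thirdPub, level)
		fmt.Printf("level %-4s dual=%-7s vendor-only=%-7s tampered=%s\n", level, a, b, c)
	}
}
```

The point worth noticing is that the verdict is driven by signature verification over the image bytes, not by any label inside the image: a build that claims to be GA but has been modified after signing is treated exactly like an unknown build.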
Examples of BIOS-level signature and integrity check during file upload
The following examples outline the different use cases when upgrading firmware and AV files on a FortiGate model that supports BIOS security levels, and a FortiGate model that does not support BIOS security levels.
For more information, see the Firmware section and Manual updates.
Upgrading on a device with BIOS security levels
The following use cases are applicable when upgrading firmware on a FortiGate with BIOS security levels. Firmware is upgraded using the System > Fabric Management or System > Firmware page.
| Security Level | Use case | Behavior |
|---|---|---|
| High | Load certified GA image in TFTP in boot menu | FortiGate boots up without warning messages. |
| High | Restore certified GA image in CLI | FortiGate boots up without warning messages. |
| High | Load certified non-GA image in TFTP in boot menu | FortiGate boots up with a warning message: Warning: Non GA FOS image! |
| High | Restore certified non-GA image in CLI | FortiGate displays a warning upon upload: Warning: This firmware image is no GA certified! FortiGate boots up with a warning message: Warning: Non GA FOS image! |
| High | Load un-certified interim image in TFTP in boot menu | The upload is blocked. A warning is displayed: Checking image… This firmware image is not certified! Aborting firmware installation. Please power cycle. System halted. |
| High | Restore un-certified interim image in CLI | The upload is blocked. A warning is displayed: Image verification failed! … |
| Low | Load certified GA or non-GA image in TFTP in boot menu | FortiGate boots up without warning messages. |
| Low | Restore certified GA or non-GA image in CLI | FortiGate boots up without warning messages. |
| Low | Load un-certified interim image in TFTP in boot menu | FortiGate outputs a warning message, but the upload is allowed to proceed: Warning: Image decode failed. Try to continue under security level 1… OK This firmware image is not certified! Save as Default firmware/Backup firmware/Run image without saving [D/B/R]? After boot up: System file integrity init check failed! |
| Low | Restore un-certified interim image in CLI | FortiGate outputs a warning message, but the upload is allowed to proceed: Image verification failed! ... Please continue only if you understand and are willing to accept the risks. Do you want to continue? (y/n) During boot up: Warning: FOS is not authenticated! Continue booting under security level 1... Initializing firewall... After boot up: System file integrity init check failed! |
Upgrading on a device without BIOS security levels
The following use cases are applicable when upgrading firmware and AV files on a FortiGate without BIOS security levels. Firmware is upgraded using the System > Fabric Management or System > Firmware page, and AV files are upgraded using the System > FortiGuard page. A FortiGate 60E is used in these examples and acts like it has security level 1.
When upgrading from 7.0.11 to 7.0.12 with a dually-signed firmware image, FortiOS verifies the certificates and accepts the image.
When upgrading from 7.0.11 to 7.0.12 with an unsigned firmware image in the GUI, FortiOS is unable to verify the certificates and the image fails verification. A warning dialog is displayed indicating that This firmware failed signature validation, but the user can click Continue to use the firmware.
When running 7.0.12 and uploading an unsigned AV engine file on the System > FortiGuard page, FortiOS is unable to verify the certificates and the file fails verification. A warning dialog is displayed indicating that This package file has no signature for validation, but the user can click OK to use the file.
BIOS-level file integrity check on important file-system and object files
During bootup, the kernel is required to verify the signed hashes of important file-system and object files. This prevents file systems with unauthorized changes from being mounted, and other unauthorized objects from being loaded into user space, on bootup.
This verification does not depend on the security level of the device. The verification will always run when the firmware image type is a GA, SA, Beta, or Top3 image. If the signed hash verification fails, the system will halt during bootup.
Example
Upon detection of an altered IPS library file upon bootup, the system will halt as follows:

```
FortiGate-60E (18:03-01.27.2017)
Ver:05000012
Serial number: FGT60ETK1804xxxx
CPU: 1000MHz
Total RAM: 2 GB
Initializing boot device...
Initializing MAC... nplite#0
Please wait for OS to boot, or press any key to display configuration menu......
Booting OS...
Reading boot image... 2891501 bytes.
Initializing firewall...
fos_ima: System Integrity check failed....
CPU3: stopping
CPU1: stopping
CPU0: stopping
```

The exact display in the CLI may vary depending on the device model, security level, or reasons for the failed verification.
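The mechanism behind that halt, as described under "BIOS-level file integrity check on important file-system and object files", is a signed hash file that is itself verified before any of the hashes in it are trusted, followed by a per-object hash check before each object is mounted or loaded. The following Go program is an added model of that order of operations; it is not Fortinet's code, it uses an Ed25519 key as a stand-in for the build-time signing certificate, the in-memory objects are constructed stand-ins for real files, and the names NewBuildKey, BuildManifest and VerifyAtBoot are this example's own.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// NewBuildKey stands in for the key that signs the hash file when the image is
// built (assumption: Ed25519 rather than the vendor's certificate-based signing).
func NewBuildKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildManifest hashes every object with SHA-256 and returns the hash file
// ("<hex digest>  <path>" per line, sorted by path) plus a detached signature
// over the whole file, so that the list of hashes cannot itself be edited.
func BuildManifest(objects map[string][]byte, signer ed25519.PrivateKey) (manifest, sig []byte) {
	paths := make([]string, 0, len(objects))
	for p := range objects {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		sum := sha256.Sum256(objects[p])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), p)
	}
	manifest = []byte(b.String())
	return manifest, ed25519.Sign(signer, manifest)
}

// VerifyAtBoot follows the documented order: the hash file is checked against
// its signature before any individual hash is trusted, then each object is
// hashed and compared before it would be mounted or loaded. It returns the
// objects cleared so far and the first failure, which is where a real boot halts.
func VerifyAtBoot(manifest, sig []byte, pub ed25519.PublicKey, objects map[string][]byte) ([]string, error) {
	if !ed25519.Verify(pub, manifest, sig) {
		return nil, fmt.Errorf("hash file signature invalid: System Integrity check failed")
	}
	var loaded []string
	sc := bufio.NewScanner(bytes.NewReader(manifest))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			return loaded, fmt.Errorf("malformed hash file line %q", sc.Text())
		}
		want, err := hex.DecodeString(fields[0])
		if err != nil {
			return loaded, fmt.Errorf("bad digest for %s: %v", fields[1], err)
		}
		data, ok := objects[fields[1]]
		if !ok {
			return loaded, fmt.Errorf("%s: listed in hash file but missing", fields[1])
		}
		got := sha256.Sum256(data)
		if !bytes.Equal(got[:], want) {
			return loaded, fmt.Errorf("%s: System Integrity check failed", fields[1])
		}
		loaded = append(loaded, fields[1])
	}
	return loaded, nil
}

func main() {
	pub, priv := NewBuildKey()
	// Constructed stand-ins for kernel-side objects; not real FortiOS files.
	objects := map[string][]byte{
		"/bin/init":      []byte("init executable (constructed)"),
		"/lib/libav.so":  []byte("AV engine library (constructed)"),
		"/lib/libips.so": []byte("IPS engine library (constructed)"),
	}
	manifest, sig := BuildManifest(objects, priv)

	loaded, err := VerifyAtBoot(manifest, sig, pub, objects)
	fmt.Println("clean boot:", loaded, err)

	// Alter the IPS library after signing: the boot stops at that object.
	objects["/lib/libips.so"] = append(objects["/lib/libips.so"], '!')
	loaded, err = VerifyAtBoot(manifest, sig, pub, objects)
	fmt.Println("altered IPS library:", loaded, err)
}
```

Two properties of the real check are visible here: editing the hash file to match an altered object does not help, because the file's own signature fails first and nothing is loaded; and an object that is altered after signing is refused at the point it would be loaded, which is why the page's console output shows the halt only after "Initializing firewall...".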