Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.4.1 Administration Guide
    7.4.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    FIPS cipher mode for AWS, Azure, OCI, and GCP FortiGate-VMs

    FIPS cipher mode for AWS, Azure, OCI, and GCP FortiGate-VMs

    AWS, Azure, OCI, and GCP FortiGate-VMs support FIPS cipher mode. You must remove all VPN configurations before you can enable FIPS CC mode.

    FIPS cipher mode only allows a restricted set of ciphers for features that require encryption, such as SSH, IPsec and SSL VPN, and HTTPS. You cannot use insecure protocols such as Telnet, TFTP, and HTTP to access the FortiGate-VM.

    You must perform a factory reset to disable fips-ciphers mode.

    To enable fips-cipher mode:
    config system fips-cc
    set status fips-ciphers
end
Warning: entering fips-ciphers mode. To exit this mode, factory reset is required.
Do you want to continue? (y/n) y

    The following behavior occurs when you enable FIPS cipher mode:

    • You can restore a license, image, configuration, and so on from an FTP server.

    • The following options are available:

      SSH algorithms

      • aes128-gcm@openssh.com

      • aes256-gcm@openssh.com

      • hmac-sha2-256

      • hmac-sha2-512

      IKE/IPsec phase1 proposals

      • aes128-sha256
      • aes128-sha256
      • aes128-sha384
      • aes128-sha384
      • aes128-sha512
      • aes128-sha512
      • aes128gcm-prfsha256
      • aes128gcm-prfsha256
      • aes128gcm-prfsha384
      • aes128gcm-prfsha384
      • aes128gcm-prfsha512
      • aes128gcm-prfsha512
      • aes256-sha256
      • aes256-sha256
      • aes256-sha384
      • aes256-sha384
      • aes256-sha512
      • aes256-sha512
      • aes256gcm-prfsha256
      • aes256gcm-prfsha256
      • aes256gcm-prfsha384
      • aes256gcm-prfsha384
      • aes256gcm-prfsha512
      • aes256gcm-prfsha512

      IKE/IPsec phase2 proposals

      • aes128-sha256
      • aes128-sha256
      • aes128-sha384
      • aes128-sha384
      • aes128-sha512
      • aes128-sha512
      • aes128gcm
      • aes128gcm
      • aes256-sha256
      • aes256-sha256
      • aes256-sha384
      • aes256-sha384
      • aes256-sha512
      • aes256-sha512
      • aes256gcm
      • aes256gcm

      IKE/IPsec DH groups

      • Default = 19, or any three from 14 - 21, 27 - 32

      HTTPS for admin and SSL VPN (with RSA server certificate) TLS suites

      PFS:

      • TLS_AES_256_GCM_SHA384

      • ECDHE-RSA-AES256-GCM-SHA384

      • DHE-RSA-AES256-GCM-SHA384

      • TLS_AES_128_GCM_SHA256

      • ECDHE-RSA-AES128-GCM-SHA256

      • DHE-RSA-AES128-GCM-SHA256

      Elliptic curves:

      • prime256v1

      • secp384r1

      • secp521r1

      DH group:

      • RFC3526/Oakley group 14 (2048 bits)

      HTTPS for admin and SSL VPN (with ECC server certificate) TLS suites

      PFS:

      • TLS_AES_256_GCM_SHA384

      • ECDHE-ECDSA-AES256-GCM-SHA384

      • TLS_AES_128_GCM_SHA256

      • ECDHE-ECDSA-AES128-GCM-SHA256

      Elliptic curves:

      • prime256v1

      • secp384r1

      • secp521r1

    • The FortiCare license is validated.

    • FortiGuard databases and engines are updated.

    • The DH-RSA-AES128-GCM-SHA256 and DH-RSA-AES256-GCM-SHA384 ciphers are not supported.

    Previous
    Next

    FIPS cipher mode for AWS, Azure, OCI, and GCP FortiGate-VMs

    FIPS cipher mode for AWS, Azure, OCI, and GCP FortiGate-VMs

    AWS, Azure, OCI, and GCP FortiGate-VMs support FIPS cipher mode. You must remove all VPN configurations before you can enable FIPS CC mode.

    FIPS cipher mode only allows a restricted set of ciphers for features that require encryption, such as SSH, IPsec and SSL VPN, and HTTPS. You cannot use insecure protocols such as Telnet, TFTP, and HTTP to access the FortiGate-VM.

    You must perform a factory reset to disable fips-ciphers mode.

    To enable fips-cipher mode:
    config system fips-cc
    set status fips-ciphers
end
Warning: entering fips-ciphers mode. To exit this mode, factory reset is required.
Do you want to continue? (y/n) y

    The following behavior occurs when you enable FIPS cipher mode:

    • You can restore a license, image, configuration, and so on from an FTP server.

    • The following options are available:

      SSH algorithms

      • aes128-gcm@openssh.com

      • aes256-gcm@openssh.com

      • hmac-sha2-256

      • hmac-sha2-512

      IKE/IPsec phase1 proposals

      • aes128-sha256
      • aes128-sha256
      • aes128-sha384
      • aes128-sha384
      • aes128-sha512
      • aes128-sha512
      • aes128gcm-prfsha256
      • aes128gcm-prfsha256
      • aes128gcm-prfsha384
      • aes128gcm-prfsha384
      • aes128gcm-prfsha512
      • aes128gcm-prfsha512
      • aes256-sha256
      • aes256-sha256
      • aes256-sha384
      • aes256-sha384
      • aes256-sha512
      • aes256-sha512
      • aes256gcm-prfsha256
      • aes256gcm-prfsha256
      • aes256gcm-prfsha384
      • aes256gcm-prfsha384
      • aes256gcm-prfsha512
      • aes256gcm-prfsha512

      IKE/IPsec phase2 proposals

      • aes128-sha256
      • aes128-sha256
      • aes128-sha384
      • aes128-sha384
      • aes128-sha512
      • aes128-sha512
      • aes128gcm
      • aes128gcm
      • aes256-sha256
      • aes256-sha256
      • aes256-sha384
      • aes256-sha384
      • aes256-sha512
      • aes256-sha512
      • aes256gcm
      • aes256gcm

      IKE/IPsec DH groups

      • Default = 19, or any three from 14 - 21, 27 - 32

      HTTPS for admin and SSL VPN (with RSA server certificate) TLS suites

      PFS:

      • TLS_AES_256_GCM_SHA384

      • ECDHE-RSA-AES256-GCM-SHA384

      • DHE-RSA-AES256-GCM-SHA384

      • TLS_AES_128_GCM_SHA256

      • ECDHE-RSA-AES128-GCM-SHA256

      • DHE-RSA-AES128-GCM-SHA256

      Elliptic curves:

      • prime256v1

      • secp384r1

      • secp521r1

      DH group:

      • RFC3526/Oakley group 14 (2048 bits)

      HTTPS for admin and SSL VPN (with ECC server certificate) TLS suites

      PFS:

      • TLS_AES_256_GCM_SHA384

      • ECDHE-ECDSA-AES256-GCM-SHA384

      • TLS_AES_128_GCM_SHA256

      • ECDHE-ECDSA-AES128-GCM-SHA256

      Elliptic curves:

      • prime256v1

      • secp384r1

      • secp521r1

    • The FortiCare license is validated.

    • FortiGuard databases and engines are updated.

    • The DH-RSA-AES128-GCM-SHA256 and DH-RSA-AES256-GCM-SHA384 ciphers are not supported.

    Previous
    Next