Fortinet white logo
Fortinet white logo

FortiGate-6000 Administration Guide

Configuring a FortiGate-6000 to operate in FIPS-CC mode

Configuring a FortiGate-6000 to operate in FIPS-CC mode

If the version of FortiOS running on your FortiGate 6000F supports FIPS-CC mode, you can use the config system fips-cc command to switch your FortiGate 6000F to operate in FIPS-CC mode.

When you enter this command on most FortiGate models, the FortiGate restarts, generates a new set of encryption keys, runs a set of startup and conditional self-tests, and then starts up operating in FIPS-CC mode.

The FortiGate 6000F follows the same process except that first the management board and then all of the FPCs each generate their own sets of keys and then run their own set of startup and conditional self tests.

To make sure the conversion goes smoothly, you should make sure all of the FPCs are synchronized with the management board before switching to FIPS-CC mode. From the management board CLI, you can run the diagnose load-balance status command to confirm that the Status Message for all FPCs is Running.

diagnose load-balance status 
==========================================================================
MBD SN: F6KF31T018900143
  Primary FPC Blade: slot-1

     Slot  1: FPC6KFT018901327
       Status:Working   Function:Active 
       Link:      Base: Up          Fabric: Up  
       Heartbeat: Management: Good   Data: Good  
       Status Message:"Running"
     Slot  2: FPC6KFT018901372
       Status:Working   Function:Active 
       Link:      Base: Up          Fabric: Up  
       Heartbeat: Management: Good   Data: Good  
       Status Message:"Running"
     Slot  3: FPC6KFT018901346
       Status:Working   Function:Active 
       Link:      Base: Up          Fabric: Up  
       Heartbeat: Management: Good   Data: Good  
       Status Message:"Running"
     Slot  4: FPC6KFT018901574
       Status:Working   Function:Active 
       Link:      Base: Up          Fabric: Up  
       Heartbeat: Management: Good   Data: Good  
       Status Message:"Running"
     Slot  5: FPC6KFT018901345
       Status:Working   Function:Active 
       Link:      Base: Up          Fabric: Up  
       Heartbeat: Management: Good   Data: Good  
       Status Message:"Running"
     Slot  6: FPC6KFT018901556
       Status:Working   Function:Active 
       Link:      Base: Up          Fabric: Up  
       Heartbeat: Management: Good   Data: Good  
       Status Message:"Running"
Note

If one or more FPCs are not running or are not synchronized you may need to wait a bit longer for the FPC to start up and become synchronized. You could also try manually restarting the FPC or check Troubleshooting an FPC failure for other suggestions.

If all of the FPCs are running and synchronized, you can enter the config system fips-cc command from the management board CLI. If you are logged into the management board CLI using a console connection, messages similar to the following appear as the management board completes its self tests and then waits for the FPCs to complete their self-tests:

FIPS-CC mode: Starting self-tests.
Running Configuration/VPN Bypass test... passed
Running AES test... passed
Running SHA1 HMAC test... passed
Running SHA256 HMAC test... passed
Running SHA384/512 HMAC test... passed
Running RSA test... passed
Running ECDSA test... passed
Running TLS1.1-KDF test... passed
Running TLS1.2-KDF test... passed
Running SSH-KDF test... passed
Running IKEv1-KDF test... passed
Running IKEv2-KDF test... passed
Running Primitive-Z test... passed
Running Firmware integrity test... passed
Running RBG-instantiate test... passed
Running RBG-reseed test... passed
Running RBG-generate test... passed
Motherboard Self-tests passed
Please wait for FPC self-tests to complete

As each FPC completes its self-tests, the FPC sends the results (pass or fail) to the management board. Each FPC also records log messages with the self- test results. Until all of the FPCs have reported successfully passing their self-tests, the front panel interfaces remain down.

This may take a few minutes. When all of the FPCs pass their self-tests, the following message appears on the management board console connection:

FPC self-tests have completed

The login prompt appears and you can log into the management board CLI. The front panel interfaces come up as well.

You can use the get system status command to verify that the FortiGate 6000F is operating in FIPS-CC mode.

get system status
.
.
.
FIPS-CC mode: enable 
.
.
.

Troubleshooting FortiGate 6000F self tests

Since the management board and all of the FPCs have to pass their self-tests, converting a FortiGate 6000F to FIPS-CC mode may take longer than expected and may be more prone to temporary failure than expected.

All FPCs must pass their self-tests before the self-test timer expires. So if the timer is set to 1440 seconds, the management board will wait up to 1440 seconds to receive self-test pass messages from all of the FPCs. If the self test timer expires before all of the FPCs pass their self-tests, the FortiGate 6000F keeps running but all interfaces remain shut down.

The self-test timer gives you time to check the status of the FPCs and troubleshoot and resolve any problems that may prevent them from starting up or passing their self-tests.

Fortinet recommends that once the management board passes its self tests, run the diagnose load-balance status command to confirm that the Status Message for all FPCs is Running.

diagnose load-balance status 
==========================================================================
MBD SN: F6KF31T018900143
  Primary FPC Blade: slot-1

     Slot  1: FPC6KFT018901327
       Status:Working   Function:Active 
       Link:      Base: Up          Fabric: Up  
       Heartbeat: Management: Good   Data: Good  
       Status Message:"Running"
     Slot  2: FPC6KFT018901372
       Status:Working   Function:Active 
       Link:      Base: Up          Fabric: Up  
       Heartbeat: Management: Good   Data: Good  
       Status Message:"Running"
     Slot  3: FPC6KFT018901346
       Status:Working   Function:Active 
       Link:      Base: Up          Fabric: Up  
       Heartbeat: Management: Good   Data: Good  
       Status Message:"Running"
     Slot  4: FPC6KFT018901574
       Status:Working   Function:Active 
       Link:      Base: Up          Fabric: Up  
       Heartbeat: Management: Good   Data: Good  
       Status Message:"Running"
     Slot  5: FPC6KFT018901345
       Status:Working   Function:Active 
       Link:      Base: Up          Fabric: Up  
       Heartbeat: Management: Good   Data: Good  
       Status Message:"Running"
     Slot  6: FPC6KFT018901556
       Status:Working   Function:Active 
       Link:      Base: Up          Fabric: Up  
       Heartbeat: Management: Good   Data: Good  
       Status Message:"Running"

If the FortiGate 6000F has just started up, some of the FPCs may not be in the running state because they are still starting up. Try running the diagnose load-balance status command a few more times to see if all of the FPCs transition to the running state.

If an FPC continues to not be in the running state, you can try manually restarting it. You can also use the information in Troubleshooting an FPC failure to do further investigation.

If an FPC fails its self-test, the management board console may display a message similar to the following (which indicates that the FPC in slot 2 experienced a self-test failure):

Self-test failure: FPC 0000002

The FPC may self-correct and re-try and pass the self-test without any intervention. You could also try manually restarting the FPC or check Troubleshooting an FPC failure for other suggestions.

Configuring a FortiGate-6000 to operate in FIPS-CC mode

Configuring a FortiGate-6000 to operate in FIPS-CC mode

If the version of FortiOS running on your FortiGate 6000F supports FIPS-CC mode, you can use the config system fips-cc command to switch your FortiGate 6000F to operate in FIPS-CC mode.

When you enter this command on most FortiGate models, the FortiGate restarts, generates a new set of encryption keys, runs a set of startup and conditional self-tests, and then starts up operating in FIPS-CC mode.

The FortiGate 6000F follows the same process except that first the management board and then all of the FPCs each generate their own sets of keys and then run their own set of startup and conditional self tests.

To make sure the conversion goes smoothly, you should make sure all of the FPCs are synchronized with the management board before switching to FIPS-CC mode. From the management board CLI, you can run the diagnose load-balance status command to confirm that the Status Message for all FPCs is Running.

diagnose load-balance status 
==========================================================================
MBD SN: F6KF31T018900143
  Primary FPC Blade: slot-1

     Slot  1: FPC6KFT018901327
       Status:Working   Function:Active 
       Link:      Base: Up          Fabric: Up  
       Heartbeat: Management: Good   Data: Good  
       Status Message:"Running"
     Slot  2: FPC6KFT018901372
       Status:Working   Function:Active 
       Link:      Base: Up          Fabric: Up  
       Heartbeat: Management: Good   Data: Good  
       Status Message:"Running"
     Slot  3: FPC6KFT018901346
       Status:Working   Function:Active 
       Link:      Base: Up          Fabric: Up  
       Heartbeat: Management: Good   Data: Good  
       Status Message:"Running"
     Slot  4: FPC6KFT018901574
       Status:Working   Function:Active 
       Link:      Base: Up          Fabric: Up  
       Heartbeat: Management: Good   Data: Good  
       Status Message:"Running"
     Slot  5: FPC6KFT018901345
       Status:Working   Function:Active 
       Link:      Base: Up          Fabric: Up  
       Heartbeat: Management: Good   Data: Good  
       Status Message:"Running"
     Slot  6: FPC6KFT018901556
       Status:Working   Function:Active 
       Link:      Base: Up          Fabric: Up  
       Heartbeat: Management: Good   Data: Good  
       Status Message:"Running"
Note

If one or more FPCs are not running or are not synchronized you may need to wait a bit longer for the FPC to start up and become synchronized. You could also try manually restarting the FPC or check Troubleshooting an FPC failure for other suggestions.

If all of the FPCs are running and synchronized, you can enter the config system fips-cc command from the management board CLI. If you are logged into the management board CLI using a console connection, messages similar to the following appear as the management board completes its self tests and then waits for the FPCs to complete their self-tests:

FIPS-CC mode: Starting self-tests.
Running Configuration/VPN Bypass test... passed
Running AES test... passed
Running SHA1 HMAC test... passed
Running SHA256 HMAC test... passed
Running SHA384/512 HMAC test... passed
Running RSA test... passed
Running ECDSA test... passed
Running TLS1.1-KDF test... passed
Running TLS1.2-KDF test... passed
Running SSH-KDF test... passed
Running IKEv1-KDF test... passed
Running IKEv2-KDF test... passed
Running Primitive-Z test... passed
Running Firmware integrity test... passed
Running RBG-instantiate test... passed
Running RBG-reseed test... passed
Running RBG-generate test... passed
Motherboard Self-tests passed
Please wait for FPC self-tests to complete

As each FPC completes its self-tests, the FPC sends the results (pass or fail) to the management board. Each FPC also records log messages with the self- test results. Until all of the FPCs have reported successfully passing their self-tests, the front panel interfaces remain down.

This may take a few minutes. When all of the FPCs pass their self-tests, the following message appears on the management board console connection:

FPC self-tests have completed

The login prompt appears and you can log into the management board CLI. The front panel interfaces come up as well.

You can use the get system status command to verify that the FortiGate 6000F is operating in FIPS-CC mode.

get system status
.
.
.
FIPS-CC mode: enable 
.
.
.

Troubleshooting FortiGate 6000F self tests

Since the management board and all of the FPCs have to pass their self-tests, converting a FortiGate 6000F to FIPS-CC mode may take longer than expected and may be more prone to temporary failure than expected.

All FPCs must pass their self-tests before the self-test timer expires. So if the timer is set to 1440 seconds, the management board will wait up to 1440 seconds to receive self-test pass messages from all of the FPCs. If the self test timer expires before all of the FPCs pass their self-tests, the FortiGate 6000F keeps running but all interfaces remain shut down.

The self-test timer gives you time to check the status of the FPCs and troubleshoot and resolve any problems that may prevent them from starting up or passing their self-tests.

Fortinet recommends that once the management board passes its self tests, run the diagnose load-balance status command to confirm that the Status Message for all FPCs is Running.

diagnose load-balance status 
==========================================================================
MBD SN: F6KF31T018900143
  Primary FPC Blade: slot-1

     Slot  1: FPC6KFT018901327
       Status:Working   Function:Active 
       Link:      Base: Up          Fabric: Up  
       Heartbeat: Management: Good   Data: Good  
       Status Message:"Running"
     Slot  2: FPC6KFT018901372
       Status:Working   Function:Active 
       Link:      Base: Up          Fabric: Up  
       Heartbeat: Management: Good   Data: Good  
       Status Message:"Running"
     Slot  3: FPC6KFT018901346
       Status:Working   Function:Active 
       Link:      Base: Up          Fabric: Up  
       Heartbeat: Management: Good   Data: Good  
       Status Message:"Running"
     Slot  4: FPC6KFT018901574
       Status:Working   Function:Active 
       Link:      Base: Up          Fabric: Up  
       Heartbeat: Management: Good   Data: Good  
       Status Message:"Running"
     Slot  5: FPC6KFT018901345
       Status:Working   Function:Active 
       Link:      Base: Up          Fabric: Up  
       Heartbeat: Management: Good   Data: Good  
       Status Message:"Running"
     Slot  6: FPC6KFT018901556
       Status:Working   Function:Active 
       Link:      Base: Up          Fabric: Up  
       Heartbeat: Management: Good   Data: Good  
       Status Message:"Running"

If the FortiGate 6000F has just started up, some of the FPCs may not be in the running state because they are still starting up. Try running the diagnose load-balance status command a few more times to see if all of the FPCs transition to the running state.

If an FPC continues to not be in the running state, you can try manually restarting it. You can also use the information in Troubleshooting an FPC failure to do further investigation.

If an FPC fails its self-test, the management board console may display a message similar to the following (which indicates that the FPC in slot 2 experienced a self-test failure):

Self-test failure: FPC 0000002

The FPC may self-correct and re-try and pass the self-test without any intervention. You could also try manually restarting the FPC or check Troubleshooting an FPC failure for other suggestions.