
Administration Guide

FIPS cipher mode for AWS, Azure, OCI, and GCP FortiGate-VMs

AWS, Azure, OCI, and GCP FortiGate-VMs support FIPS cipher mode. You must remove all VPN configurations before you can enable FIPS CC mode.

FIPS cipher mode only allows a restricted set of ciphers for features that require encryption, such as SSH, IPsec and SSL VPN, and HTTPS. You cannot use insecure protocols such as Telnet, TFTP, and HTTP to access the FortiGate-VM.

You must perform a factory reset to disable fips-ciphers mode.

To enable fips-ciphers mode, run the following from the CLI and confirm at the prompt:
config system fips-cc
    set status fips-ciphers
end
Warning: entering fips-ciphers mode. To exit this mode, factory reset is required.
Do you want to continue? (y/n) y

FIPS-CC cipher mode is silently enabled when configured via cloud-init.

The following behavior occurs when you enable FIPS cipher mode:

  • You can restore a license, image, configuration, and so on from an FTP server.

  • The following options are available:

    SSH algorithms

    • aes128-gcm@openssh.com

    • aes256-gcm@openssh.com

    • hmac-sha2-256

    • hmac-sha2-512

    IKE/IPsec phase1 proposals

    • aes128-sha256
    • aes128-sha384
    • aes128-sha512
    • aes128gcm-prfsha256
    • aes128gcm-prfsha384
    • aes128gcm-prfsha512
    • aes256-sha256
    • aes256-sha384
    • aes256-sha512
    • aes256gcm-prfsha256
    • aes256gcm-prfsha384
    • aes256gcm-prfsha512

    IKE/IPsec phase2 proposals

    • aes128-sha256
    • aes128-sha384
    • aes128-sha512
    • aes128gcm
    • aes256-sha256
    • aes256-sha384
    • aes256-sha512
    • aes256gcm

    IKE/IPsec DH groups

    • Default = 19, or any three from 14 - 21, 27 - 32

    HTTPS for admin and SSL VPN (with RSA server certificate) TLS suites

    PFS:

    • TLS_AES_256_GCM_SHA384

    • ECDHE-RSA-AES256-GCM-SHA384

    • DHE-RSA-AES256-GCM-SHA384

    • TLS_AES_128_GCM_SHA256

    • ECDHE-RSA-AES128-GCM-SHA256

    • DHE-RSA-AES128-GCM-SHA256

    Elliptic curves:

    • prime256v1

    • secp384r1

    • secp521r1

    DH group:

    • RFC3526/Oakley group 14 (2048 bits)

    HTTPS for admin and SSL VPN (with ECC server certificate) TLS suites

    PFS:

    • TLS_AES_256_GCM_SHA384

    • ECDHE-ECDSA-AES256-GCM-SHA384

    • TLS_AES_128_GCM_SHA256

    • ECDHE-ECDSA-AES128-GCM-SHA256

    Elliptic curves:

    • prime256v1

    • secp384r1

    • secp521r1

  • The FortiCare license is validated.

  • FortiGuard databases and engines are updated.

  • The DH-RSA-AES128-GCM-SHA256 and DH-RSA-AES256-GCM-SHA384 ciphers are not supported.
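
Because existing VPN configurations must be removed before the mode is enabled and only the proposals and DH groups listed above survive it, it helps to audit a planned IPsec configuration against those sets before re-creating tunnels. The following is an added example for this guide, not a Fortinet tool; the FortiOS snippet it parses is constructed, and the parser is deliberately minimal (one `set` per line, `phase1`/`phase2` taken from the `config vpn ipsec` block name).

```python
"""Check planned IPsec phase1/phase2 settings against the proposals and DH
groups that FIPS cipher mode permits (sets copied from the list above).
Added illustrative example, not a Fortinet tool; sample config is constructed."""

AES_SHA = {f"aes{k}-sha{h}" for k in (128, 256) for h in (256, 384, 512)}
PHASE1 = AES_SHA | {f"aes{k}gcm-prfsha{h}" for k in (128, 256) for h in (256, 384, 512)}
PHASE2 = AES_SHA | {"aes128gcm", "aes256gcm"}
DH_GROUPS = set(range(14, 22)) | set(range(27, 33))   # 14-21, 27-32
MAX_DH = 3                                              # "any three"

def bad_proposals(phase, proposals):
    """Proposal names that FIPS cipher mode would not accept for this phase."""
    allowed = PHASE1 if phase == 1 else PHASE2
    return [p for p in proposals if p not in allowed]

def dhgrp_problems(groups):
    """Problems with a 'set dhgrp' value: out-of-range groups or too many."""
    problems = [f"group {g} not permitted" for g in groups if g not in DH_GROUPS]
    if len(groups) > MAX_DH:
        problems.append(f"{len(groups)} groups selected, at most {MAX_DH} allowed")
    return problems

def audit(config_text):
    """Walk a FortiOS-style snippet and return a list of findings."""
    findings, phase = [], None
    for raw in config_text.splitlines():
        words = raw.split()
        if raw.strip().startswith("config vpn ipsec phase"):
            phase = 1 if "phase1" in raw else 2
        elif words[:2] == ["set", "proposal"] and phase:
            findings += [f"phase{phase} proposal {p} not permitted"
                         for p in bad_proposals(phase, words[2:])]
        elif words[:2] == ["set", "dhgrp"] and phase:
            findings += [f"phase{phase} dhgrp: {p}"
                         for p in dhgrp_problems([int(g) for g in words[2:]])]
    return findings

# Constructed sample: a SHA1 phase1 proposal, four DH groups including 5, and a
# 3DES phase2 proposal; none of these are available once FIPS cipher mode is on.
SAMPLE = """config vpn ipsec phase1-interface
    edit "to-hq"
        set proposal aes256-sha256 aes128-sha1
        set dhgrp 5 14 19 20
    next
end
config vpn ipsec phase2-interface
    edit "to-hq-p2"
        set proposal aes256gcm 3des-sha1
    next
end"""
```

Calling `audit(SAMPLE)` returns one finding per offending proposal plus two for the `dhgrp` line (the out-of-range group 5 and the fourth group); an empty list means the planned tunnel only uses what the mode permits.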
