CLI Reference

system fips-cc

Use this command to enable and configure Federal Information Processing Standards (FIPS) and Common Criteria (CC) compliant mode.

Syntax

config system fips-cc

set status {enable | disable}

set entropy-token {dynamic | enable | disable}

set reseed-interval <reseed-interval_int>

set ssl-client-restrict {enable | disable}

end

Variables, descriptions and defaults

status {enable | disable}

Enable/disable FIPS operation mode. This setting can be changed only from the console.

Default: disable

entropy-token {dynamic | enable | disable}

Use the entropy token to seed the random number generator (RNG) in FIPS-CC mode.
  • enable: the entropy token is used to seed and reseed the RNG, and the token must be inserted into the FortiWeb appliance.
  • disable: the entropy token is not used; the RNG is seeded and reseeded by the previous (non-token) method.
  • dynamic: if the entropy token is present, it is used to seed and reseed the RNG; if it is not present, the previous method is used.

Default: disable

reseed-interval <reseed-interval_int>

Set the interval, in minutes, at which the RNG is reseeded. The valid range is 0–1440 minutes.

Default: 1440

ssl-client-restrict {enable | disable}

Enable/disable cipher restriction.

Default: disable
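The settings above are easy to read off one appliance, but a compliance review usually works from saved configuration dumps. The following added example (not Fortinet code and not part of this reference) parses a `config system fips-cc ... end` block in the CLI syntax shown above, fills in the documented defaults for variables that are not set explicitly, and reports settings that leave the appliance outside a FIPS-CC hardened posture. The configuration text is constructed for the example, and the finding texts and the `parse_block`/`audit_fips_cc` names are this example's own, not the product's.

```python
"""Audit a FortiWeb 'config system fips-cc' block for FIPS-CC hardening.

Added example, not Fortinet code. It assumes a saved configuration in the
config/set/end syntax shown in the reference, with the values 'enable',
'disable' and 'dynamic' appearing verbatim and in lower case.
"""
import re

# Constructed sample configuration dump (not captured from a real appliance).
SAMPLE_CONFIG = """\
config system global
    set hostname FWB-LAB
end
config system fips-cc
    set status enable
    set entropy-token disable
    set reseed-interval 0
    set ssl-client-restrict disable
end
"""

# Documented defaults for the fips-cc block, taken from the reference above.
DEFAULTS = {
    "status": "disable",
    "entropy-token": "disable",
    "reseed-interval": "1440",
    "ssl-client-restrict": "disable",
}

# Documented valid range for reseed-interval, in minutes.
RESEED_MIN, RESEED_MAX = 0, 1440


def parse_block(config_text, path="system fips-cc"):
    """Return the 'set' key/value pairs inside 'config <path> ... end'.

    Variables that are not set explicitly fall back to the documented
    default, which is also what the appliance applies for unset variables.
    """
    settings = dict(DEFAULTS)
    in_block = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == f"config {path}":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":
            break
        match = re.match(r"set (\S+) (.+)$", line)
        if match:
            settings[match.group(1)] = match.group(2).strip().strip('"')
    return settings


def audit_fips_cc(settings):
    """Return a list of finding strings; an empty list means no concerns."""
    findings = []
    if settings["status"] != "enable":
        findings.append("status: FIPS-CC operation mode is not enabled")
    if settings["entropy-token"] == "disable":
        findings.append("entropy-token: the entropy token is not used to seed the RNG")
    elif settings["entropy-token"] == "dynamic":
        # Documented behaviour: without the token the previous method is used,
        # so 'dynamic' does not guarantee token-based seeding.
        findings.append("entropy-token: dynamic falls back to the previous method "
                        "when the token is absent")
    try:
        interval = int(settings["reseed-interval"])
    except ValueError:
        interval = None
    if interval is None or not RESEED_MIN <= interval <= RESEED_MAX:
        findings.append("reseed-interval: value outside the documented range "
                        f"{RESEED_MIN}-{RESEED_MAX} minutes")
    if settings["ssl-client-restrict"] != "enable":
        findings.append("ssl-client-restrict: cipher restriction is disabled")
    return findings


if __name__ == "__main__":
    parsed = parse_block(SAMPLE_CONFIG)
    for finding in audit_fips_cc(parsed) or ["no findings"]:
        print(finding)
```

Running the script against the constructed dump reports two findings (entropy token not used, cipher restriction disabled). A dump that lacks the `config system fips-cc` block entirely is audited against the defaults, which reflects how the appliance behaves when nothing has been set.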
