Fortinet black logo

CLI Reference

system fips-cc

system fips-cc

Use this command to enable and configure Federal Information Processing Standards (FIPS) and Common Criteria (CC) compliant mode.

Syntax

config system fips-cc

set status {enable | disable | fips-ciphers}

set entropy-token {dynamic | enable | disable}

set reseed-interval <reseed-interval_int>

set ssl-client-restrict {enable | disable}

end

Variable Description Default

status {enable | disable | fips-ciphers}

Select enable or disable to turn on and off the FIPS operation mode. fips-ciphers is a special kind of FIPS mode.

fips-ciphers mode

The fips-ciphers mode is only supported by FortiWeb-VMs on AWS and Azure. In fips-ciphers mode, FortiWeb has the following limitations:

  1. For the business traffic going through FortiWeb, both HTTP and HTTPS protocols are allowed, but TLS 1.0 and TLS 1.1 are not supported for HTTPS traffic. Only the following SSL ciphers are allowed:
  2. For TLS1.3

  • TLS_AES_256_GCM_SHA384
  • TLS_AES_128_GCM_SHA256

For TLS1.2

  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • DHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • DHE-RSA-AES128-GCM-SHA256
  • For the traffic to FortiWeb's CLI and GUI, HTTP and Telnet are not allowed. Only HTTPS and SSH are allowed. The supported SSL ciphers for HTTPS traffic are the same as listed above.
    The supported ciphers for SSH traffic include:
    • diffie-hellman-group-exchange-sha256
    • ssh-rsa
    • hmac-sha2-256
    • hmac-sha2-512
    • aes128-gcm@openssh.com
    • aes256-gcm@openssh.com
  • shell mode is disable in fips-ciphers mode.
  • To ensure a truly fips-ciphers configuration, it's recommended to start with a clean install or do a factory reset first.

    Once fips-ciphers mode is enabled, disabling this mode would be done by a factory reset.

    disable

    entropy-token {dynamic | enable | disable}

    Use the entropy token to seed the RNG in FIPS-CC mode.
    • When the status is enabled, the entropy token is used to seed or reseed the RNG, and it must be inserted to FortiWeb.
    • When the status is disabled, the entropy token is not used to seed or reseed the RNG, but the old method will be used to seed or reseed the RNG.
    • When the status is dynamic, it means when entropy token is present, the entropy token will be used to seed or reseed the RNG; if the token is not present, the old method will be used to seed or reseed the RNG.

    disable

    reseed-interval <reseed-interval_int>

    Set the interval to reseed the RNG. The valid range is 0–1440 minutes.

    1440

    ssl-client-restrict {enable | disable}

    Enable/disable ciphers restriction. disable

    system fips-cc

    Use this command to enable and configure Federal Information Processing Standards (FIPS) and Common Criteria (CC) compliant mode.

    Syntax

    config system fips-cc

    set status {enable | disable | fips-ciphers}

    set entropy-token {dynamic | enable | disable}

    set reseed-interval <reseed-interval_int>

    set ssl-client-restrict {enable | disable}

    end

    Variable Description Default

    status {enable | disable | fips-ciphers}

    Select enable or disable to turn on and off the FIPS operation mode. fips-ciphers is a special kind of FIPS mode.

    fips-ciphers mode

    The fips-ciphers mode is only supported by FortiWeb-VMs on AWS and Azure. In fips-ciphers mode, FortiWeb has the following limitations:

    1. For the business traffic going through FortiWeb, both HTTP and HTTPS protocols are allowed, but TLS 1.0 and TLS 1.1 are not supported for HTTPS traffic. Only the following SSL ciphers are allowed:
    2. For TLS1.3

    • TLS_AES_256_GCM_SHA384
    • TLS_AES_128_GCM_SHA256

    For TLS1.2

    • ECDHE-ECDSA-AES256-GCM-SHA384
    • ECDHE-RSA-AES256-GCM-SHA384
    • DHE-RSA-AES256-GCM-SHA384
    • ECDHE-ECDSA-AES128-GCM-SHA256
    • ECDHE-RSA-AES128-GCM-SHA256
    • DHE-RSA-AES128-GCM-SHA256
  • For the traffic to FortiWeb's CLI and GUI, HTTP and Telnet are not allowed. Only HTTPS and SSH are allowed. The supported SSL ciphers for HTTPS traffic are the same as listed above.
    The supported ciphers for SSH traffic include:
    • diffie-hellman-group-exchange-sha256
    • ssh-rsa
    • hmac-sha2-256
    • hmac-sha2-512
    • aes128-gcm@openssh.com
    • aes256-gcm@openssh.com
  • shell mode is disable in fips-ciphers mode.
  • To ensure a truly fips-ciphers configuration, it's recommended to start with a clean install or do a factory reset first.

    Once fips-ciphers mode is enabled, disabling this mode would be done by a factory reset.

    disable

    entropy-token {dynamic | enable | disable}

    Use the entropy token to seed the RNG in FIPS-CC mode.
    • When the status is enabled, the entropy token is used to seed or reseed the RNG, and it must be inserted to FortiWeb.
    • When the status is disabled, the entropy token is not used to seed or reseed the RNG, but the old method will be used to seed or reseed the RNG.
    • When the status is dynamic, it means when entropy token is present, the entropy token will be used to seed or reseed the RNG; if the token is not present, the old method will be used to seed or reseed the RNG.

    disable

    reseed-interval <reseed-interval_int>

    Set the interval to reseed the RNG. The valid range is 0–1440 minutes.

    1440

    ssl-client-restrict {enable | disable}

    Enable/disable ciphers restriction. disable