Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiWeb 6.4.2 CLI Reference
    6.4.2
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.23
    6.3.19
    6.3.18
    6.3.17
    6.3.16
    6.3.15
    6.3.14
    6.3.13
    6.3.11
    6.3.10
    6.3.9
    6.3.7
    6.3.6
    6.3.5
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    5.7.0
    5.6.1
    5.6.0

    system fips-cc

    system fips-cc

    Use this command to enable and configure Federal Information Processing Standards (FIPS) and Common Criteria (CC) compliant mode.

    Syntax

    config system fips-cc

    set status {enable | disable | fips-ciphers}

    set entropy-token {dynamic | enable | disable}

    set reseed-interval <reseed-interval_int>

    set ssl-client-restrict {enable | disable}

    end

    Variable Description Default

    status {enable | disable | fips-ciphers}

    Select enable or disable to turn on and off the FIPS operation mode. fips-ciphers is a special kind of FIPS mode.

    fips-ciphers mode

    The fips-ciphers mode is only supported by FortiWeb-VMs on AWS and Azure. In fips-ciphers mode, FortiWeb has the following limitations:

    1. For the business traffic going through FortiWeb, both HTTP and HTTPS protocols are allowed, but TLS 1.0 and TLS 1.1 are not supported for HTTPS traffic. Only the following SSL ciphers are allowed:

      2. For TLS1.3

    • TLS_AES_256_GCM_SHA384
    • TLS_AES_128_GCM_SHA256

    For TLS1.2

    • ECDHE-ECDSA-AES256-GCM-SHA384
    • ECDHE-RSA-AES256-GCM-SHA384
    • DHE-RSA-AES256-GCM-SHA384
    • ECDHE-ECDSA-AES128-GCM-SHA256
    • ECDHE-RSA-AES128-GCM-SHA256
    • DHE-RSA-AES128-GCM-SHA256
  • For the traffic to FortiWeb's CLI and GUI, HTTP and Telnet are not allowed. Only HTTPS and SSH are allowed. The supported SSL ciphers for HTTPS traffic are the same as listed above.
    The supported ciphers for SSH traffic include:
    • diffie-hellman-group-exchange-sha256
    • ssh-rsa
    • hmac-sha2-256
    • hmac-sha2-512
    • aes128-gcm@openssh.com
    • aes256-gcm@openssh.com
  • shell mode is disable in fips-ciphers mode.

    • To ensure a truly fips-ciphers configuration, it's recommended to start with a clean install or do a factory reset first.

    Once fips-ciphers mode is enabled, disabling this mode would be done by a factory reset.

    disable

    entropy-token {dynamic | enable | disable}

    		 Use the entropy token to seed the RNG in FIPS-CC mode.
    • When the status is enabled, the entropy token is used to seed or reseed the RNG, and it must be inserted to FortiWeb.
    • When the status is disabled, the entropy token is not used to seed or reseed the RNG, but the old method will be used to seed or reseed the RNG.
    • When the status is dynamic, it means when entropy token is present, the entropy token will be used to seed or reseed the RNG; if the token is not present, the old method will be used to seed or reseed the RNG.

    		 disable

    reseed-interval <reseed-interval_int>

    		 Set the interval to reseed the RNG. The valid range is 0–1440 minutes.

    1440

    ssl-client-restrict {enable | disable}

    		 Enable/disable ciphers restriction. disable
    Previous
    Next

    system fips-cc

    system fips-cc

    Use this command to enable and configure Federal Information Processing Standards (FIPS) and Common Criteria (CC) compliant mode.

    Syntax

    config system fips-cc

    set status {enable | disable | fips-ciphers}

    set entropy-token {dynamic | enable | disable}

    set reseed-interval <reseed-interval_int>

    set ssl-client-restrict {enable | disable}

    end

    Variable Description Default

    status {enable | disable | fips-ciphers}

    Select enable or disable to turn on and off the FIPS operation mode. fips-ciphers is a special kind of FIPS mode.

    fips-ciphers mode

    The fips-ciphers mode is only supported by FortiWeb-VMs on AWS and Azure. In fips-ciphers mode, FortiWeb has the following limitations:

    1. For the business traffic going through FortiWeb, both HTTP and HTTPS protocols are allowed, but TLS 1.0 and TLS 1.1 are not supported for HTTPS traffic. Only the following SSL ciphers are allowed:

      2. For TLS1.3

    • TLS_AES_256_GCM_SHA384
    • TLS_AES_128_GCM_SHA256

    For TLS1.2

    • ECDHE-ECDSA-AES256-GCM-SHA384
    • ECDHE-RSA-AES256-GCM-SHA384
    • DHE-RSA-AES256-GCM-SHA384
    • ECDHE-ECDSA-AES128-GCM-SHA256
    • ECDHE-RSA-AES128-GCM-SHA256
    • DHE-RSA-AES128-GCM-SHA256
  • For the traffic to FortiWeb's CLI and GUI, HTTP and Telnet are not allowed. Only HTTPS and SSH are allowed. The supported SSL ciphers for HTTPS traffic are the same as listed above.
    The supported ciphers for SSH traffic include:
    • diffie-hellman-group-exchange-sha256
    • ssh-rsa
    • hmac-sha2-256
    • hmac-sha2-512
    • aes128-gcm@openssh.com
    • aes256-gcm@openssh.com
  • shell mode is disable in fips-ciphers mode.

    • To ensure a truly fips-ciphers configuration, it's recommended to start with a clean install or do a factory reset first.

    Once fips-ciphers mode is enabled, disabling this mode would be done by a factory reset.

    disable

    entropy-token {dynamic | enable | disable}

    		 Use the entropy token to seed the RNG in FIPS-CC mode.
    • When the status is enabled, the entropy token is used to seed or reseed the RNG, and it must be inserted to FortiWeb.
    • When the status is disabled, the entropy token is not used to seed or reseed the RNG, but the old method will be used to seed or reseed the RNG.
    • When the status is dynamic, it means when entropy token is present, the entropy token will be used to seed or reseed the RNG; if the token is not present, the old method will be used to seed or reseed the RNG.

    		 disable

    reseed-interval <reseed-interval_int>

    		 Set the interval to reseed the RNG. The valid range is 0–1440 minutes.

    1440

    ssl-client-restrict {enable | disable}

    		 Enable/disable ciphers restriction. disable
    Previous
    Next