CLI Reference

fips

Use this command to set the Federal Information Processing Standards (FIPS) status. FIPS mode is an enhanced security option for some FortiAnalyzer models. Installation of FIPS firmware is required only if the unit was not ordered with this firmware pre-installed.

Syntax

config system fips
    set status enable
    set entropy-token {enable | disable | dynamic}
    set re-seed-interval <integer>
end

Variables and descriptions

status enable
    Enable the FIPS-CC mode of operation.
    Note: The enable option is available only when the device is not already in FIPS mode.

entropy-token {enable | disable | dynamic}
    Configure support for the FortiTRNG entropy token when switching to FIPS mode:
      • enable: The token must be present during boot-up and reseeding. If the token is not present, boot-up or reseeding is interrupted until the token is inserted.
      • disable: The current entropy implementation is used to seed the Random Number Generator (RNG) (default).
      • dynamic: The token is used to seed or reseed the RNG if it is present. If the token is not present, the boot process is not blocked and the old entropy implementation is used.

re-seed-interval <integer>
    The interval between RNG reseeds, in minutes (0 - 1440, default = 1440).
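As an added example (not Fortinet's code), the following Python audit pulls the config system fips block out of a FortiAnalyzer-style configuration dump and checks its values against the enum and range documented above. It assumes the usual config / set / end dump layout and uses a constructed sample; the findings about dynamic mode and the interval range are taken directly from the descriptions on this page.

```python
import re
from dataclasses import dataclass

ENTROPY_MODES = {"enable", "disable", "dynamic"}
RESEED_MIN, RESEED_MAX = 0, 1440

@dataclass
class FipsSettings:
    status: str = "disable"          # only 'enable' is documented for this command
    entropy_token: str = "disable"   # documented default
    re_seed_interval: str = "1440"   # documented default, in minutes

def parse_fips_block(config_text: str) -> FipsSettings:
    """Extract the 'config system fips' block; absent 'set' lines keep defaults."""
    settings, in_block = FipsSettings(), False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system fips":
            in_block = True
        elif in_block and line == "end":
            break
        elif in_block:
            m = re.fullmatch(r"set (status|entropy-token|re-seed-interval) (\S+)", line)
            if m:
                setattr(settings, m.group(1).replace("-", "_"), m.group(2))
    return settings

def audit_fips(s: FipsSettings) -> list[str]:
    """Check values against the enum and range the reference documents."""
    findings = []
    if s.status != "enable":
        findings.append("FIPS-CC mode is not enabled")
    if s.entropy_token not in ENTROPY_MODES:
        findings.append(f"entropy-token {s.entropy_token!r} is not enable|disable|dynamic")
    elif s.entropy_token == "dynamic":
        findings.append("entropy-token dynamic: boot proceeds without the token (old entropy used)")
    if not s.re_seed_interval.isdigit() or not RESEED_MIN <= int(s.re_seed_interval) <= RESEED_MAX:
        findings.append(f"re-seed-interval {s.re_seed_interval!r} is outside {RESEED_MIN}-{RESEED_MAX} minutes")
    return findings

# Constructed sample dump (not from a real device); the interval is deliberately out of range.
SAMPLE_CONFIG = """\
config system fips
    set status enable
    set entropy-token dynamic
    set re-seed-interval 2000
end
"""
```

Running audit_fips(parse_fips_block(SAMPLE_CONFIG)) reports the dynamic-mode fallback and the out-of-range interval; a block that omits a set line is audited against the documented default.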