Fortinet white logo
Fortinet white logo

Administration Guide

BIOS-level signature and file integrity checking

BIOS-level signature and file integrity checking

The BIOS-level signature and integrity checking includes several checks that occur during different stages.

Stage

Checks

BIOS-level signature and integrity check during file upload

Dually-signed images such as the firmware image, AV engine file and IPS engine file are verified during file upload while FortiOS is running.

BIOS-level signature and integrity check during the boot process

Dually-signed images such as the firmware image, AV engine file and IPS engine file are verified during the boot process before the kernel is mounted.

BIOS-level file integrity check during bootup as files are mounted

Signed hashes of important files related to the kernel, filesystems and AV/IPS engines and executables are verified during bootup as they are mounted and loaded into user space.

Each FortiOS GA firmware image, AV engine file, and IPS engine file are dually-signed by the Fortinet CA and a third-party CA.

Signature checking occurs when the FortiOS firmware, AV, and IPS engine files are uploaded. This allows the FortiGate to either warn users of potential risks involved with uploading an unauthenticated file, or block the file upload depending on the BIOS security level.

During the boot process before the kernel is loaded, the BIOS also verifies that each file matches their secure hash as indicated by their certificates. Users are warned when there is a failed integrity check, and the system may be prevented from booting depending on the severity and the BIOS security level.

Once the signature check passes, important files are extracted, mounted and loaded into user space during the bootup. All the important files are verified against their signed hashes to validate the integrity of the files before they can be mounted or loaded into user space. The hash file containing hashes of all executables and shared libraries is also verified to ensure the integrity of the file before the individual hashes are loaded into memory.

When the system is started, real-time protection kicks in. See Real-time file system integrity checking for more details.

BIOS-level signature and integrity check on firmware images

The outcome of the signature and integrity check during file upload and boot process depends on the security level configured in BIOS and the certificate authority that signed the file.

The following table summarizes the use cases and the potential outcome based on the security level.

Use case

Certificate signed by

Outcome based on security level

Fortinet CA

Third-party CA

Level 2

Level 1

Level 0

GA-Certified

(GA firmware, Beta firmware, Top3 final builds)

Yes

Yes

Accept

Accept

Accept

Non-GA certified

(Special builds: Top3 and NPI quick builds)

Yes

No

Warning

Accept

Accept

Interim and Dev builds, or unknown build

No

Yes or No

Reject

Warning

Accept

The security levels on the BIOS are:

  • Level 2: in order to operate normally, FortiOS requires all file signatures to match their secure checksums as indicated on both Fortinet and third-party CA signed certificates.

    • If a file has a Fortinet CA signed certificate but no third-party signed certificates, then FortiOS can still run but displays a warning in the GUI and CLI.

    • If a file has no valid certificate signed by the Fortinet CA, then FortiOS is not allowed to run.

  • Level 1: in order to operate normally, FortiOS only requires all file signatures to match their secure checksums as indicated on the Fortinet CA signed certificate.

    • If a file has no valid certificate signed by the Fortinet CA, then FortiOS can still run but displays a warning in the GUI and CLI.

  • Level 0 (not recommended): FortiOS does not perform code verification.

On FortiGates without supported BIOS security levels, the device acts like security level 2. For example, on a FortiGate-VM that does not have BIOS, the security level is defaulted to level 2.

To verify the BIOS security level:
# get system status
Version: FortiGate-101F v7.0.12,build0523,230606 (GA.M)Security Level: 2
Firmware Signature: certified

The following examples outline the different use cases when upgrading firmware and AV files on a FortiGate model that supports BIOS security levels, and a FortiGate model that does not support BIOS security levels.

For more information, see the Firmware section and Manual updates.

Examples of BIOS-level signature and integrity check during file upload

The following examples outline the different use cases when upgrading firmware and AV files on a FortiGate model that supports BIOS security levels, and a FortiGate model that does not support BIOS security levels.

For more information, see the Firmware section and Manual updates.

Upgrading on a device with BIOS security levels

The following use cases are applicable when upgrading firmware on a FortiGate with BIOS security levels. Firmware is upgraded using the System > Fabric Management or System > Firmware page. In the following examples, the FortiOS version is upgraded from 7.0.11 to 7.0.12 and interim build numbers are used to demonstrate the functionality of this feature on a FortiGate 101F.

Level 2

When upgrading with a dually-signed firmware image, FortiOS verifies the certificates and accepts the image. The following CLI output shows the messages displayed when a FortiGate is upgraded.

FortiGate_101F (global) # get system status
Version: FortiGate-101F v7.0.11,build0489,230314 (GA.M)
Firmware Signature: certified
Virus-DB: 1.00000(2018-04-09 18:07)
…
FortiGate_101F (global) # Image verification OK!
Firmware upgrade in progress ...

Done.

The system is going down NOW !!

Please stand by while rebooting the system.
Restarting system.
…

System is starting...

The config file may contain errors.
Please see details by the command 'diagnose debug config-error-log read'.

FortiGate_101F login: admin
Password:
Welcome!
			
FortiGate_101F (global) # get system status
Version: FortiGate-101F v7.0.12,build0523,230606 (GA.M)
Security Level: 2
Firmware Signature: certified

When upgrading with an unsigned firmware image in the GUI, FortiOS is unable to verify the certificates and rejects the image. A notification is displayed that This firmware image didn't pass the signature verification.

When uploading a dually-signed IPS engine file on the System > FortiGuard page, FortiOS verifies the certificates and accepts the file. A notification is displayed (Successfully upgraded database).

When uploading an unsigned IPS engine file on the System > FortiGuard page, FortiOS is unable to verify the certificates and rejects the file. A notification is displayed that the device Failed to upgrade database.

Level 1

When upgrading with a dually-signed firmware image, FortiOS verifies the certificates and accepts the image. No warning is displayed during the upgrade, or while the system is running in 7.0.12.

When upgrading with an unsigned firmware image in the GUI, FortiOS is unable to verify the certificates and the image fails verification. The upgrade will still occur. However, during the upgrade process, a warning dialog is displayed indicating that This firmware failed signature validation. The user can click Continue to upgrade the firmware.

When the user logs in to the FortiGate running 7.0.12, a warning dialog is displayed indicating that the Installed Firmware is Not Signed by Fortinet. The user can click I Understand The Risk to log in.

When the FortiGate is running unsigned firmware, warnings appear in the GUI and CLI.

  • Top banner: the unsigned firmware version is highlighted in red. Hovering over the unsigned firmware version displays a tooltip that the Installed firmware is not signed by Fortinet.

  • Dashboard > Status > System Information widget: the unsigned firmware version is highlighted in red. Hovering over the unsigned firmware version displays a tooltip that the Installed firmware is not signed by Fortinet.

  • Enter the following in the CLI to verify the firmware status:

    # get system status
    Version: FortiGate-VM64 v7.0.12,build0515,230509 (interim)
    Security Level: 1
    Firmware Signature: un-certified
    Virus-DB: 91.03113(2023-05-09 15:26)

When running uploading an unsigned IPS engine file on the System > FortiGuard page, FortiOS is unable to verify the certificates and the file fails verification. A warning dialog is displayed indicating that This package file has no signature for validation, but the user can click OK to use the file.

Level 0

When upgrading with a dually-signed firmware image, FortiOS verifies the certificates and accepts the image. No verification is performed.

When upgrading with an unsigned firmware image in the GUI, FortiOS does not verify the certificates. No warnings are displayed that the firmware is unverified.

Upgrading on a device without BIOS security levels

The following use cases are applicable when upgrading firmware and AV files on a FortiGate without BIOS security levels. Firmware is upgraded using the System > Fabric Management or System > Firmware page, and AV files are upgraded using the System > FortiGuard page. A FortiGate 60E is used in these examples and acts like it has security level 1.

When upgrading from 7.0.11 to 7.0.12 with a dually-signed firmware image, FortiOS verifies the certificates and accepts the image.

When upgrading from 7.0.11 to 7.0.12 with an unsigned firmware image in the GUI, FortiOS is unable to verify the certificates and the image fails verification. A warning dialog is displayed indicating that This firmware failed signature validation, but the user can click Continue to use the firmware.

When running 7.0.12 and uploading an unsigned AV engine file on the System > FortiGuard page, FortiOS is unable to verify the certificates and the file fails verification. A warning dialog is displayed indicating that This package file has no signature for validation, but the user can click OK to use the file.

BIOS-level file integrity check on important file-system and object files

During bootup, the kernel is required to verify the signed hashes of important file-system and object files. This prevents unauthorized changes to file-systems to be mounted and other unauthorized objects to be loaded into user space on bootup.

This verification does not depend on the security level of the device. The verification will always run when the firmware image type is a GA, SA, Beta, or Top3 image. If the signed hash verification fails, the system will halt during bootup.

Example

Upon detection of an altered IPS library file upon bootup, the system will halt as follows:

FortiGate-60E (18:03-01.27.2017)
Ver:05000012
Serial number: FGT60ETK1804xxxx
CPU: 1000MHz
Total RAM: 2 GB
Initializing boot device...
Initializing MAC... nplite#0
Please wait for OS to boot, or press any key to display configuration menu......
Booting OS...
Reading boot image... 2891501 bytes.
Initializing firewall...
fos_ima: System Integrity check failed....
CPU3: stopping
CPU1: stopping
CPU0: stopping
Note

The exact display in the CLI may vary depending on the device model, security level, or reasons for the failed verification.

BIOS-level signature and file integrity checking

BIOS-level signature and file integrity checking

The BIOS-level signature and integrity checking includes several checks that occur during different stages.

Stage

Checks

BIOS-level signature and integrity check during file upload

Dually-signed images such as the firmware image, AV engine file and IPS engine file are verified during file upload while FortiOS is running.

BIOS-level signature and integrity check during the boot process

Dually-signed images such as the firmware image, AV engine file and IPS engine file are verified during the boot process before the kernel is mounted.

BIOS-level file integrity check during bootup as files are mounted

Signed hashes of important files related to the kernel, filesystems and AV/IPS engines and executables are verified during bootup as they are mounted and loaded into user space.

Each FortiOS GA firmware image, AV engine file, and IPS engine file are dually-signed by the Fortinet CA and a third-party CA.

Signature checking occurs when the FortiOS firmware, AV, and IPS engine files are uploaded. This allows the FortiGate to either warn users of potential risks involved with uploading an unauthenticated file, or block the file upload depending on the BIOS security level.

During the boot process before the kernel is loaded, the BIOS also verifies that each file matches their secure hash as indicated by their certificates. Users are warned when there is a failed integrity check, and the system may be prevented from booting depending on the severity and the BIOS security level.

Once the signature check passes, important files are extracted, mounted and loaded into user space during the bootup. All the important files are verified against their signed hashes to validate the integrity of the files before they can be mounted or loaded into user space. The hash file containing hashes of all executables and shared libraries is also verified to ensure the integrity of the file before the individual hashes are loaded into memory.

When the system is started, real-time protection kicks in. See Real-time file system integrity checking for more details.

BIOS-level signature and integrity check on firmware images

The outcome of the signature and integrity check during file upload and boot process depends on the security level configured in BIOS and the certificate authority that signed the file.

The following table summarizes the use cases and the potential outcome based on the security level.

Use case

Certificate signed by

Outcome based on security level

Fortinet CA

Third-party CA

Level 2

Level 1

Level 0

GA-Certified

(GA firmware, Beta firmware, Top3 final builds)

Yes

Yes

Accept

Accept

Accept

Non-GA certified

(Special builds: Top3 and NPI quick builds)

Yes

No

Warning

Accept

Accept

Interim and Dev builds, or unknown build

No

Yes or No

Reject

Warning

Accept

The security levels on the BIOS are:

  • Level 2: in order to operate normally, FortiOS requires all file signatures to match their secure checksums as indicated on both Fortinet and third-party CA signed certificates.

    • If a file has a Fortinet CA signed certificate but no third-party signed certificates, then FortiOS can still run but displays a warning in the GUI and CLI.

    • If a file has no valid certificate signed by the Fortinet CA, then FortiOS is not allowed to run.

  • Level 1: in order to operate normally, FortiOS only requires all file signatures to match their secure checksums as indicated on the Fortinet CA signed certificate.

    • If a file has no valid certificate signed by the Fortinet CA, then FortiOS can still run but displays a warning in the GUI and CLI.

  • Level 0 (not recommended): FortiOS does not perform code verification.

On FortiGates without supported BIOS security levels, the device acts like security level 2. For example, on a FortiGate-VM that does not have BIOS, the security level is defaulted to level 2.

To verify the BIOS security level:
# get system status
Version: FortiGate-101F v7.0.12,build0523,230606 (GA.M)Security Level: 2
Firmware Signature: certified

The following examples outline the different use cases when upgrading firmware and AV files on a FortiGate model that supports BIOS security levels, and a FortiGate model that does not support BIOS security levels.

For more information, see the Firmware section and Manual updates.

Examples of BIOS-level signature and integrity check during file upload

The following examples outline the different use cases when upgrading firmware and AV files on a FortiGate model that supports BIOS security levels, and a FortiGate model that does not support BIOS security levels.

For more information, see the Firmware section and Manual updates.

Upgrading on a device with BIOS security levels

The following use cases are applicable when upgrading firmware on a FortiGate with BIOS security levels. Firmware is upgraded using the System > Fabric Management or System > Firmware page. In the following examples, the FortiOS version is upgraded from 7.0.11 to 7.0.12 and interim build numbers are used to demonstrate the functionality of this feature on a FortiGate 101F.

Level 2

When upgrading with a dually-signed firmware image, FortiOS verifies the certificates and accepts the image. The following CLI output shows the messages displayed when a FortiGate is upgraded.

FortiGate_101F (global) # get system status
Version: FortiGate-101F v7.0.11,build0489,230314 (GA.M)
Firmware Signature: certified
Virus-DB: 1.00000(2018-04-09 18:07)
…
FortiGate_101F (global) # Image verification OK!
Firmware upgrade in progress ...

Done.

The system is going down NOW !!

Please stand by while rebooting the system.
Restarting system.
…

System is starting...

The config file may contain errors.
Please see details by the command 'diagnose debug config-error-log read'.

FortiGate_101F login: admin
Password:
Welcome!
			
FortiGate_101F (global) # get system status
Version: FortiGate-101F v7.0.12,build0523,230606 (GA.M)
Security Level: 2
Firmware Signature: certified

When upgrading with an unsigned firmware image in the GUI, FortiOS is unable to verify the certificates and rejects the image. A notification is displayed that This firmware image didn't pass the signature verification.

When uploading a dually-signed IPS engine file on the System > FortiGuard page, FortiOS verifies the certificates and accepts the file. A notification is displayed (Successfully upgraded database).

When uploading an unsigned IPS engine file on the System > FortiGuard page, FortiOS is unable to verify the certificates and rejects the file. A notification is displayed that the device Failed to upgrade database.

Level 1

When upgrading with a dually-signed firmware image, FortiOS verifies the certificates and accepts the image. No warning is displayed during the upgrade, or while the system is running in 7.0.12.

When upgrading with an unsigned firmware image in the GUI, FortiOS is unable to verify the certificates and the image fails verification. The upgrade will still occur. However, during the upgrade process, a warning dialog is displayed indicating that This firmware failed signature validation. The user can click Continue to upgrade the firmware.

When the user logs in to the FortiGate running 7.0.12, a warning dialog is displayed indicating that the Installed Firmware is Not Signed by Fortinet. The user can click I Understand The Risk to log in.

When the FortiGate is running unsigned firmware, warnings appear in the GUI and CLI.

  • Top banner: the unsigned firmware version is highlighted in red. Hovering over the unsigned firmware version displays a tooltip that the Installed firmware is not signed by Fortinet.

  • Dashboard > Status > System Information widget: the unsigned firmware version is highlighted in red. Hovering over the unsigned firmware version displays a tooltip that the Installed firmware is not signed by Fortinet.

  • Enter the following in the CLI to verify the firmware status:

    # get system status
    Version: FortiGate-VM64 v7.0.12,build0515,230509 (interim)
    Security Level: 1
    Firmware Signature: un-certified
    Virus-DB: 91.03113(2023-05-09 15:26)

When running uploading an unsigned IPS engine file on the System > FortiGuard page, FortiOS is unable to verify the certificates and the file fails verification. A warning dialog is displayed indicating that This package file has no signature for validation, but the user can click OK to use the file.

Level 0

When upgrading with a dually-signed firmware image, FortiOS verifies the certificates and accepts the image. No verification is performed.

When upgrading with an unsigned firmware image in the GUI, FortiOS does not verify the certificates. No warnings are displayed that the firmware is unverified.

Upgrading on a device without BIOS security levels

The following use cases are applicable when upgrading firmware and AV files on a FortiGate without BIOS security levels. Firmware is upgraded using the System > Fabric Management or System > Firmware page, and AV files are upgraded using the System > FortiGuard page. A FortiGate 60E is used in these examples and acts like it has security level 1.

When upgrading from 7.0.11 to 7.0.12 with a dually-signed firmware image, FortiOS verifies the certificates and accepts the image.

When upgrading from 7.0.11 to 7.0.12 with an unsigned firmware image in the GUI, FortiOS is unable to verify the certificates and the image fails verification. A warning dialog is displayed indicating that This firmware failed signature validation, but the user can click Continue to use the firmware.

When running 7.0.12 and uploading an unsigned AV engine file on the System > FortiGuard page, FortiOS is unable to verify the certificates and the file fails verification. A warning dialog is displayed indicating that This package file has no signature for validation, but the user can click OK to use the file.

BIOS-level file integrity check on important file-system and object files

During bootup, the kernel is required to verify the signed hashes of important file-system and object files. This prevents unauthorized changes to file-systems to be mounted and other unauthorized objects to be loaded into user space on bootup.

This verification does not depend on the security level of the device. The verification will always run when the firmware image type is a GA, SA, Beta, or Top3 image. If the signed hash verification fails, the system will halt during bootup.

Example

Upon detection of an altered IPS library file upon bootup, the system will halt as follows:

FortiGate-60E (18:03-01.27.2017)
Ver:05000012
Serial number: FGT60ETK1804xxxx
CPU: 1000MHz
Total RAM: 2 GB
Initializing boot device...
Initializing MAC... nplite#0
Please wait for OS to boot, or press any key to display configuration menu......
Booting OS...
Reading boot image... 2891501 bytes.
Initializing firewall...
fos_ima: System Integrity check failed....
CPU3: stopping
CPU1: stopping
CPU0: stopping
Note

The exact display in the CLI may vary depending on the device model, security level, or reasons for the failed verification.