OSPF Message Digest Authentication is unsupported when in FIPS-CC Mode (FortiOS 7.0 only)

This article describes a known issue when attempting to enable OSPF Message Digest Authentication in FortiOS 7.0 while FIPS-CC mode is enabled (the issue does not affect FortiGates running in non-FIPS mode).

Scope

FortiOS 7.0, FIPS-CC.

Solution

In FortiOS 7.0.1 and later, support was added for RFC 5709 (OSPFv2 HMAC-SHA Cryptographic Authentication) so that the FortiGate could support HMAC-SHA authentication for OSPF in addition to the existing MD5 message-digest scheme.

While this works fine in standard FortiOS, it has been found that OSPF cryptographic authentication cannot be enabled when FIPS-CC mode is enabled. More specifically, the set authentication option only offers none and text as available values, not message-digest, so no cryptographic OSPF authentication scheme can be configured:

Standard FortiOS 7.0:

config router ospf
config ospf-interface
edit <name>
set authentication [none | text | message-digest]
end

FIPS-mode FortiOS 7.0:

config router ospf
config ospf-interface
edit <name>
set authentication [none | text]
end

With that in mind, this issue is tracked as Issue #921821 and is resolved in FortiOS 7.2.6 GA, FortiOS 7.4.1 GA, and all later releases. Notably, it is not resolved for FortiOS 7.0 at the time of this writing, and this is unlikely to change: the fix is a major change and FortiOS 7.0 is unlikely to be re-certified for FIPS.

Note: While the OSPF Authentication feature is available in the resolved FortiOS versions, the list of available authentication schemes is reduced when FIPS mode is enabled compared to non-FIPS FortiGates. Notably, md5 and hmac-sha1 are not available:

FortiGate # config router key-chain
FortiGate (key-chain) # edit test
new entry 'test' added
FortiGate (test) # config key
FortiGate (key) # edit 1
new entry '1' added
FortiGate (1) # set algorithm
md5 MD5. <-- Not available in FIPS mode.
hmac-sha1 HMAC-SHA1. <-- Not available in FIPS mode.
hmac-sha256 HMAC-SHA256. <-- Available in FIPS mode.
hmac-sha384 HMAC-SHA384. <-- Available in FIPS mode.
hmac-sha512 HMAC-SHA512. <-- Available in FIPS mode.
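To make concrete what the key-chain algorithm choice above feeds into, here is an added worked example (not Fortinet code) of the RFC 5709 OSPFv2 cryptographic authentication trailer computed with the three algorithms that remain available in FIPS mode. The packet bytes, key, Key ID and sequence number are constructed for illustration; it assumes that Ko is zero-extended to the hash block size for the Ipad/Opad XOR, i.e. the standard HMAC construction keyed with the RFC 5709-prepared Ko.

```python
import hashlib
import hmac
import struct

# Only the key-chain algorithms the article lists as usable in FIPS mode (mapped to hashlib names).
FIPS_ALGORITHMS = {"hmac-sha256": "sha256", "hmac-sha384": "sha384", "hmac-sha512": "sha512"}

def prepare_key(key: bytes, digestmod: str) -> bytes:
    """RFC 5709 key preparation: Ko is always exactly L (digest length) octets long."""
    L = hashlib.new(digestmod).digest_size
    if len(key) > L:
        return hashlib.new(digestmod, key).digest()   # Ko = H(K)
    return key.ljust(L, b"\x00")                      # Ko = K zero-padded to L octets

def ospf_auth_data(packet: bytes, key: bytes, algorithm: str) -> bytes:
    """Authentication Data = HMAC(Ko, packet || Apad), Apad = 0x878FE1F3 repeated L/4 times."""
    digestmod = FIPS_ALGORITHMS[algorithm]            # KeyError for md5 / hmac-sha1, as in FIPS mode
    L = hashlib.new(digestmod).digest_size
    apad = bytes.fromhex("878FE1F3") * (L // 4)
    # Assumption: Ko is zero-extended to the block size for the Ipad/Opad XOR (standard HMAC).
    return hmac.new(prepare_key(key, digestmod), packet + apad, digestmod).digest()

def ospf_packet(pkt_type: int, body: bytes, router_id: int, area_id: int,
                key_id: int, auth_len: int, seq: int) -> bytes:
    """OSPFv2 header with AuType 2: checksum 0; auth field = 0x0000, Key ID, Auth Data Length, Seq."""
    hdr = struct.pack("!BBHIIHH", 2, pkt_type, 24 + len(body), router_id, area_id, 0, 2)
    return hdr + struct.pack("!HBBI", 0, key_id, auth_len, seq) + body

def sign(packet: bytes, key: bytes, algorithm: str) -> bytes:
    """Append the digest as the authentication trailer (not counted in the OSPF length field)."""
    return packet + ospf_auth_data(packet, key, algorithm)

def verify(wire: bytes, key: bytes, algorithm: str) -> bool:
    """Split off the trailer using Auth Data Length (header byte 19), recompute, compare in constant time."""
    auth_len = wire[19]
    length = struct.unpack("!H", wire[2:4])[0]
    if auth_len != hashlib.new(FIPS_ALGORITHMS[algorithm]).digest_size or len(wire) != length + auth_len:
        return False
    packet, trailer = wire[:length], wire[length:]
    return hmac.compare_digest(ospf_auth_data(packet, key, algorithm), trailer)

if __name__ == "__main__":
    # Constructed sample: a Hello (type 1) from router 10.0.0.1 in area 0, mask /24, hello 10s, dead 40s.
    hello_body = struct.pack("!IHBBIII", 0xFFFFFF00, 10, 0x02, 1, 40, 0, 0)
    pkt = ospf_packet(1, hello_body, 0x0A000001, 0, key_id=1, auth_len=32, seq=1)
    wire = sign(pkt, b"constructed-demo-key", "hmac-sha256")
    print(len(wire) - len(pkt), verify(wire, b"constructed-demo-key", "hmac-sha256"))  # 32 True
```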

At this time, admins with FIPS-enabled FortiGates who need OSPF authentication (and whose OSPF use cases support hmac-sha256, hmac-sha384, and/or hmac-sha512) can upgrade to the aforementioned FortiOS 7.2/7.4 versions (or any later revision). As a reminder, FIPS mode works on both the FIPS-certified builds (like FIPS-CC-70-16) and the General Availability (GA) builds of FortiOS (see the related documents links below).

Additionally, Fortinet is in the process of certifying FortiOS 7.2 and 7.4 for FIPS 140-3 and NDcPP, but at the time of this writing (2024-08-08) the certification process is still ongoing, so certified builds are not available for these major FortiOS versions.