UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The FortiGate devices must use FIPS-validated Keyed-Hash Message Authentication Code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications.


Overview

Finding ID Version Rule ID IA Controls Severity
V-234211 FGFW-ND-000260 SV-234211r879784_rule High
Description
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised. Nonlocal maintenance and diagnostic activities are those activities conducted by individuals communicating through a network, either an external network (e.g., the internet) or an internal network. Currently, HMAC is the only FIPS-approved algorithm for generating and verifying message/data authentication codes in accordance with FIPS 198-1. Products that are FIPS 140-2 validated will have an HMAC that meets specification; however, the option must be configured for use as the only message authentication code used for authentication to cryptographic modules. Separate requirements for configuring applications and protocols used by each application (e.g., SNMPv3, SSHv2, NTP, HTTPS, and other protocols and applications that require server/client authentication) are required to implement this requirement. Where SSH is used, the SSHv2 protocol suite is required because it includes Layer 7 protocols such as SCP and SFTP, which can be used for secure file transfers.
STIG Date
Fortinet FortiGate Firewall NDM Security Technical Implementation Guide 2023-06-01

Details

Check Text ( C-37396r611820_chk )
Log in to the FortiGate GUI with Super-Admin privilege.

1. Click Network, Interfaces.
2. Click the interface designated for device management traffic.
3. On Administrative Access, verify HTTPS and SSH are selected, and HTTP is not.

If HTTPS and SSH are not selected for administrative access, or HTTP is selected, this is a finding.

or

1. Open a CLI console, via SSH or available from the GUI.
2. Run the following command:
# show full-configuration system interface port{Management Port Integer #} | grep -i allowaccess

The output should include:
set allowaccess ping https ssh

If the allowaccess parameter does not include https and ssh, this is a finding. If the allowaccess parameter includes http, this is a finding.
Fix Text (F-37361r611821_fix)
Log in to the FortiGate GUI with Super-Admin privilege.

1. Click Network, Interfaces
2. Click the interface designated for device management traffic and pick Edit.
3. On Administrative Access, select HTTPS and SSH. Deselect HTTP.
4. Click OK.

or

1. Open a CLI console, via SSH or available from the GUI.
2. Run the following command:
# config system interface
# edit port{Management Port Integer #}
# set allowaccess ping https ssh
# end

Note: When adding or removing a protocol, the entire list of protocols must be typed again. For example, in an existing access list of HTTPS and SSH, if HTTP needs to be added, use the following CLI command:
# set allowaccess https ssh ping http