NIAP: Compliant Product
Compliant Product - Fortinet FortiMail 6.0

Certificate Date:  2019.01.17

Validation Report Number:  CCEVS-VR-VID10899-2019

Product Type:    Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Network Devices Version 2.0 + Errata 20180314

CC Testing Lab:  Acumen Security


Product Description

FortiMail appliances are specialized email security systems that provide multi-layered protection against blended threats comprised of spam, viruses, worms and spyware. FortiMail’s inbound filtering engine blocks spam and malware before it can clog networks and affect users. FortiMail’s dynamic and static user-blocking provides granular control over all email policies and users. Secure content delivery is enforced with FortiMail’s Identity-Based Encryption (IBE), S/MIME, or TLS email encryption options. FortiMail’s predefined or customized dictionaries prevent accidental and intentional loss of confidential data.

Administration of the system may be performed locally through the Command Line Interface (CLI) using an administrator console or remotely via a network management station through the FortiMail Web-based manager (using HTTPS). The administrator accesses the CLI via terminal emulation software (e.g. Hyperterm) on a computer co-located with the appliance.  This computer is connected to the appliance via a serial cable.  Access to the FortiMail administrative functions including audit data is restricted to authenticated Administrators.  Administrator authentication is performed by the appliance.

FortiMail supports two high availability modes. Config-only mode provides load balancing and allows up to 25 FortiMail units to share a common configuration, but operate as separate FortiMail units. In Active-passive mode a second (passive) FortiMail unit can be configured as a failover device if the primary (active) FortiMail unit fails. All data from the active unit, except for the Bayesian database, is duplicated to the passive unit.

FortiMail supports three modes of operation: gateway mode, transparent mode and server mode. Gateway mode and transparent mode are within the scope of this evaluation. In all modes, the FortiMail system provides antivirus, antispam, content filtering, email routing and email archiving functionality with only minor changes to existing networks.  These features are not within the scope of this evaluation.

When operating in gateway mode, FortiMail acts as a Mail Transfer Agent (MTA), also known as an email gateway or relay. The FortiMail system receives email messages, scans for viruses and spam, then relays email to its destination email server for delivery. External MTAs connect to the FortiMail system, rather than directly to the protected email server.  When operating in gateway mode, all of the system's interfaces are on different IP subnets and the FortiMail acts as a router for SMTP/SMTPS traffic. MTA was not covered within the scope of this evaluation.

When operating in transparent mode, all of the system's interfaces are on the same IP subnet and the FortiMail unit effectively acts as a bridge.  In transparent mode, the FortiMail system must be physically inline between the protected email server and all SMTP clients — unlike gateway mode.  Email clients cannot be configured to route email directly to the FortiMail system, so it must be physically placed where it can intercept the connection.

Fortinet Entropy Token (delivered as part of the TOE) is a USB-based cryptographic support processor that is an option for FortiMail, and is required in the evaluated configuration.  For this TOE, Fortinet Entropy Token is used as an entropy source only.

Evaluated Configuration

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which FortiMail 6.0 was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 4. Acumen Security determined that the product is conformant to the collaborative Protection Profile for Network Devices v2.0 (NDcPP) + Errata 20180314. The product, when delivered and configured as identified in the Operational User Guidance and Preparative Procedures, satisfies all of the security functional requirements stated in the Security Target. The project underwent CCEVS Validator review. The evaluation was completed in January 2019. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.

Environmental Strengths

The logical boundary of the TOE includes those security functions implemented exclusively by the TOE.

Protected Communications:

The TOE protects the integrity and confidentiality of communications as follows:

o   TLS connectivity with the following entities:

    - Audit Server (with device level authentication)

    - Web Browser (on a management workstation)

Secure Administration:

The TOE enables secure local and remote management of its security functions, including:

o   Local console CLI administration

o   Remote GUI administration via HTTPS/TLS

o   Administrator authentication using a local database or via X.509 certificates to the remote GUI

o   Timed user lockout after multiple failed authentication attempts

o   Password complexity enforcement

o   Role Based Access Control - the TOE supports several types of administrative user roles. Collectively these sub-roles comprise the “Security Administrator”

o   Configurable banners to be displayed at login

o   Timeouts to terminate administrative sessions after a set period of inactivity

o   Protection of secret keys and passwords


Trusted Update:

The TOE ensures the authenticity and integrity of software updates through digital signatures and requires administrative intervention prior to the software updates being installed.

Security Audit:

The TOE keeps local and remote audit records of security relevant events. The TOE internally maintains the date and time which can be set manually. 


 The TOE performs a suite of self-tests to ensure the correct operation and enforcement of its security functions.

Cryptographic Operations:

The TOE provides cryptographic support for the services described in the table below. The Fortinet FortiMail appliance leverages the ‘Fortinet FortiMail SSL Cryptographic Library Version 6.0’ and ‘Fortinet FortiMail RNG Cryptographic Library Version 6.0’ for cryptographic algorithms.


Cryptographic Method         Use within the TOE

TLS Establishment            Used to establish initial TLS session.

Signature Services           Used in TLS session establishment. Used in secure software update.

SP 800-56A Key Agreement     Used in TLS session establishment.

Key Generation               Used in TLS session establishment.

Diffie-Hellman Group 14      Used in TLS session establishment.

SP 800-90 DRBG               Used in TLS session establishment.


Used in secure software update


Used to provide TLS traffic integrity verification


Used to encrypt TLS traffic


Vendor Information

Fortinet, Inc.
Alan Kaye