NIAP: Compliant Product
  NIAP  »»  Product Compliant List  »»  Compliant Product  
Compliant Product - FortiGateā„¢ UTM appliances running FortiOSā„¢ 5.0 Patch Release 10

Certificate Date:  2016.01.13

Validation Report Number:  CCEVS-VR-VID10642-2016

Product Type:    Firewall
   Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Network Device Protection Profile (NDPP) Extended Package Stateful Traffic Filter Firewall Version 1.0
  Protection Profile for Network Devices Version 1.1

CC Testing Lab:  CGI IT Security Labs

CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]

Product Description

FortiGate is designed to provide next-generation firewall services ensuring network protection for Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) networks.   The TOE is capable of robust filtering based on information contained in IPv4, IPv6, ICMPv4, ICMPv6, TCP and UDP headers as specified by their respective RFC’s.   Additionally the TOE is capable of content inspection of FTP and H.323 protocols to work with the dynamic nature of these protocols.

Evaluated Configuration

Desktop Hardware Models









1U Hardware Models










2U Hardware Models










3U Hardware Models





FortiGate 5000 series Hardware Models

FortiGate-5020 (2 Blade Slots)

FortiGate-5060 (6 Blade Slots)

FortiGate-5140B (14 Blade Slots)






Security Evaluation Summary

The evaluation was performed in accordance with the CCEVS processes and scheme along with the requirements as defined within the Network Device Protection Profile and Traffic Filter Firewall Extended Package. The evaluation was performed in accordance with the methodology defined Common Criteria Version 3.1 Revision 4 (September 2012), Part 2 extended and Part 3 conformant. In addition, the TOE is conformant to the Network Devices Protection Profile (NDPP) v1.1 (June 8, 2013) with Errata #3 (3 November 2014) as well as the NDPP Extended Package Stateful Traffic Filter Firewall v1.0 (December 19, 2011).

The product, identified as “FortiGate™ UTM appliances running FortiOS™ 5.0 Patch Release 10,” was the Target of Evaluation and the results of this analysis are documented within the Assurance Activity Report. The evaluation was completed in January of 2016.

Environmental Strengths

Security Audit:

The TOE is capable of generating and securely transmitting Security Audit logs to a remote, trusted FortiAnalyzer server for further processing and review.  The TOE will generate auditable events as specified in the NDPP which may help indicate a number of potential security concerns including resonance, password guessing and tampering with the trusted paths and channels.   For all auditable events the TOE will associate a user (either IP address or with administrative credentials) to the session and use this identifier for all logging to the audit server. The TOE can generate audit logs for a variety of security events.  These include basic events such as hits against firewall rules and will include information which is tracked by the TOE and exported for later analysis and review via a trusted channel.  This information includes information such as source, destination, port and protocol as required by the Firewall EP.

Cryptographic Support:

The TOE’s cryptographic modules are FIPS PUB 140-2 validated and meet Security Level 1 overall. In addition, several devices have received Security Level 2 overall. The certificates for these specific devices can be found in Page 48 of the Security Target.  The TOE is capable of generating cryptographic keys using a NIST SP 800-90B compliant random bit generator seeded with a minimum of 256 bits of entropy by the dedicated hardware based noise source.   These keys are created, managed and destroyed to provide cryptographic services to the network.   The TOE is also capable of importing cryptographic keys and certificates from outside the TOE boundary. Cryptographic keys as well as other CSPs are zeroized by the FIPS compliant modules when no longer required and the TOE offers a function to zeroize this data on demand.

User Data Protection:

The TOE ensures that no information from previously processed information flows is transferred to subsequent information flows. This applies both to information that is input to the TOE from an external source and to information (e.g., padding bits) that might be added by the TOE during processing of the information from the external source. For instance, packets that are not the required length uses a series of repeating byte patterns to meet the packet length. This ensure that no data reuse occurs during packet processing. The removal of any previous residual information is done through the zeroization of data when the memory structure is initially created and strict bounds checking on the data prior to it being assigned in memory.

Identification and Authentication:

All administration requires authentication by user identification and password mechanism. Administration may either be performed locally using the Local Console CLI or remotely using the Network Web-Based GUI.    When authenticating to the TOE it supports complex configurable password rules and supports complex character sets.   Any individual attempting to log on for an interactive session will be shown a warning message that they must accept prior to being presented with a prompt to attempt their authentication.

Security Management:

The TOE provides remote and local administrative interfaces that permit the administrative to configure and manage the TOE. In the evaluated configuration the TOE is connected to two or more networks and remote administration request data flows from a Network Management Station to the TOE. On the TOE hardware model in each configuration there is also a Local Console, located within the physically secured area described within the NDPP and consists of a physical serial interface to the TOE. An administrator account is associated with an access profile, which determines the permissions of the individual administrator.

Protection of the TSF:

Inter-TSF communications are protected to ensure availability, confidentiality and detection of modification.  This is accomplished through the usage of cryptographic communications for any and all communications with remote IT entities, other components of the TOE and remote administrators.   By default detection of modification and audit logging is enabled on TLS connections. The TOE prevents the reading of all administrator passwords, pre-shared keys, symmetric keys and private keys through encrypting them with AES-128 prior to storing them into the TOE configuration file.   Certificates cannot be viewed through any interface once loaded into the TOE. The TOE maintains its own timestamp which is free from outside interference.  This timestamp is used for the purposes of generating audit logs and other time-sensitive operations on the TOE including cryptographic key regeneration intervals.

TOE Access:

The TOE is capable of terminating both local and remote administrative sessions upon detection of administrator inactivity.   The TOE is also capable of terminating a remote session upon request from a remote administrator. The TOE provides administrators with a configurable warning banner prior to initiating any interactive session with the administrator.

Trusted Path/Channels:

A cryptographically protected trusted communications channel is required for all communications with the FortiAnalyzer audit server.    For the purposes of auditing the TOE is capable of securing its audit server communications via TLS.  The usage of this secure channel ensures that the TOE will protect the credentials contained in the authentication request from disclosure and raise an audit log entry should the TOE detect modification in transit.   The TOE or the remote peer may initiate this cryptographically protected channel. The TOE will ensure that cryptographically protected sessions to the HTTPS GUI are used to establish a trusted path between the TOE and the trusted remote administrator.   This path will be used for both the initial administrator authentication and all remote administration requests and is terminated upon session timeout or explicit request from the administrator.

Stateful Traffic Filtering:

The TOE implements a stateful firewall which is compliant with the NDPP EP for stateful firewall inspection.  Each packet that arrives on an interface is subject to the enforcement of the stateful traffic filtering.  This filtering verifies if the connection is part of an established session or if it is a new connection.  If the security attributes of the incoming connection request match those already present for an entry in the state table of the TOE the information flow is automatically allowed.   Otherwise this is considered a new connection attempt.

The TOE can create firewall rules based on a number of security attributes located in the header information of traffic arriving on a specific interface.  Rules can be created based on a number of traffic protocols including the RFC’s for ICMPv4, ICMPv6, IPv4, IPv6, TCP and UDP.   Attributes of these protocols such as IP address, transport protocol, type, code and port can be used to provide more granular access control policies.   The TOE also supports advanced protocols including FTP and H.323 which have non-static ports during their negotiation.  The TOE is capable of inspecting this traffic to understand what is expected during these information flows.

Vendor Information

Fortinet, Inc.
Alan Kaye
Site Map              Contact Us              Home