Fortinet FortiManager® 7.2 Security Target Evaluation Assurance Level (EAL): EAL4+ Doc No: 02-729-972412-20250423 Version: 1.2 23 April 2025 Fortinet, Incorporated 909 Kifer Road Sunnyvale, California, USA 94086 Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page i of iii CONTENTS 1 SECURITY TARGET INTRODUCTION ............................................ 1 1.1 DOCUMENT ORGANIZATION ........................................................... 1 1.2 SECURITY TARGET REFERENCE....................................................... 2 1.3 TOE REFERENCE........................................................................... 2 1.4 TOE OVERVIEW............................................................................ 2 TOE Environment............................................................................3 1.5 TOE DESCRIPTION........................................................................ 3 Physical Scope ...............................................................................3 Logical Scope.................................................................................5 Functionality Excluded from the Evaluated Configuration......................7 Disabled Features ...........................................................................7 Vendor Affirmed Hardware...............................................................7 2 CONFORMANCE CLAIMS ............................................................. 8 2.1 COMMON CRITERIA CONFORMANCE CLAIM ....................................... 8 2.2 PROTECTION PROFILE CLAIM.......................................................... 8 2.3 ASSURANCE PACKAGE CLAIM ......................................................... 8 2.4 CONFORMANCE RATIONALE ........................................................... 8 3 SECURITY PROBLEM DEFINITION............................................... 9 3.1 THREATS..................................................................................... 9 3.2 ORGANIZATIONAL SECURITY POLICIES............................................ 9 3.3 ASSUMPTIONS ........................................................................... 10 4 SECURITY OBJECTIVES ............................................................ 11 4.1 SECURITY OBJECTIVES FOR THE TOE............................................. 11 4.2 SECURITY OBJECTIVES FOR THE OPERATIONAL ENVIRONMENT.......... 12 4.3 SECURITY OBJECTIVES RATIONALE ............................................... 12 Security Objectives Rationale Related to Threats............................... 13 Security Objectives Rationale Related to OSPs .................................. 15 Security Objectives Rationale Related to Assumptions........................ 17 5 EXTENDED COMPONENTS DEFINITION ..................................... 19 5.1 SECURITY FUNCTIONAL REQUIREMENTS ........................................ 19 5.2 SECURITY ASSURANCE REQUIREMENTS ......................................... 19 6 SECURITY REQUIREMENTS....................................................... 20 Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page i of iii 6.1 CONVENTIONS........................................................................... 20 6.2 SECURITY FUNCTIONAL REQUIREMENTS ........................................ 20 Security Audit (FAU) ..................................................................... 22 Cryptographic Support (FCS).......................................................... 24 User Data Protection (FDP) ............................................................ 26 Identification and Authentication (FIA) ............................................ 26 Security Management (FMT) .......................................................... 27 Protection of the TSF (FPT) ............................................................ 28 TOE Access (FTA) ......................................................................... 28 Trusted Path/Channels (FTP).......................................................... 29 6.3 SECURITY ASSURANCE REQUIREMENTS ......................................... 30 6.4 SECURITY REQUIREMENTS RATIONALE .......................................... 31 Security Functional Requirements Rationale ..................................... 31 SFR Rationale Related to Security Objectives.................................... 32 Dependency Rationale................................................................... 35 Security Assurance Requirements Rationale ..................................... 37 7 TOE SUMMARY SPECIFICATION................................................ 38 7.1 SECURITY AUDIT........................................................................ 38 7.2 CRYPTOGRAPHIC SUPPORT .......................................................... 38 7.3 USER DATA PROTECTION............................................................. 38 7.4 IDENTIFICATION AND AUTHENTICATION ........................................ 39 7.5 SECURITY MANAGEMENT ............................................................. 39 7.6 PROTECTION OF THE TSF............................................................. 40 7.7 TOE ACCESS...............................................................................40 7.8 TRUSTED PATH / CHANNELS......................................................... 40 Trusted Path ................................................................................ 40 Trusted Channel ........................................................................... 41 8 TERMINOLOGY AND ACRONYMS ............................................... 42 8.1 TERMINOLOGY ........................................................................... 42 8.2 ACRONYMS................................................................................ 43 9 ANNEX A – FORTIMANAGER MODELS AND GUIDES.................... 45 Fortinet FortiManager® 7.0.5 Security Target Version: 1.2 Date: 23 April 2025 Page iii of iii LIST OF TABLES Table 1 – Non-TOE Hardware/Firmware/Software ......................................... 3 Table 2 – TOE Hardware Models ................................................................ 3 Table 3 – Logical Scope of the TOE............................................................. 6 Table 4 – Vendor Affirmed Hardware .......................................................... 7 Table 5 – Security Threats........................................................................ 9 Table 6 – Organizational Security Policies.................................................... 9 Table 7 – Assumptions ........................................................................... 10 Table 8 – Security Objectives for the TOE.................................................. 11 Table 9 – Security Objectives for the Operational Environment...................... 12 Table 10 – Mapping Between Objectives, Threats, OSPs, and Assumptions...... 12 Table 11 – Summary of Security Functional Requirements............................ 21 Table 12 – Auditable Events.................................................................... 23 Table 13 – Cryptographic Operation ......................................................... 25 Table 14 – Security Assurance Requirements ............................................. 31 Table 15 – Mapping of SFRs to Security Objectives ..................................... 32 Table 16 – Functional Requirement Dependencies....................................... 37 Table 17 – Terminology.......................................................................... 42 Table 18 – Acronyms ............................................................................. 44 Table 19 – FortiManager Quick Start Guides .............................................. 45 LIST OF FIGURES Figure 1 – FortiManager Deployment Diagram.............................................. 4 Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 1 of 45 1 SECURITY TARGET INTRODUCTION This Security Target (ST) defines the scope of the evaluation in terms of the assumptions made, the intended environment for the Target of Evaluation (TOE), the Information Technology (IT) security functional and assurance requirements to be met, and the level of confidence Evaluation Assurance Level (EAL) to which it is asserted that the TOE satisfies its IT security requirements. This document forms the baseline for the Common Criteria (CC) evaluation. 1.1 DOCUMENT ORGANIZATION Section 1, ST Introduction, provides the Security Target reference, the TOE reference, the TOE overview and the TOE description. Section 2, Conformance Claims, describes how the ST conforms to the Common Criteria and Packages. The ST does not conform to a Protection Profile. Section 3, Security Problem Definition, describes the expected environment in which the TOE is to be used. This section defines the set of threats that are relevant to the secure operation of the TOE, Organizational Security Policies (OSPs) with which the TOE must comply, and secure usage assumptions applicable to this analysis. Section 4, Security Objectives, defines the set of security objectives to be satisfied by the TOE and by the TOE operating environment in response to the problem defined by the security problem definition. Section 5, Extended Components Definition, defines the extended components which are then detailed in Section 6. Section 6, Security Requirements, specifies the security functional and assurance requirements that must be satisfied by the TOE and the IT environment. Section 7, TOE Summary Specification, describes the security functions that are included in the TOE to enable it to meet the IT security functional requirements. Section 8, Terminology and Acronyms, defines the acronyms and terminology used in this ST. Section 9, Annex A, identifies the TOE models and guidance. Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 2 of 45 1.2 SECURITY TARGET REFERENCE ST Title: Fortinet FortiManager® 7.2 Security Target ST Version: 1.2 ST Date: 23 April 2025 1.3 TOE REFERENCE TOE Identification: Fortinet FortiManager® 7.2.9 (Build # 6297) TOE Developer: Fortinet, Inc. TOE Type: Network Management Device 1.4 TOE OVERVIEW The TOE is the Fortinet FortiManager® 7.2.9 running in stand-alone 'FIPS/CC mode'. The TOE provides network management to one or more Fortinet network security devices. Authorized administrators can configure and manage devices using functions that include verification and update of firmware and license information. Administrators can create and modify policies and objects and push them to the devices. The TOE is able to manually retrieve up-to-date antivirus and intrusion prevention signatures to push to the managed devices. The TOE is capable of grouping devices into administrative domains (ADOMs), which simplifies the application of policies, distribution of content security and firmware updates for large implementations. ADOMs are implemented in the evaluated configuration. The TOE has extensive logging capabilities which include the logging of administrative actions and logging the use of trusted cryptographic channels. The TOE is a hardware/software TOE. Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 3 of 45 TOE Environment The following components are required for operation of the TOE in the evaluated configuration. Component Operating System Hardware Management Workstation Windows 11 using a supported web browser and terminal application General purpose computing hardware Managed Devices FortiGate v7.2.91 FortiAnalyzer v7.2.92 Fortinet FortiWiFi 60F Fortinet FortiAnalyzer 300G Table 1 – Non-TOE Hardware/Firmware/Software Note 1: FortiManager supports connectivity with FortiGate and FortiWiFi versions (6.4.0 -> 6.4.15, 7.0.0 - > 7.0.17, 7.2.0 -> 7.2.10) Note 2: FortiManager supports connectivity with FortiAnalyzer versions (6.4.0 -> 6.4.15, 7.0.0 -> 7.0.13, 7.2.0 -> 7.2.10) 1.5 TOE DESCRIPTION Physical Scope The FortiManager 7.2 firmware is deployed on a stand-alone FortiManager appliance. Model CPU/Entropy Source FMG-200G Intel Core i3-8100 Fortinet CPU Jitter Entropy Library 1.0 Table 2 – TOE Hardware Models Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 4 of 45 Figure 1 shows the TOE in the evaluated configuration. Figure 1 – FortiManager Deployment Diagram 1.5.1.1 TOE Delivery FortiManager units are shipped directly to customers with the FortiManager software pre-installed. If the version of FortiManager is not the CC-evaluated version, customers can download the correct version by logging into the Fortinet Customer Support website (https://support.fortinet.com) and navigating to Download > Firmware Images. Due to having different device drivers, each model offered in the FortiManager Series has its own unique firmware image created from the same common firmware build. For each series, the hardware model identifier changes (i.e. 200F). Customers can download the software based on their FortiManager hardware model. The software is provided to customers as an .out file. An example of a filename is as follows:  FMG-200F-v7.2.9-build6297-FORTINET.out Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 5 of 45 1.5.1.2 TOE Guidance All guidance documentation is provided in Portable Document Format (PDF) format and is available for download at https://docs.fortinet.com/product/fortimanager/7.2 [docs.fortinet.com]. The TOE includes the following guidance documentation:  FortiManager – CLI Reference, Version 7.2.9, December 11, 2024 o FortiManager_7.2.9_CLI_Reference.pdf  FortiManager – Administration Guide, Version 7.2.9, January 14, 2025 o FortiManager_7.2.9-Administration_Guide.pdf  FortiManager & FortiAnalyzer – Event Log Reference, Version 7.2.9, December 11, 2024 o FortiManager_&_FortiAnalyzer_7.2.9_Log_Reference.pdf  FortiManager - Release Notes, Version 7.2.9, February 11, 2025 o fortimanager-v7.2.9-release-notes.pdf In addition to the above, a series of QuickStart Guides are included as part of the TOE. Each of these guides is specific to the hardware model it references. A list of these guides is provided in Table 19. The following FIPS and Common Criteria Guidance Supplement is also available to customers, in PDF format, upon request:  FortiManager 7.2, Common Criteria EAL4 Technote, February 19, 2025 o FMG 7.2 EAL4 CC Technote.pdf Logical Scope The logical boundary of the TOE includes all interfaces and functions within the physical boundary. Table 3 summarizes the logical scope of the TOE. Functional Classes Description Security Audit The TOE generates audit records for security relevant events. An Administrator1 may view the contents of the audit records; however, this functionality is restricted to those users authorized to view the records. 1 An Administrator with any pre-configured profile or with a custom profile with similar permissions. Profiles are discussed in Section 7.5. Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 6 of 45 Functional Classes Description Cryptographic Support The TOE provides cryptographic operation functions supported by Cryptographic Algorithm Validation Program (CAVP)-validated algorithms with Fortinet FortiManager SSL Cryptographic Library Version: 7.2, which is part of the TOE. User Data Protection The TOE controls access to the security data required to perform security management functions including management of devices. Identification and Authentication All TOE administrative users must be identified and authenticated. Users are locked out after a number of unsuccessful authentication attempts. Administrator passwords must meet the configured length and composition requirements. Security Management The TOE provides administrative interfaces that permit users with administrative profiles to configure and manage the TOE. This includes management of the attributes used in the Administrative Access Control Security Functional Policy (SFP), and device management. Administrator roles are provided with differing privileges. Protection of the TSF Reliable time stamps are provided in support of the audit function. Trusted Path/Channel The TOE requires an encrypted trusted channel for communication between the TOE and the managed devices in support of the transfer of policy information. A trusted path communication is required in support of remote administration. Table 3 – Logical Scope of the TOE Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 7 of 45 Functionality Excluded from the Evaluated Configuration The following features are excluded from this evaluation:  FortiGuard update options. Automated updates from FortiGuard were not included in the evaluated configuration. Only manual updates are supported. Automated updates that do not require administrative action were not evaluated.  The Trusted Platform Module (TPM)  The following Representational State Transfer (REST) Application Programming Interfaces (APIs) are not included in the evaluation: o JavaScript Object Notation (JSON) o eXtensible Markup Language (XML) o Software Development Kit (SDK)  FortiAnalyzer as a centralized log server for FMG is currently excluded from the evaluation.  The following protocol/interfaces are excluded from this evaluation: SSH Client, DDNS, DHCP, HTTP, NTP, SNMP, SMTP, Telnet, TFTP Client, LDAP, USB, RADIUS, SYSLOG and High Availability. Disabled Features The following TOE features are disabled by default and are excluded from the scope of this evaluation:  Web UI over HTTP (HTTPS must be used)  The TOE acting as a telnet client or server  The TOE acting as a TFTP client Vendor Supported but not Evaluated Hardware Models The following table lists the Hardware models supported for this release but were not evaluated: Model CPU/Entropy Source FMG-200F Intel Core I3-8100 FMG-300F Intel i3-6100 Skylake FMG-400E Intel Zeon E5-2609v3 Haswell FMG-400G Intel Xeon E5-2609v3 Haswell FMG-410G Intel Core I5-8500 FMG-1000F Intel Xeon Bronze 3106 FMG-1000G Intel Xeon Bronze 3106 Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 8 of 45 FMG-2000E Intel Xeon E5-2620v3 Haswell FMG-3000F 2x Intel Xeon E5-2630v3 FMG-3000G Intel Xeon Silver 4215 FMG-3100G 2x Intel Xeon Silver 4215 FMG-3700F Intel E5-2640v4 FMG-3700G 2x Intel Xeon Gold 5218 Table 4 – Vendor Supported but not Evaluated Hardware Models Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 9 of 45 2 CONFORMANCE CLAIMS 2.1 COMMON CRITERIA CONFORMANCE CLAIM This Security Target claims to be conformant to Version 3.1 of Common Criteria for Information Technology Security Evaluation according to:  Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and General Model; CCMB-2017-04-001, Version 3.1, Revision 5, April 2017  Common Criteria for Information Technology Security Evaluation, Part 2: Security Functional Components; CCMB-2017-04-002, Version 3.1, Revision 5, April 2017  Common Criteria for Information Technology Security Evaluation, Part 3: Security Assurance Components CCMB-2017-04-003, Version 3.1, Revision 5, April 2017 As follows:  CC Part 2 conformant  CC Part 3 conformant The Common Methodology for Information Technology Security Evaluation, Version 3.1, Revision 5, April 2017 has been taken into account. 2.2 PROTECTION PROFILE CLAIM This ST does not claim conformance of the TOE with any Protection Profile (PP). 2.3 ASSURANCE PACKAGE CLAIM This Security Target claims conformance to EAL4 augmented with ALC_FLR.3 Systematic Flaw Remediation. 2.4 CONFORMANCE RATIONALE This ST does not claim conformance of the TOE with any PP. Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 10 of 45 3 SECURITY PROBLEM DEFINITION 3.1 THREATS The threats discussed below are addressed by the TOE. Potential threat agents are persons or external IT entities not authorized to use the TOE itself. The threat agents are assumed to have an enhanced-basic attack potential and are assumed to have access to all publicly available information about the TOE and potential methods of attacking the TOE, a proficient level of expertise, standard equipment and minimal time to attack the TOE without detection. It is expected that the FortiManager units will be protected to the extent necessary to ensure that they remain connected to the networks they protect and minimize the window of opportunity available for attack. Threat Description T.AUDACC Persons may not be accountable for the actions that they conduct because the audit records are not created and reviewed, thus allowing an attacker to escape detection. T.NOAUTH An unauthorized person may attempt to bypass the security of the TOE to access stored data and use security functions provided by the TOE. T.PRIVILEGE An unauthorized person or external IT entity may gain access to the TOE and exploit system privileges to gain access to TOE security functions and data. T.PROCOM An unauthorized person or unauthorized external IT entity may be able to view, modify, and/or delete security related information that is sent between a remotely located authorized administrator and the TOE, or between the TOE and managed devices. Table 5 – Security Threats 3.2 ORGANIZATIONAL SECURITY POLICIES OSPs are security rules, procedures, or guidelines imposed on the operational environment. Table 6 lists the OSPs that are presumed to be imposed upon the TOE or its operational environment by an organization that implements the TOE in the CC evaluated configuration. OSP Description P.ACCACT Users of the TOE shall be accountable for their actions. P.DETECT Events arising from unauthorized activity must be collected. P.MANAGE The TOE shall be manageable only by authorized administrators. Table 6 – Organizational Security Policies Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 11 of 45 3.3 ASSUMPTIONS The assumptions required to ensure the security of the TOE are listed in Table 7. Assumptions Description A.LOCATE The TOE will be located within controlled access facilities and protected from unauthorized physical modification. A.NOEVIL Authorized administrators are properly trained, not malicious, and follow all administrative guidance. Authorized administrators are trusted to administer the TOE correctly. A.MANAGE There will be one or more competent individuals assigned to manage the TOE and the security of the information it contains. Table 7 – Assumptions Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 12 of 45 4 SECURITY OBJECTIVES The purpose of the security objectives is to address the security concerns and to show which security concerns are addressed by the TOE, and which are addressed by the environment. Threats may be addressed by the TOE or the security environment or both. Therefore, the CC identifies two categories of security objectives:  Security objectives for the TOE  Security objectives for the environment 4.1 SECURITY OBJECTIVES FOR THE TOE This section identifies and describes the security objectives that are to be addressed by the TOE. Security Objective Description O.ACCESS The TOE must allow an authorized user access to only those TOE functions and data necessary to perform the duties assigned to that user. O.ADMIN The TOE must provide functionality that enables an authorized administrator to manage TOE security functions, and must ensure that only authorized administrators are able to access such functionality. O.AUDIT The TOE must provide user accountability for authorized administrator use of security functions by providing a means to record and view a readable audit trail of security-related events, with accurate dates and times. O.ENCRYPT The TOE must protect the confidentiality and integrity of data passed between itself and an authorized administrator, or between the TOE and managed devices using cryptographic functions. O.IDENTAUTH The TOE must be able to identify and authenticate authorized users prior to allowing access to TOE security management functions. O.PROTECT The TOE must protect itself against attempts by unauthorized users to bypass, deactivate, or tamper with TOE security functions in such a way as to cause unauthorized access to its functions and data, or to deny access to legitimate users. O.TIME The TOE shall provide reliable time stamps. Table 8 – Security Objectives for the TOE Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 13 of 45 4.2 SECURITY OBJECTIVES FOR THE OPERATIONAL ENVIRONMENT This section identifies and describes the security objectives that are to be addressed by the IT environment or by non-technical or procedural means. Security Objective Description OE.ADMIN Those responsible for the TOE must ensure that the TOE and the supporting hardware devices are delivered, installed, managed, and operated in a manner which is consistent with IT security. There are an appropriate number of trusted, authorized administrators trained to maintain the TOE, including its security policies and practices. Authorized administrators follow all administrator guidance and are not malicious. OE.PHYSICAL Those responsible for the TOE must ensure that the TOE is protected from any physical attack. Table 9 – Security Objectives for the Operational Environment 4.3 SECURITY OBJECTIVES RATIONALE The following table maps the security objectives to the assumptions, threats, and organizational policies identified for the TOE. T.AUDACC T.NOAUTH T.PRIVILEGE T.PROCOM P.ACCACT P.DETECT P.MANAGE A.LOCATE A.NOEVIL A.MANAGE O.ACCESS X X O.ADMIN X X X O.AUDIT X X X O.ENCRYPT X O.IDENTAUTH X X X X O.PROTECT X X X O.TIME X X X OE.ADMIN X X X OE.PHYSICAL X Table 10 – Mapping Between Objectives, Threats, OSPs, and Assumptions Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 14 of 45 Security Objectives Rationale Related to Threats The security objectives rationale related to threats traces the security objectives for the TOE back to the threats addressed by the TOE. Threat: T.AUDACC Persons may not be accountable for the actions that they conduct because the audit records are not created and reviewed, thus allowing an attacker to escape detection. Objectives: O.ADMIN The TOE must provide functionality that enables an authorized administrator to manage TOE security functions, and must ensure that only authorized administrators are able to access such functionality. O.AUDIT The TOE must provide user accountability for authorized administrator use of security functions by providing a means to record and view a readable audit trail of security-related events, with accurate dates and times. O.TIME The TOE shall provide reliable time stamps. Rationale: O.ADMIN provides for security management functionality, including the functionality for reviewing the audit trail. O.AUDIT requires that authorized administrators are accountable for the use of security functions related to audit. The reliable time stamps provided by O.TIME ensures that audit records provide the detail required to demonstrate when an action took place. Threat: T.NOAUTH An unauthorized person may attempt to bypass the security of the TOE to access stored data and use security functions provided by the TOE. Objectives: O.IDENTAUTH The TOE must be able to identify and authenticate authorized users prior to allowing access to TOE security management functions. O.PROTECT The TOE must protect itself against attempts by unauthorized users to bypass, deactivate, or tamper with TOE security functions in such a way as to cause unauthorized access to its functions and data, or to deny access to legitimate users. Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 15 of 45 Rationale: O.IDENTAUTH requires that users be uniquely identified before accessing the TOE. The O.PROTECT objective addresses this threat by preventing unauthorized access to TOE security functions and data. Threat: T.PRIVILEGE An unauthorized person or external IT entity may gain access to the TOE and exploit system privileges to gain access to TOE security functions and data. Objectives: O.ACCESS The TOE must allow an authorized user access to only those TOE functions and data necessary to perform the duties assigned to that user. O.ADMIN The TOE must provide functionality that enables an authorized administrator to manage TOE security functions, and must ensure that only authorized administrators are able to access such functionality. O.IDENTAUTH The TOE must be able to identify and authenticate authorized users prior to allowing access to TOE security management functions. O.PROTECT The TOE must protect itself against attempts by unauthorized users to bypass, deactivate, or tamper with TOE security functions in such a way as to cause unauthorized access to its functions and data, or to deny access to legitimate users. Rationale: The O.IDENTAUTH objective provides for authentication of users prior to access of TOE functions. The O.ACCESS objective builds upon the O.IDENTAUTH objective by only permitting authorized users to access TOE functions. The O.ADMIN objective addresses the threat by ensuring that only authorized administrators are able to access TOE security functions. The O.PROTECT objective addresses this threat by providing TOE self-protection. Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 16 of 45 Threat: T.PROCOM An unauthorized person or unauthorized external IT entity may be able to view, modify, and/or delete security related information that is sent between a remotely located authorized administrator and the TOE, or between the TOE and managed devices. Objectives: O.ENCRYPT The TOE must protect the confidentiality and integrity of data passed between itself and an authorized administrator, or between the TOE and managed devices using cryptographic functions. Rationale: O.ENCRYPT requires that an authorized administrator uses encryption when performing administrative functions on the TOE remotely. The O.ENCRYPT objective ensures that communications between the TOE and managed devices are protected. Security Objectives Rationale Related to OSPs The security objectives rationale related to OSPs traces the security objectives for the TOE and the operational environment back to the OSPs applicable to the TOE. Policy: P.ACCACT Users of the TOE shall be accountable for their actions. Objectives: O.AUDIT The TOE must provide user accountability for authorized administrator use of security functions by providing a means to record and view a readable audit trail of security-related events, with accurate dates and times. O.IDENTAUTH The TOE must be able to identify and authenticate authorized users prior to allowing access to TOE security management functions. O.TIME The TOE shall provide reliable time stamps. Rationale: The O.AUDIT objective implements this policy by requiring auditing of the use of TOE functions. The O.IDENTAUTH objective supports this policy by ensuring each administrative user is uniquely identified and authenticated. O.TIME supports the audit trail with reliable time stamps. Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 17 of 45 Policy: P.DETECT Events arising from unauthorized activity must be collected. Objectives: O.AUDIT The TOE must provide user accountability for authorized administrator use of security functions by providing a means to record and view a readable audit trail of security-related events, with accurate dates and times. O.TIME The TOE shall provide reliable time stamps. Rationale: The O.AUDIT objective supports this policy by ensuring the collection of data on security relevant events. O.TIME supports this policy by ensuring that the audit functionality is able to include reliable timestamps. Policy: P.MANAGE The TOE shall be manageable only by authorized administrators. Objectives: O.ACCESS The TOE must allow an authorized user access to only those TOE functions and data necessary to perform the duties assigned to that user. O.ADMIN The TOE must provide functionality that enables an authorized administrator to manage TOE security functions, and must ensure that only authorized administrators are able to access such functionality. O.IDENTAUTH The TOE must be able to identify and authenticate authorized users prior to allowing access to TOE security management functions. O.PROTECT The TOE must protect itself and the designated network against attempts by unauthorized users to bypass, deactivate, or tamper with TOE security functions in such a way as to cause unauthorized access to its functions and data, or to deny access to legitimate users. OE.ADMIN Those responsible for the TOE must ensure that the TOE and the supporting hardware devices are delivered, installed, managed, and operated in a manner which is consistent with IT security. There Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 18 of 45 are an appropriate number of trusted, authorized administrators trained to maintain the TOE, including its security policies and practices. Authorized administrators follow all administrator guidance and are not malicious. Rationale: The O.ACCESS objective supports this policy by ensuring that authorized administrators have appropriate access to manage the TOE. O.ADMIN supports this policy by ensuring that the TOE provides the appropriate security management functionality to authorized administrators. O.IDENTAUTH supports this policy by ensuring that administrators must be identified and authenticated prior to being granted access to TOE security management functions. O.PROTECT supports this policy by ensuring that the TOE security functions may not be bypassed to allow unauthorized access. OE.ADMIN supports this policy by ensuring that only appropriately trained administrators have access to the TOE security functions. Security Objectives Rationale Related to Assumptions The security objectives rationale related to assumptions traces the security objectives for the operational environment back to the assumptions for the operational environment. Assumption: A.NOEVIL Authorized administrators are properly trained, not malicious, and follow all administrative guidance. Authorized administrators are trusted to administer the TOE correctly. Objectives: OE.ADMIN Those responsible for the TOE must ensure that the TOE and the supporting hardware devices are delivered, installed, managed, and operated in a manner which is consistent with IT security. There are an appropriate number of trusted authorized administrators trained to maintain the TOE, including its security policies and practices. Authorized administrators follow all administrator guidance and are not malicious. Rationale: The OE.ADMIN objective supports this assumption by ensuring that administrators are properly trained, not malicious, and follow all administrative guidance. Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 19 of 45 Assumption: A.LOCATE The TOE will be located within controlled access facilities and protected from unauthorized physical modification. Objectives: OE.PHYSICAL Those responsible for the TOE must ensure that the TOE is protected from any physical attack. Rationale: The OE.PHYSICAL objective supports this assumption by ensuring the physical protection of the TOE. Assumption: A.MANAGE There will be one or more competent individuals assigned to manage the TOE and the security of the information it contains. Objectives: OE.ADMIN Those responsible for the TOE must ensure that the TOE and the supporting hardware devices are delivered, installed, managed, and operated in a manner which is consistent with IT security. There are an appropriate number of trusted, authorized administrators trained to maintain the TOE, including its security policies and practices. Authorized administrators follow all administrator guidance and are not malicious. Rationale: The OE.ADMIN objective supports the assumption by ensuring that all authorized administrators are qualified and trained to manage the TOE. Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 20 of 45 5 EXTENDED COMPONENTS DEFINITION 5.1 SECURITY FUNCTIONAL REQUIREMENTS This ST does not include extended Security Functional Requirements (SFRs). 5.2 SECURITY ASSURANCE REQUIREMENTS This ST does not include extended Security Assurance Requirements (SARs). Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 21 of 45 6 SECURITY REQUIREMENTS Section 6 provides security functional and assurance requirements that must be satisfied by a compliant TOE. These requirements consist of functional components from Part 2 of the CC, extended requirements, and an EAL that contains assurance components from Part 3 of the CC. 6.1 CONVENTIONS The CC permits four types of operations to be performed on functional requirements: selection, assignment, refinement, and iteration. These operations, when performed on requirements that derive from CC Part 2, are identified in this ST in the following manner:  Selection: Indicated by surrounding brackets, e.g., [selected item].  Assignment: Indicated by surrounding brackets, and italics within the brackets, e.g., [assigned item]. Assignments within selections are also indicated in this manner.  Refinement: Refined components are identified by using bold for additional information, or strikeout for deleted text.  Iteration: Indicated by assigning a number in parenthesis to the end of the functional component identifier as well as by modifying the functional component title to distinguish between iterations, e.g., ‘FDP_ACC.1(1), Subset access control (administrators)’ and ‘FDP_ACC.1(2) Subset access control (devices)’. 6.2 SECURITY FUNCTIONAL REQUIREMENTS The SFRs for this ST consist of the following components from Part 2 of the CC and extended components defined in Section 5, summarized in Table 11. Class Identifier Name Security Audit (FAU) FAU_GEN.1 Audit data generation FAU_GEN.2 User identity association FAU_SAR.1 Audit review FAU_SAR.2 Restricted audit review Cryptographic Support (FCS) FCS_COP.1 Cryptographic operation User Data Protection (FDP) FDP_ACC.1 Subset access control FDP_ACF.1 Security attribute based access control Identification and FIA_AFL.1 Authentication failure handling Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 22 of 45 Class Identifier Name Authentication (FIA) FIA_SOS.1 Verification of secrets FIA_UAU.2 User authentication before any action FIA_UID.2 User identification before any action Security Management (FMT) FMT_MSA.1 Management of security attributes FMT_MSA.3 Static attribute initialisation FMT_MTD.1 Management of TSF data FMT_SMF.1 Specification of Management Functions FMT_SMR.1 Security roles Protection of the TSF (FPT) FPT_STM.1 Reliable time stamps TOE Access FTA_SSL.3 TSF-initiated termination Trusted path/channels (FTP) FTP_ITC.1 Inter-TSF trusted channel FTP_TRP.1 Trusted path Table 11 – Summary of Security Functional Requirements Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 23 of 45 Security Audit (FAU) 6.2.1.1 FAU_GEN.1 Audit data generation Hierarchical to: No other components. Dependencies: FPT_STM.1 Reliable time stamps FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events: Start-up and shutdown of the audit functions; All auditable events for the [not specified] level of audit; and [All auditable events listed in Table 12]. FAU_GEN.1.2 The TSF shall record within each audit record at least the following information: a) Date and time of the event, type of event, subject identity, and the outcome (success or failure) of the event; and b) For each audit event type, based on the auditable event definitions of the functional components included in the ST, [information specified in Table 12]. Requirement Auditable Events Additional Audit Record Contents FAU_SAR.1 Reading of information from the audit records (Opening the audit trail) The identity of the administrator performing the function FDP_ACF.1 Administrator action FIA_AFL.1 The reaching of the threshold for the unsuccessful authentication attempts and action taken Identity of the unsuccessfully authenticated user FIA_UAU.2 All uses of the authentication mechanism FIA_UID.2 Unsuccessful use of the user identification mechanism Claimed identity of the user using the identification mechanism FMT_MSA.1 Modification of the security attributes The identity of the administrator performing the function FMT_MSA.3 Modification to the default settings or initial values of security attributes FMT_MTD.1 Modifications made to a Description of the configuration Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 24 of 45 Requirement Auditable Events Additional Audit Record Contents device configuration change event FMT_SMF.1 Use of management functions The identity of the administrator performing the function FMT_SMR.1 Modifications to the group of users that are part of a role User identification of the administrator performing modification, and the user whose role is modified FPT_STM.1 Changes to the time The identity of the administrator performing the operation Note: This event is recorded when the system clock is changed using the CLI. Table 12 – Auditable Events 6.2.1.2 FAU_GEN.2 User identity association Hierarchical to: No other components. Dependencies: FAU_GEN.1 Audit data generation FIA_UID.1 Timing of identification FAU_GEN.2.1 For audit events resulting from actions of identified users, the TSF shall be able to associate each auditable event with the identity of the user that caused the event. 6.2.1.3 FAU_SAR.1 Audit review Hierarchical to: No other components. Dependencies: FAU_GEN.1 Audit data generation FAU_SAR.1.1 The TSF shall provide [authorized administrators] with the capability to read [all audit information] from the audit records. FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information. 6.2.1.4 FAU_SAR.2 Restricted audit review Hierarchical to: No other components. Dependencies: FAU_SAR.1 Audit review FAU_SAR.2.1 The TSF shall prohibit all users read access to the audit records, except those users that have been granted explicit read-access. Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 25 of 45 Cryptographic Support (FCS) 6.2.2.1 FCS_COP.1 Cryptographic operation Hierarchical to: No other components. Dependencies: FCS_CKM.4 Cryptographic key generation FCS_CKM.1 Cryptographic key destruction FCS_COP.1.1 The TSF shall perform [the cryptographic operations specified in Table 13] in accordance with a specified cryptographic algorithm [the cryptographic algorithms specified in Table 13] and cryptographic key sizes [cryptographic key sizes specified in Table 13] that meet the following: [standards listed in Table 13]. Operation Algorithm Key Size or Digest (bits) Standard CAVP Certificate Number Encryption and AES (Advanced 128, 256 FIPS PUB 197 A6632 Decryption Encryption (AES) and NIST SP Standard in CBC mode for TLS) 800-38A Encryption and AES-GCM 128, 256 FIPS PUB 197 and A6632 Decryption (Advanced NIST SP 800-38D Encryption Standard with GCM used for TLS) Cryptographic RSA Digital 2048, 3072, 4096 PKCS #1.5, PSS A6632 Signature Signature Services Algorithm (RSASSA-PKCS- v1_5 using SHA- 256) Elliptic Curve P-256, P-384, FIPS 186-5 (Digital A6632 Digital Signature P-521 Signature Standard Algorithm (ECDSA) Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 26 of 45 Operation Algorithm Key Size or Digest (bits) Standard CAVP Certificate Number Key Agreement in support of TLS & SSH Key Agreement Schemes (KAS) and Key Confirmation (Diffie-Hellman) 2048 / 4096 / 8192 NIST SP800-56A A6632 EC DH P-256, P-384, P- 521 Hashing SHA-1 160 FIPS PUB 180-3 A6632 SHA-256 256 SHA-384 384 SHA-512 512 Keyed Hash HMAC-SHA-1 160 key 160 digest FIPS PUB 198 A6632 HMAC-SHA2-256 256 key 256 digest HMAC-SHA2-384 384 key 384 digest HMAC-SHA2-512 8 ~ 1024 bit key 512 bit digest Random Bit Generation CTR_DRBG N/A NIST SP800-90A A6632 Table 13 – Cryptographic Operation Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 27 of 45 User Data Protection (FDP) 6.2.3.1 FDP_ACC.1 Subset access control Hierarchical to: No other components. Dependencies: FDP_ACF.1 Security attribute based access control FDP_ACC.1.1 The TSF shall enforce the [Administrative Access Control SFP] on [ Subjects: Administrators Objects: Security data Operations: read-write, read-only]. 6.2.3.2 FDP_ACF.1 Security attribute based access control Hierarchical to: No other components. Dependencies: FDP_ACC.1 Subset access control FMT_MSA.3 Static attribute initialisation FDP_ACF.1.1 The TSF shall enforce the [Administrative Access Control SFP] to objects based on the following: [ Subjects: Administrators Subject Attributes: Username, Profile, Administrative Domain Objects: Security data Attributes: none]. FDP_ACF.1.2 The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [Administrators are permitted read-write or read-only access to security data in order to perform administrative functions if the user’s profile includes that permission, and only in their user permitted ADOMs]. FDP_ACF.1.3 The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: [Super Users have read-write access to all security data]. FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on the following additional rules: [no other rules]. Identification and Authentication (FIA) 6.2.4.1 FIA_AFL.1 Authentication failure handling Hierarchical to: No other components Dependencies: FIA_UAU.1 Timing of authentication. FIA_AFL.1.1 The TSF shall detect when [an administrator configurable positive integer within [1 to 10]] unsuccessful authentication attempts occur related to [administrator login]. FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been [met], the TSF shall [lock out the IP address for a configurable period of time]. 6.2.4.2 FIA_SOS.1 Verification of secrets Hierarchical to: No other components. Dependencies: No dependencies. Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 28 of 45 FIA_SOS.1.1 The TSF shall provide a mechanism to verify that secrets meet [  minimum length requirements, which may be configured to be between 8 to 32 characters;  composition requirements, which may specify that passwords must contain: o upper case letters, o lower case letters, o numbers, and/or o special characters]. Note: The following special characters are allowed: “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(“, and “)”. 6.2.4.3 FIA_UAU.2 User authentication before any action Hierarchical to: FIA_UAU.1 Timing of authentication Dependencies: FIA_UID.1 Timing of identification FIA_UAU.2.1 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user. 6.2.4.4 FIA_UID.2 User identification before any action Hierarchical to: FIA_UID.1 Timing of identification Dependencies: No dependencies. FIA_UID.2.1 The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user. Security Management (FMT) 6.2.5.1 FMT_MSA.1 Management of security attributes Hierarchical to: No other components. Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control] FMT_SMR.1 Security roles FMT_SMF.1 Specification of Management Functions FMT_MSA.1.1 The TSF shall enforce the [Administrative Access Control SFP] to restrict the ability to [modify, delete, [create]] the security attributes [Username, Profile, Administrative Domain] to [Super Users]. 6.2.5.2 FMT_MSA.3 Static attribute initialisation Hierarchical to: No other components. Dependencies: FMT_MSA.1 Management of security attributes FMT_SMR.1 Security roles FMT_MSA.3.1 The TSF shall enforce the [Administrative Access Control SFP] to provide [restrictive] default values for security attributes that are used to enforce the SFP. FMT_MSA.3.2 The TSF shall allow the [Super User] to specify alternative initial values to override the default values when an object or information is created. Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 29 of 45 6.2.5.3 FMT_MTD.1 Management of TSF data Hierarchical to: No other components. Dependencies: FMT_SMR.1 Security roles FMT_SMF.1 Specification of Management Functions FMT_MTD.1.1 The TSF shall restrict the ability to [query, modify, delete] the [data associated with remotely managed devices] to [users with a profile that allows device access]. 6.2.5.4 FMT_SMF.1 Specification of Management Functions Hierarchical to: No other components. Dependencies: No dependencies. FMT_SMF.1.1 The TSF shall be capable of performing the following management functions: [ a) Manage users; b) View audit records; c) Manage devices; and d) Manage policies ]. 6.2.5.5 FMT_SMR.1 Security roles Hierarchical to: No other components. Dependencies: FIA_UID.1 Timing of identification FMT_SMR.1.1 The TSF shall maintain the roles [Super User, Standard User, Package User, Restricted User, and any custom roles created by the organization]. FMT_SMR.1.2 The TSF shall be able to associate users with roles. Protection of the TSF (FPT) 6.2.6.1 FPT_STM.1 Reliable time stamps Hierarchical to: No other components. Dependencies: No dependencies. FPT_STM.1.1 The TSF shall be able to provide reliable time stamps. TOE Access (FTA) 6.2.7.1 FTA_SSL.3 TSF-initiated termination Hierarchical to: No other components. Dependencies: No dependencies. FTA_SSL.3.1 The TSF shall terminate an interactive session after a [period of 5 minutes of user inactivity]. Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 30 of 45 Trusted Path/Channels (FTP) 6.2.8.1 FTP_ITC.1 Inter-TSF trusted channel Hierarchical to: No other components. Dependencies: No dependencies. FTP_ITC.1.1 The TSF shall provide a communication channel between itself and another trusted IT product that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from modification or disclosure. FTP_ITC.1.2 The TSF shall permit [the TSF] to initiate communication via the trusted channel. FTP_ITC.1.3 The TSF shall initiate communication via the trusted channel for [device management, distribution of policies]. 6.2.8.2 FTP_TRP.1 Trusted Path Hierarchical to: No other components. Dependencies: No dependencies. FTP_TRP.1.1 The TSF shall provide a communication path between itself and [remote] users that is logically distinct from other communication paths and provides assured identification of its end points and protection of the communicated data from [disclosure]. FTP_TRP.1.2 The TSF shall permit [remote users] to initiate communication via the trusted path. FTP_TRP.1.3 The TSF shall require the use of the trusted path for [[remote administration]]. Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 31 of 45 6.3 SECURITY ASSURANCE REQUIREMENTS The assurance requirements are summarized in the following table. Assurance Class Assurance Components Identifier Name Development (ADV) ADV_ARC.1 Security architecture description ADV_FSP.4 Complete functional specification ADV_IMP.1 Implementation representation of the TSF ADV_TDS.3 Basic modular design Guidance Documents (AGD) AGD_OPE.1 Operational user guidance AGD_PRE.1 Preparative procedures Life-Cycle Support (ALC) ALC_CMC.4 Production support, acceptance procedures and automation ALC_CMS.4 Problem tracking CM coverage ALC_DEL.1 Delivery procedures ALC_DVS.1 Identification of security measures ALC_FLR.3 Systematic flaw remediation ALC_LCD.1 Developer defined life-cycle model ALC_TAT.1 Well-defined development tools Security Target Evaluation (ASE) ASE_CCL.1 Conformance claims ASE_ECD.1 Extended components definition ASE_INT.1 ST introduction ASE_OBJ.2 Security objectives ASE_REQ.2 Derived security requirements ASE_SPD.1 Security problem definition ASE_TSS.1 TOE summary specification Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 32 of 45 Assurance Class Assurance Components Identifier Name Tests (ATE) ATE_COV.2 Analysis of coverage ATE_DPT.1 Testing: basic design ATE_FUN.1 Functional testing ATE_IND.2 Independent testing - sample Vulnerability Assessment (AVA) AVA_VAN.3 Focused vulnerability analysis Table 14 – Security Assurance Requirements 6.4 SECURITY REQUIREMENTS RATIONALE Security Functional Requirements Rationale The following table provides a mapping between the SFRs and Security Objectives. O.ACCESS O.ADMIN O.AUDIT O.ENCRYPT O.IDENTAUTH O.PROTECT O.TIME FAU_GEN.1 X FAU_GEN.2 X FAU_SAR.1 X X X FAU_SAR.2 X X FCS_COP.1 X FDP_ACC.1 X FDP_ACF.1 X FIA_AFL.1 X FIA_SOS.1 X FIA_UAU.2 X X FIA_UID.2 X X FMT_MSA.1 X X X Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 33 of 45 O.ACCESS O.ADMIN O.AUDIT O.ENCRYPT O.IDENTAUTH O.PROTECT O.TIME FMT_MSA.3 X X X FMT_MTD.1 X X X FMT_SMF.1 X X FMT_SMR.1 X X FPT_STM.1 X FTA_SSL.3 X FTP_ITC.1 X FTP_TRP.1 X Table 15 – Mapping of SFRs to Security Objectives SFR Rationale Related to Security Objectives The following rationale traces each SFR back to the Security Objectives for the TOE. Objective: O.ACCESS The TOE must allow an authorized user access to only those TOE functions and data necessary to perform the duties assigned to that user. Security Functional Requirements: FAU_SAR.1 Audit review FAU_SAR.2 Restricted audit review FIA_UAU.2 User authentication before any action FIA_UID.2 User identification before any action FMT_MSA.1 Management of security attributes FMT_MSA.3 Static attribute initialisation FMT_MTD.1 Management of TSF data Rationale: FAU_SAR.1 and FAU_SAR.2 meet this objective by ensuring that only authorized administrators are able to access and read audit records. FIA_UID.2 and FIA_UAU.2 ensure that users are identified and authenticated prior to being allowed access to TOE security management functionality. FMT_MSA.1 ensures that only authorized administrators have access to the security attributes associated with the Administrative Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 34 of 45 Objective: O.ADMIN The TOE must provide functionality that enables an authorized administrator to manage TOE security functions, and must ensure that only authorized administrators are able to access such functionality. Security Functional Requirements: FAU_SAR.1 Audit review FDP_ACC.1 Subset access control FDP_ACF.1 Security attribute based access control FMT_MSA.1 Management of security attributes FMT_MSA.3 Static attribute initialisation FMT_MTD.1 Management of TSF data FMT_SMF.1 Specification of Management Functions Rationale: FAU_SAR.1 meets this objective by providing authorized administrators with the ability to read audit logs. FDP_ACC.1 and FDP_ACF.1 meet this objective by restricting access to the security data required to perform administrative functions. FMT_MSA.1 meets the objective by providing the functionality to manage the parameters associated with the Administrative Access Control SFP. FMT_MSA.3 meets the objective by providing the initial values required to manage the Administrative Access Control SFP. FMT_MTD.1 meets this objective by providing functionality to access the data required to manage devices. FMT_SMF.1 meets the objective by providing the management functions supporting the specific security management claims. Objective: O.AUDIT The TOE must provide user accountability for authorized administrator use of security functions by providing a means to record and view a readable audit trail of security-related events, with accurate dates and times. Security Functional FAU_GEN.1 Audit data generation FAU_GEN.2 User identity association Access Control SFP. FMT_MSA.3 restricts default security attributes to further ensure that access is restricted to authorized administrators. FMT_MTD.1 ensures that only authorized administrators have access to data required to manage devices. Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 35 of 45 Requirements: FAU_SAR.1 Audit review FAU_SAR.2 Restricted audit review Rationale: FAU_GEN.1 supports the objective by detailing the set of events that the TOE must be capable of recording, ensuring that any security relevant event that takes place in the TOE is audited. FAU_GEN.2 supports the objective by ensuring that the audit records associate a user identity with the auditable event. FAU_SAR.1 provides the means to read the audit information, while FAU_SAR.2 ensures that only those specifically granted access may read the logs. Objective: O.ENCRYPT The TOE must protect the confidentiality and integrity of data passed between itself and an authorized administrator, or between the TOE and managed devices using cryptographic functions. Security Functional Requirements: FCS_COP.1 Cryptographic operation FTP_ITC.1 Inter-TSF trusted channel FTP_TRP.1 Trusted path Rationale: FCS_COP.1 supports this objective by providing the cryptographic functionality required to support trusted links. FTP_ITC.1 and FTP_TRP.1 support the objective by specifying the use of encryption between the TOE and the remote administrator, and between the TOE and the managed devices. Objective: O.IDENTAUTH The TOE must be able to identify and authenticate authorized users prior to allowing access to TOE security management functions. Security Functional Requirements: FIA_UAU.2 User authentication before any action FIA_UID.2 User identification before any action FMT_SMR.1 Security roles Rationale: FIA_UID.2 and FIA_UAU.2 ensure that users are identified and authenticated prior to being granted access to TOE security management functions, or to a connected network. FMT_SMR.1 supports the objective by providing roles which are used to provide users access to TOE security functionality. Objective: The TOE must protect itself against attempts by unauthorized users to bypass, deactivate, or tamper with TOE security functions in Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 36 of 45 O.PROTECT such a way as to cause unauthorized access to its functions and data, or to deny access to legitimate users. Security Functional Requirements: FIA_AFL.1 Authentication failure handling FIA_SOS.1 Verification of secrets FMT_MSA.1 Management of security attributes FMT_MSA.3 Static attribute initialisation FMT_MTD.1 Management of TSF data FMT_SMF.1 Specification of management functions FMT_SMR.1 Security roles FTA_SSL.3 TSF-initiated termination Rationale: FMT_MSA.1, FMT_MSA.3, FMT_MTD.1, FMT_SMF.1 and FMT_SMR.1 support the objective by ensuring that access to TOE security functions is limited to authorized users. FIA_AFL.1 supports the objective by ensuring that unauthorized users are locked out following a configurable number of unsuccessful authentication attempts, thereby thwarting a brute force attack on the TOE. FIA_SOS.1 ensures that administrator passwords meet requirements for length and composition to reduce the risk of a successful brute force attack. FTA_SSL.3 supports the objective by ensuring that open sessions are closed automatically after a period of inactivity to reduce the risk of an attacker using an open session. Objective: O.TIME The TOE shall provide reliable time stamps. Security Functional Requirements: FPT_STM.1 Reliable time stamps Rationale: FPT_STM.1 supports this objective by providing reliable time stamps. Dependency Rationale Table 16 identifies the SFRs from Part 2 of the CC and their associated dependencies. It also indicates whether the ST explicitly addresses each dependency. Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 37 of 45 SFR Dependency Dependency Satisfied Rationale FAU_GEN. 1 FPT_STM.1  FAU_GEN. 2 FAU_GEN.1  FIA_UID.1  FIA_UID.2 is hierarchical to FIA_UID.1; therefore this dependency has been satisfied. FAU_SAR. 1 FAU_GEN.1  FAU_SAR. 2 FAU_SAR.1  FCS_COP. 1 FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1  FCS_CKM.1 is considered satisfied as per guidance from the Canadian Common Criteria Scheme. FCS_CKM.4  FCS_CKM.4 is considered satisfied as per Canadian Common Criteria Scheme Guidance FDP_ACC. 1 FDP_ACF.1  FDP_ACF. 1 FDP_ACC.1  FMT_MSA.3  FIA_AFL.1 FIA_UAU.1  FIA_UAU.2 is hierarchical to FIA_UAU.1; therefore this dependency has been satisfied. FIA_AFL.1 FIA_UAU.1  FIA_UAU.2 is hierarchical to FIA_UAU.1; therefore this dependency has been satisfied. FIA_SOS. 1 None N/A FIA_UAU. 2 FIA_UID.1  FIA_UID.2 is hierarchical to FIA_UID.1; this dependency has been satisfied. FIA_UID. 2 None N/A Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 38 of 45 SFR Dependency Dependency Satisfied Rationale FMT_MSA.1 FDP_ACC.1 or FDP_IFC.1  Satisfied by FDP_ACC.1 FMT_SMR.1  FMT_SMF.1  FMT_MSA.3 FMT_MSA.1  FMT_SMR.1  FMT_MTD.1 FMT_SMR.1  FMT_SMF.1  FMT_SMF. 1 None N/A FMT_SMR.1 FIA_UID.1  FIA_UID.2 is hierarchical to FIA_UID.1; therefore this dependency has been satisfied. FPT_STM. 1 None N/A FTA_SSL. 3 None N/A FTP_ITC.1 None N/A FTP_TRP. 1 None N/A Table 16 – Functional Requirement Dependencies Security Assurance Requirements Rationale The TOE assurance requirements for this ST consist of the requirements corresponding to the EAL 4 level of assurance, as defined in the CC Part 3, augmented by the inclusion of Systematic Flaw Remediation (ALC_FLR.3). EAL 4 was chosen for competitive reasons. The developer is claiming the ALC_FLR.3 augmentation since current Fortinet flaw remediation practices and procedures meet or exceed this level of assurance. Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 39 of 45 7 TOE SUMMARY SPECIFICATION This section provides a description of the security functions and assurance measures of the TOE that meet the TOE security requirements. 7.1 SECURITY AUDIT The TOE creates audit records for administrative events, including device management and the provision of policy information to managed devices. The TOE records the identity of the Administrator who caused the event for which the audit record is created. The TOE applies timestamps to auditable events as they occur. An Administrator in any of the four pre-configured administrative profiles can review the audit records. The pre-configured profiles are described in Section 7.5. FortiManager units have disks and audit records are locally stored on the disks. Logs may be read using the Graphical User Interface (GUI) on the TOE. This functionality is provided to a user in any profile with Log View privileges. TOE Security Functional Requirements addressed: FAU_GEN.1, FAU_GEN.2, FAU_SAR.1, FAU_SAR.2. 7.2 CRYPTOGRAPHIC SUPPORT Cryptographic support is provided using a software based, deterministic random bit generator (DRBG) that conforms to the National Institute of Standards and Technology Special Publication 800-90A. Entropy is provided using the Fortinet CPU Jitter Entropy Library to seed the DRBG during the boot process and to periodically reseed the DRBG. The entropy source for each hardware model can be found in Table(s) 2 & 4 above. The TOE only stores keys in memory, either in Synchronous Dynamic Random Access Memory (SDRAM) or Flash Random Access Memory (RAM). Cryptographic operations are performed in accordance with the detail provided in Table 13. TOE Security Functional Requirements addressed: FCS_COP.1. 7.3 USER DATA PROTECTION The TOE provides an Administrative Access Control SFP that controls access of Administrators with any of the pre-configured profiles to the data required to manage the TOE functions. Access to the TOE functions is based on the Administrator profile and permitted ADOMs, as described in Section 7.5. TOE Security Functional Requirements addressed: FDP_ACC.1, FDP_ACF.1. Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 40 of 45 7.4 IDENTIFICATION AND AUTHENTICATION In order to protect the TOE data and services, the TOE requires identification and authentication for all administrative access. Authentication failure handling is implemented to further protect this interface. Administrators can set an administrative lockout threshold between 1 and 10 login attempts. When authentication of an Administrator account fails the set number of times, the account is locked out for an Administrator-configurable period of time. The default number of unsuccessful login attempts for triggering lockout is three, and the default lockout time period is 60 seconds. Administrators can set a password policy that specifies the minimum number of characters in a password (8 to 32) and the types of characters that a password must contain (uppercase letters, lowercase letters, numbers and/or special characters). User management, including management of identification and authentication settings, is performed by an Administrator with a Super User profile, or a custom profile with similar user management permissions. TOE Security Functional Requirements addressed: FIA_AFL.1, FIA_SOS.1, FIA_UAU.2, FIA_UID.2. 7.5 SECURITY MANAGEMENT The TOE provides a web-based GUI and a CLI to manage all of the security functions. The GUI is accessed through a TLS-protected session and may be accessed remotely. The CLI is accessed using a direct console connection, or through a Secure Shell (SSH) protected connection. The functions provided through these interfaces include the management of FortiManager administrative users, and review of audit records. The interfaces also allow for the management of networked Fortinet devices, including configuration of devices and policy management. Management of the security attributes that control access to user management functions is limited to users who have been assigned Super User profiles. Users with the associated Super User privileges are able to create, modify, and delete other user accounts. The default values for the security attributes (username, profile) are restrictive in nature in that there is no username until it is entered by an administrator. Likewise, no profile is associated with a username until that information is entered by an administrator with Super User privileges. The TOE also restricts access to the configuration data associated with the remotely managed devices. This is the security data objects referred to in access control SFP. Although all of the predefined profiles include some device manager privileges, users with Restricted User and Package User profiles have read-only access to some of the device data. Users assigned Super User or Standard User profiles have read-write access to all device manager data allowing them the ability to perform all device management functions. The TOE provides four predefined administrator profiles. Each profile has a set of associated system privileges. Users assigned to the Super User profile have access to all data and functions. Users assigned the Standard User profile have Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 41 of 45 most device and policy management privileges, but are not able to manage users and system settings. Package Users have similar access to data, but with read-only privileges to some of the data, and are therefore not able to perform as many functions. Restricted users are limited to read-only access to most data, and no access to the data related to system level functionality. The Super User and Standard User profiles come with Read-Write access to the Administrative Domain privilege, allowing Admins assigned this profile the ability to create and manages ADOMs. Administrators’ access to Device Management including policy update is further restricted to ADOM’s assigned in their individual user account. TOE Security Functional Requirements addressed: FMT_MSA.1, FMT_MSA.3, FMT_MTD.1, FMT_SMF.1, FMT_SMR.1. 7.6 PROTECTION OF THE TSF Time is provided by the TSF and can only be changed by an authorized administrator. The supporting hardware devices include a hardware clock which is used to generate reliable time stamps which in turn are used by the TOE for audit records and to provide scheduling features for flow control policies. TOE Security Functional Requirements addressed: FPT_STM.1. 7.7 TOE ACCESS An administrative session with the GUI or the CLI is closed after five minutes of inactivity. The Administrator must log in again to regain access. This applies to an Administrator with any profile. TOE Security Functional Requirements addressed: FTA_SSL.3. 7.8 TRUSTED PATH / CHANNELS The TOE provides trusted paths and trusted channels, protected by encryption to guard against disclosure and protected by cryptographic signature to detect modifications. Trusted Path A trusted path is used to protect authentication of Administrators, and administration activities. This channel is logically distinct from other communication channels and provides assured identification of the end points and protection of the channel data from disclosure. TLS version 1.2 and TLS 1.3 are used to encrypt and authenticate administration sessions between the remote browser and TOE. SSH is used to protect remote connections to the CLI. The SSH implementation complies with RFCs 4251, 4252, 4253, and 4254. Administrators use password based or SSH-RSA public key authentication. TOE Security Functional Requirements addressed: FTP_TRP.1 Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 42 of 45 Trusted Channel The trusted channel is established between the TOE and the managed Fortinet device. In the evaluated configuration, the TOE always initiates the communications to the managed devices. The trusted channel provides security for communications between the TOE and the managed devices using TLS 1.2 or 1.3. This channel is logically distinct from other communication channels and provides assured identification of the end points and protection of the channel data from disclosure. TOE Security Functional Requirements addressed: FTP_ITC.1 Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 43 of 45 8 TERMINOLOGY AND ACRONYMS 8.1 TERMINOLOGY The following terminology is used in this ST: Term Description Management Workstation A computer located remotely from the TOE but which is able to establish a network connection to the TOE. The Management workstation falls outside the TOE Boundary. Person A person is a human being. A person can be, but is not necessarily, an authorized user. Administrators The term ‘Administrators’ is used to refer to all TOE administrative users assigned to any profile. Where capabilities are distinguished by administrator profile, the individual profile name is specified. User A user may be a person or an IT entity. Table 17 – Terminology Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 44 of 45 8.2 ACRONYMS The following acronyms are used in this ST: Acronym Definition ADOM Administrative Domain AES Advanced Encryption Standard API Application Programming Interface CAVP Cryptographic Algorithm Validation Program CBC Cipher-block Chaining CC Common Criteria CLI Command Line Interface CM Configuration Management CTR Counter-mode DH or DHE Diffie-Hellman Key Exchange DRBG Deterministic Random Bit Generator EAL Evaluation Assurance Level ECDHE Elliptic Curve Diffie-Hellman Key Exchange FIPS Federal Information Processing Standards GUI Graphical User Interface HMAC Keyed Hash Message Authentication Code ISO International Organization for Standardization IT Information Technology JSON JavaScript Object Notation KAS Key Agreement Scheme NIST National Institute of Standards and Technology OSP Organizational Security Policy PDF Portable Document Format PKCS Public-Key Cryptography Standards PP Common Criteria Protection Profile QSG QuickStart Guide RAM Random Access Memory Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 45 of 45 Acronym Definition RFC Request for Comments RSA Rivest, Shamir and Adleman RSASSA-PKCS1 RSA Signature Scheme with Appendix PKCS1 SDK Software Development Kit SDRAM Synchronous Dynamic Random Access Memory SFP Security Functional Policy SFR Security Functional Requirement SHA Secure Hash Algorithm SSH Secure Shell ST Security Target TLS Transport Layer Security TOE Target of Evaluation TRNG True Random Number Generator TSF TOE Security Functionality USB Universal Serial Bus XML eXtensible Markup Language Table 18 – Acronyms Fortinet FortiManager® 7.2 Security Target Version: 1.2 Date: 23 April 2025 Page 46 of 45 9 ANNEX A – FORTIMANAGER MODELS AND GUIDES Model QuickStart Guide (QSG) FMG-200F Guide: FortiManager 200F QuickStart Guide File: FMG—200F-QSG.pdf FMG-200G Guide: FortiManager 200G QuickStart Guide File: FMG—200G-QSG.pdf FMG-300F Guide: FortiManager 300F QuickStart Guide File: FMG—300F-QSG.pdf FMG-400E Guide: FortiManager 400E QuickStart Guide File: FMG—400E-QSG.pdf FMG-400G Guide: FortiManager 400G QuickStart Guide File: FMG—400G-QSG.pdf FMG-410G Guide: FortiManager 410G QuickStart Guide File: FMG—410G-QSG.pdf FMG-1000F Guide: FortiManager 1000F QuickStart Guide File: FMG—1000F-QSG.pdf FMG-1000G Guide: FortiManager 1000G QuickStart Guide File: FMG—1000G-QSG.pdf FMG-2000E Guide: FortiManager 2000E QuickStart Guide File: FMG—2000E-QSG.pdf FMG-3000F Guide: FortiManager 3000F QuickStart Guide File: FMG—3000F-QSG.pdf FMG-3000G Guide: FortiManager 3000G QuickStart Guide File: FMG—3000G-QSG.pdf FMG-3100G Guide: FortiManager 3100G QuickStart Guide File: FMG—3100G-QSG.pdf FMG-3700F Guide: FortiManager 3700F QuickStart Guide File: FMG—3700F-QSG.pdf FMG-3700G Guide: FortiManager 3700G QuickStart Guide File: FMG—3700G-QSG.pdf Table 19 – FortiManager Quick Start Guides