Scrub the Swap Memory on Firewalls or Appliances Running in FIPS-CC Mode
Use the following procedure to remove sensitive information from the swap partition(s) on a firewall or appliance in FIPS-CC mode. You should ensure that sensitive information is removed from the swap memory before you decommission a firewall or appliance (in FIPS-CC mode) or before you send it in for repair. Use this procedure to remove all cryptographic security parameter (CSP) information from swap partitions.
1. Open an SSH management session to the firewall or appliance.

2. Run the following operational command:

   request [restart | shutdown] system with-swap-scrub [dod | nnsa]

   For example, to shut down the firewall or appliance and perform a Department of Defense (DoD) scrub, run the following command:

   request shutdown system with-swap-scrub dod

3. Press Y at the warning prompt to start the scrub.
4. Verify that the scrub completed successfully. View the System log and filter on the word "swap". The System log indicates the scrub status for each swap partition (either one or two partitions, depending on the model) and also displays a log entry that indicates the overall status of the scrub. If the scrub completed successfully on all swap partitions, the System log shows "Swap space scrub was successful". If the scrub failed on one or more swap partitions, the System log shows "Swap space scrub was unsuccessful". The following screen capture shows the log results for a firewall that has two partitions.

   To view the scrub logs using the CLI, run the "show log system | match swap" command.
If you initiate the scrub using the shutdown command, the firewall or appliance powers off after the scrub completes. Before you can power on the firewall or appliance again, you must first disconnect and reconnect the power source.
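The verification step above relies on reading the System log by eye. When several devices are decommissioned at once, it is easy to stop at the overall status line and miss a per-partition failure, or to accept a log that never reached the overall line at all (for example because the scrub was interrupted). The following Python script is an added example, not code from the page or from Palo Alto Networks: it takes the text captured from "show log system | match swap" (the command given above) and reports whether every partition and the overall result indicate success. Only the two overall-status phrases ("Swap space scrub was successful" / "Swap space scrub was unsuccessful") come from the documentation; the timestamp layout and the wording of the per-partition lines in the sample logs are constructed assumptions for this example and would need adjusting to match the real log format.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Phrases the documentation states appear in the System log.
OVERALL_OK = "Swap space scrub was successful"
OVERALL_FAIL = "Swap space scrub was unsuccessful"

# Per-partition status lines. ASSUMPTION: this wording is constructed for the
# example; adjust the pattern to the real log entries on your device.
PARTITION_RE = re.compile(
    r"scrub of swap partition (?P<part>\S+) (?P<status>succeeded|failed)",
    re.IGNORECASE,
)


@dataclass
class ScrubReport:
    partitions: Dict[str, bool] = field(default_factory=dict)  # partition -> scrubbed OK
    overall: Optional[bool] = None  # None means no overall status line was seen

    @property
    def verified(self) -> bool:
        # Accept only when the overall line says success AND at least one
        # partition was reported AND none of the partitions failed.
        return (
            self.overall is True
            and bool(self.partitions)
            and all(self.partitions.values())
        )


def parse_scrub_log(log_text: str) -> ScrubReport:
    """Parse captured 'show log system | match swap' output into a ScrubReport."""
    report = ScrubReport()
    for line in log_text.splitlines():
        # Check the failure phrase first; the full phrases do not overlap, but
        # "successful" alone is a substring of "unsuccessful", so never match
        # on the bare word.
        if OVERALL_FAIL in line:
            report.overall = False
        elif OVERALL_OK in line:
            report.overall = True
        m = PARTITION_RE.search(line)
        if m:
            report.partitions[m.group("part")] = m.group("status").lower() == "succeeded"
    return report


def explain(report: ScrubReport) -> List[str]:
    """Return the reasons a report is not verified (empty list when it is)."""
    reasons: List[str] = []
    if report.overall is None:
        reasons.append("no overall status line found; scrub may not have completed")
    elif report.overall is False:
        reasons.append("overall status: unsuccessful")
    if not report.partitions:
        reasons.append("no per-partition scrub entries found")
    for part, ok in report.partitions.items():
        if not ok:
            reasons.append(f"partition {part}: scrub failed")
    return reasons


# Constructed sample logs (not real device output) for a two-partition model.
SAMPLE_TWO_PARTITIONS_OK = """\
2024/03/04 09:12:31 info  Swap space scrub started
2024/03/04 09:12:31 info  scrub of swap partition swap1 succeeded
2024/03/04 09:12:40 info  scrub of swap partition swap2 succeeded
2024/03/04 09:12:40 info  Swap space scrub was successful
"""

SAMPLE_ONE_FAILED = """\
2024/03/04 09:12:31 info  Swap space scrub started
2024/03/04 09:12:31 info  scrub of swap partition swap1 succeeded
2024/03/04 09:12:40 error scrub of swap partition swap2 failed
2024/03/04 09:12:40 error Swap space scrub was unsuccessful
"""

# Scrub interrupted: a partition line but no overall line was ever written.
SAMPLE_NO_OVERALL = """\
2024/03/04 09:12:31 info  Swap space scrub started
2024/03/04 09:12:31 info  scrub of swap partition swap1 succeeded
"""

if __name__ == "__main__":
    for name, text in [("ok", SAMPLE_TWO_PARTITIONS_OK),
                       ("one failed", SAMPLE_ONE_FAILED),
                       ("no overall", SAMPLE_NO_OVERALL)]:
        rep = parse_scrub_log(text)
        print(f"{name}: verified={rep.verified} {explain(rep)}")
```

Treat any non-empty list from `explain()` as a reason to re-run the scrub before the device leaves your custody; a missing overall line is not a pass.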