FIPS-CC Security Functions

• To log in, the browser must be TLS 1.1 (or later) compatible; on a WF-500 appliance, you manage the appliance only through the CLI and you must connect using an SSHv2-compatible client application.
• All passwords must be at least six characters.
• You must ensure that Failed Attempts and Lockout Time (min) are greater than 0 in authentication settings. If an administrator reaches the Failed Attempts threshold, the administrator is locked out for the duration defined in the Lockout Time (min) field.
• You must ensure that the Idle Timeout is greater than 0 in authentication settings. If a login session is idle for more than the specified time, the administrator is automatically logged out.
• The firewall or appliance automatically determines the appropriate level of self-testing and enforces the appropriate level of strength in encryption algorithms and cipher suites.
• Unapproved FIPS-CC algorithms are not decrypted—they are ignored during decryption.
• You are required to use a RADIUS server profile configured with an authentication protocol leveraging TLS encryption.
  PAP and CHAP authentication protocols are not compliant protocols and shall not be used in FIPS-CC mode.
• When configuring an IPSec VPN, the administrator must select a cipher suite option presented to them during the IPSec setup.
• Self-generated and imported certificates must contain public keys that are either RSA 2,048 bits (or more) or ECDSA 256 bits (or more); you must also use a digest of SHA256 or greater.
• Telnet, TFTP, and HTTP management connections are not available.
• (New HA Deployments) You must enable encryption for the HA1 control link when you set up high availability (HA) for firewalls in FIPS-CC mode. You must set automatic rekeying parameters; you must set the data parameter to a value no greater than 1000 MB (you cannot let it default) and you must set a time interval (you cannot leave it disabled).
• (Existing HA Deployment) Before you change the operational mode to FIPS-CC mode for firewalls in a high availability (HA) configuration, you must first disable HA (DeviceHigh AvailabilityGeneral) before changing the operational mode to FIPS-CC mode.
  After you change the operational mode to FIPS-CC mode for both HA peers, re-enable HA and enable encryption for the HA1 control link as described above.
• The serial console port in FIPS-CC mode functions as a limited status output port only; CLI access is not available.
• The serial console port on hardware and private-cloud VM-Series firewalls booted into the MRT provides interactive access to the MRT.
• Interactive console access is not supported in the hypervisor environment private-cloud VM-Series firewalls booted into the MRT; you can access the MRT only using SSH.
• You must manually configure a new master key before the old master key expires; Auto Renew Master Key is not supported in FIPS-CC mode.
  If the master key expires, the firewall or Panorama automatically reboots in Maintenance mode. You must then Reset the Firewall to Factory Default Settings.
• (Panorama managed devices) Review the Panorama support of firewalls and Log Collectors when FIPS-CC is enabled.

  Panorama	Firewall		Log Collector
  FIPS-CC Enabled	FIPS-CC Enabled	FIPS-CC Disabled	FIPS-CC Enabled	FIPS-CC Disabled
  	Supported	Supported	Supported	Supported
  FIPS-CC Disabled	Not Supported	Supported	Not Supported	Supported

• Review the requirements to import certificates in FIPS-CC mode.
  • To import a certificate and corresponding private key, the private key must be in PKCS8 standard syntax (PEM format) and encrypted with a FIPS compliant cipher.
  • To import a leaf certificate, you must first successfully import the entire Certificate Authority (CA) chain.