FIPS-CC Security Functions

When FIPS-CC mode is enabled, the following security functions are enforced on all firewalls and appliances:
  • To log in, the browser must be TLS 1.1 (or later) compatible; on a WF-500 appliance, you manage the appliance only through the CLI and you must connect using an SSHv2-compatible client application.
  • All passwords must be at least six characters.
  • You must ensure that Failed Attempts and Lockout Time (min) are greater than 0 in authentication settings. If an administrator reaches the Failed Attempts threshold, the administrator is locked out for the duration defined in the Lockout Time (min) field.
  • You must ensure that the Idle Timeout is greater than 0 in authentication settings. If a login session is idle for more than the specified time, the administrator is automatically logged out.
  • The firewall or appliance automatically determines the appropriate level of self-testing and enforces the appropriate level of strength in encryption algorithms and cipher suites.
  • Unapproved FIPS-CC algorithms are not decrypted—they are ignored during decryption.
  • You must use a RADIUS server profile configured with an authentication protocol that uses TLS encryption.
    PAP and CHAP are not compliant protocols and must not be used in FIPS-CC mode.
  • When configuring an IPSec VPN, the administrator must select a cipher suite option presented to them during the IPSec setup.
  • Self-generated and imported certificates must contain public keys that are either RSA 2,048 bits (or more) or ECDSA 256 bits (or more); you must also use a digest of SHA256 or greater.
  • Telnet, TFTP, and HTTP management connections are not available.
  • (New HA Deployments) You must enable encryption for the HA1 control link when you set up high availability (HA) for firewalls in FIPS-CC mode. You must also set automatic rekeying parameters: set the data parameter to a value no greater than 1000 MB (you cannot let it default) and set a time interval (you cannot leave it disabled).
  • (Existing HA Deployment) Before you change the operational mode to FIPS-CC mode for firewalls in a high availability (HA) configuration, you must first disable HA (Device > High Availability > General).
    After you change the operational mode to FIPS-CC mode for both HA peers, re-enable HA and enable encryption for the HA1 control link as described above.
  • The serial console port in FIPS-CC mode functions as a limited status output port only; CLI access is not available.
  • The serial console port on hardware and private-cloud VM-Series firewalls booted into the MRT provides interactive access to the MRT.
  • Interactive console access is not supported in the hypervisor environment for private-cloud VM-Series firewalls booted into the MRT; you can access the MRT only using SSH.
  • You must manually configure a new master key before the old master key expires; Auto Renew Master Key is not supported in FIPS-CC mode.
    If the master key expires, the firewall or Panorama automatically reboots in Maintenance mode. You must then Reset the Firewall to Factory Default Settings.
  • (Panorama managed devices) Review the Panorama support of firewalls and Log Collectors when FIPS-CC is enabled.

    Panorama            Firewall                               Log Collector
                        FIPS-CC Enabled    FIPS-CC Disabled    FIPS-CC Enabled    FIPS-CC Disabled
    FIPS-CC Enabled     Supported          Supported           Supported          Supported
    FIPS-CC Disabled    Not Supported      Supported           Not Supported      Supported
  • Review the requirements to import certificates in FIPS-CC mode.
    • To import a certificate and corresponding private key, the private key must be in PKCS #8 syntax (PEM format) and encrypted with a FIPS-compliant cipher.
    • To import a leaf certificate, you must first successfully import the entire Certificate Authority (CA) chain.
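The following is an added example (not Palo Alto Networks code or the firewall's configuration schema): a pre-flight audit that checks a settings summary against the requirements listed above before switching a firewall into FIPS-CC mode. The dictionary layout, key names and sample values are assumptions constructed for this example.

```python
# Added example (not Palo Alto Networks code): audit a settings summary against the
# FIPS-CC requirements listed above. Dictionary layout and key names are assumptions.
DIGEST_BITS = {"sha1": 160, "sha256": 256, "sha384": 384, "sha512": 512}
MIN_KEY_BITS = {"RSA": 2048, "ECDSA": 256}  # minimum public key sizes per the list above


def audit_fips_cc(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    auth = cfg.get("authentication", {})
    if auth.get("min_password_length", 0) < 6:
        findings.append("passwords must be at least six characters")
    for key, label in (("failed_attempts", "Failed Attempts"),
                       ("lockout_time_min", "Lockout Time (min)"),
                       ("idle_timeout_min", "Idle Timeout")):
        if auth.get(key, 0) <= 0:
            findings.append(f"{label} must be greater than 0")
    if cfg.get("radius_protocol", "").lower() in ("pap", "chap"):
        findings.append("RADIUS profile must use a TLS-based protocol, not PAP or CHAP")
    if cfg.get("auto_renew_master_key"):
        findings.append("Auto Renew Master Key is not supported; renew the master key manually")
    ha = cfg.get("ha")
    if ha:  # HA checks apply only when high availability is configured
        if not ha.get("ha1_encryption"):
            findings.append("HA1 control link encryption must be enabled")
        data_mb = ha.get("rekey_data_mb")
        if data_mb is None or not 0 < data_mb <= 1000:
            findings.append("HA1 rekey data parameter must be set and no greater than 1000 MB")
        if not ha.get("rekey_interval_min"):
            findings.append("HA1 rekey time interval must be set")
    for cert in cfg.get("certificates", []):
        min_bits = MIN_KEY_BITS.get(cert["key_type"].upper())
        if min_bits is None or cert["key_bits"] < min_bits:
            findings.append(f"certificate {cert['name']}: key must be RSA 2048+ or ECDSA 256+ bits")
        if DIGEST_BITS.get(cert["digest"].lower(), 0) < 256:
            findings.append(f"certificate {cert['name']}: digest must be SHA256 or stronger")
    return findings


SAMPLE_CONFIG = {  # constructed sample with several deliberate violations
    "authentication": {"min_password_length": 5, "failed_attempts": 3,
                       "lockout_time_min": 0, "idle_timeout_min": 10},
    "radius_protocol": "CHAP",
    "auto_renew_master_key": True,
    "ha": {"ha1_encryption": True, "rekey_data_mb": 2000, "rekey_interval_min": 60},
    "certificates": [
        {"name": "legacy-mgmt", "key_type": "RSA", "key_bits": 1024, "digest": "sha1"},
        {"name": "gp-portal", "key_type": "ECDSA", "key_bits": 384, "digest": "sha384"},
    ],
}
```

Running `audit_fips_cc(SAMPLE_CONFIG)` reports seven findings (password length, lockout time, CHAP, auto-renew, HA1 rekey size, and the key size and digest of the legacy-mgmt certificate); the gp-portal certificate passes.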