Learn about the security functions, when FIPS-CC mode
When FIPS-CC mode is enabled, the following
security functions are enforced:
To log into the firewall, the browser must be TLS 1.0 (or
later) compatible. On a WF-500 appliance, you manage the appliance
using the CLI only and you must connect using an SSHv2 compatible
All passwords on the firewall must be at least six characters.
You must enforce a
value that is greater than 0 in authentication
settings. If an administrator reaches the
the administrator is locked out for the duration defined in the
You must enforce an
greater than 0 in authentication settings. If a login session is
idle for more than the specified value, the account is automatically
The firewall automatically determines the appropriate level
of self-testing and enforces the appropriate level of strength in
encryption algorithms and cipher suites.
Unapproved FIPS/CC algorithms are not decrypted and are thus
ignored during decryption.
When configuring an IPSec VPN, the administrator must select
a cipher suite option presented to them during the IPSec setup.
Self-generated and imported certificates must contain public
keys that are either RSA 2048 bits (or more) or ECDSA 256 bits (or
more) and you must use a digest of SHA256 or greater.
The serial console port is only available as a status output
port when FIPS-CC mode is enabled.
Telnet, TFTP, and HTTP management connections are unavailable.
High availability (HA) port encryption is required.
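The certificate requirement above (RSA 2048 bits or more, or ECDSA 256 bits or more, with a digest of SHA256 or greater) can be checked locally before a certificate is imported. The following is an added example, not code from the product or its documentation; it assumes the certificate has been dumped with `openssl x509 -noout -text`, and the function name and sample excerpts are constructed for illustration.

```python
import re

# Minimums taken from the page: RSA >= 2048 bits, ECDSA >= 256 bits, digest >= SHA256.
MIN_KEY_BITS = {"rsaEncryption": 2048, "id-ecPublicKey": 256}
MIN_DIGEST_BITS = 256

def check_cert_text(text):
    """Return the violations found in `openssl x509 -noout -text` output ([] if none)."""
    # Anything that cannot be parsed is reported as a violation (fail closed).
    problems = []
    key_alg = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    key_bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    sig_alg = re.search(r"Signature Algorithm:\s*(\S+)", text)

    if not key_alg or key_alg.group(1) not in MIN_KEY_BITS:
        name = key_alg.group(1) if key_alg else "unknown"
        problems.append(f"key type {name} is not RSA or ECDSA")
    elif not key_bits:
        problems.append("public key size not found")
    elif int(key_bits.group(1)) < MIN_KEY_BITS[key_alg.group(1)]:
        problems.append(f"{key_alg.group(1)} key is {key_bits.group(1)} bits, "
                        f"minimum is {MIN_KEY_BITS[key_alg.group(1)]}")

    # Signature algorithm names embed the digest, e.g. sha256WithRSAEncryption or
    # ecdsa-with-SHA384. Names without a SHA-2 size of 256 or more are rejected.
    digest = re.search(r"sha(\d+)", sig_alg.group(1), re.I) if sig_alg else None
    if not digest or int(digest.group(1)) < MIN_DIGEST_BITS:
        name = sig_alg.group(1) if sig_alg else "unknown"
        problems.append(f"signature algorithm {name} does not use SHA256 or greater")
    return problems

# Constructed excerpts of `openssl x509 -noout -text` output (not real certificates).
SAMPLE_OK = """
        Signature Algorithm: ecdsa-with-SHA256
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
"""
SAMPLE_WEAK = """
        Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
"""

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("weak", SAMPLE_WEAK)):
        print(label, check_cert_text(sample) or "meets the minimums")
```

Key types other than RSA and ECDSA, and signature algorithms whose name does not carry a SHA-2 digest size (for example RSA-PSS, where the hash is listed separately), are reported as violations by this check and need manual review.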