End-of-Life (EoL)

FIPS-CC Security Functions

Learn about the security functions, when FIPS-CC mode is enabled.
When FIPS-CC mode is enabled, the following security functions are enforced:
  • To log into the firewall, the browser must be TLS 1.0 (or later) compatible. On a WF-500 appliance, you manage the appliance using the CLI only and you must connect using an SSHv2 compatible client application.
  • All passwords on the firewall must be at least six characters.
  • You must enforce a Failed Attempts and Lockout Time (min) value that is greater than 0 in authentication settings. If an administrator reaches the Failed Attempts threshold, the administrator is locked out for the duration defined in the Lockout Time (min) field.
  • You must enforce an Idle Timeout value greater than 0 in authentication settings. If a login session is idle for more than the specified value, the account is automatically logged out.
  • The firewall automatically determines the appropriate level of self-testing and enforces the appropriate level of strength in encryption algorithms and cipher suites.
  • Algorithms that are not FIPS/CC-approved are not decrypted and are therefore ignored during decryption.
  • When configuring an IPSec VPN, the administrator must select one of the cipher suite options presented during IPSec setup.
  • Self-generated and imported certificates must contain public keys that are either RSA 2048 bits (or more) or ECDSA 256 bits (or more) and you must use a digest of SHA256 or greater.
  • The serial console port is only available as a status output port when FIPS-CC mode is enabled.
  • Telnet, TFTP, and HTTP management connections are unavailable.
  • High availability (HA) port encryption is required.
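The following is an added compliance pre-check, not code from the original page or from Palo Alto Networks, that turns the rules above into a linter you can run over a configuration before enabling FIPS-CC mode. The settings dict, its keys and the sample values are constructed assumptions for illustration; they are not PAN-OS configuration paths or commands.

```python
"""Compliance pre-check against the FIPS-CC rules listed above. Constructed
example: the dict keys and sample values are assumptions, not PAN-OS paths."""

MIN_PASSWORD_LEN = 6                       # "at least six characters"
MIN_KEY_BITS = {"RSA": 2048, "ECDSA": 256}  # certificate public key floors
APPROVED_DIGESTS = {"sha256", "sha384", "sha512"}  # SHA256 or greater
FORBIDDEN_MGMT = {"telnet", "tftp", "http"}  # unavailable in FIPS-CC mode

def fips_cc_violations(cfg: dict) -> list:
    """Return human-readable violations; empty means every rule passed."""
    problems = []
    auth = cfg.get("auth", {})
    # Failed Attempts, Lockout Time (min) and Idle Timeout must all exceed 0.
    for key in ("failed_attempts", "lockout_time_min", "idle_timeout_min"):
        if auth.get(key, 0) <= 0:
            problems.append(f"auth.{key} must be greater than 0")
    for name, pw in cfg.get("admin_passwords", {}).items():
        if len(pw) < MIN_PASSWORD_LEN:
            problems.append(f"password for '{name}' is shorter than {MIN_PASSWORD_LEN}")
    for cert in cfg.get("certificates", []):
        algo, bits = cert.get("key_type", "").upper(), cert.get("key_bits", 0)
        if algo not in MIN_KEY_BITS or bits < MIN_KEY_BITS[algo]:
            problems.append(f"certificate '{cert['name']}' key {algo}-{bits} is too weak")
        if cert.get("digest", "").lower() not in APPROVED_DIGESTS:
            problems.append(f"certificate '{cert['name']}' digest must be SHA256 or greater")
    # Telnet, TFTP and HTTP management connections are unavailable.
    for svc in sorted({s.lower() for s in cfg.get("mgmt_services", [])} & FORBIDDEN_MGMT):
        problems.append(f"management service '{svc}' is unavailable in FIPS-CC mode")
    if cfg.get("ha_enabled") and not cfg.get("ha_encryption"):
        problems.append("HA port encryption is required")
    return problems

# Constructed sample: one configuration that breaks most rules, one that passes.
WEAK_CONFIG = {
    "auth": {"failed_attempts": 0, "lockout_time_min": 30, "idle_timeout_min": 0},
    "admin_passwords": {"admin": "pa55"},
    "certificates": [{"name": "mgmt-ui", "key_type": "RSA", "key_bits": 1024, "digest": "sha1"}],
    "mgmt_services": ["https", "ssh", "telnet", "http"],
    "ha_enabled": True, "ha_encryption": False,
}
STRICT_CONFIG = {
    "auth": {"failed_attempts": 5, "lockout_time_min": 15, "idle_timeout_min": 10},
    "admin_passwords": {"admin": "correct-horse-battery"},
    "certificates": [{"name": "mgmt-ui", "key_type": "ECDSA", "key_bits": 256, "digest": "sha256"}],
    "mgmt_services": ["https", "ssh"],
    "ha_enabled": True, "ha_encryption": True,
}
if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("strict", STRICT_CONFIG)):
        print(label, fips_cc_violations(cfg) or "compliant")
```

The weak configuration yields eight findings (two timer fields, the short password, the 1024-bit key, the SHA-1 digest, telnet, http and unencrypted HA); the strict one yields none.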
