When FIPS-CC mode is enabled, the following security functions are enforced:
To log into the firewall, the browser must be TLS 1.0 (or later) compatible. On a WF-500 appliance, you manage the appliance using the CLI only and you must connect using an SSHv2 compatible client application. All passwords on the firewall must be at least six characters. You must enforce a Failed Attempts and Lockout Time (min) value that is greater than 0 in authentication settings. If an administrator reaches the Failed Attempts threshold, the administrator is locked out for the duration defined in the Lockout Time (min) field. You must enforce an Idle Timeout value greater than 0 in authentication settings. If a login session is idle for more than the specified value, the account is automatically logged out. The firewall automatically determines the appropriate level of self-testing and enforces the appropriate level of strength in encryption algorithms and cipher suites. Unapproved FIPS/CC algorithms are not decrypted and are thus ignored during decryption. When configuring an IPSec VPN, the administrator must select a cipher suite option presented to them during the IPSec setup. Self-generated and imported certificates must contain public keys that are either RSA 2048 bits (or more) or ECDSA 256 bits (or more) and you must use a digest of SHA256 or greater. The serial console port is only available as a status output port when FIPS-CC mode is enabled. Telnet, TFTP, and HTTP management connections are unavailable. High availability (HA) port encryption is required.

Related Documentation