Scrub the Swap Memory on Firewalls or Appliances Running in FIPS-CC Mode

Use the following procedure to remove sensitive information from the swap partition(s) on a firewall or appliance in FIPS-CC mode.
You should ensure that sensitive information is removed from the swap memory before you decommission a firewall or appliance (in FIPS-CC mode) or before you send it in for repair. Use this procedure to remove all cryptographic security parameter (CSP) information from swap partitions.
If you send a firewall that is managed by Panorama in for repair, see Before Starting RMA Firewall Replacement.
  1. Open an SSH management session to the firewall or appliance.
  2. Run the following operational command:
    request [restart | shutdown] system with-swap-scrub [dod | nnsa]
    For example, to shut down the firewall or appliance and perform a Department of Defense (DoD) scrub, run the following command:
    request shutdown system with-swap-scrub dod
  3. Press Y at the warning prompt to start the scrub.
  4. Verify that the scrub completed successfully. View the System log and filter on the word swap. The System log indicates the scrub status for each swap partition (either one or two partitions depending on the model) and also displays a log entry that indicates the overall status of the scrub. If the scrub completed successfully on all swap partitions, the System log shows Swap space scrub was successful.
    If the scrub failed on one or more swap partitions, the System log shows Swap space scrub was unsuccessful. The following screen capture shows the log results for a firewall that has two partitions.
    [Screen capture fips-scrub-log.png: System log entries for a scrub on a firewall with two swap partitions]
    To view the scrub logs using the CLI, run the show log system | match swap command.
    If you initiate the scrub using the shutdown command, the firewall or appliance will power off after the scrub completes. Before you can power on the firewall or appliance, you must first disconnect and reconnect the power source.
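As an added example (not part of the Palo Alto Networks documentation or the product), the following Python script checks a saved copy of the `show log system | match swap` output for the overall scrub result and refuses to treat the device as clean when neither status message is present. Only the two overall status strings come from this page; the per-partition line shape and the sample log lines are constructed assumptions.

```python
"""Check saved output of `show log system | match swap` for the scrub result.

Only the two overall status strings come from the documentation; the
per-partition line shape below is a constructed assumption for this example.
"""
import re

SUCCESS_MSG = "Swap space scrub was successful"
FAILURE_MSG = "Swap space scrub was unsuccessful"

# Assumed per-partition line, e.g. "... swap partition 1 scrub: successful"
PARTITION_RE = re.compile(r"swap partition (\S+) scrub: (\w+)", re.IGNORECASE)


def scrub_status(log_text: str) -> dict:
    """Return {'overall': ..., 'partitions': {...}} from the filtered log.

    overall is 'success', 'failure', or 'unknown' (no overall message found,
    e.g. the scrub never ran or the log was rotated). An 'unknown' result
    must not be treated as a clean device before decommissioning or RMA.
    """
    partitions = {}
    overall = "unknown"
    for line in log_text.splitlines():
        if SUCCESS_MSG in line:
            overall = "success"
        elif FAILURE_MSG in line:
            overall = "failure"
        m = PARTITION_RE.search(line)
        if m:
            partitions[m.group(1)] = m.group(2).lower()
    # Defensive: any partition line that is not 'successful' blocks release.
    if any(s != "successful" for s in partitions.values()):
        overall = "failure"
    return {"overall": overall, "partitions": partitions}


def safe_to_release(log_text: str) -> bool:
    """True only when the overall message is success and no partition failed."""
    return scrub_status(log_text)["overall"] == "success"


# Constructed sample output for a two-partition model (not real PAN-OS logs).
SAMPLE_OK = """\
2024/01/01 10:00:01 system general swap partition 1 scrub: successful
2024/01/01 10:00:02 system general swap partition 2 scrub: successful
2024/01/01 10:00:02 system general Swap space scrub was successful
"""
SAMPLE_BAD = """\
2024/01/01 10:00:01 system general swap partition 1 scrub: successful
2024/01/01 10:00:02 system general swap partition 2 scrub: failed
2024/01/01 10:00:02 system general Swap space scrub was unsuccessful
"""

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, scrub_status(text), "release:", safe_to_release(text))
```

Feed it the real filtered log text captured from the CLI session; an empty or rotated log yields 'unknown', which is treated as not safe to release.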
