When FIPS-CC mode is enabled, the following security functions are enforced on all firewalls and appliances:

- To log in, the browser must be TLS 1.1 (or later) compatible. On a WF-500 appliance, you manage the appliance only through the CLI and must connect using an SSHv2-compatible client application.
- All passwords must be at least six characters.
- You must ensure that Failed Attempts and Lockout Time (min) are greater than 0 in the authentication settings. If an administrator reaches the Failed Attempts threshold, the administrator is locked out for the duration defined in the Lockout Time (min) field.
- You must ensure that the Idle Timeout is greater than 0 in the authentication settings. If a login session is idle for longer than the specified time, the administrator is automatically logged out.
- The firewall or appliance automatically determines the appropriate level of self-testing and enforces the appropriate level of strength in encryption algorithms and cipher suites.
- Unapproved FIPS-CC algorithms are not decrypted; they are ignored during decryption.
- You are required to use a RADIUS server profile configured with an authentication protocol that uses TLS encryption. PAP and CHAP are not compliant protocols and shall not be used in FIPS-CC mode.
- When configuring an IPSec VPN, the administrator must select one of the cipher suite options presented during the IPSec setup.
- Self-generated and imported certificates must contain public keys that are either RSA 2,048 bits (or more) or ECDSA 256 bits (or more), and must use a digest of SHA256 or greater.
- Telnet, TFTP, and HTTP management connections are not available.
- (New HA Deployments) You must enable encryption for the HA1 control link when you set up high availability (HA) for firewalls in FIPS-CC mode. You must also set the automatic rekeying parameters: the data parameter must be set to a value no greater than 1000 MB (you cannot let it default), and a time interval must be set (you cannot leave it disabled).
- (Existing HA Deployments) Before you change the operational mode to FIPS-CC mode for firewalls in a high availability (HA) configuration, you must first disable HA. After you change the operational mode to FIPS-CC mode on both HA peers, re-enable HA and enable encryption for the HA1 control link as described above.
- The serial console port in FIPS-CC mode functions as a limited status output port only; CLI access is not available.
- The serial console port on hardware and private-cloud VM-Series firewalls booted into the MRT provides interactive access to the MRT. Interactive console access is not supported in the hypervisor environment for private-cloud VM-Series firewalls booted into the MRT; you can access the MRT only using SSH.
- You must manually configure a new master key before the old master key expires; Auto Renew Master Key is not supported in FIPS-CC mode.
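The requirements above are the kind of settings an operator wants to audit before declaring a device FIPS-CC ready. The following is an added example, not vendor code: it encodes the thresholds from the list (password length, lockout and idle timers, RADIUS protocol, certificate key sizes and digest, disabled management services, HA1 encryption and rekey limits, master key renewal) as rules and runs them over a constructed settings dictionary. The dictionary's field names are hypothetical and model the settings descriptively; they are not the firewall's own configuration format or API.

```python
"""Audit firewall settings against the FIPS-CC requirements listed above.

Added example, not vendor code: the configuration is a constructed dict with
descriptive field names, not the firewall's own configuration format or API.
"""

# Thresholds taken from the requirements above.
MIN_PASSWORD_LEN = 6
MIN_RSA_BITS = 2048
MIN_ECDSA_BITS = 256
APPROVED_DIGESTS = {"sha256", "sha384", "sha512"}  # SHA256 or greater
MAX_HA1_REKEY_MB = 1000
NONCOMPLIANT_RADIUS = {"pap", "chap"}
UNAVAILABLE_MGMT = {"telnet", "tftp", "http"}


def audit_fips_cc(cfg: dict) -> list:
    """Return a list of findings; an empty list means every rule passed."""
    findings = []

    auth = cfg.get("authentication", {})
    if auth.get("failed_attempts", 0) <= 0:
        findings.append("Failed Attempts must be greater than 0")
    if auth.get("lockout_time_min", 0) <= 0:
        findings.append("Lockout Time (min) must be greater than 0")
    if auth.get("idle_timeout_min", 0) <= 0:
        findings.append("Idle Timeout must be greater than 0")
    if auth.get("min_password_length", 0) < MIN_PASSWORD_LEN:
        findings.append(f"passwords must be at least {MIN_PASSWORD_LEN} characters")

    # RADIUS: the protocol must use TLS; PAP and CHAP are never acceptable.
    for name, prof in cfg.get("radius_profiles", {}).items():
        proto = prof.get("protocol", "").lower()
        if proto in NONCOMPLIANT_RADIUS or not prof.get("tls", False):
            findings.append(f"RADIUS profile {name}: {proto or 'unset'} is not a TLS-based protocol")

    # Certificates: RSA >= 2048, ECDSA >= 256, digest SHA256 or greater.
    for name, cert in cfg.get("certificates", {}).items():
        algo = cert.get("key_algorithm", "").upper()
        bits = cert.get("key_bits", 0)
        if algo == "RSA" and bits < MIN_RSA_BITS:
            findings.append(f"certificate {name}: RSA key must be at least {MIN_RSA_BITS} bits")
        elif algo == "ECDSA" and bits < MIN_ECDSA_BITS:
            findings.append(f"certificate {name}: ECDSA key must be at least {MIN_ECDSA_BITS} bits")
        elif algo not in ("RSA", "ECDSA"):
            findings.append(f"certificate {name}: key algorithm must be RSA or ECDSA")
        if cert.get("digest", "").lower() not in APPROVED_DIGESTS:
            findings.append(f"certificate {name}: digest must be SHA256 or greater")

    for svc in cfg.get("management_services", []):
        if svc.lower() in UNAVAILABLE_MGMT:
            findings.append(f"management service {svc} is not available in FIPS-CC mode")

    # HA: HA1 encryption on, rekey data <= 1000 MB and a rekey interval set.
    ha = cfg.get("high_availability", {})
    if ha.get("enabled"):
        ha1 = ha.get("ha1", {})
        if not ha1.get("encryption"):
            findings.append("HA1 control link encryption must be enabled")
        rekey = ha1.get("rekey", {})
        data_mb = rekey.get("data_mb")
        if data_mb is None or data_mb > MAX_HA1_REKEY_MB:
            findings.append(f"HA1 rekey data parameter must be set to at most {MAX_HA1_REKEY_MB} MB")
        if not rekey.get("interval_min"):
            findings.append("HA1 rekey time interval must be set")

    if cfg.get("master_key", {}).get("auto_renew"):
        findings.append("Auto Renew Master Key is not supported; rotate the master key manually")

    return findings


# Constructed sample settings (hypothetical values, not from any real device).
NONCOMPLIANT_CONFIG = {
    "authentication": {"failed_attempts": 0, "lockout_time_min": 0,
                       "idle_timeout_min": 0, "min_password_length": 4},
    "radius_profiles": {"legacy": {"protocol": "CHAP", "tls": False}},
    "certificates": {"web-mgmt": {"key_algorithm": "RSA", "key_bits": 1024, "digest": "sha1"}},
    "management_services": ["telnet", "https"],
    "high_availability": {"enabled": True, "ha1": {"encryption": False, "rekey": {}}},
    "master_key": {"auto_renew": True},
}

COMPLIANT_CONFIG = {
    "authentication": {"failed_attempts": 5, "lockout_time_min": 30,
                       "idle_timeout_min": 10, "min_password_length": 8},
    "radius_profiles": {"corp": {"protocol": "EAP-TTLS", "tls": True}},
    "certificates": {
        "web-mgmt": {"key_algorithm": "RSA", "key_bits": 2048, "digest": "sha256"},
        "vpn": {"key_algorithm": "ECDSA", "key_bits": 256, "digest": "sha384"},
    },
    "management_services": ["https", "ssh"],
    "high_availability": {"enabled": True,
                          "ha1": {"encryption": True, "rekey": {"data_mb": 1000, "interval_min": 60}}},
    "master_key": {"auto_renew": False},
}

if __name__ == "__main__":
    for label, cfg in (("noncompliant", NONCOMPLIANT_CONFIG), ("compliant", COMPLIANT_CONFIG)):
        print(f"{label}: {len(audit_fips_cc(cfg))} finding(s)")
        for finding in audit_fips_cc(cfg):
            print("  -", finding)
```

The rules are deliberately strict in the direction the requirements point: a missing or unset value counts as a finding (an absent rekey data parameter is treated the same as the default the list says you cannot accept), so a partially exported configuration fails loudly rather than passing by omission.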
- (Panorama managed devices) Review the Panorama support of firewalls and Log Collectors when FIPS-CC is enabled.

| Panorama | Firewall FIPS-CC Enabled | Firewall FIPS-CC Disabled | Log Collector FIPS-CC Enabled | Log Collector FIPS-CC Disabled |
|---|---|---|---|---|
| FIPS-CC Enabled | Supported | Supported | Supported | Supported |
| FIPS-CC Disabled | Not Supported | Supported | Not Supported | Supported |

- Review the requirements to import certificates in FIPS-CC mode.