FIPS-CC Security Functions

When FIPS-CC mode is enabled, the following security functions are enforced on all firewalls and appliances:
  • To log in, the browser must be TLS 1.1 (or later) compatible; on a WF-500 appliance, you manage the appliance only through the CLI and you must connect using an SSHv2-compatible client application.
  • All passwords must be at least six characters.
  • You must ensure that
    Failed Attempts
    Lockout Time (min)
    are greater than 0 in authentication settings. If an administrator reaches the
    Failed Attempts
    threshold, the administrator is locked out for the duration defined in the
    Lockout Time (min)
  • You must ensure that the
    Idle Timeout
    is greater than 0 in authentication settings. If a login session is idle for more than the specified time, the administrator is automatically logged out.
  • The firewall or appliance automatically determines the appropriate level of self-testing and enforces the appropriate level of strength in encryption algorithms and cipher suites.
  • Unapproved FIPS-CC algorithms are not decrypted—they are ignored during decryption.
  • MS-CHAPv2 is not compatible with FIPS-CC mode. It is recommended to use RADIUS with TLS.
  • When configuring an IPSec VPN, the administrator must select a cipher suite option presented to them during the IPSec setup.
  • Self-generated and imported certificates must contain public keys that are either RSA 2,048 bits (or more) or ECDSA 256 bits (or more); you must also use a digest of SHA256 or greater.
    You cannot use a hardware security module (HSM) to store the private ECDSA keys used for SSL Forward Proxy or SSL Inbound Inspection.
  • Telnet, TFTP, and HTTP management connections are not available.
  • You must enable encryption for the HA1 control link. You must set automatic rekeying parameters; you must set the data parameter to a value no greater than 1000 MB (you cannot let it default) and you must set a time interval (you cannot leave it disabled).
  • The serial console port in FIPS-CC mode functions as a limited status output port only; CLI access is not available.
  • The serial console port on hardware and private-cloud VM-Series firewalls booted into the MRT provides interactive access to the MRT.
  • Interactive console access is not supported in the hypervisor environment private-cloud VM-Series firewalls booted into the MRT; you can access the MRT only using SSH.
  • You must manually configure a new master key before the old master key expires;
    Auto Renew Master Key
    is not supported in FIPS-CC mode.
    If the master key expires, the firewall or Panorama automatically reboots in Maintenance mode. You must then Reset the Firewall to Factory Default Settings.
  • (
    Panorama managed firewalls
    ) A firewall in FIPS-CC mode must be managed by a Panorama™ management server in FIPS-CC mode.
    Management of a firewall in FIPS-CC mode is not supported for a Panorama not in FIPS-CC mode.

Recommended For You