Scrub the Swap Memory on Firewalls or Appliances Running in FIPS-CC Mode

Use the following procedure to remove sensitive information from the swap partition(s) on a firewall or appliance in FIPS-CC mode.
You should ensure that sensitive information is removed from the swap memory before you decommission a firewall or appliance (in FIPS-CC mode) or before you send it in for repair. Use this procedure to remove all cryptographic security parameter (CSP) information from swap partitions.
If you send a firewall that is managed by Panorama in for repair, see Before Starting RMA Firewall Replacement.
  1. Open an SSH management session to the firewall or appliance.
  2. Run the following operational command:
    request [restart | shutdown] system with-swap-scrub [dod | nnsa]
    For example, to shut down the firewall or appliance and perform a Department of Defense (DoD) scrub, run the following command:
    request shutdown system with-swap-scrub dod
  3. Press
    at the warning prompt to start the scrub.
  4. Verify that the scrub completed successfully. View the
    log and filter on the word
    . The
    log indicates the scrub status for each swap partition (either one or two partitions depending on the model) and also displays a log entry that indicates the overall status of the scrub. If the scrub completed successfully on all swap partitions, the
    log shows
    Swap space scrub was successful
    If the scrub failed on one or more swap partitions, the
    log shows
    Swap space scrub was unsuccessful
    . The following screen capture shows the log results for a firewall that has two partitions.
    To view the scrub logs using the CLI, run the
    show log system | match swap
    If you initiate the scrub using the shutdown command, the firewall or appliance will power off after the scrub completes. Before you can power on the firewall or appliance, you must first disconnect and reconnect the power source.

Recommended For You