Focus

Prisma SD-WAN

Prerequisites to FIPS-CC Mode

Table of Contents

Filter

Expand All | Collapse All

Prisma SD-WAN Docs

Activation & Onboarding
Administration
CloudBlades
Select a Document
- CloudBlade Integrations
- CloudBlades Integration with Prisma Access
Deployment
Incidents & Alerts
Reference
Release Notes
Select a Document
- 6.5
- 6.4
- 6.3
- 6.2
- 6.1
- 5.6
- New Features Guide
- On-Premises Controller
- Prisma SD-WAN CloudBlades
- Prisma Access CloudBlade Cloud Managed
- Prisma Access CloudBlade Panorama Managed

FIPS Approved Ciphers and Algorithms

Switch From Non-FIPS to FIPS Mode

Prerequisites to FIPS-CC Mode

Learn prerequisites to FIPS-CC mode.

Where Can I Use This?	What Do I Need?
Prisma SD-WAN	Prisma SD-WAN license

The prerequisites to FIPS-CC mode are:

All variants of Prisma SD-WAN Controllers (On-Premises, Commercial, FedRAMP) adhere to the X.509 certificate specifications.
Certificate revocation is checked based on the following conditions:
- OCSP-based (Online Certificate Status Protocol) checks are enabled by default in FIPS-CC mode. You cannot disable the checks.
- TLS and standard IPSec VPN connections are dropped if the revocation check fails.
- If no OCSP parameters are included in the certificate, OCSP revocation checks are ignored. For example, in a syslog profile with TLS, if the certificate does not contain the OCSP attributes, the ION can't check the revocation status and hence will allow the TLS connection to be established.
- If OCSP attributes are included in the certificate and if the certificate is revoked, connections will be dropped mandatorily.
- If an ION device is unable to reach the OCSP responder, the IPsec and TLS connections fail.
- The OCSP responder should be reachable from the source interface used for the syslog server or the standard VPN interface. OCSP certificate revocation is done only for syslog over TLS and standard IPSec (VPN ) tunnel using certificate-based authentication.
NTP authentication is based on the following conditions:
- NTP Authentication is only enabled in the FIPS-CC mode; it is disabled by default.
- An ION device supports only SHA256 for NTP authentication; MD5 is not supported.
- During ION device upgrade and FIPS mode change scenarios, you must explicitly enable NTP authentication after the upgrade and/or completion of the FIPS-CC mode change to comply with CC specifications.
- To downgrade an ION device to pre-6.5.1, you must explicitly disable NTP authentication.
Standard IPSec VPN symmetric algorithm key strength requirements are adhered to when upgrading an ION device to 6.5.x in FIPS-CC mode.
- IKEv2 is supported only in FIPS-CC mode. You need to update the standard IPSec VPN profile if IKEv1 is configured before upgrading to 6.5.1 or changing the mode to release 6.5.1.
- Only approved encryption and hashing algorithms are allowed for IKE and standard IPSec VPN proposals.
- Approved DH groups and X.509 validations are supported.
- The IKE encryption key size should be greater than the IPSec encryption key size when negotiating between IPSec endpoints (ION device and third-party peer).
- If unsupported encryptions are used in configuring Syslog TLS, connections will fail.

FIPS Approved Ciphers and Algorithms

Switch From Non-FIPS to FIPS Mode

Prisma SD-WAN Docs

Prerequisites to FIPS-CC Mode

Prisma SD-WAN Docs

Prerequisites to FIPS-CC Mode

Activation & Onboarding

SASE

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

Prisma SD-WAN Integration

Prisma SD-WAN Experts Corner

Best Practices

Resources