topic Re: FIPS and Hotfix Installation in Firewall and Security Management

FIPS and Hotfix Installation

gto_gary — Sat, 18 Apr 2026 21:04:08 GMT

Hi All,

I have a need to enable FIPS mode on a number of our 81.20 take 120 appliances to meet some compliance requirements. I am working in a virtual lab environment to test this out. I do understand that ssh, https (web interface), and cprid are unavailable in R81.20 when running in FIPS mode. However I was under the impression after reading:

https://community.checkpoint.com/t5/Firewall-and-Security-Management/Disable-FIPS-for-HotFix-install/td-p/248338

and other similar posts that after enabling FIPS I would no longer be able to install a jumbo hotfix on the gateways. However in my lab I have found that I can indeed install take 127 after enabling FIPS mode.

To install, I enabled ssh on the gateway so I could manually copy the offline package to the gateway. Then used CPUSE to import and install the hotfix with no issues that I can see.

I used the following commands to enable FIPS as listed in (pg30):

chkconfig --add jitterentropy_rngd_init
chkconfig --level 2345 jitterentropy_rngd_init on
fips on

https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4264.pdf

Should this have been possible in FIPS mode? Or perhaps I did not enable it properly?

I need to understand what to expect in our production environments when in comes time to install jumbos.

I appreciate any clarity you can help provide!

Re: FIPS and Hotfix Installation

Chris_Atkinson — Sun, 19 Apr 2026 04:03:44 GMT

Not to oversimplify it but in ways FIPS by nature conflicts with the need to regularly update security products...

@Malcolm_Levy Touches on this topic here:

https://community.checkpoint.com/t5/Firewall-and-Security-Management/FIPS-mode-operation-and-some-manual-configurations/m-p/97289

Re: FIPS and Hotfix Installation

Malcolm_Levy — Sun, 19 Apr 2026 04:21:45 GMT

The FIPS 140-2 implementation is distributed amongst the libraries identified in the FIPS Security Policy.

In the 140-3 implementation the security relevant code will just be an updated jitter and CPOpenSSL library.

Further, the FIPS mode will be based on the OpenSSL FIPS provider rather than the legacy code.

The code will be fully integrated in of R82.20.

The code will also be in a branch of R82.10 that will be used by FedRAMP

With the new code the existing restrictions will be removed, but I cannot tell you the support that will be provided for the R82.10 branch.

Re: FIPS and Hotfix Installation

gto_gary — Mon, 20 Apr 2026 14:02:52 GMT

HI,

Thank you for your reply!

For my immediate requirements I need to know if what the restriction is on applying a Jumbo Hotfix on a FIPS enabled gateway? Is the method I used to install a hotfix on a FIPS gateway supported?

Thank you!

Re: FIPS and Hotfix Installation

Malcolm_Levy — Mon, 20 Apr 2026 14:21:01 GMT

Gary,

If you find your method works I will not contradict. As certifications are for a point release, and FIPS 140-2 does not support updates, your question is outside the scope of the certification work and therefore not considered when we certify. However, we have certified multiple versions on the same FIPS 140-2 certificate to provide an upgrade path.

I would recommend to make a fresh installation, preferably of R82 as the latest that is certified, take the latest JHF and after configuration enable FIPS mode. As data is stored on the Management Server I don't even think that back up of the data should be required.

Re: FIPS and Hotfix Installation

gto_gary — Mon, 20 Apr 2026 14:33:24 GMT

Thank you Malcom!

So while the method may work, FIPS 140-2 does not support updates. So the best method when it comes time for a new jumbo is a clean install, install the latest jumbo, and Enable FIPS.

I really appreciate the assistance!

Re: FIPS and Hotfix Installation

Malcolm_Levy — Mon, 20 Apr 2026 14:37:48 GMT

Gary,

It is always safer to tread a standard well trodden path than to hoe your own! So yes, that is my recommendation.

Malcolm