https://community.checkpoint.com/t5/Firewall-and-Security-Management/FIPS-mode-operation-and-some-manual-configurations/m-p/159635#M27996 <P>FIPS mode is restricted by design. This will be reviewed for our next FIPS certification, but be aware the FIPS certification process is very long.&nbsp;</P> <P>Most customers prefer to run in a self-configured FIPS like mode which is the reason this document was written. I understand that the restrictions were originally implemented to prevent modification into a configuration that is not FIPS compliant. There is a conflict between the FIPS standard that does not allow flaw remediation and a security product that is under constant revision. Understandably, customers of security products need the ability to apply updates.&nbsp;</P> Sat, 15 Oct 2022 18:47:57 GMT Malcolm_Levy 2022-10-15T18:47:57Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/FIPS-mode-operation-and-some-manual-configurations/m-p/97289#M7550 <P>The attached provides some information on FIPS mode, and commands that can be used when not in FIPS mode to achieve some of the same&nbsp;</P> <P>31-May-2022: I've updated according to the current status. For the new certificate we are waiting for the Validator approval. Hope to hear in a short time.</P> <P>22-September-2022: Removed May document and replaced with August version following certificate award</P> Thu, 22 Sep 2022 07:43:35 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/FIPS-mode-operation-and-some-manual-configurations/m-p/97289#M7550 Malcolm_Levy 2022-09-22T07:43:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/FIPS-mode-operation-and-some-manual-configurations/m-p/109490#M14923 <P>Hi Malcolm, RE: R80.10 and R80.20 soon to be R81.</P><P>How can I show a FISMA auditor that FIPs is enabled when a customer connects with TLS 1.2 to our SSLVPN?&nbsp; There is no mention of FIPS in the ES admin guide.&nbsp; Assuming windows OS and browser they are connecting from is using FIPs would be enforced by an ES policy.</P><P>On the CP VPN side, RE: site to site, Endpoint Security or SSLVPN (network extender) I haven't found a way to show that FIPS is enabled/disabled one way or the other. I do see the libraries and FIPs certification. Would FIPs have to be turned on - on the gateway for it to be supported on the VPN?<BR /><A href="https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2995.pdf" target="_blank" rel="noopener">https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2995.pdf</A> IOW, on the CP side how can we show proof FIPs is enabled, other than<BR />Checkpoint is using a validated cryptographic module per: <A href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules" target="_blank" rel="noopener">https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules</A></P> Mon, 01 Feb 2021 20:26:31 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/FIPS-mode-operation-and-some-manual-configurations/m-p/109490#M14923 Daniel_Kavan 2021-02-01T20:26:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/FIPS-mode-operation-and-some-manual-configurations/m-p/109803#M14995 <P>1. It is only possible to see if FIPS mode is enabled on the GW</P> <P>2. The status of FIPS mode can be seen by:</P> <P>ckp_regedit -p "software\\checkpoint\\SIC\\FIPS_140"</P> <P>or</P> <P>ckp_regedit -p "software\\checkpoint\\SIC” and looking for fips registry</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Malcolm_Levy_0-1612441064885.png" style="width: 1168px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/10452i1DDCA789C2E0BDDB/image-dimensions/1168x71?v=v2" width="1168" height="71" role="button" title="Malcolm_Levy_0-1612441064885.png" alt="Malcolm_Levy_0-1612441064885.png" /></span></P> <P>3. Enabling FIPS mode does not change the cryptographic library (there is a single library on the GW) or protocol implementation of SSL VPN (including TLS 1.2) and it should be noted FIPS does not validate protocols, only crypto algorithms (it does validate Key Derivation Functions - KDFs)</P> <P>5. For configuring cyphers refer to <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk126613&amp;partition=Advanced&amp;product=Security" target="_blank">sk126613: Cipher configuration tool for Security Gateways</A></P> Thu, 04 Feb 2021 12:38:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/FIPS-mode-operation-and-some-manual-configurations/m-p/109803#M14995 Malcolm_Levy 2021-02-04T12:38:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/FIPS-mode-operation-and-some-manual-configurations/m-p/132868#M19736 <P>Hi Malcolm,</P> <P>After FIPs is enabled on the gw,&nbsp; on the client side - can both SSLVPN (logging into the portal) and using the fat client (Endpoint Security/Harmony) be FIPS compliant?&nbsp; &nbsp; I'm fairly certain both the fat Harmony client could also be configured with FIPS as well as the web client (SSLVPN portal). It would just require the windows PC on the client end to be FIPs compliant.&nbsp; &nbsp;Maybe, nothing more needs to be done on the ES / Harmony client or the web (sslvpn) client.</P> Fri, 29 Oct 2021 14:42:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/FIPS-mode-operation-and-some-manual-configurations/m-p/132868#M19736 Daniel_Kavan 2021-10-29T14:42:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/FIPS-mode-operation-and-some-manual-configurations/m-p/159633#M27995 <P><SPAN>From the above attached pdf, FIPS mode disables SSH, Web</SPAN><SPAN>UI, the remote installation daemon cprid_d and removes </SPAN><SPAN>support for SSLv3 from SIC (i.e. only TLS is supported). When in FIPS mode access to the </SPAN><SPAN>fw, fwm, and vpn command line utilities are removed. FIPS mode disables </SPAN><SPAN>AES</SPAN><SPAN>-</SPAN><SPAN>NI, CPRID</SPAN><SPAN>the QOS blade and the moni</SPAN><SPAN>toring blade</SPAN></P> <P>&nbsp;</P> <P><STRONG>How are you supposed to manage the gateway if you can't manage the gw with webui OR SSH?&nbsp; &nbsp;How are you supposed to manage VPN tunnel if it disable vpn command and the monitoring blade?</STRONG></P> Sat, 15 Oct 2022 14:44:17 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/FIPS-mode-operation-and-some-manual-configurations/m-p/159633#M27995 Daniel_Kavan 2022-10-15T14:44:17Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/FIPS-mode-operation-and-some-manual-configurations/m-p/159635#M27996 <P>FIPS mode is restricted by design. This will be reviewed for our next FIPS certification, but be aware the FIPS certification process is very long.&nbsp;</P> <P>Most customers prefer to run in a self-configured FIPS like mode which is the reason this document was written. I understand that the restrictions were originally implemented to prevent modification into a configuration that is not FIPS compliant. There is a conflict between the FIPS standard that does not allow flaw remediation and a security product that is under constant revision. Understandably, customers of security products need the ability to apply updates.&nbsp;</P> Sat, 15 Oct 2022 18:47:57 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/FIPS-mode-operation-and-some-manual-configurations/m-p/159635#M27996 Malcolm_Levy 2022-10-15T18:47:57Z