topic Re: Enable FIPS mode in General Topics

Enable FIPS mode

fly1ng_circus — Thu, 22 Sep 2022 14:09:01 GMT

I have searched all over and have found no information on how to enable FIPS mode. Needing to do some testing but can't find documentation on how to enable it.

Re: Enable FIPS mode

G_W_Albrecht — Thu, 22 Sep 2022 15:59:23 GMT

Here you can find it, a switch called called ext_fips: sk98252: List of Role-Based Access features in Gaia OS

Re: Enable FIPS mode

G_W_Albrecht — Fri, 23 Sep 2022 09:46:08 GMT

Here an older discussion with more information: FIPS mode operation and some manual configurations

Re: Enable FIPS mode

the_rock — Fri, 23 Sep 2022 13:12:00 GMT

Not very clear what to look for in that article once you are in /bin and check fips file...if you search for ext_fips, does not find anything.

Re: Enable FIPS mode

fly1ng_circus — Fri, 23 Sep 2022 13:30:06 GMT

no none of it is very clear. I did find the switch to turn it on, but this was very obscure when trying to hunt it all down.

Re: Enable FIPS mode

the_rock — Fri, 23 Sep 2022 13:31:59 GMT

Agree 100%.

Re: Enable FIPS mode

G_W_Albrecht — Sat, 24 Sep 2022 06:10:38 GMT

Did you read FIPS mode operation and some manual configurations ?

Re: Enable FIPS mode

fly1ng_circus — Mon, 26 Sep 2022 13:34:01 GMT

I have been looking through that Doc yes. Thank you.

Re: Enable FIPS mode

fly1ng_circus — Mon, 26 Sep 2022 17:00:48 GMT

the problem I think that is still happening is that when FIPS mode is enabled on the gateway the management station immediately loses connectivity to the gateway. This is what appears to be very poorly documented as to how to complete the full configuration and keep communication established to the gateways from the management server once fips mode is turned on.

Re: Enable FIPS mode

fly1ng_circus — Mon, 26 Sep 2022 17:03:36 GMT

I guess I can't say it loses all connectivity. SIC claims that it is still communicating. but policy can no longer be installed.

Re: Enable FIPS mode

_Val_ — Tue, 27 Sep 2022 07:15:50 GMT

please take this with TAC

Re: Enable FIPS mode

Fire_Verse — Wed, 27 Sep 2023 06:16:47 GMT

I can confirm that when I run 'fips on' in an R81.20/R81.10 environment, I do NOT lose SIC connectivity on the gateways.

I do lose the WebUI (443 or 4434), SSH, ~~SSL VPN~~ (SSL VPN works), and remote access IPSEC VPN (see screenshot).

However I can still install policy on the gateways in FIPS mode.

Re: Enable FIPS mode

the_rock — Tue, 26 Sep 2023 23:13:43 GMT

Whats the command you ran to enable it? I want to try it in the lab tomorrow.

Andy

Re: Enable FIPS mode

Fire_Verse — Tue, 26 Sep 2023 23:33:53 GMT

I ran just the basic 'fips on'. BTW make sure to snapshot the image, because 'fips off' is no longer supported (despite what the documentation might say). You will not be able to back out of FIPS once you enable it on the gateway.

Oooops.

[Expert@firewall-test:0]# fips
Usage:
fips on | off | integrity on

[Expert@firewall-test:0]# fips on
cpridstop: cprid watchdog stopped
cpridstop: cprid stopped
Stopping sshd: [ OK ]
Generating default filter
defaultfilter:
Compiled OK.
defaultfilter:
Compiled OK.
Backing up default.bin as default.bin.bak
Backing up default.bin6 as default.bin6.bak

[Expert@firewall-test:0]# fips off
The command 'fips off' is no longer supported. FIPS mode cannot be disabled

Re: Enable FIPS mode

the_rock — Tue, 26 Sep 2023 23:47:55 GMT

Wow, thats crazy. Ok, I got lots of R81.20 lab fws, so will try on one tomorrow and update.

Thank you!

Andy

Re: Enable FIPS mode

the_rock — Wed, 27 Sep 2023 00:47:24 GMT

Yup, got EXACT same result...wow, thats truly disappointing. I hope it gets changed at some point.

Andy

[Expert@CP-TEST-ONLY-FW:0]# fips on
cpridstop: cprid watchdog stopped
cpridstop: cprid stopped
Stopping sshd: [ OK ]
Generating default filter
defaultfilter:
Compiled OK.
defaultfilter:
Compiled OK.
Backing up default.bin as default.bin.bak
Backing up default.bin6 as default.bin6.bak
initial_module:
Compiled OK.
initial_module:
Compiled OK.
[Expert@CP-TEST-ONLY-FW:0]# fips off
.bash_history .bash_profile .clish_history 1
.bash_logout .bashrc .toprc last_dump.log
[Expert@CP-TEST-ONLY-FW:0]# fips off
The command 'fips off' is no longer supported. FIPS mode cannot be disabled
[Expert@CP-TEST-ONLY-FW:0]#

Re: Enable FIPS mode

the_rock — Wed, 27 Sep 2023 00:49:30 GMT

Btw, if you want couple minutes, web UI does come back.

Andy

Re: Enable FIPS mode

Fire_Verse — Wed, 27 Sep 2023 06:24:10 GMT

I corrected my post above. After running 'fips on'

SSL VPN portal page does come up and allows login
SSH: disabled (expected)
GAIA WebGUI on 4434: disabled (expected)
Check Point Mobile client sees "Ike negotiation with gateway failed" (not expected)
Site-to-site VPN not tested yet

Lab Environment:

R81.20 SMS w Jumbo 10

R81.10 gateway w Jumbo 110

Re: Enable FIPS mode

the_rock — Wed, 27 Sep 2023 10:20:29 GMT

Here are my results on R81.20 jumbo 26:

web UI on port 443 failed initially after enabling FIPS, but then worked 2 mins later

ssh failed

S2S failed

AFTER reboot web UI also failed.

Andy

Re: Enable FIPS mode

Malcolm_Levy — Wed, 27 Sep 2023 23:02:55 GMT

Instructions for enabling FIPS mode are included in the Security Policy that is published by NIST under the certification listing together with the certification certificate https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4264