Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
fly1ng_circus
Contributor
Jump to solution

Enable FIPS mode

I have searched all over and have found no information on how to enable FIPS mode. Needing to do some testing but can't find documentation on how to enable it.

0 Kudos
1 Solution

Accepted Solutions
G_W_Albrecht
Legend Legend
Legend

Here you can find it, a switch called called ext_fips: sk98252: List of Role-Based Access features in Gaia OS

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

52 Replies
G_W_Albrecht
Legend Legend
Legend

Here you can find it, a switch called called ext_fips: sk98252: List of Role-Based Access features in Gaia OS

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
G_W_Albrecht
Legend Legend
Legend

Here an older discussion with more information:         FIPS mode operation and some manual configurations               

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
Legend
Legend

Not very clear what to look for in that article once you are in /bin and check fips file...if you search for ext_fips, does not find anything.

0 Kudos
fly1ng_circus
Contributor

no none of it is very clear. I did find the switch to turn it on, but this was very obscure when trying to hunt it all down.

0 Kudos
the_rock
Legend
Legend

Agree 100%.

0 Kudos
G_W_Albrecht
Legend Legend
Legend

Did you read         FIPS mode operation and some manual configurations                ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
fly1ng_circus
Contributor

I have been looking through that Doc yes. Thank you.

0 Kudos
fly1ng_circus
Contributor

the problem I think that is still happening is that when FIPS mode is enabled on the gateway the management station immediately loses connectivity to the gateway. This is what appears to be very poorly documented as to how to complete the full configuration and keep communication established to the gateways from the management server once fips mode is turned on.

0 Kudos
fly1ng_circus
Contributor

I guess I can't say it loses all connectivity. SIC claims that it is still communicating. but policy can no longer be installed.

0 Kudos
_Val_
Admin
Admin

please take this with TAC

0 Kudos
Fire_Verse
Contributor

I can confirm that when I run 'fips on' in an R81.20/R81.10 environment, I do NOT lose SIC connectivity on the gateways.

I do lose the WebUI (443 or 4434), SSH, SSL VPN (SSL VPN works), and remote access IPSEC VPN (see screenshot).

IKE-Negotiation-Fails.JPG

However I can still install policy on the gateways in FIPS mode.

0 Kudos
the_rock
Legend
Legend

Whats the command you ran to enable it? I want to try it in the lab tomorrow.

Andy

0 Kudos
Fire_Verse
Contributor

I ran just the basic 'fips on'. BTW make sure to snapshot the image, because 'fips off' is no longer supported (despite what the documentation might say). You will not be able to back out of FIPS once you enable it on the gateway.

Oooops.Oooops.

Or

[Expert@firewall-test:0]# fips
Usage:
fips on | off | integrity on

[Expert@firewall-test:0]# fips on
cpridstop: cprid watchdog stopped
cpridstop: cprid stopped
Stopping sshd: [ OK ]
Generating default filter
defaultfilter:
Compiled OK.
defaultfilter:
Compiled OK.
Backing up default.bin as default.bin.bak
Backing up default.bin6 as default.bin6.bak

[Expert@firewall-test:0]# fips off
The command 'fips off' is no longer supported. FIPS mode cannot be disabled

0 Kudos
the_rock
Legend
Legend

Wow, thats crazy. Ok, I got lots of R81.20 lab fws, so will try on one tomorrow and update.

Thank you!

Andy

0 Kudos
the_rock
Legend
Legend

Yup, got EXACT same result...wow, thats truly disappointing. I hope it gets changed at some point.

Andy

[Expert@CP-TEST-ONLY-FW:0]# fips on
cpridstop: cprid watchdog stopped
cpridstop: cprid stopped
Stopping sshd: [ OK ]
Generating default filter
defaultfilter:
Compiled OK.
defaultfilter:
Compiled OK.
Backing up default.bin as default.bin.bak
Backing up default.bin6 as default.bin6.bak
initial_module:
Compiled OK.
initial_module:
Compiled OK.
[Expert@CP-TEST-ONLY-FW:0]# fips off
.bash_history .bash_profile .clish_history 1
.bash_logout .bashrc .toprc last_dump.log
[Expert@CP-TEST-ONLY-FW:0]# fips off
The command 'fips off' is no longer supported. FIPS mode cannot be disabled
[Expert@CP-TEST-ONLY-FW:0]#

0 Kudos
the_rock
Legend
Legend

Btw, if you want couple minutes, web UI does come back.

Andy

0 Kudos
Fire_Verse
Contributor

I corrected my post above. After running 'fips on'

  • SSL VPN portal page does come up and allows login
  • SSH: disabled (expected)
  • GAIA WebGUI on 4434: disabled (expected)
  • Check Point Mobile client sees "Ike negotiation with gateway failed" (not expected)
  • Site-to-site VPN not tested yet

 

Lab Environment:

R81.20 SMS w Jumbo 10

R81.10 gateway w Jumbo 110

0 Kudos
the_rock
Legend
Legend

Here are my results on R81.20 jumbo 26:

web UI on port 443 failed initially after enabling FIPS, but then worked 2 mins later

ssh failed

S2S failed

AFTER reboot web UI also failed.

Andy

0 Kudos
Malcolm_Levy
Employee
Employee

If you still have a problem with remote access please open a ticket. That way it will be looked at. If it was resolved, please report here. 

0 Kudos
Fire_Verse
Contributor

Yep, I opened a ticket last week. Support was able to confirm the IKE issue for the Check Point Mobile client once 'fips on' is run. I will post here if there is a fix.

the_rock
Legend
Legend

Please keep us posted.

0 Kudos
Malcolm_Levy
Employee
Employee

thanks, can you share the reference?

0 Kudos
Malcolm_Levy
Employee
Employee

Instructions for enabling FIPS mode are included in the Security Policy that is published by NIST under the certification listing together with the certification certificate https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4264

 

 

0 Kudos
the_rock
Legend
Legend

In my mind, if fips can be enabled, option should be there to disable it...lol

Andy

0 Kudos
Malcolm_Levy
Employee
Employee

Features are disabled by enabling FIPS mode. In R80 there was “fips off” that was set a value registry. Changing the value (from on) is not enough to enable all the features. It it not a supported feature.

We  plan to enable SSH and WebUI in FIPS mode limited to using the FIPS approved ciphers. Maybe this will answer why you wish to disable FIPS mode? 

0 Kudos
the_rock
Legend
Legend

Here is my HONEST feedback

Fips gets disabled, features dont work...ok, fine, not perfect, but I guess thats expected

Fips can NOT be re-enabled...I find that odd and in my mind, that should be FIXED 🙂

Cheers mate.

Andy

0 Kudos
Malcolm_Levy
Employee
Employee

I think you mean when fips mode is enabled, features are disabled and this is sort of fine. 

What you are asking for is a way to back-out so the fips mode can be disabled. 

What is the reason why you want to disable fips mode? Will enabling use of webui and ssh in fips mode help? 

Technically fips mode is defined in the registry, but there are also changes in setting fips mode that may not be reversed if only the registry entry is changed. There are also considerations regarding the ability to create keys when not in fips mode as they may not be fips compliant. When not in fips mode non-approved cyphers are available, and the default is not to use fips approved entropy. KAT tests also operate differently when not in fips mode, and that could be a problem. Not having fips off removes these and maybe other considerations.

0 Kudos
the_rock
Legend
Legend

Well, put yourself in customers' place for a second. IF you enable a feature and you dont like it, would you not want to have an option to disable it? : - )

Anyway, you pretty much got exactly what I was implicating...

Andy

0 Kudos
Malcolm_Levy
Employee
Employee

You have not provided the need for a customer to disable fips mode. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events