fly1ng_circus
Contributor
Enable FIPS mode

I have searched all over and have found no information on how to enable FIPS mode. Needing to do some testing but can't find documentation on how to enable it.

0 Kudos
44 Replies
the_rock
Legend

I think it's fairly obvious from my responses lol

Anyway, here it is...web UI broken, ssh broken, VPN broken...I'm sure there is more, just have not had chance to confirm.

Andy

Malcolm_Levy
Employee

As stated, webui and ssh are being made fips compliant and will be enabled in fips mode.

Not sure what you mean by vpn broken. IPsec is tested. You should open a support ticket.

0 Kudos
the_rock
Legend

Well, I sure learned based on testing NOT to bother with fips, breaks all the important stuff.

Cheers,

Andy

0 Kudos
Fire_Verse
Contributor

I have to agree with Andy on the fips on/off. There shouldn't be an 'off' if it no longer does anything. Otherwise there should be a warning to the customer for fips 'on':

Warning! These changes you are about to make are permanent. These changes are permanent and this gateway will need to be re-imaged in order to restore its functionality. Do you wish to proceed? Y/n

Are you sure? Y/n

I wonder how many customers thought "Hmmmm. This FIPS mode looks like a good way to lock down the box. Oh looks like there is a command to turn it off if it's too much. Let's give it a try...." 

(1)
the_rock
Legend

You got it @Fire_Verse . I learned in my early 20s NOT to waste my time/energy on stuff I can't change. If CP thinks this is the right way to have FIPS configured, then I have a choice not to bother with it 🤣🤣

Andy

0 Kudos
Malcolm_Levy
Employee

The lack of support tickets indicates that fips mode is hardly used.

The feedback we received on webui and ssh is being addressed.

0 Kudos
the_rock
Legend

In my mind mate, something hardly used does NOT mean it should not be configured in a user friendly/logical manner.

Just saying : - )

Andy

Anyway, onto something way more important now. I'm done discussing FIPS for today and probably the foreseeable future lol

0 Kudos
Fire_Verse
Contributor

I have a customer right now with FBI/CJIS requirements stating appliances need to be run in FIPS-mode. Based on what I have documented in the lab, they are now going to have to bring in another vendor, probably Cisco because of its FIPS compliance. The main driver is what looks like the loss of IPSEC B2B and IPSEC remote access (IKE issues) with FIPS 'on'.

I'm actually fine with making the changes to SSH and SSL manually...and am documenting that process on my own.

Is there an ETA on when the 'fips' command is going to be changed to allow SSH and the WebUI? Will IPSEC availability be addressed?

(1)
the_rock
Legend

Awesome! Please be free to share it when done, it would be greatly appreciated.

Cheers,

Andy

0 Kudos
Fire_Verse
Contributor

Part 1 from a few weeks ago:

https://fireverse.org/2023/08/25/r81-20-ciphers/

0 Kudos
Malcolm_Levy
Employee

Your page needs updating:

Is ChaCha20-Poly1305 FIPS compliant?

FIPS is a US government standard that specifies, among other things, the ciphers and modes of operation that are approved for government use. AES and CCM are part of FIPS, but ChaCha20 and Poly1305 are not.

For example, the ChaCha20 algorithm is not FIPS-approved, and the FIPS cryptographic policy ensures that TLS servers and clients do not announce the TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS cipher suite, because any attempt to use such a cipher fails.

0 Kudos
Fire_Verse
Contributor

To be fair I don't claim that the two 'ChaChas' are FIPS-compliant, just that they can be used.

At the bottom of the post I made, the only two recommended ciphers that work "out of the box" without creating a new certificate for the gateways, and that are FIPS-compliant:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

https://fireverse.org/2023/08/25/r81-20-ciphers/

0 Kudos
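As an added example (not code from this thread, from fireverse.org or from Check Point), the following Python classifier applies the distinction quoted above to the suites named in this exchange: it parses IANA cipher-suite names and reports which component a FIPS cryptographic policy would strip, so an operator can audit an offered cipher list before enabling FIPS mode. It also handles TLS 1.3 names, which have no key-exchange component. The allowlists are a simplification assumed for illustration (AES GCM/CBC/CCM and SHA-1/SHA-2 approved, ChaCha20 and Poly1305 not), not an official FIPS policy file.

```python
"""Classify TLS cipher suites by a simplified FIPS allowlist (added example)."""
import re

# Assumed allowlists for illustration: AES modes and SHA-1/SHA-2 HMACs are
# FIPS-approved; ChaCha20 and Poly1305 are not. Key-exchange and signature
# sets are likewise assumptions, not taken from a FIPS policy document.
APPROVED_KX = {"ECDHE", "DHE", "ECDH", "DH", "RSA"}
APPROVED_AUTH = {"RSA", "ECDSA"}
APPROVED_CIPHER = re.compile(r"^AES_(128|256)_(GCM|CBC|CCM)$")
APPROVED_HASH = {"SHA256", "SHA384", "SHA"}

# IANA form: TLS_<kx>_<auth>_WITH_<cipher>_<hash>; TLS 1.3 form: TLS_<cipher>_<hash>
SUITE_RE = re.compile(
    r"^TLS_(?:(?P<kxauth>[A-Z0-9_]+?)_WITH_)?"
    r"(?P<cipher>[A-Z0-9_]+)_(?P<hash>SHA256|SHA384|SHA|MD5)$"
)


def parse_suite(name):
    """Split an IANA suite name into (kx, auth, cipher, hash); kx/auth are None for TLS 1.3."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    kx = auth = None
    if m.group("kxauth"):
        parts = m.group("kxauth").split("_")
        kx, auth = parts[0], parts[-1]  # TLS_RSA_WITH_...: RSA is both kx and auth
    return kx, auth, m.group("cipher"), m.group("hash")


def fips_rejection_reason(name):
    """Return None if every component is allowlisted, else the first offending component."""
    kx, auth, cipher, mac = parse_suite(name)
    if kx is not None and kx not in APPROVED_KX:
        return f"key exchange {kx}"
    if auth is not None and auth not in APPROVED_AUTH:
        return f"authentication {auth}"
    if not APPROVED_CIPHER.match(cipher):
        return f"cipher {cipher}"
    if mac not in APPROVED_HASH:
        return f"hash {mac}"
    return None


def apply_fips_policy(offered):
    """Split an offered suite list into the suites kept and a {suite: reason} map of those dropped."""
    kept, dropped = [], {}
    for suite in offered:
        reason = fips_rejection_reason(suite)
        if reason is None:
            kept.append(suite)
        else:
            dropped[suite] = reason
    return kept, dropped
```

Running `apply_fips_policy` over the three suites named in this thread keeps the two ECDHE-RSA AES-GCM suites and drops the ChaCha20-Poly1305 one with the reason `cipher CHACHA20_POLY1305`.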
Malcolm_Levy
Employee

SSH and WebUI are targeted for R82. Once validated I will ask to include in next JHF for R81.10 and R81.20

You can ask for a customer hot fix if more urgent.

I'm not familiar with an IPsec issue which is why I suggest you open a formal ticket.

0 Kudos
Fire_Verse
Contributor

Any word if there is a new FIPS-mode script that allows SSH and the WebUI to be enabled?

0 Kudos
Malcolm_Levy
Employee

This is still targeted for R82. Backporting looks more challenging than I understood.

0 Kudos