fly1ng_circus
Contributor

Enable FIPS mode

I have searched all over and have found no information on how to enable FIPS mode. I need to do some testing but can't find documentation on how to enable it.

0 Kudos
52 Replies
the_rock
Legend

I think it's fairly obvious from my responses lol

Anyway, here it is...web UI broken, ssh broken, VPN broken...I'm sure there is more, just have not had a chance to confirm.

Andy

Malcolm_Levy
Employee

As stated, WebUI and SSH are being made FIPS compliant and will be enabled in FIPS mode.

Not sure what you mean by VPN broken. IPsec is tested; you should open a support ticket.

0 Kudos
the_rock
Legend

Well, I sure learned based on testing NOT to bother with FIPS; it breaks all the important stuff.

Cheers,

Andy

0 Kudos
Fire_Verse
Contributor

I have to agree with Andy on the FIPS on/off. There shouldn't be an 'off' if it no longer does anything. Otherwise there should be a warning to the customer for FIPS 'on':

Warning! These changes you are about to make are permanent. These changes are permanent and this gateway will need to be re-imaged in order to restore its functionality. Do you wish to proceed? Y/n

Are you sure? Y/n

I wonder how many customers thought "Hmmmm. This FIPS mode looks like a good way to lock down the box. Oh, looks like there is a command to turn it off if it's too much. Let's give it a try...."

(1)
the_rock
Legend

You got it @Fire_Verse. I learned in my early 20s NOT to waste my time/energy on stuff I can't change. If CP thinks this is the right way to have FIPS configured, then I have a choice not to bother with it 🤣🤣

Andy

0 Kudos
Malcolm_Levy
Employee

The lack of support tickets indicates that FIPS mode is hardly used.

The feedback we received on WebUI and SSH is being addressed.

0 Kudos
the_rock
Legend

In my mind, mate, something being hardly used does NOT mean it should not be configured in a user-friendly/logical manner.

Just saying : - )

Andy

Anyway, onto something way more important now. I'm done discussing FIPS for today and probably the foreseeable future lol

0 Kudos
Fire_Verse
Contributor

I have a customer right now with FBI/CJIS requirements stating appliances need to be run in FIPS mode. Based on what I have documented in the lab, they are now going to have to bring in another vendor, probably Cisco because of its FIPS compliance. The main driver is what looks like the loss of IPsec B2B and IPsec remote access (IKE issues) with FIPS 'on'.

I'm actually fine with making the changes to SSH and SSL manually...and am documenting that process on my own.

Is there an ETA on when the 'fips' command is going to be changed to allow SSH and the WebUI? Will IPSEC availability be addressed?

(1)
the_rock
Legend

Awesome! Please feel free to share it when done; it would be greatly appreciated.

Cheers,

Andy

0 Kudos
Fire_Verse
Contributor

Part 1 from a few weeks ago:

https://fireverse.org/2023/08/25/r81-20-ciphers/

0 Kudos
Malcolm_Levy
Employee

Your page needs updating:

Is ChaCha20-Poly1305 FIPS compliant?

FIPS is a US government standard that specifies, among other things, the ciphers and modes of operation that are approved for government use. AES and CCM are part of FIPS, but ChaCha20 and Poly1305 are not.

For example, the ChaCha20 algorithm is not FIPS-approved, and the FIPS cryptographic policy ensures that TLS servers and clients do not announce the TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS cipher suite, because any attempt to use such a cipher fails.

0 Kudos
Fire_Verse
Contributor

To be fair, I don't claim that the two 'ChaChas' are FIPS-compliant, just that they can be used.

At the bottom of the post I made, these are the only two recommended ciphers that work "out of the box" without creating a new certificate for the gateways, and that are FIPS-compliant:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

https://fireverse.org/2023/08/25/r81-20-ciphers/

0 Kudos
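The two posts above disagree on which TLS cipher suites a FIPS-mode box may offer: ChaCha20/Poly1305 suites are usable but not FIPS-approved, while the two ECDHE-RSA AES-GCM suites listed are. The following script is an added example, not code from the thread or from Check Point or fireverse.org. It parses IANA cipher suite names into their key-exchange, cipher and hash components and flags each component that is not on a simplified FIPS 140 allow-list (AES in GCM/CCM/CBC, SHA-256/384, ECDHE/DHE/RSA/ECDSA). The allow-lists are an assumption made for illustration; the authoritative list for any product is the Security Policy of its validated crypto module, and the sample suite list is constructed here.

```python
import re
from dataclasses import dataclass, field

# Simplified FIPS 140 allow-lists (ASSUMPTION for this example, not an
# authoritative source): AES in GCM/CCM/CBC, SHA-2 hashes, and the common
# FIPS-approved key exchange / authentication primitives.
APPROVED_CIPHERS = {
    "AES_128_GCM", "AES_256_GCM",
    "AES_128_CCM", "AES_256_CCM",
    "AES_128_CBC", "AES_256_CBC",
}
APPROVED_HASHES = {"SHA256", "SHA384"}
APPROVED_KX = {"ECDHE", "DHE", "RSA", "ECDSA"}

# Constructed sample list: the suites named in the thread plus a few others.
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_AES_256_GCM_SHA384",            # TLS 1.3 form: no _WITH_, no kx part
    "TLS_CHACHA20_POLY1305_SHA256",      # TLS 1.3 form
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]


@dataclass
class SuiteCheck:
    name: str
    approved: bool
    reasons: list = field(default_factory=list)


def parse_suite(name: str):
    """Split an IANA cipher suite name into (kx_parts, cipher, hash).

    TLS 1.2 names look like TLS_<kx>_<auth>_WITH_<cipher>_<hash>;
    TLS 1.3 names look like TLS_<cipher>_<hash> with no key-exchange part.
    """
    if not name.startswith("TLS_"):
        raise ValueError(f"not a TLS cipher suite name: {name}")
    body = name[len("TLS_"):]
    if "_WITH_" in body:
        kx, rest = body.split("_WITH_", 1)
        kx_parts = kx.split("_")
    else:
        kx_parts, rest = [], body
    # The hash/PRF is always the last token (SHA, SHA256, SHA384, MD5, ...).
    m = re.fullmatch(r"(.+)_(SHA\d*|MD5)", rest)
    if not m:
        raise ValueError(f"cannot split cipher/hash in: {name}")
    return kx_parts, m.group(1), m.group(2)


def check_suite(name: str) -> SuiteCheck:
    """Return which components of a suite fall outside the allow-lists."""
    kx_parts, cipher, hash_ = parse_suite(name)
    reasons = []
    for part in kx_parts:
        if part not in APPROVED_KX:
            reasons.append(f"key exchange/auth {part} not approved")
    if cipher not in APPROVED_CIPHERS:
        reasons.append(f"cipher {cipher} not approved")
    if hash_ not in APPROVED_HASHES:
        reasons.append(f"hash {hash_} not approved")
    return SuiteCheck(name, approved=not reasons, reasons=reasons)


def fips_filter(suites):
    """Return only the suites that pass every component check."""
    return [s for s in suites if check_suite(s).approved]


if __name__ == "__main__":
    for suite in SAMPLE_SUITES:
        result = check_suite(suite)
        status = "OK " if result.approved else "NO "
        print(status, suite, "; ".join(result.reasons))
```

Running it against the sample list keeps the two ECDHE-RSA AES-GCM suites and the TLS 1.3 AES suite and rejects every ChaCha20/Poly1305 suite on the cipher component, which matches what both posts say. The parser deliberately reports all offending components rather than stopping at the first, so a legacy suite such as the 3DES/SHA one is flagged for both its cipher and its hash.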
Malcolm_Levy
Employee

SSH and WebUI are targeted for R82. Once validated, I will ask to include it in the next JHF for R81.10 and R81.20.

You can ask for a customer hotfix if more urgent.

I'm not familiar with an IPsec issue, which is why I suggest you open a formal ticket.

0 Kudos
Fire_Verse
Contributor

Any word on whether there is a new FIPS-mode script that allows SSH and the WebUI to be enabled?

0 Kudos
Malcolm_Levy
Employee

This is still targeted for R82. Backporting looks more challenging than I understood.

0 Kudos
Fangorn
Explorer

I thought it might be helpful for you to have the perspective of a customer on Check Point's FIPS implementation.

At best I would rate Check Point's FIPS implementation as poor. First issue: the lack of ability to manage the appliance once it is in FIPS mode, no SSH or WebUI (you've already stated you are addressing this). Applying a JHFA when in FIPS mode is not documented by Check Point and is time consuming. Features such as AV and AB don't update when in FIPS mode (open TAC case, 3+ months with no resolution). Inability to turn off FIPS mode when encountering something that doesn't work, for troubleshooting etc. Extreme lack of documentation on FIPS mode.

I have seen that other vendors have a well-documented FIPS mode. They provide methods for managing the appliance once in FIPS mode. They provide a documented process for disabling FIPS mode without needing to reinstall. Updates can be applied using the documented steps they provide.

I understand that applying a patch to an appliance in FIPS mode technically doesn't make the appliance FIPS compliant any more. However, it is more important to be able to patch vulnerabilities (specifically critical and exploited ones) than to run in a compliant mode, and FIPS could always be re-enabled once the patch is applied to achieve some level of compliance.

Check Point's poor or complete lack of documentation on FIPS mode leads to many customers that should use it not using it.

(1)
the_rock
Legend

Let me spin up a brand new lab FW, R81.20 jumbo 65, and see if the results are the same as before.

Andy

0 Kudos
the_rock
Legend

Just tested it, exact same issue, R81.20 jumbo 65:

[Expert@CP-test-fw:0]# fips on
cpridstop: cprid watchdog stopped
cpridstop: cprid stopped
Stopping sshd: [ OK ]
Generating default filter
defaultfilter:
Compiled OK.
defaultfilter:
Compiled OK.
Backing up default.bin as default.bin.bak
Backing up default.bin6 as default.bin6.bak
initial_module:
Compiled OK.
initial_module:
Compiled OK.
[Expert@CP-test-fw:0]# fips off
The command 'fips off' is no longer supported. FIPS mode cannot be disabled

0 Kudos
Malcolm_Levy
Employee

There was no commitment for R81.20 JHF. WebUI and SSH are in R82. I encourage you to enroll in the EA.

I suggest you open an RFE for the other issues if not already done, including not allowing FIPS off, which is the pure implementation of the standard. Antivirus and Anti-Bot were not part of the certification. Do you have a status? Can you share the reference?

0 Kudos
(1)
the_rock
Legend

I have to agree 100% with what @Fangorn said. Take for example other vendors...Fortinet, PAN, Cisco...enabling/disabling FIPS is super EASY and does not cause any ssh/web UI issues.

I really hope in R82 that will also be the case with Check Point.

Andy

0 Kudos
Malcolm_Levy
Employee

Disabling and re-enabling is not planned for R82. We are opening a request. Like all requests, it will be prioritized against other requests and in consideration of the release process.

Given that WebUI and SSH will be available in FIPS mode, can you say more about the need?

0 Kudos
the_rock
Legend

I think disabling and re-enabling is one thing that should be at the top of the list, in my opinion. Think about it...say you enable FIPS, go about your day, then the next day you realize things are broken, you try to disable it...ooops, can't be done??!! Not great...

Glad web UI and ssh will be available; that's a step forward.

Andy

0 Kudos
Fangorn
Explorer

Regarding Antivirus and Anti-Bot, it is case 6-0003902978. TAC has requested that we complete additional steps for troubleshooting; however, we restored a snapshot from prior to running in FIPS mode and then installed the R81.10 JHF 150. At this time we have not re-enabled FIPS mode due to many of the issues previously stated.
