I have searched all over and have found no information on how to enable FIPS mode. Needing to do some testing but can't find documentation on how to enable it.
Here you can find it, a switch called ext_fips: sk98252: List of Role-Based Access features in Gaia OS
Here is an older discussion with more information: FIPS mode operation and some manual configurations
It is not very clear what to look for in that article once you are in /bin and check the fips file... if you search for ext_fips, it does not find anything.
No, none of it is very clear. I did find the switch to turn it on, but this was very obscure when trying to hunt it all down.
Agree 100%.
Did you read FIPS mode operation and some manual configurations ?
I have been looking through that Doc yes. Thank you.
The problem I think that is still happening is that when FIPS mode is enabled on the gateway, the management station immediately loses connectivity to the gateway. This is what appears to be very poorly documented: how to complete the full configuration and keep communication established to the gateways from the management server once FIPS mode is turned on.
I guess I can't say it loses all connectivity. SIC claims that it is still communicating. but policy can no longer be installed.
Please take this up with TAC.
I can confirm that when I run 'fips on' in an R81.20/R81.10 environment, I do NOT lose SIC connectivity on the gateways.
I do lose the WebUI (443 or 4434), SSH, SSL VPN (SSL VPN works), and remote access IPSEC VPN (see screenshot).
However I can still install policy on the gateways in FIPS mode.
What's the command you ran to enable it? I want to try it in the lab tomorrow.
Andy
I ran just the basic 'fips on'. BTW make sure to snapshot the image, because 'fips off' is no longer supported (despite what the documentation might say). You will not be able to back out of FIPS once you enable it on the gateway.
Oooops.
Or
[Expert@firewall-test:0]# fips
Usage:
fips on | off | integrity on
[Expert@firewall-test:0]# fips on
cpridstop: cprid watchdog stopped
cpridstop: cprid stopped
Stopping sshd: [ OK ]
Generating default filter
defaultfilter:
Compiled OK.
defaultfilter:
Compiled OK.
Backing up default.bin as default.bin.bak
Backing up default.bin6 as default.bin6.bak
[Expert@firewall-test:0]# fips off
The command 'fips off' is no longer supported. FIPS mode cannot be disabled
Wow, that's crazy. Ok, I got lots of R81.20 lab fws, so will try on one tomorrow and update.
Thank you!
Andy
Yup, got the EXACT same result... wow, that's truly disappointing. I hope it gets changed at some point.
Andy
[Expert@CP-TEST-ONLY-FW:0]# fips on
cpridstop: cprid watchdog stopped
cpridstop: cprid stopped
Stopping sshd: [ OK ]
Generating default filter
defaultfilter:
Compiled OK.
defaultfilter:
Compiled OK.
Backing up default.bin as default.bin.bak
Backing up default.bin6 as default.bin6.bak
initial_module:
Compiled OK.
initial_module:
Compiled OK.
[Expert@CP-TEST-ONLY-FW:0]# fips off
.bash_history .bash_profile .clish_history 1
.bash_logout .bashrc .toprc last_dump.log
[Expert@CP-TEST-ONLY-FW:0]# fips off
The command 'fips off' is no longer supported. FIPS mode cannot be disabled
[Expert@CP-TEST-ONLY-FW:0]#
Btw, if you wait a couple of minutes, the web UI does come back.
Andy
I corrected my post above. After running 'fips on'
Lab Environment:
R81.20 SMS w Jumbo 10
R81.10 gateway w Jumbo 110
Here are my results on R81.20 jumbo 26:
web UI on port 443 failed initially after enabling FIPS, but then worked 2 mins later
ssh failed
S2S failed
AFTER reboot web UI also failed.
Andy
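Since the thread lists which gateway services stop answering after 'fips on' (WebUI on 443/4434, SSH, and the WebUI coming back a couple of minutes later), here is an added example, not from the thread or from Check Point, that records a TCP reachability baseline from the management host before enabling FIPS and diffs it against a second snapshot taken afterwards. It assumes a bash host with coreutils 'timeout'; the gateway address is a placeholder, and IKE (UDP 500/4500) is not probed because a bare TCP connect cannot exercise it.

```shell
#!/bin/bash
# Added example: before/after service reachability check around 'fips on'.
# Ports are the TCP services the thread reports as affected; append more
# entries as "name:port" if you want to watch additional services.
SERVICES="webui:443 webui-alt:4434 ssh:22"

# probe_tcp HOST PORT -> prints "open" or "closed" (3 second connect timeout).
# Uses bash's /dev/tcp so no extra tools are needed on the probing host.
probe_tcp() {
  host=$1; port=$2
  if timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
    echo open
  else
    echo closed
  fi
}

# snapshot_services HOST -> one line per service: "name port state"
snapshot_services() {
  host=$1
  for entry in $SERVICES; do
    name=${entry%%:*}; port=${entry##*:}
    echo "$name $port $(probe_tcp "$host" "$port")"
  done
}

# compare_snapshots BEFORE_FILE AFTER_FILE -> prints "name port before->after"
# for every service whose state changed; returns 1 if any service that was
# open before is closed after (a regression), 0 otherwise.
compare_snapshots() {
  before=$1; after=$2; regressed=0
  while read -r name port b; do
    a=$(awk -v n="$name" '$1 == n { print $3 }' "$after")
    if [ "$b" != "$a" ]; then
      echo "$name $port $b->$a"
      if [ "$b" = open ] && [ "$a" = closed ]; then regressed=1; fi
    fi
  done < "$before"
  return $regressed
}

# Usage (GW_PLACEHOLDER is the gateway's management address):
#   snapshot_services GW_PLACEHOLDER > before.txt   # before 'fips on'
#   snapshot_services GW_PLACEHOLDER > after.txt    # after 'fips on'
#   compare_snapshots before.txt after.txt          # exit 1 = regression
```

Take the "after" snapshot more than once: the thread reports the WebUI returning a couple of minutes after 'fips on' and failing again after a reboot, so a single probe can miss either state.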
If you still have a problem with remote access please open a ticket. That way it will be looked at. If it was resolved, please report here.
Yep, I opened a ticket last week. Support was able to confirm the IKE issue for the Check Point Mobile client once 'fips on' is run. I will post here if there is a fix.
Please keep us posted.
Thanks, can you share the reference?
Instructions for enabling FIPS mode are included in the Security Policy that is published by NIST under the certification listing together with the certification certificate https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4264
In my mind, if fips can be enabled, option should be there to disable it...lol
Andy
Features are disabled by enabling FIPS mode. In R80 there was a "fips off" that set a registry value. Changing the value (from on) is not enough to enable all the features. It is not a supported feature.
We plan to enable SSH and WebUI in FIPS mode limited to using the FIPS approved ciphers. Maybe this will answer why you wish to disable FIPS mode?
Here is my HONEST feedback
FIPS gets enabled, features don't work... ok, fine, not perfect, but I guess that's expected
Fips can NOT be re-enabled...I find that odd and in my mind, that should be FIXED 🙂
Cheers mate.
Andy
I think you mean when fips mode is enabled, features are disabled and this is sort of fine.
What you are asking for is a way to back-out so the fips mode can be disabled.
What is the reason why you want to disable fips mode? Will enabling use of webui and ssh in fips mode help?
Technically fips mode is defined in the registry, but there are also changes in setting fips mode that may not be reversed if only the registry entry is changed. There are also considerations regarding the ability to create keys when not in fips mode as they may not be fips compliant. When not in fips mode non-approved cyphers are available, and the default is not to use fips approved entropy. KAT tests also operate differently when not in fips mode, and that could be a problem. Not having fips off removes these and maybe other considerations.
Well, put yourself in the customers' place for a second. IF you enable a feature and you don't like it, would you not want to have an option to disable it? : - )
Anyway, you pretty much got exactly what I was implicating...
Andy
You have not provided the need for a customer to disable fips mode.