As stated, webui and ssh are being made fips compliant and will be enabled in fips mode. 

Not sure what you mean by vpn broken. IPsec is tested, You should open a support ticket.

Well, I sure learned based on testing NOT to bother with fips, breaks all the important stuff.

Cheers,

Andy

I have to agree with Andy on the fips on/off. There shouldn't be an 'off' if it not longer does anything. Otherwise there should be a warning to the customer for fips 'on':

Warning! These changes you are about make are permanent. These changes are permanent and this gateway will need to be re-imaged in order to restore its functinoality. Do you wish to proceed? Y/n

Are you sure? Y/n

I wonder how many customers thought "Hmmmm. This FIPS mode looks like a good way to lock down the box. Oh looks like there is a command to turn it off if it's too much. Let's give it a try...." 

You got it @Fire_Verse . I learned in my early 20s NOT to waste my time/energy on stuff I cant change. If CP thinks this is the right way to have FIPS configured, then I have a choice not to bother with it 🤣🤣

Andy

the lack of support tickets indicates that fips mode is hardly used.

the feedback we received on webui and ssh are being addressed

In my mind mate, something hardly used does NOT mean it should not be configured as user friendly/logical manner.

Just saying : - )

Andy

Anyway, onto something way more important now. Im done discussing FIPS for today and probably forseable future lol

I have a customer right now with FBI/CJIS requirements stating appliances need to be run in FIPS-mode. Based on what I have documented in the lab, they are now going to have to bring in another vendor, probably Cisco because of its FIPS compliance. The main driver is what looks like the loss of IPSEC B2B and IPSEC remote access (IKE issues) with FIPS 'on'

I'm actually fine with making the changes to SSH and SSL manually...and am documenting that process on my own. 

Is there an ETA on when the 'fips' command is going to be changed to allow SSH and the WebUI? Will IPSEC availability be addressed?

Awesome! Please be free to share it when done, it would be greatly appreciated.

Cheers,

Andy

Part 1 from a few weeks ago:

https://fireverse.org/2023/08/25/r81-20-ciphers/ 

To be fair I don't claim that the two 'ChaChas' are FIPS-compliant, just that they can be used.

At the bottom of the post I made, the only two recommended ciphers that work "out of the box" without creating a new certificate for the gateways, and that are FIPS-compliant:

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

https://fireverse.org/2023/08/25/r81-20-ciphers/

SSH and WebUI are targeted for R82. Once validated I will ask to include in next JHF for R81.10 and R81.20

You can ask for a customer hot fix if more urgent. 

I'm not familiar with an IPsec issue which is why I suggest you open a formal ticket. 

Any word if there is a new FIPS-mode script that allows SSH and the WebUI to be enabled?

This is still targeted for R82. Backporting looks more challenging than I understood.

I thought it might be helpful for you to have the prospective of a customer on Check Point's FIPS implementation.

At best I would rate Check Points FIPS implementation as poor.  First issue the lack of the ability to management appliance once it FIPS mode, no SSH or WebUI (you've already stated you are addressing this).  Applying a JHFA when in FIPS mode is not documentated by Check Point and is time consuming.  Features such as AV and AB don't update when in FIPS mode (open TAC case - 3+ months with no resolution).  In ability to turn off FIPS mode when encountering something that doesn't work for troubleshooting etc.  Extreme lack of documentation on FIPS mode.

I have seen that other vendors have a well documented FIPS mode, They provide methods for managing the appliance once in FIPS mode. They provide a documented process for disabling FIPS mode without needing to reinstall.  Updates can be applied using the documented steps they provide.

I understand that applying a patch to an appliance in FIPS mode, technically doesn't make the appliance FIPS compliant any more.  However, it is more important to be able to patch vulnerabilities (specifically critical and exploited ones) than to run in a compliant mode and FIPS could always be re-enabled once the patch is applied to achieve some level of compliance.

Check Point's poor or complete lack of documentation on FIPS mode leads to many customers that should use it, too not using it.

Let me spin up brand new lab fw R81.20 jumbo 65 and see if results are same as before.

Andy

Just tested it, exact same issue, R81.20 jumbo 65

[Expert@CP-test-fw:0]# fips on
cpridstop: cprid watchdog stopped
cpridstop: cprid stopped
Stopping sshd: [ OK ]
Generating default filter
defaultfilter:
Compiled OK.
defaultfilter:
Compiled OK.
Backing up default.bin as default.bin.bak
Backing up default.bin6 as default.bin6.bak
initial_module:
Compiled OK.
initial_module:
Compiled OK.
[Expert@CP-test-fw:0]# fips off
The command 'fips off' is no longer supported. FIPS mode cannot be disabled

There was no commitment for R81.20 JHF. WebUI and SSH are in R82. I encourage you to enroll in the EA.

I suggest you open a RFE for the other issues if not already done, including not allowing FIPS Off which is the pure implementation of the standard.  Antivirus and antibot were not part of the certification, Do you have a status?  Can you share the reference?

I have to agree 100% with what @Fangorn had said. Take for example other vendors...Fortinet, PAN, Cisco...enabling/disabling FIPS, super EASY and does not cause any ssh/web UI issues.

I really hope in R82 that will also be the case with Check Point.

Andy

Disabling and reenabling is not planned for R82. We are opening a request. Like all requests it will be prioritized against other requests and in consideration of the release process. 

Given that Webui and SSH will be available in FIPS mode, can you say more about the need? 

I think disabling and reenabling is one thing that should be on top of the list, in my opinion. Think about it...so say you enable fips, go about your day, then next day you realize things are broken, you try to disable...ooops, cant be done??!! Not great...

Glad web UI and ssh will be available, thats step forward.

Andy

Regarding Antivirus and Antibot it is case 6-0003902978.  TAC has requested that we complete additional steps for troubleshooting, however we restored a snapshot from prior to running in FIPS mode and then installed the R81.10 JHF 150.  At this time we have not re-enabled FIPS mode due to many of the issued previously stated.