Hello,
I'm pleased to be able to announce that our FIPS 140-2 certification was just updated to add R81.20 and R82
https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4264
Malcolm
Here is the question... if FIPS is turned on from clish, can it be turned off without having to rebuild?
Andy
fips off is not supported
It's disappointing, in my opinion... any reason why?
Andy
I asked ChatGPT and this is what it came back with... it is logical to me.
Andy
******************
Answer:
Once FIPS mode is enabled on a Check Point Security Gateway or Management Server, it cannot be disabled without a full reinstallation of the system. This is by design, to ensure:
Strict compliance with FIPS 140-2 requirements,
No possibility of falling back to insecure or non-compliant cryptographic modules,
Maintenance of secure operational mode without administrator bypass.
Check Point essentially locks down the configuration to avoid any risk of misconfiguration or accidental weakening of crypto policies.
This looks like my own wording from long ago. For example, if you were able to turn FIPS mode off, that would enable installation of a HF that could overwrite the validated code.
In R82 we ensure that WebUI and SSH only use certified cyphers when in FIPS mode, so enable their use.
Hello, I'd like a bit of clarification. In previous versions (R81.10 and prior) enabling FIPS mode disabled SSH and WebUI (Gaia) access completely. Are you saying that in R81.20 and above this is no longer the case? Instead, turning FIPS mode ON does NOT disable SSH and WebUI? Instead, enabling FIPS mode in R81.20 and R82 leaves WebUI and SSH access in place, but simply ensures that only FIPS compliant ciphers are enabled for WebUI and SSH? Thanks.
It's the exact same thing: if enabled, no SSH or Web UI. Tested in R81.20 and R82.
Thanks. Now I'm even more confused. What does "WebUI and SSH only use certified cyphers when in FIPS mode" really mean if both WebUI and SSH are disabled in FIPS mode? Does CP have an expectation that we will manually re-enable WebUI and SSH after FIPS mode is turned on? And only then, will CP allow only FIPS approved ciphers?
I hear ya. That's why if anyone ever asks me about FIPS on CP fw, I straight up tell them not to bother, simply due to these reasons. I hope it will be fixed one day, let's see.
Andy
@John_Tomasetti and @Malcolm_Levy
Interesting results, guys. I built a brand new R82 standalone, set web UI first to port 443, then 4434, enabled FIPS and SSH was fine, as well as web UI. BUT, to my surprise, when you try to run, say, show fips and hit tab in clish, nothing happens, so how can you tell what ciphers it's enabled for, any way Malcolm?
Andy
[Expert@R82-test:0]# fips on
Generating default filter
defaultfilter:
Compiled OK.
defaultfilter:
Compiled OK.
Backing up default.bin as default.bin.bak
Backing up default.bin6 as default.bin6.bak
generating INSPECT code for GUI Clients
initial_management:
Compiled OK.
initial_management:
Compiled OK.
[Expert@R82-test:0]#
The enabled cyphers are the ones documented in section 2.2.4.1 of the Security Policy
Try this:
To ensure the module is operating in the approved mode, an operator can observe the following approved mode of operation indicator by executing the ckp_regedit -p "Software/Checkpoint/SIC" CLI command: FIPS_140=[n]1
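A small POSIX sh helper, added here as an example and not part of this thread or of Check Point's own tooling, that reads the approved-mode indicator described above from the output of ckp_regedit -p "Software/Checkpoint/SIC". It assumes the indicator appears on its own line exactly as FIPS_140=[n]<digit>; the sample dumps are constructed, and the other key in them is a placeholder.

```shell
#!/bin/sh
# Added example (not from this thread or Check Point): evaluate the
# FIPS_140=[n]1 approved-mode indicator printed by
#   ckp_regedit -p "Software/Checkpoint/SIC"
# Assumption: the indicator is a line of the form FIPS_140=[n]<digit>.

# fips_indicator DUMP: prints on/off/unknown; exit 0 only when the value is 1.
fips_indicator() {
    val=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*FIPS_140=\[n\]\([0-9]\).*/\1/p' | head -n 1)
    case "$val" in
        1) echo on;      return 0 ;;
        0) echo off;     return 1 ;;
        *) echo unknown; return 2 ;;
    esac
}

# Constructed samples of a registry dump (ExampleKey is a placeholder name).
SAMPLE_FIPS_ON='Software/Checkpoint/SIC
    ExampleKey=[n]3
    FIPS_140=[n]1'
SAMPLE_FIPS_OFF='Software/Checkpoint/SIC
    ExampleKey=[n]3
    FIPS_140=[n]0'
SAMPLE_NO_KEY='Software/Checkpoint/SIC
    ExampleKey=[n]3'

# gateway_fips_state: run the real command when it exists (Gaia expert
# shell); otherwise evaluate the constructed sample so the script runs anywhere.
gateway_fips_state() {
    if command -v ckp_regedit >/dev/null 2>&1; then
        dump=$(ckp_regedit -p "Software/Checkpoint/SIC" 2>/dev/null)
    else
        dump="$SAMPLE_FIPS_ON"   # constructed fallback, not real output
    fi
    fips_indicator "$dump"
}

# Demo: show the verdict for each constructed sample.
if [ "${1:-}" = "--demo" ]; then
    for s in "$SAMPLE_FIPS_ON" "$SAMPLE_FIPS_OFF" "$SAMPLE_NO_KEY"; do
        fips_indicator "$s" || true
    done
fi
```

Run it with --demo off-box to see the three verdicts, or without arguments on a gateway to have gateway_fips_state query the live registry.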
That's not my question though : - ). I'm wondering how you can tell what FIPS settings look like once it's enabled... before, the option show fips existed in clish, but it does not appear that's the case any more. You can't even do show configuration fips any more.
Even doing below does not give anything...
Andy
[Expert@R82-test:0]# clish -c "show configuration" > /var/log.config.txt
[Expert@R82-test:0]# grep -i fips /var/log.config.txt
[Expert@R82-test:0]#
Here is another thing I find wayyy too coincidental...R82 version.
As soon as I enabled FIPS, yes, web UI and SSH did work, BUT, funny enough, when I tried to update to the latest CPUSE package and also install the latest jumbo, it would just get stuck at 0% and would not do anything. Doing this on a brand new VM without FIPS worked just fine, so it's safe to say FIPS caused it 100%.
Andy
There are two updates in this thread:
1. We have added R81.20 and R82 to our FIPS 140-2 certificate
2. We enabled WebUI and SSH in R82 and assured they are FIPS compliant when in FIPS mode (only use certified cyphers)
Please confirm if you are saying that WebUI and SSH are not available in FIPS mode in R82
I can't speak for John, but that was my experience. As soon as I turned FIPS on, web UI and SSH were NOT available. Oddly enough, I tested this only on port 4434 for web UI, but let me spin up a brand new R82 in EVE-NG and see if it's any different on port 443, and I will update.
Andy
I get that part, but I feel it would still be nice to have option to turn fips off, but if a banner came up warning about all this, then that would be totally acceptable as well.
Just my personal opinion.
Andy