Check Point VPN encryption and FIPS 140-2


Is the Endpoint Security, SSLVPN (TLS 1.2) or IPsec tunnel traffic (AES-256, SHA256, Group 2) considered FIPS 140-2 validated encryption? If it's not called FIPS 140-2 validated encryption, what is it called? Non-validated encryption/basic encryption/encryption? Our security auditors want to know.

Side point: it would be nice to be able to print out crypto maps like Cisco for VPN configs, or something else graphical that sums up VPN encryption, access, or both.


This is the official request:

Encryption configuration for remote access. If FIPS 140-2 validated encryption is being used please demonstrate the cryptographic module was configured in accordance with the CMVP security policy.

4 Replies

Are the auditors asking if Check Point is using a validated cryptographic module that needs to be listed here?

If so... then as long as you are running R77.30


There’s also the client side of this:
I assume we are working on getting a more recent version of the modules certified but they aren’t substantially different from what’s in these releases.


FISMA auditors are here and they say:

That CMVP cert says "When operated in FIPS mode" in the Caveat section. So there is a switch. Can you check it to find out its status?

Normally, there would be a way to initiate FIPS mode for FIPS-capable products. If there is a way to initiate FIPS mode, is that being used?

- Show that the VPN is running in FIPS mode or using FIPS-validated cryptography for data in transit. I believe currently we only have a screenshot showing that TLS 1.2 and higher is being used.

- Show how a user's VPN connection would be disconnected by an administrator.


RE: VPN only

RE: S2S, fat C2S and/or SSLVPN? Maybe you have to run the gateway in FIPS mode as a prerequisite to VPN, I'm not sure. After that, how do you set FIPS on for the TLS 1.2 connection to SSLVPN? I'm guessing there are three things involved: 1. Windows OS, 2. browser, 3. Network Extender.

I have to assume that the FIPS library is enabled by default in the browser when a user connects with TLS 1.2 to our SSLVPN, but how can I show proof?


On the gateway, is there a way to show an auditor that FIPS is on for VPN? I see here that you can turn it on in general for the gateway, with some serious limitations.
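Two things in this thread can be turned into a repeatable check: the IPsec proposal quoted in the question (AES-256, SHA256, Group 2) and the "how can I show proof" question about the TLS 1.2 connection to the SSLVPN portal. The script below is an added example, not Check Point code and not something any of the posters supplied. It classifies each primitive in a proposal or a negotiated TLS session against the FIPS 140-2 approved-algorithm lists and the SP 800-131A Rev 2 minimum key sizes (finite-field DH of at least 2048 bits, curves of at least 224 bits, TLS 1.2 or later per SP 800-52 Rev 2). The reference tables, the `Finding` record and the function names are this example's own. Passing it only shows that approved algorithms are in use; "FIPS 140-2 validated encryption" in the auditors' sense additionally requires the CMVP-validated module to be running in its approved mode, which is exactly the switch the auditors are asking about.

```python
"""Added example: classify VPN crypto settings against FIPS-approved
algorithm lists.  Not Check Point code; tables are the example's own."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Approved symmetric ciphers (FIPS 197 AES; three-key 3DES is approved but
# deprecated) and hash functions (FIPS 180-4).  SHA1 is listed because SHA-1
# remains acceptable inside HMAC, although not for new digital signatures.
APPROVED_CIPHERS = {"AES128", "AES192", "AES256", "3DES"}
APPROVED_HASHES = {"SHA1", "SHA256", "SHA384", "SHA512"}

# IKE Diffie-Hellman groups -> (family, size in bits).  SP 800-131A Rev 2
# disallows finite-field groups below 2048 bits and curves below 224 bits,
# so "Group 2" (1024-bit MODP) fails even though AES-256 and SHA-256 pass.
DH_GROUPS = {1: ("MODP", 768), 2: ("MODP", 1024), 5: ("MODP", 1536),
             14: ("MODP", 2048), 15: ("MODP", 3072), 16: ("MODP", 4096),
             19: ("ECP", 256), 20: ("ECP", 384), 21: ("ECP", 521)}
MIN_MODP_BITS, MIN_ECP_BITS = 2048, 224


@dataclass
class Finding:
    component: str   # cipher, hash, dh_group, tls_version, key_exchange, unknown
    value: str       # the token as written in the config or handshake
    approved: bool
    reason: str


def _dh_finding(group: int, as_written: str) -> Finding:
    family, bits = DH_GROUPS.get(group, ("unknown", 0))
    ok = (family == "MODP" and bits >= MIN_MODP_BITS) or \
         (family == "ECP" and bits >= MIN_ECP_BITS)
    return Finding("dh_group", as_written, ok, f"{family} {bits}-bit")


def check_ipsec_proposal(proposal: str) -> list[Finding]:
    """Classify a proposal written the way the question states it,
    e.g. "AES-256, SHA256, Group 2" (comma separated; spacing and hyphens are ignored)."""
    findings = []
    for token in (t.strip() for t in proposal.split(",") if t.strip()):
        key = re.sub(r"[\s\-_]", "", token.upper())
        key = "SHA1" if key == "SHA" else key
        if m := re.fullmatch(r"GROUP(\d+)", key):
            findings.append(_dh_finding(int(m.group(1)), token))
        elif key.startswith(("AES", "3DES", "DES", "RC4", "NULL")):
            ok = key in APPROVED_CIPHERS
            findings.append(Finding("cipher", token, ok,
                                    "FIPS 197 / SP 800-67" if ok else "not an approved cipher"))
        elif key.startswith(("SHA", "MD5")):
            ok = key in APPROVED_HASHES
            findings.append(Finding("hash", token, ok,
                                    "FIPS 180-4" if ok else "not an approved hash"))
        else:
            findings.append(Finding("unknown", token, False, "unrecognised token"))
    return findings


def check_tls_session(version: str, cipher_suite: str) -> list[Finding]:
    """Classify what `openssl s_client` reports for the portal: a protocol
    version such as "TLSv1.2" and a suite in OpenSSL naming such as
    "ECDHE-RSA-AES256-GCM-SHA384", or a TLS 1.3 IANA name like
    "TLS_AES_256_GCM_SHA384"."""
    findings = [Finding("tls_version", version,
                        version.upper() in {"TLSV1.2", "TLSV1.3"},
                        "SP 800-52 Rev 2 requires TLS 1.2 or later")]
    name = re.sub(r"^TLS-", "", cipher_suite.upper().replace("_", "-"))
    name = re.sub(r"AES-?(\d+)", r"AES\1", name)   # AES_256 -> AES256
    name = name.replace("DES-CBC3", "3DES")        # OpenSSL's spelling of 3DES
    tokens = name.split("-")
    # Key exchange: a 1.2 suite name without ECDHE/DHE means RSA key transport.
    if version.upper() == "TLSV1.3":
        findings.append(Finding("key_exchange", "(EC)DHE", True, "TLS 1.3 is always ephemeral"))
    elif "ECDHE" in tokens:
        findings.append(Finding("key_exchange", "ECDHE", True, "verify the curve is P-256 or larger"))
    elif "DHE" in tokens:
        findings.append(Finding("key_exchange", "DHE", True, "verify DH parameters are >= 2048 bits"))
    else:
        findings.append(Finding("key_exchange", "RSA", True, "verify the RSA modulus is >= 2048 bits"))
    cipher = next((t for t in tokens if t.startswith(
        ("AES", "3DES", "DES", "RC4", "CHACHA20", "NULL", "CAMELLIA", "SEED"))), "none")
    ok = cipher in APPROVED_CIPHERS
    findings.append(Finding("cipher", cipher, ok,
                            "FIPS 197 / SP 800-67" if ok else "not an approved cipher"))
    mac = "SHA1" if tokens[-1] == "SHA" else tokens[-1]   # bare "SHA" is HMAC-SHA1
    ok = mac in APPROVED_HASHES
    findings.append(Finding("hash", mac, ok, "FIPS 180-4" if ok else "not an approved hash"))
    return findings


def all_approved(findings: list[Finding]) -> bool:
    return all(f.approved for f in findings)


if __name__ == "__main__":
    # Constructed inputs: the proposal from the question and one portal handshake.
    for label, findings in [
        ("IPsec: AES-256, SHA256, Group 2", check_ipsec_proposal("AES-256, SHA256, Group 2")),
        ("TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384",
         check_tls_session("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384")),
    ]:
        print(label, "->", "approved algorithms only" if all_approved(findings) else "NOT all approved")
        for f in findings:
            print(f"  {f.component:<13}{f.value:<24}{'ok  ' if f.approved else 'FAIL'}  {f.reason}")
```

Run it with the proposal from the question and the DH group is the only component that fails, which is worth knowing before the auditor asks. For the TLS side, the version and suite strings to feed in are the "Protocol" and "Cipher" lines that `openssl s_client -connect <portal>:443` prints for the negotiated session; a printout of that handshake plus this verdict is evidence of approved algorithms in transit, while evidence of FIPS mode itself still has to come from the gateway and client configuration.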

