This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Malcolm_Levy
Employee
Employee
‎2020-09-22 05:57 AM

FIPS mode operation and some manual configurations

Jump to solution

The attached provides some information on FIPS mode, and commands that can be used when not in FIPS mode to achieve some of the same 

Preview file
682 KB
0 Kudos
1 Solution

Accepted Solutions
Malcolm_Levy
Employee
Employee
‎2021-02-04 04:38 AM
In response to Daniel_Kavan

Jump to solution

1. It is only possible to see if FIPS mode is enabled on the GW

2. The status of FIPS mode can be seen by:

ckp_regedit -p "software\\checkpoint\\SIC\\FIPS_140"

or

ckp_regedit -p "software\\checkpoint\\SIC” and looking for fips registry

Malcolm_Levy_0-1612441064885.png

3. Enabling FIPS mode does not change the cryptographic library (there is a single library on the GW) or protocol implementation of SSL VPN (including TLS 1.2) and it should be noted FIPS does not validate protocols, only crypto algorithms (it does validate Key Derivation Functions - KDFs)

5. For configuring cyphers refer to sk126613: Cipher configuration tool for Security Gateways

View solution in original post

2 Replies
Daniel_Kavan
Advisor
‎2021-02-01 12:25 PM

Jump to solution

Hi Malcolm, RE: R80.10 and R80.20 soon to be R81.

How can I show a FISMA auditor that FIPs is enabled when a customer connects with TLS 1.2 to our SSLVPN?  There is no mention of FIPS in the ES admin guide.  Assuming windows OS and browser they are connecting from is using FIPs would be enforced by an ES policy.

On the CP VPN side, RE: site to site, Endpoint Security or SSLVPN (network extender) I haven't found a way to show that FIPS is enabled/disabled one way or the other. I do see the libraries and FIPs certification. Would FIPs have to be turned on - on the gateway for it to be supported on the VPN?
https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security... IOW, on the CP side how can we show proof FIPs is enabled, other than
Checkpoint is using a validated cryptographic module per: https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules

0 Kudos
Malcolm_Levy
Employee
Employee
‎2021-02-04 04:38 AM
In response to Daniel_Kavan

Jump to solution

1. It is only possible to see if FIPS mode is enabled on the GW

2. The status of FIPS mode can be seen by:

ckp_regedit -p "software\\checkpoint\\SIC\\FIPS_140"

or

ckp_regedit -p "software\\checkpoint\\SIC” and looking for fips registry

Malcolm_Levy_0-1612441064885.png

3. Enabling FIPS mode does not change the cryptographic library (there is a single library on the GW) or protocol implementation of SSL VPN (including TLS 1.2) and it should be noted FIPS does not validate protocols, only crypto algorithms (it does validate Key Derivation Functions - KDFs)

5. For configuring cyphers refer to sk126613: Cipher configuration tool for Security Gateways

View solution in original post