Malcolm_Levy
Employee

FIPS mode operation and some manual configurations


The attached provides some information on FIPS mode, and commands that can be used when not in FIPS mode to achieve some of the same 



2 Replies
Daniel_Kavan
Advisor

Hi Malcolm, RE: R80.10 and R80.20, soon to be R81.

How can I show a FISMA auditor that FIPS is enabled when a customer connects with TLS 1.2 to our SSLVPN? There is no mention of FIPS in the ES admin guide. Assuming a Windows OS and browser they are connecting from is using FIPS, that would be enforced by an ES policy.

On the CP VPN side, RE: site to site, Endpoint Security or SSLVPN (network extender), I haven't found a way to show that FIPS is enabled/disabled one way or the other. I do see the libraries and FIPS certification. Would FIPS have to be turned on on the gateway for it to be supported on the VPN?
https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security...

IOW, on the CP side how can we show proof FIPS is enabled, other than that Check Point is using a validated cryptographic module per: https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules

Malcolm_Levy
Employee

1. It is only possible to see if FIPS mode is enabled on the GW.

2. The status of FIPS mode can be seen by:

ckp_regedit -p "software\\checkpoint\\SIC\\FIPS_140"

or

ckp_regedit -p "software\\checkpoint\\SIC" and looking for the fips registry entry.

3. Enabling FIPS mode does not change the cryptographic library (there is a single library on the GW) or the protocol implementation of SSL VPN (including TLS 1.2). It should be noted that FIPS does not validate protocols, only crypto algorithms (it does validate Key Derivation Functions, KDFs).

4. For configuring ciphers refer to sk126613: Cipher configuration tool for Security Gateways.

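Since FIPS 140 validates algorithms and KDFs rather than the TLS protocol, the evidence that pairs with "FIPS mode is enabled" for the auditor question above is the cipher suite the gateway actually negotiates. The following script is an added example, not part of Malcolm's post and not a Check Point tool: it pulls the negotiated protocol and cipher out of `openssl s_client` output and classifies the suite against a pattern list of FIPS-approved algorithm families (AES, SHA-2/SHA-1 HMAC, RSA/ECDSA, (EC)DHE). The allowlist is an approximation of SP 800-52r2 guidance, not the gateway's CMVP certificate boundary; the two `s_client` transcripts are constructed samples, and `vpn.example.com` is a placeholder hostname.

```shell
#!/bin/sh
# Added example (not from the CheckMates post or Check Point): report the TLS
# algorithms a gateway negotiates, so an auditor sees approved algorithms in
# use rather than just a "FIPS mode on" flag.

# Pattern-based classification of an OpenSSL cipher-suite name.
# Approximates SP 800-52r2: AES with SHA-2/SHA-1 HMAC (or GCM), RSA/ECDSA
# authentication, (EC)DHE or RSA key exchange. Not the CMVP boundary.
classify_cipher() {
    case "$1" in
        '')
            echo "none" ;;
        *NULL*|*EXPORT*|*RC4*|*MD5*|*DES*|*CHACHA20*|*ADH*|*AECDH*)
            echo "not-fips-approved" ;;        # non-approved or anonymous suites
        ECDHE-ECDSA-AES*-GCM-SHA*|ECDHE-RSA-AES*-GCM-SHA*|DHE-RSA-AES*-GCM-SHA*|TLS_AES_*_GCM_SHA*)
            echo "fips-approved" ;;            # AEAD with forward secrecy (TLS 1.3 names included)
        AES*-GCM-SHA*|*AES*-SHA256|*AES*-SHA384|*AES*-SHA)
            echo "fips-approved" ;;            # approved algorithms, but static RSA or CBC: weaker choices
        *)
            echo "unknown" ;;
    esac
}

# Extract one field from the SSL-Session block of `openssl s_client` output,
# whose lines look like "    Protocol  : TLSv1.2" / "    Cipher    : <suite>".
# $1 = field name, stdin = s_client output.
negotiated_field() {
    sed -n "s/^ *$1 *: *\([^ ]*\).*/\1/p" | head -n 1
}

# Turn a full s_client transcript (stdin) into one audit line.
verdict_from_output() {
    out=$(cat)
    proto=$(printf '%s\n' "$out" | negotiated_field Protocol)
    cipher=$(printf '%s\n' "$out" | negotiated_field Cipher)
    printf 'protocol=%s cipher=%s verdict=%s\n' "$proto" "$cipher" "$(classify_cipher "$cipher")"
}

# Live check: force TLS 1.2 and record what the gateway picked.
# Usage: audit_tls_endpoint vpn.example.com 443   (placeholder host)
audit_tls_endpoint() {
    openssl s_client -connect "$1:$2" -tls1_2 </dev/null 2>/dev/null | verdict_from_output
}

# Constructed sample of s_client output (not captured from a real gateway).
SAMPLE_OK='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

# Constructed sample of a gateway negotiating a non-approved suite.
SAMPLE_BAD='New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305'

# Run the offline samples; pass HOST PORT to audit a live endpoint instead.
if [ "$#" -eq 2 ]; then
    audit_tls_endpoint "$1" "$2"
else
    printf '%s\n' "$SAMPLE_OK"  | verdict_from_output
    printf '%s\n' "$SAMPLE_BAD" | verdict_from_output
fi
```

Run it from a host that can reach the SSL VPN portal (`sh audit.sh vpn.example.com 443`) and attach the output next to the `ckp_regedit` FIPS_140 value and the CMVP certificate; a `not-fips-approved` or `unknown` verdict is the cue to revisit the cipher set with sk126613.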