FIPS Support in Fireware
The Federal Information Processing Standards Publication 140-2, Security Requirements for Cryptographic Modules (FIPS 140-2), describes the United States Federal Government requirements for cryptographic modules.
Your Firebox is designed to meet the overall requirements for FIPS 140-2 Level 2 security when it is configured in a FIPS-compliant manner.
About FIPS Mode
You must use the Command Line Interface (CLI) to enable FIPS mode on a Firebox. When the Firebox operates in FIPS mode, each time the device is powered on, it runs a set of self-tests required by the FIPS 140-2 specification. If any of the tests fail, the Firebox writes a message to the log file and shuts down.
For more information about the CLI commands, see the Command Line Interface Reference at http://www.watchguard.com/help/documentation.
If you start the device in safe mode or recovery mode, the device does not operate in FIPS mode.
FIPS Mode Operation and Constraints
The Firebox does not operate in FIPS mode by default.
To use your Firebox in FIPS mode:
- Type the CLI command fips enable to enable FIPS mode operation.
- Configure the Admin and Status administrative accounts to use passwords with a minimum of 8 characters.
- When you configure VPN tunnels, you must choose only FIPS-approved authentication and encryption algorithms (SHA-1, SHA-256, SHA-512, 3DES, AES-128, AES-192, AES-256).
- When you configure VPN tunnels, you must choose Diffie-Hellman Group 2 or Group 5 for IKE Phase 1 negotiation. Use a minimum of 1024 bits for all RSA keys.
- Do not use a certificate that uses MD5, or any certificate that does not meet the requirements of the FIPS 140-2 standard.
- Do not configure FireCluster for high availability.
- Do not use Mobile VPN with PPTP.
- Do not use PPPoE.
- Do not use WatchGuard System Manager to manage the Firebox.
- For access to Fireware Web UI, the web browser must be configured to use only TLS 1.0 and FIPS-approved cipher suites.
- For network access to the CLI, Telnet and SSH clients must use the SSH v2.0 protocol.
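The VPN and password constraints in the list above, expressed as a pre-flight check that an administrator can run over a proposed tunnel configuration before enabling FIPS mode. This is an added example, not Fireware code or CLI syntax; the dictionary field names, the two functions and the sample configurations are assumptions constructed for illustration.

```python
# Added example: check a proposed VPN tunnel configuration against the
# FIPS-mode constraints documented for the Firebox. Field names such as
# "auth", "encryption", "dh_group", "rsa_bits" and "cert_sig_hash" are
# assumed for this example and are not Fireware configuration keys.

FIPS_AUTH = {"SHA-1", "SHA-256", "SHA-512"}
FIPS_ENC = {"3DES", "AES-128", "AES-192", "AES-256"}
FIPS_DH_GROUPS = {2, 5}          # IKE Phase 1 groups permitted in FIPS mode
MIN_RSA_BITS = 1024
MIN_ADMIN_PASSWORD_LEN = 8


def check_tunnel_config(cfg):
    """Return a list of findings; an empty list means the tunnel complies."""
    findings = []
    if cfg["auth"] not in FIPS_AUTH:
        findings.append(f"authentication {cfg['auth']} is not FIPS-approved")
    if cfg["encryption"] not in FIPS_ENC:
        findings.append(f"encryption {cfg['encryption']} is not FIPS-approved")
    if cfg["dh_group"] not in FIPS_DH_GROUPS:
        findings.append(f"IKE Phase 1 DH group {cfg['dh_group']} is not Group 2 or 5")
    if cfg["rsa_bits"] < MIN_RSA_BITS:
        findings.append(f"RSA key of {cfg['rsa_bits']} bits is below {MIN_RSA_BITS}")
    if cfg["cert_sig_hash"].upper() == "MD5":
        findings.append("certificate is signed with MD5")
    return findings


def check_admin_password(password):
    """Admin and Status accounts need passwords of at least 8 characters."""
    return len(password) >= MIN_ADMIN_PASSWORD_LEN


# Constructed sample configurations (not from a real Firebox).
COMPLIANT_TUNNEL = {"auth": "SHA-256", "encryption": "AES-256",
                    "dh_group": 5, "rsa_bits": 2048, "cert_sig_hash": "sha256"}
WEAK_TUNNEL = {"auth": "MD5", "encryption": "DES",
               "dh_group": 1, "rsa_bits": 512, "cert_sig_hash": "md5"}

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT_TUNNEL), ("weak", WEAK_TUNNEL)):
        print(name, check_tunnel_config(cfg) or "OK")
    print("admin password ok:", check_admin_password("Fireb0x!"))
```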
To determine if the Firebox has FIPS mode enabled, type the CLI command show fips.
When you use a Firebox in FIPS mode, your use of the device is subject to these limitations. We recommend that you consider your requirements carefully before you decide to operate your Firebox in FIPS mode. In some environments you could be required to use a FIPS-compliant device, but you might not have to configure the device in a FIPS-compliant manner.