FIPS Support in Fireware

The Federal Information Processing Standards Publication 140-2, Security Requirements for Cryptographic Modules (FIPS 140-2), describes the United States Federal Government requirements for cryptographic modules.

Your Firebox is designed to meet the overall requirements for FIPS 140-2 Level 2 security when it is configured in a FIPS-compliant manner.

About FIPS Mode

You must use the Command Line Interface (CLI) to enable FIPS mode on a Firebox. When the Firebox operates in FIPS mode, each time the device is powered on, it runs a set of self-tests required by the FIPS 140-2 specification. If any of the tests fail, the Firebox writes a message to the log file and shuts down.

For more information about the CLI commands, see the Command Line Interface Reference at https://www.watchguard.com/help/documentation.

If you start the device in safe mode or recovery mode, the device does not operate in FIPS mode.

Enable FIPS Mode Operation

The Firebox does not operate in FIPS mode by default. To operate in FIPS mode, do the following:

  • Issue the CLI command fips enable to enable FIPS mode operation.
  • Choose operator passwords (for Cryptographic Officer and User roles) with a minimum of 8 characters.
  • Run fips selftest before making changes to the VPN configuration.
  • Mobile VPN with SSL tunnels use TLS 1.2. When you configure SSL VPN tunnels, only choose FIPS-approved authentication and encryption algorithms (SHA-1, SHA-256, SHA-512, Triple-DES, AES-128, AES-192, AES-256).
  • When you configure IPSec VPN tunnels, only choose FIPS-approved authentication and encryption algorithms (SHA-1, SHA-256, SHA-384, SHA-512, Triple-DES, AES-128, AES-192, AES-256).
  • When you configure IPSec VPN tunnels, choose Diffie-Hellman Group 14 (2048 bit), Group 15 (3072 bit), Group 19 (256 bit elliptic curve), or Group 20 (384 bit elliptic curve) for IKE Phase 1 negotiation.
  • When you configure IPSec VPN tunnels, use pre-shared keys or RSA certificates for authentication.
  • Only use RSA certificates for TLS.
  • Use a minimum of 2048-bits for all RSA keys.
  • Do not use Mobile VPN with PPTP.
  • Do not use PPPoE.
  • Do not use WatchGuard System Manager to manage the appliance.
  • Web browsers must be configured to only use TLS 1.2 and FIPS approved cipher suites.
  • Clients that connect to the CLI must be configured to use the SSH V2.0 protocol and RSA authentication. If the SSH client uses Diffie-Hellman key exchange, configure the client to use DH 2048 bit or greater.
  • When using a USB device for backup, the Cryptographic Officer must take possession of the USB device.
  • Do not use the wireless interfaces.

To determine if the Firebox has FIPS mode enabled, type the CLI command show fips.
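
The list above is easy to get wrong when several tunnels are configured at once, so the following added example (not WatchGuard code, and not something the Firebox itself provides) audits planned tunnel settings against the algorithm, DH group, key-size and feature rules stated on this page. It works on hand-built dictionaries constructed below rather than reading a real Firebox configuration; the function names, tunnel keys, and sample tunnel names are assumptions made for this example.

```python
"""Audit planned Firebox VPN settings against the FIPS-mode rules listed on
this page.  Added example, not WatchGuard code: it checks dictionaries you
build by hand (constructed below) and does not read a real Firebox
configuration.  Function names and the tunnel dictionary keys are
assumptions made for this example."""

# Approved algorithms exactly as listed above.  SHA-384 appears only in the
# IPSec list, so the SSL VPN set deliberately omits it.
IPSEC_AUTH_ALGS = {"SHA-1", "SHA-256", "SHA-384", "SHA-512"}
SSLVPN_AUTH_ALGS = {"SHA-1", "SHA-256", "SHA-512"}
ENC_ALGS = {"Triple-DES", "AES-128", "AES-192", "AES-256"}
IKE_DH_GROUPS = {14, 15, 19, 20}            # IKE Phase 1 only
IPSEC_AUTH_METHODS = {"pre-shared-key", "rsa-certificate"}
MIN_RSA_BITS = 2048
SSLVPN_TLS_VERSION = "1.2"
# Features the page says must not be used in FIPS mode
# (Mobile VPN with PPTP, PPPoE, wireless interfaces, WatchGuard System Manager).
FORBIDDEN_FEATURES = ("pptp", "pppoe", "wireless", "wsm")


def audit_ipsec(t):
    """Return the list of FIPS-mode violations for one IPSec tunnel."""
    issues = []
    if t["auth_alg"] not in IPSEC_AUTH_ALGS:
        issues.append(f"authentication algorithm {t['auth_alg']} is not FIPS-approved")
    if t["enc_alg"] not in ENC_ALGS:
        issues.append(f"encryption algorithm {t['enc_alg']} is not FIPS-approved")
    if t["dh_group"] not in IKE_DH_GROUPS:
        issues.append(f"IKE Phase 1 DH group {t['dh_group']} is not allowed (use 14, 15, 19 or 20)")
    if t["auth_method"] not in IPSEC_AUTH_METHODS:
        issues.append(f"authentication method {t['auth_method']} is not allowed")
    elif t["auth_method"] == "rsa-certificate" and t.get("rsa_bits", 0) < MIN_RSA_BITS:
        issues.append(f"RSA certificate key is {t.get('rsa_bits', 0)} bits; minimum is {MIN_RSA_BITS}")
    return issues


def audit_sslvpn(t):
    """Return the list of FIPS-mode violations for one Mobile VPN with SSL tunnel."""
    issues = []
    if t.get("tls_version") != SSLVPN_TLS_VERSION:
        issues.append(f"TLS {t.get('tls_version')} configured; SSL VPN must use TLS {SSLVPN_TLS_VERSION}")
    if t["auth_alg"] not in SSLVPN_AUTH_ALGS:
        issues.append(f"authentication algorithm {t['auth_alg']} is not FIPS-approved for SSL VPN")
    if t["enc_alg"] not in ENC_ALGS:
        issues.append(f"encryption algorithm {t['enc_alg']} is not FIPS-approved")
    if t.get("rsa_bits", 0) < MIN_RSA_BITS:   # TLS must use an RSA certificate
        issues.append(f"RSA certificate key is {t.get('rsa_bits', 0)} bits; minimum is {MIN_RSA_BITS}")
    return issues


def audit_features(features):
    """Return the forbidden features that are switched on, in a fixed order."""
    return [f for f in FORBIDDEN_FEATURES if features.get(f)]


def audit(tunnels):
    """Audit every tunnel; map each non-compliant tunnel name to its violations."""
    report = {}
    for t in tunnels:
        checker = audit_ipsec if t["type"] == "ipsec" else audit_sslvpn
        issues = checker(t)
        if issues:
            report[t["name"]] = issues
    return report


# Constructed sample tunnels for illustration (not from any real configuration).
SAMPLE_TUNNELS = [
    {"name": "hq-to-branch", "type": "ipsec", "auth_alg": "SHA-256",
     "enc_alg": "AES-256", "dh_group": 14, "auth_method": "pre-shared-key"},
    {"name": "legacy-partner", "type": "ipsec", "auth_alg": "MD5",
     "enc_alg": "Triple-DES", "dh_group": 2, "auth_method": "pre-shared-key"},
    {"name": "remote-users", "type": "sslvpn", "tls_version": "1.2",
     "auth_alg": "SHA-384", "enc_alg": "AES-128", "rsa_bits": 2048},
    {"name": "old-portal", "type": "sslvpn", "tls_version": "1.0",
     "auth_alg": "SHA-256", "enc_alg": "AES-256", "rsa_bits": 1024},
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_TUNNELS).items():
        print(name)
        for issue in issues:
            print("  -", issue)
    print("forbidden features enabled:", audit_features({"pptp": True, "wireless": True}))
```

This is a planning aid for reviewing proposals before you commit them; it does not replace running fips selftest and show fips on the Firebox itself, which are the only checks that reflect what the device is actually doing.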

When you use a Firebox in FIPS mode, your use of the device is subject to these limitations. We recommend that you consider your requirements carefully before you decide to operate your Firebox in FIPS mode. In some environments you could be required to use a FIPS-compliant device, but you might not have to configure the device in a FIPS-compliant manner.

For a Firebox in FIPS mode to send log messages to a Dimension Server, the Firebox must run Fireware v12.1.3 or higher, and the Dimension Server must run Dimension v2.1.2 or higher.