FIPS Support in Fireware

The Federal Information Processing Standards Publication 140-2, Security Requirements for Cryptographic Modules (FIPS 140-2), describes the United States Federal Government requirements for cryptographic modules.

Your Firebox is designed to meet the overall requirements for FIPS 140-2 Level 2 security when it is configured in a FIPS-compliant manner.

Fireware v12.3.1 is the latest FIPS-certified version of Fireware. In Fireware v12.4 and higher, Fireware uses a version of OpenSSL that does not support FIPS 140-2. For more information about FIPS-certified Firebox models, go to Product Certifications on the WatchGuard website.

You must use the Command Line Interface (CLI) to enable FIPS mode on a Firebox. When the Firebox operates in FIPS mode, each time the device is powered on, it runs a set of self-tests required by the FIPS 140-2 specification. If any of the tests fail, the Firebox writes a message to the log file and shuts down.

If you start the device in safe mode or recovery mode, the device does not operate in FIPS mode.

FIPS mode is not available in Fireware v12.5.9 Update 2 and higher or Fireware v12.7.2 Update 2 or higher.

Enable FIPS Mode Operation

The Firebox does not operate in FIPS mode by default. To operate in FIPS mode, do the following:

  1. Issue the CLI command fips enable to enable FIPS mode operation.
  2. Choose operator passwords (for Cryptographic Officer and User roles) with a minimum of 8 characters.

The Firebox immediately reboots and automatically begins to run the FIPS tests.

Disable FIPS Mode Operation

Issue the CLI command no fips enable to disable FIPS mode operation.

About FIPS Mode

To determine if the Firebox has FIPS mode enabled, type the CLI command show fips.

When you use a Firebox in FIPS mode, your use of the device is subject to these limitations. We recommend that you consider your requirements carefully before you decide to operate your Firebox in FIPS mode. In some environments you could be required to use a FIPS-compliant device, but you might not have to configure the device in a FIPS-compliant manner.

  • Do not use PPPoE.
  • Do not use WatchGuard System Manager to manage the appliance.
  • Do not use FireCluster (requires WatchGuard System Manager, which is not available in FIPS mode).
  • Web browsers must be configured to only use TLS 1.2 and FIPS approved cipher suites.
  • Telnet and SSH clients must be configured to use the SSH V2.0 protocol and RSA authentication. If the SSH client uses Diffie-Hellman key exchange, configure the client to use DH 2048 bit or greater.
  • When using a USB device for backup, the Cryptographic Officer must take possession of the USB device.
  • Do not use the wireless interfaces.
  • Do not use the Autotask, ConnectWise, or Tigerpaw PSA integrations.
  • Run fips selftest before making changes to the VPN configuration.

VPN Limitations

  • Mobile VPN with SSL tunnels use TLS 1.2. When you configure SSL VPN tunnels, only choose FIPS-approved authentication and encryption algorithms (SHA-1, SHA-256, SHA-512, Triple-DES, AES-128, AES-192, AES-256).
  • When you configure IPSec VPN tunnels, only choose FIPS-approved authentication and encryption algorithms (SHA-1, SHA-256, SHA-384, SHA-512, Triple-DES, AES-128, AES-192, AES-256).
  • When you configure IPSec VPN tunnels, choose Diffie-Hellman Group 14 (2048 bit), Group 15 (3072 bit), Group 19 (256 bit elliptic curve), or Group 20 (384 bit elliptic curve) for IKE Phase 1 negotiation.
  • When you configure IPSec VPN tunnels, use pre-shared keys or RSA certificates for authentication.
  • Only use RSA certificates for TLS.
  • Use a minimum of 2048-bits for all RSA keys.
  • Do not use Mobile VPN with PPTP.
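Because the VPN limitations above are easy to violate in an existing configuration, a practitioner would normally audit every tunnel before enabling FIPS mode. The following Python script is an added example, not WatchGuard code: it encodes the approved algorithm sets exactly as listed above and checks a constructed VPN configuration against them. The dictionary layout and field names (phase1/phase2, dh_group, peer_auth, rsa_key_bits, pptp_enabled) are assumptions made for this example and are not a Fireware export format; the findings it reports (MD5 integrity, DH Group 2, DES, a 1024-bit RSA certificate, SHA-384 on the SSL VPN, and PPTP enabled) are the typical leftovers from a pre-FIPS configuration.

```python
"""
Pre-flight audit of a VPN configuration against the FIPS-mode limitations
listed above. Added example, not WatchGuard code. The dictionary layout and
field names are constructed for this example, not a Fireware export format.
"""

# Approved algorithm sets, transcribed from the FIPS-mode limitation list.
FIPS_AUTH_IPSEC = {"SHA-1", "SHA-256", "SHA-384", "SHA-512"}
FIPS_AUTH_SSLVPN = {"SHA-1", "SHA-256", "SHA-512"}      # SHA-384 is absent from the SSL VPN list
FIPS_ENCRYPTION = {"Triple-DES", "AES-128", "AES-192", "AES-256"}
FIPS_DH_GROUPS = {14, 15, 19, 20}                        # IKE Phase 1 only
FIPS_PEER_AUTH = {"pre-shared-key", "rsa-certificate"}
MIN_RSA_BITS = 2048


def audit_ipsec_tunnel(tunnel):
    """Return a list of findings for one IPSec tunnel; an empty list means compliant."""
    name = tunnel.get("name", "<unnamed>")
    findings = []
    for phase in ("phase1", "phase2"):
        proposal = tunnel.get(phase, {})
        auth = proposal.get("auth")
        enc = proposal.get("encryption")
        if auth not in FIPS_AUTH_IPSEC:
            findings.append(f"{name}/{phase}: authentication {auth!r} is not FIPS-approved")
        if enc not in FIPS_ENCRYPTION:
            findings.append(f"{name}/{phase}: encryption {enc!r} is not FIPS-approved")
    # The DH group restriction applies to the IKE Phase 1 proposal.
    dh = tunnel.get("phase1", {}).get("dh_group")
    if dh not in FIPS_DH_GROUPS:
        findings.append(f"{name}/phase1: DH group {dh!r} is not one of {sorted(FIPS_DH_GROUPS)}")
    peer_auth = tunnel.get("peer_auth")
    if peer_auth not in FIPS_PEER_AUTH:
        findings.append(f"{name}: peer authentication {peer_auth!r} must be a pre-shared key or RSA certificate")
    if peer_auth == "rsa-certificate" and tunnel.get("rsa_key_bits", 0) < MIN_RSA_BITS:
        findings.append(f"{name}: RSA key is {tunnel.get('rsa_key_bits')} bits; minimum is {MIN_RSA_BITS}")
    return findings


def audit_sslvpn(sslvpn):
    """Return findings for the Mobile VPN with SSL settings; an empty list means compliant."""
    findings = []
    auth = sslvpn.get("auth")
    enc = sslvpn.get("encryption")
    if auth not in FIPS_AUTH_SSLVPN:
        findings.append(f"sslvpn: authentication {auth!r} is not FIPS-approved for SSL VPN")
    if enc not in FIPS_ENCRYPTION:
        findings.append(f"sslvpn: encryption {enc!r} is not FIPS-approved")
    return findings


def audit_vpn_config(config):
    """Audit a whole (constructed-format) VPN configuration; returns all findings in order."""
    findings = []
    for tunnel in config.get("ipsec_tunnels", []):
        findings.extend(audit_ipsec_tunnel(tunnel))
    if "sslvpn" in config:
        findings.extend(audit_sslvpn(config["sslvpn"]))
    if config.get("pptp_enabled"):
        findings.append("pptp: Mobile VPN with PPTP must not be used in FIPS mode")
    return findings


# Constructed sample configuration: one compliant tunnel and one legacy tunnel.
SAMPLE_CONFIG = {
    "ipsec_tunnels": [
        {
            "name": "bovpn-hq",
            "phase1": {"auth": "SHA-256", "encryption": "AES-256", "dh_group": 14},
            "phase2": {"auth": "SHA-256", "encryption": "AES-256"},
            "peer_auth": "rsa-certificate",
            "rsa_key_bits": 2048,
        },
        {
            "name": "bovpn-legacy",
            "phase1": {"auth": "MD5", "encryption": "AES-128", "dh_group": 2},
            "phase2": {"auth": "SHA-1", "encryption": "DES"},
            "peer_auth": "rsa-certificate",
            "rsa_key_bits": 1024,
        },
    ],
    "sslvpn": {"auth": "SHA-384", "encryption": "AES-256"},  # SHA-384 is listed for IPSec only
    "pptp_enabled": True,
}

if __name__ == "__main__":
    for line in audit_vpn_config(SAMPLE_CONFIG) or ["no findings"]:
        print(line)
```

Run it against the sample and it reports six findings: four on bovpn-legacy, one on the SSL VPN integrity algorithm, and one for PPTP; bovpn-hq passes. Fix every finding before issuing fips enable, then run fips selftest as the list above directs before touching the VPN configuration again.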

For a Firebox in FIPS mode to send log messages to a Dimension Server, the Firebox must run Fireware v12.1.3 or higher, and the Dimension Server must run Dimension v2.1.2 or higher.