Common Criteria Support in Fireware
The US National Security Agency (NSA) Commercial Solutions for Classified (CSfC) program certifies security-enabled products to be used for classified applications. The NIAP (National Information Assurance Partnership) defines Protection Profiles with certification requirements.
Fireware OS is certified for these NIAP-approved Protection Profiles:
- Network Device
- Virtual Private Network
- Firewall
Firebox models evaluated under the CSfC program:
- Firebox T Series: T20, T35, T40, T55, T70, T80
- Firebox M Series: M270, M370, M470, M570, M670, M4600, M5600
These Firebox models meet the overall requirements for Common Criteria certification, when configured with required settings and managed with approved administration methods.
Firebox models not listed here, and wireless variants of the listed models, are not certified as compliant with Common Criteria.
For deployment and configuration instructions, see the Common Criteria Deployment Guide.
About CSfC Mode
To configure your Firebox to comply with Common Criteria requirements, you must enable CSfC mode on the Firebox. CSfC mode is supported in Fireware v12.6.2 or higher.
To request Fireware v12.6.2 for a Firebox T35, T55, or T70, send an email to [email protected].
When you enable CSfC mode, Fireware has some functional differences:
Boot Time Integrity Checks
At boot time, the Firebox runs required integrity checks. If a check fails, the Firebox shuts down immediately and all interfaces are disabled.
Upgrade Integrity Checks
When you upgrade the Firebox, the Firebox checks a signature in the upgrade image against a key already installed on the Firebox. If the signature check fails, the Firebox refuses the upgrade.
TLS v1.3 is Disabled
TLS v1.3 is disabled by default. TLS v1.3 is not yet federally certified.
Fireware v12.7.2 Update 2 and higher, Fireware v12.5.9 Update 2 and higher, and Fireware v12.1.3 Update 8 and higher include boot time and upgrade integrity checks for Fireboxes that do not have CSfC mode enabled. For more information, see System Integrity Checks.
Enable CSfC Mode
To enable CSfC mode on a Firebox, you must use the Fireware Command Line Interface (CLI). When you enable CSfC mode, the Firebox immediately reboots and runs the required integrity checks.
CLI commands for CSfC:
- To enable CSfC mode, type the CLI command csfc enable.
- To disable CSfC mode, type the CLI command no csfc enable.
- To determine if CSfC mode is enabled, type the CLI command show csfc.
For more information about CLI commands, see the Command Line Interface Reference at https://www.watchguard.com/help/documentation.
Approved Administration Methods
To configure and manage the Firebox to comply with Common Criteria requirements, you must use only these management interfaces:
- Fireware Web UI
- Fireware Command Line Interface (CLI) from a direct connection to the serial management port (ssh is not an approved administration method)
When you use a Firebox in CSfC mode, your use of the device is subject to these limitations. We recommend that you consider your requirements carefully before you decide to operate your Firebox in CSfC mode. Some environments might require you to use a CSfC-compliant device, but you might not have to configure the device in a CSfC-compliant manner.