FIPS Support in Fireware
The Federal Information Processing Standards Publication 140-3, Security Requirements for Cryptographic Modules (FIPS 140-3), describes the United States Federal Government requirements for cryptographic modules.
Your Firebox is designed to meet the overall requirements for FIPS 140-3 Level 2 security when configured in a FIPS-compliant manner with Fireware v12.11. For more information about FIPS validation status, go to Product Certifications on the WatchGuard Trust Center website.
FIPS 140-3 is supported in Fireware v12.11 with these hardware models:
- Firebox T series: T20, T20-W, T40, T40-W, T80, NV5, T25, T25-W, T45, T45-PoE, T45-W-PoE, T45-CW, T85-PoE
- Firebox M series: M290, M390, M590, M690, M4800, M5800
FIPS 140-2 is supported only in Fireware v12.3.1 for these hardware models:
- Firebox T series: T15, T15-W, T35, T35-W, T55, T55-W, T70
- Firebox M series: M200, M270, M300, M370, M400, M440, M470, M500, M570, M670, M4600, M5600
The FIPS 140-2 certification is archived and not recommended for new deployments. Customers that require FIPS certification should pursue hardware and firmware compliant with FIPS 140-3. Fireware v12.3.1 is the latest FIPS 140-2 certified version of Fireware. In Fireware v12.4 and higher, Fireware uses a version of OpenSSL that does not support FIPS 140-2.
You must use the Command Line Interface (CLI) to enable FIPS mode on a Firebox. When the Firebox operates in FIPS mode, each time the device is powered on, it runs a set of self-tests required by the FIPS specification. If any of the tests fail, the Firebox writes an error message to the console log file and shuts down.
- For more information about the Firebox when in FIPS mode, go to About FIPS Mode.
- For more information about the FIPS CLI commands for FIPS 140-3 support in Fireware v12.11, go to the Command Line Interface Reference.
- For more information about the FIPS CLI commands for FIPS 140-2 support in Fireware v12.3.1, go to the Command Line Interface Reference for Fireware v12.6 and lower.
Enable FIPS Mode Operation
The Firebox does not operate in FIPS mode by default. To enable FIPS mode operation:
- Log in to the Fireware CLI.
- Type the command fips enable.
The Firebox immediately reboots and automatically begins to run the FIPS self-tests.
If you start the device in safe mode or recovery mode, the device does not operate in FIPS mode.
Disable FIPS Mode Operation
Issue the CLI command no fips enable to disable FIPS mode operation.
Perform FIPS Zeroization
For FIPS 140-3 support in Fireware v12.11 and higher, you can use the CLI command fips zeroize to disable FIPS mode operation and restore the Firebox to factory-default settings. The device automatically reboots after the zeroization process.
About FIPS Mode
To determine if the Firebox has FIPS mode enabled, type the CLI command show fips.
When you use a Firebox in FIPS mode, your use of the device is subject to these limitations. We recommend that you consider your requirements carefully before you decide to operate your Firebox in FIPS mode. In some environments you could be required to use a FIPS-compliant device, but you might not have to configure the device in a FIPS-compliant manner.
- Do not use WatchGuard System Manager or Firebox System Manager to manage the appliance.
- Do not use FireCluster (requires WatchGuard System Manager, which is not available in FIPS mode).
- Do not use PPPoE.
- Do not use Mobile VPN with PPTP.
- Do not use the wireless interfaces on Fireboxes with integrated wireless.
- Web browsers must be configured to only use TLS v1.2/v1.3 and FIPS-approved cipher suites.
- Use a minimum of 2048 bits for all RSA keys.
- Telnet and SSH clients must be configured to use SSH-2 and RSA authentication. If the SSH client uses Diffie-Hellman key exchange, configure the client to use DH 2048 bit or greater.
- When you configure the Access Portal with SSH hosts based on OpenSSH 7.6P1 (such as Ubuntu 18.04) or higher with older SSH-1 algorithms, you must use DSA keys. RSA is not supported. These algorithms are not supported in FIPS mode: MD5, DES, 3DES, RSA (1024), DSA (1024).
- OpenSSH 7.9P1 or higher is required by the SSH server to support Access Portal connections to the SSH server with a private key.
- You cannot use the Access Portal with an RDP host configured with the NLA security type. NLA is not supported in FIPS mode.
- PFX file import is not supported in FIPS mode. You must import keys and related certificates individually.
- You cannot log in to the Firebox from the console port. Console input is disabled.
- Do not use a USB device for backup.
- Do not use the Autotask, ConnectWise, or Tigerpaw PSA integrations.
VPN Limitations
- Mobile VPN with SSL tunnels use TLS v1.2/v1.3. When you configure SSL VPN tunnels, only choose FIPS-approved authentication and encryption algorithms (SHA-1, SHA-256, SHA-512, AES-128, AES-192, AES-256).
- When you configure IPSec VPN tunnels, only choose FIPS-approved authentication and encryption algorithms (SHA-1, SHA-256, SHA-384, SHA-512, AES-128, AES-192, AES-256).
Non-approved algorithms are MD5, DES, and 3DES. If you use these non-approved algorithms, a warning message appears in the logs that you are using a non-approved algorithm for FIPS compliance. Informational messages for the use of approved FIPS algorithms also appear in the logs.
- When you configure IPSec VPN tunnels, choose Diffie-Hellman Group 14 (2048 bit), Group 15 (3072 bit), Group 19 (256 bit elliptic curve), or Group 20 (384 bit elliptic curve) for IKE Phase 1 negotiation.
- When you configure IPSec VPN tunnels, use pre-shared keys or RSA certificates for authentication.
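The VPN limitations above amount to an allow-list that an administrator can check before enabling FIPS mode, so that no tunnel produces a non-approved-algorithm warning after the reboot. The script below is an added example, not WatchGuard code: it encodes the approved and non-approved lists exactly as this page states them (the Mobile VPN with SSL list has no SHA-384; the IPSec list does), the approved IKE Phase 1 DH groups, the 2048-bit RSA minimum, and the pre-shared key or RSA certificate requirement, then reports every setting that violates them. The tunnel records, field names, and the check_tunnel/check_all helpers are constructed for the illustration and are not the Firebox's own configuration format.

```python
"""FIPS pre-check for Firebox VPN tunnel settings (added example, not WatchGuard code).

Encodes the approved / non-approved algorithm lists stated on this page for
Mobile VPN with SSL and IPSec tunnels and reports every setting that would
trigger a FIPS non-compliance warning. The tunnel records are a constructed
illustration, not the Firebox's own configuration format.
"""

# Algorithm lists as stated on this page.
SSL_VPN_AUTH = {"SHA-1", "SHA-256", "SHA-512"}             # Mobile VPN with SSL
IPSEC_AUTH = {"SHA-1", "SHA-256", "SHA-384", "SHA-512"}    # IPSec
APPROVED_ENC = {"AES-128", "AES-192", "AES-256"}
NON_APPROVED = {"MD5", "DES", "3DES"}                      # logged as a warning when used
IPSEC_DH_GROUPS = {14, 15, 19, 20}                         # 2048-bit, 3072-bit, P-256, P-384
IPSEC_AUTH_METHODS = {"psk", "rsa-certificate"}            # pre-shared key or RSA certificate
MIN_RSA_BITS = 2048                                        # minimum for all RSA keys


def check_tunnel(tunnel):
    """Return a list of findings for one tunnel; an empty list means FIPS-clean."""
    findings = []
    name = tunnel.get("name", "<unnamed>")
    kind = tunnel.get("type")
    approved_auth = IPSEC_AUTH if kind == "ipsec" else SSL_VPN_AUTH

    for alg in tunnel.get("auth_algs", []):
        if alg not in approved_auth:
            tag = "non-approved" if alg in NON_APPROVED else "not in the approved list"
            findings.append(f"{name}: authentication algorithm {alg} is {tag}")
    for alg in tunnel.get("enc_algs", []):
        if alg not in APPROVED_ENC:
            tag = "non-approved" if alg in NON_APPROVED else "not in the approved list"
            findings.append(f"{name}: encryption algorithm {alg} is {tag}")

    if kind == "ipsec":
        # IKE Phase 1 DH groups and the authentication method only apply to IPSec.
        for group in tunnel.get("dh_groups", []):
            if group not in IPSEC_DH_GROUPS:
                findings.append(f"{name}: IKE Phase 1 DH group {group} is not FIPS-approved")
        method = tunnel.get("auth_method")
        if method not in IPSEC_AUTH_METHODS:
            findings.append(f"{name}: authentication method {method!r} is not allowed in FIPS mode")
        if method == "rsa-certificate" and tunnel.get("rsa_bits", 0) < MIN_RSA_BITS:
            findings.append(f"{name}: RSA key is {tunnel.get('rsa_bits')} bits; minimum is {MIN_RSA_BITS}")
    return findings


def check_all(tunnels):
    """Run check_tunnel over every tunnel and return the combined findings."""
    findings = []
    for tunnel in tunnels:
        findings.extend(check_tunnel(tunnel))
    return findings


# Constructed sample tunnels: one compliant, one with typical legacy settings,
# and an SSL VPN tunnel using an algorithm that is only on the IPSec list.
SAMPLE_TUNNELS = [
    {"name": "site-a", "type": "ipsec", "auth_algs": ["SHA-256"],
     "enc_algs": ["AES-256"], "dh_groups": [14, 19],
     "auth_method": "rsa-certificate", "rsa_bits": 2048},
    {"name": "legacy-b", "type": "ipsec", "auth_algs": ["MD5", "SHA-1"],
     "enc_algs": ["3DES"], "dh_groups": [2, 14],
     "auth_method": "rsa-certificate", "rsa_bits": 1024},
    {"name": "mobile-ssl", "type": "ssl", "auth_algs": ["SHA-384"],
     "enc_algs": ["AES-128"]},
]

if __name__ == "__main__":
    for line in check_all(SAMPLE_TUNNELS):
        print(line)
```

Run the script before typing fips enable; any line it prints corresponds to a setting that the page says will generate a non-approved-algorithm warning in the logs or is not permitted in FIPS mode, so those tunnels should be re-negotiated with the peer first.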