How do I enable FIPS Mode?
03/26/2020 68 14960
A Federal Information Processing Standard (FIPS) is a publicly announced standardization developed by the United States federal government for use in computer systems by all non-military government agencies and by government contractors, when properly invoked and tailored on a contract.
The 140 series of Federal Information Processing Standards (FIPS) are U.S. government computer security standards that specify requirements for cryptography modules.
SonicWall UTM appliances are FIPS 140-2 certified. The overall FIPS validation level for SonicWall UTM appliances is Security Level 2. A special FIPS SonicOS firmware, SonicOS 184.108.40.206-fips_4o, is available for download at mysonicwall.com. The SonicOS 220.127.116.11 FIPS/CC release is certified for Level 3 Cryptographic Module Specification and Level 3 Design Assurance and is supported in NSA 3500 and above. For more information, refer to the SonicOS_18.104.22.168_FIPS_CC_Release_Notes.
When operating in FIPS (Federal Information Processing Standard) Mode, the SonicWall security appliance supports FIPS 140-2 Compliant security. Among the FIPS-compliant features of the SonicWall security appliance include PRNG (Psuedo Random Number Generator) based on SHA-1 and only FIPS approved algorithms are supported (DES, 3DES, and AES with SHA-1).
SonicWall UTM appliances are not configured to operate in FIPS-mode by default. This article describes the steps that must be taken to enable FIPS-mode operation.
SonicWall UTM appliances are not configured to operate in FIPS-mode by default. The following steps must be taken to enable FIPS-mode operation.
- Set Administrator and User password to at least eight characters.
- Do not enable LDAP on the Users/Settings page.
- Use IKE with 3rd Party Certificates for IPsec Keying Mode when creating VPN tunnels.
- When creating VPN tunnels, ensure ESP is enabled for IPSec.
- Use FIPS-approved encryption and authentication algorithms when creating VPN tunnels. The SonicWall UTM appliance supports the following FIPS-approved cryptographic algorithms:
- AES (128, 192, and 256-bit) in CBC mode (Cert. #1200)
- Triple-DES in CBC mode (Cert. #868)
- SHA-1 (Cert. #1105)
- DSA (Cert. #398)
- RNG (Cert. #664)
- RSA (Cert. #577)
- HMAC-SHA-1 (Cert. #697)
- Use Group 2 or Group 5 for IKE Phase 1 DH Group and Use SHA1 for Authentication
- HTTP, SSH or SNMP Management is not allowed in FIPS Mode
- Do not enable Advanced Routing Services.
- Do not enable Group VPN management
When configured to operate in FIPS mode, the SonicWall UTM appliance provides only FIPS 140-2 compliant services.
To enable FIPS mode navigate to Manage | Settings. Click on Settings gear. On pop up window, go to FIBS, then check Enable FIPS Mode and click Apply. The FIPS mode configuration can be determined by checking the state of the Enable FIPS Mode checkbox on the Manage | Firmware & Backups | Settings page and verification of the preceding steps. If the Enable FIPS Mode checkbox is enabled, the module is running in the FIPS Approved mode of operation.
Enabling FIPS Mode
Select Enable FIPS Mode to enable the SonicWall UTM appliance to comply with FIPS. When you check this setting, a dialog box is displayed with the following message:
Warning! Modifying the FIPS mode will disconnect all users and restart the device. Click OK to proceed.
Click OK to reboot the SonicWall in FIPS mode. A second warning displays. Click Yes to continue rebooting. To return to normal operation, uncheck the Enable FIPS Mode check box and reboot the SonicWall UTM appliance into non-FIPS mode.
Caution: When using the SonicWall UTM appliance for FIPS-compliant operation, the tamper-evident sticker that is affixed to the SonicWall UTM appliance must remain in place and untouched.