- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
SMA1000- Configuration Extensions used to be used when FIPS is enabled
08/11/2021 
0 People found this article helpful
31,998 Views
Description
Once FIPS is enabled on the Physical appliances- 6200/6210, 7200/7210, the following configuration extension values are required for effective functioning.
Resolution
To put the device into FIPS mode - Navigate to System Configuration|General Settings|FIPS Security.
NOTE: Turning on FIPS mode will cause a reboot and delete all existing certificates on the appliance.
Enter the following CEM extensions in System Configuration|Maintenance|Advanced.
a. ACCEPTABLE_USE_BANNER [Enter the DoD banner]
See the DOD Banner section for a current version of the banner used for APL testing.
This extension enables the display of an Acceptable Use Policy or DoD Banner on an administrative logon (https://IP address:8443).
Configure an Acceptable Use Policy or DoD Banner for user logon in the appropriate Realm (User Access|Realms|[Select an existing realm]|Advanced|Acceptable Use Policy).
b. DISABLE_SHELL_ACCESS =true
This extension disables the Operating System shell normally available through the Console connection on the front of the SMA. The lack of access to the shell is mandatory for APL compliance.
c. EW_BLOCK_X_XSS_VIOLATIONS= true
This extension is necessary for mitigating web vulnerabilities.
d. EW_ENABLE_X_FRAME_OPTIONS 1
This extension is necessary for mitigating web vulnerabilities.
e. AMC_SESSION_TIMEOUT_SECS [number of seconds]
(e.g., AMC_SESSION_TIMEOUT_SECS=600 would result in a timeout of 10 minutes for administrators.
This setting determines how long to allow an AMC or shell session to be idle before forcing a logout.
Additional CEM Commands:
A site may be required by local security policies to limit incorrect logon attempts by a primary administrator.
Similarly, the site may insist that the administrator lockout lasts for a specific period. Finally, local security policies may dictate that SYSLOG traffic be encrypted when sent to an external SYSLOG server, perhaps on a different network or subnet. The following commands will allow the configuration of these things.
CAUTION:Do regular configuration backups (Maintenance|System Configuration|Import or Export) – especially before making configuration changes, usually by clicking on the “Pending changes” icon in the upper right-hand corner of the AMC screen!
1. Set # of failed logins before the admin account is locked out:
ADMINISTRATOR_ACCOUNT_LOCKOUT_ATTEMPTS=#
2. Set # of seconds an admin account is locked out:
ADMINISTRATOR_ACCOUNT_LOCKOUT_SECONDS=#
3. Force TLS for all remote syslog servers:
LOGGING_SECURE_SYSLOG=true|false
Related Articles
- How to secure Virtual Office portal from all external access
- NetExtender users fail to get connected throwing an Error Failed to get vpn protocol on firmware 10.2.1.2 or above due to misconfigured protocol
- Is SRA/SMA appliance vulnerable to CVE-2016-2183 and CVE-2016-5915?
YES
NO