on 02-29-2024 01:02 PM
This Nominated Discussion Article is based on the post "FIPS-CC Mode Initial Setup" by @B.Vance and answered by Cyber Elites @BPry & @OtakarKlier
We are now required to switch to FIPS-CC mode for compliance. I have read the Admin Guide section about switching the operation mode to FIPS-CC but have a question about a FIPS security function.
The guide states that I can save my current running-config since this change will revert the FW back to factory defaults and all configs will be lost but also states that the config file will need to be edited for FIPS-CC security functions or the import will fail.
Then, one of the security functions states "You are required to use a RADIUS server profile configured with an authentication protocol leveraging TLS encryption".
We are not using a RADIUS server for anything now but this is worded in a way that sounds like we will be required to, so if this one control isn't set in my exported running-config file will it cause the import to fail? Not sure what authentication it is requiring this for? Am I just reading the security function wrong?
One other question, is it possible to set all of the FIPS security functions while in normal mode and then export that running-config so the config file is already good to import or would there be some options missing in normal mode that are only available in FIPS-CC mode?
I'll try to break down the different questions, please let me know if I missed something:
1. YES backup the config as enabling FIPS wipes it. There is no other special setting to change on the config. Just work through any errors you get. I've done this a few times so know its possible. Obviously get approval in writing and change control, etc.
2. If you don't use RADIUS, don't worry about this. You can use local auth etc.
3. Sorry no there is no other way :(.
Just remember again to backup your config!
The guide states that I can save my current running-config since this change will revert the FW back to factory defaults and all configs will be lost but also states that the config file will need to be edited for FIPS-CC security functions or the import will fail.
Loading the config that you exported won't be an issue, however if you're using anything that you aren't allowed to utilize anymore it won't pass validation. Utilize the validation errors to strip those elements out of your configuration until you can pass validation and commit the config. You can drastically speed this up by ensuring that you're using cipher suites that are actually supported in FIPS mode.
One really important aspect of this import to take note of is that the phash value from your old config isn't going to work when you switch to FIPS, so before you commit the configuration ensure that you change at least one superuser account password to ensure that you know that the password will actually work. Failure to do this will lose access to the box.
Then, one of the security functions states "You are required to use a RADIUS server profile configured with an authentication protocol leveraging TLS encryption". We are not using a RADIUS server for anything now but this is worded in a way that sounds like we will be required to, so if this one control isn't set in my exported running-config file will it cause the import to fail? Not sure what authentication it is requiring this for? Am I just reading the security function wrong?
This could be better worded. If you're utilizing a RADIUS server profile you must use an authentication profile that uses TLS, so you won't be able to utilize PAP or CHAP if you were using a radius. Since you aren't you don't need to worry about this.
Thanks for your reply. Just to clarify, are you saying that once I import my saved running-config I should be able to see the admins in the web UI even before I commit so I can change the password?
Also, is the a document you know of that will show how to edit the config file if I need to strip anything out? Thanks again for your help.
Correct. Once you import and load the saved configuration file it's just a candidate config just like when you make any other changes; the firewall will have all of the changes visible and they won't go into effect until you commit them. You'll be able to see all of the administrators that you have specified and modify their passwords as needed.
The validation errors that you'll see once you load the configuration file will detail everything you need to modify and these changes can be made while in the GUI, you don't need to modify the XML file and load it back in. I'm not aware of any documents that detail everything that needs to be modified; the biggest change from a configuration standpoint is going to be the FIPS-CC cipher suites versus what you can utilize right now. You can preemptively align your ciphers with those that are allowed in FIPS-CC mode, but I'm not sure I'd take the time to do this preemptively versus just loading the saved configuration and working through the errors.
When you say work through the errors, is this something I can do on the firewall after importing the config file or do I have to edit the config file to fix the errors and then import again?
What I meant to say is 'if' there are any errors work through those during the commit phase.
