SonicWALL.com
Using FIPS Mode

FIPS Mode acts as a filtering system, allowing only FIPS Level 2-compliant SSL objects to be used for data transfer. Entering FIPS Mode is a two-step process: starting the FIPS Mode process and rebooting the device in FIPS Mode.

  1. Connect to the device using a serial management session and enter Privileged Mode.
    SSL-RX> enable
    SSL-RX#
     
  2. Enable FIPS operation.
    SSL-RX# fips enable
     
  3. A caution is displayed. Read the text carefully before replying to it.
    Enabling FIPS mode will cause a restart of the device.
    Entering FIPS mode will also change the behavior of the device.
     Only FIPS-approved algorithms are supported.
     Only FIPS-compliant servers can be used.
     Management is available only via the serial console.
     Passwords must be at least eight characters long.
     Firmware signature verification is enabled.
     Some commands are not supported.
    Are you sure you want to do this? (y/n) [n]
     
  4. The SSL device checks access- and enable-level passwords previously set, if any. The display reflects the state of current passwords:

Note: FIPS Mode passwords must be at least eight characters in length and are limited to a character set containing the alphabet, Arabic numerals, period (.), hyphen (-), underscore (_), and !@#$%^&*+=[]{};:<>?~ .

    • If no passwords had been set previously, this text is displayed:
      You need to provide an access-level password of at least 8 characters.
      Enter new password:
      Confirm password:
      You need to provide an enable-level password of at least 8 characters.
      Enter new password:
      Confirm new password:
       

Note: Passwords are not echoed to the screen. These passwords are not FIPS-specific and are prompted for when the device is used in normal operation.

    • If the previously set access-level password is not appropriate for FIPS Mode operation, the following text is displayed:
      Your current access-level password is not valid for FIPS mode.
      You need to provide an access-level password of at least 8 characters.
      Enter new password:
      Confirm password:
       
    • If the previously set enable-level password is not appropriate for FIPS Mode operation, the following text is displayed:
      Your current enable-level password is not valid for FIPS mode.
      You need to provide an access-level password of at least 8 characters.
      Enter new password:
      Confirm password:
       
    • If both the previously set access- and enable-level passwords are valid for FIPS Mode operation, no additional text is displayed.
  5. The device reboots and enters FIPS Mode. Enter the access-level password to control the device.
    Enter the access-level password:
     

Caution: If you cannot remember the passwords, you will not be able to view device status and statistics or configure the device. The only option is to use the “FailSafe” password as described in “Factory Default Reset Password”. All configuration will be lost!

  6. Use the enable-level password to enter Privileged Mode.
    Enter the enable-level password:
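The password note above gives the two rules the FIPS Mode prompts enforce: a minimum of eight characters, and a character set limited to letters, Arabic numerals, period, hyphen, underscore and !@#$%^&*+=[]{};:<>?~. The following Python pre-check is an added example, not code from SonicWALL or the device; it lets an operator verify both passwords before running fips enable, so the device does not reject them at the prompt after the restart has been committed. It assumes that "alphabet" means the ASCII letters A-Z and a-z, so accented or other non-ASCII letters are reported as disallowed.

```python
import string

# FIPS Mode password rules as stated in the SonicWALL note: at least eight
# characters, drawn only from letters, Arabic numerals, period, hyphen,
# underscore and the symbols !@#$%^&*+=[]{};:<>?~
# Assumption (not stated on the page): "alphabet" means ASCII A-Z and a-z.
FIPS_MIN_LENGTH = 8
FIPS_ALLOWED_CHARS = frozenset(
    string.ascii_letters + string.digits + "._-" + "!@#$%^&*+=[]{};:<>?~"
)


def fips_password_problems(password: str) -> list[str]:
    """Return the rule violations for a candidate password; an empty list means it is acceptable."""
    problems: list[str] = []
    if len(password) < FIPS_MIN_LENGTH:
        problems.append(
            f"too short: {len(password)} characters, need at least {FIPS_MIN_LENGTH}"
        )
    # Report every offending character once, so all of them are visible at a glance.
    disallowed = sorted({ch for ch in password if ch not in FIPS_ALLOWED_CHARS})
    if disallowed:
        problems.append(
            "disallowed characters: " + " ".join(repr(ch) for ch in disallowed)
        )
    return problems


def is_fips_password(password: str) -> bool:
    """True when the password satisfies both FIPS Mode rules."""
    return not fips_password_problems(password)


if __name__ == "__main__":
    # Constructed sample passwords for illustration only.
    samples = ["Rx-Admin_2024!", "short1", "has space here", "tab\there99", "Pässword1"]
    for candidate in samples:
        issues = fips_password_problems(candidate)
        print(f"{candidate!r}: {'OK' if not issues else '; '.join(issues)}")
```

Run it against both the access-level and the enable-level password before step 2 of the procedure; a space, tab or backslash is the usual reason an otherwise strong password is refused.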

Creating a Server in FIPS Mode

Creating and configuring server operations in FIPS Mode are nearly identical to those in normal operational modes. The differences are the following:

  • Only the FIPS security policy and security policies containing FIPS-approved algorithms can be used
  • Only FIPS-compliant servers can be used for data transfer (non-FIPS-compliant servers can be edited for FIPS compliance)

Follow the steps below to create a FIPS-compliant server.

  1. Connect to the SSL device using a serial management session, and enter Privileged, Configuration, and SSL Modes. Create a secure server named mySecServ.
    [FIPS] SSL-RX> enable
    [FIPS] SSL-RX# config
    [FIPS] config[SSL-RX]# ssl
    [FIPS] ssl-config[SSL-RX]# server mySecServ create
    [FIPS] ssl-server[mySecServ]#>
     
  2. Assign an IP address, key, certificate, and FIPS-compliant security policy.
    [FIPS] ssl-server[mySecServ]#> ip address 10.1.114.30
    [FIPS] ssl-server[mySecServ]#> key myOwnKey
    [FIPS] ssl-server[mySecServ]#> cert myOwnCert
    [FIPS] ssl-server[mySecServ]#> secpolicy fips
    [FIPS] ssl-server[mySecServ]#>
     
  3. Exit to Top Level Mode.
    [FIPS] ssl-server[mySecServ]#> finished
    [FIPS] SSL-RX#

You can create a security policy containing only the FIPS-approved algorithm you want to use. The following example demonstrates creating a security policy containing only the 3DES/SHA algorithm and editing a secure server to use the new user-defined security policy rather than the FIPS security policy.

  1. Connect to the SSL device using a serial management session, and enter Privileged, Configuration, and SSL Modes. Create a security policy named myFIPS.
    [FIPS] SSL-RX> enable
    [FIPS] SSL-RX# config
    [FIPS] config[SSL-RX]# ssl
    [FIPS] ssl-config[SSL-RX]# secpolicy myFIPS create
    [FIPS] ssl-secpolicy[myFIPS]#>
     
  2. Specify the 3DES/SHA cryptographic algorithm, and return to SSL Configuration Mode.
    [FIPS] ssl-secpolicy[myFIPS]#> crypto DES-CBC3-SHA
    [FIPS] ssl-secpolicy[myFIPS]#> exit
    [FIPS] ssl-config[SSL-RX]#>
     
  3. Enter Server Configuration Mode to edit the configuration of the server mySecServ to use the myFIPS security policy rather than the previously specified FIPS security policy.
    [FIPS] ssl-config[SSL-RX]#> server mySecServ
    [FIPS] ssl-server[mySecServ]#> secpolicy myFIPS
    [FIPS] ssl-server[mySecServ]#>
     
  4. Exit to Top Level Mode.
    [FIPS] ssl-server[mySecServ]# finished
    [FIPS] SSL-RX#
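The procedure above builds a user-defined policy from a single cipher name in OpenSSL form (DES-CBC3-SHA). When a policy is assembled from several such names, it helps to screen the candidate list before entering it, so that only FIPS-approved algorithms end up in the policy. The following Python screen is an added example, not code or a table from SonicWALL or the device: it classifies each name by its components and rejects any that contain an algorithm FIPS 140-2 never approved for TLS. The allow-list (AES or Triple-DES bulk cipher with a SHA-1 or SHA-2 MAC) and the list of non-approved markers are this example's own assumptions; the device's own policy validation is authoritative.

```python
# Assumed FIPS 140-2 classification of OpenSSL-style cipher names, the form the
# device uses (e.g. DES-CBC3-SHA). The tables below are this example's own
# assumption, not a list taken from the device or its documentation.
APPROVED_BULK = {"AES", "AES128", "AES256"}          # plus Triple-DES as DES-CBC3
APPROVED_MAC = {"SHA", "SHA256", "SHA384"}           # SHA-1 / SHA-2 HMAC
NON_APPROVED_MARKERS = {
    "RC4": "RC4 stream cipher",
    "MD5": "MD5 MAC",
    "NULL": "null cipher (no encryption)",
    "EXP": "export-grade key length",
    "EXP1024": "export-grade key length",
    "RC2": "RC2 block cipher",
    "IDEA": "IDEA block cipher",
    "ADH": "anonymous Diffie-Hellman (no server authentication)",
    "AECDH": "anonymous ECDH (no server authentication)",
}


def classify_cipher(name: str) -> tuple[bool, str]:
    """Return (approved, reason) for one OpenSSL-style cipher name."""
    tokens = name.upper().split("-")
    # Any explicitly non-approved component disqualifies the whole suite.
    for marker, why in NON_APPROVED_MARKERS.items():
        if marker in tokens:
            return False, why
    # Single DES appears as "DES-CBC-..."; Triple-DES as "DES-CBC3-...".
    for i in range(len(tokens) - 1):
        if tokens[i] == "DES" and tokens[i + 1] == "CBC":
            return False, "single DES (56-bit key)"
    triple_des = any(
        tokens[i] == "DES" and tokens[i + 1] == "CBC3" for i in range(len(tokens) - 1)
    )
    if not (triple_des or APPROVED_BULK & set(tokens)):
        return False, "bulk cipher not AES or Triple-DES"
    # The MAC is the last component of the name.
    if tokens[-1] not in APPROVED_MAC:
        return False, "MAC not SHA-1/SHA-2"
    return True, "AES or Triple-DES with SHA"


def filter_fips_policy(candidates: list[str]) -> tuple[list[str], dict[str, str]]:
    """Split candidate names into those usable in a FIPS policy and those rejected, with reasons."""
    approved: list[str] = []
    rejected: dict[str, str] = {}
    for name in candidates:
        ok, why = classify_cipher(name)
        if ok:
            approved.append(name)
        else:
            rejected[name] = why
    return approved, rejected


if __name__ == "__main__":
    # Constructed candidate list for illustration only.
    wanted = ["DES-CBC3-SHA", "AES128-SHA", "RC4-MD5", "EXP-DES-CBC-SHA", "NULL-SHA"]
    ok, bad = filter_fips_policy(wanted)
    print("usable in a FIPS policy:", ok)
    for name, why in bad.items():
        print(f"rejected {name}: {why}")
```

Each name in the approved list can then be given to the crypto command of the policy being created, as DES-CBC3-SHA is in step 2 above.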
