
FIPS mode roadblock on Sonicwall TZ400w

Hi there,

We need to get our Sonicwall TZ400w in FIPS mode to be NIST 800-171 compliant (this is the last thing we need). What a pain... but we are so close. I've whittled it down to just two messages:

Admin or Users password can not be less than 8 characters

HTTP, SSH or SNMP Management is not allowed in FIPS mode

The issues are:

1. Our password policy is 11 characters or more, and all of our admin accounts are definitely at least 8 characters, as that is how we have it configured, which makes me think it has something to do with LDAP.

2. I have disabled HTTP, SSH, and SNMP in all interfaces and everywhere else I could possibly find.

So my questions are:

1. If LDAP is the problem, is there a way to allow the Firewall to see AD passwords? If not, are we just expected to have Sonicwall local user accounts for all of our users?? I can't imagine how companies with 1000s of employees using the VPN would go about this (luckily we are smaller). 

2. Where else could HTTP, SSH, or SNMP still be turned on / enabled in my firewall?

Thanks for any help and let me know if I can provide any additional info. 

Category: Entry Level Firewalls

Best Answer

  • Joey Newbie ✭ (Accepted Answer)

    Hello any future googlers that arrive here,

    I ended up solving both issues:

    HTTP, SSH or SNMP Management is not allowed in FIPS mode - Sonicwall support discovered it was actually port U0 that still had SSH enabled. I had to turn on 3G/4G/Modem settings and disable SSH and this got rid of that warning.

    Admin or Users password can not be less than 8 characters - I deleted all of our AD users and was able to turn on FIPS mode. I just re-added all of my AD users once FIPS mode was on and FIPS mode remained on!

    Thanks Sonicwall support and everyone's help on this!

Answers

  • Saravanan Moderator

    Hi @JOEY,

    Thank you for visiting SonicWall Community.

    Please check the VPN policies (Site to Site, GVC, SSLVPN) for HTTPS, HTTP, SSH or SNMP management options enabled. If you are using GMS or CSC or NSM for firewall management specifically, then there is a chance of access rules using the management services. Please verify the access rules too.

    You can import the users from LDAP onto the firewall, but you won't see the passwords assigned to the users, as they are invisible in the same way SonicWall displays them for the local user accounts.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Joey Newbie ✭

    Hi @Saravanan ,

    I appreciate the reply but even if I completely disable the VPN the warning still shows up and we are not using GMS, CSC, or NSM. I've looked through every access rule that involves SSH, SNMP, and HTTP and management is disabled on all of them.

    As for the LDAP issue - I understand I won't be able to see the passwords, but is there a way for the firewall to see them, so it can see that they are all at least 8 characters and get rid of the first warning?

    Thanks,

    Joey

  • TKWITS All-Knowing Sage ✭✭✭✭

    Did you see the requirements here?

    As far as management goes: even if you 'disable' an access rule for management, the rule still exists and something somewhere has it enabled. Check the MGMT interface, check IPv6 settings, etc. Also I believe that even if you have SNMP enabled on the unit, but not allowed on any interface, FIPS will complain.

    I don't think your LDAP is the problem, it would complain if it was. I'd check the Login Security section under Appliance \ Base Settings, and System Setup \ Users \ Local Users & Groups \ Settings \ Apply password constraints, and possibly System Setup \ Users \ Settings \ Authentication \ One time Password Complexity.

  • Joey Newbie ✭
    edited June 10

    Hi @TKWITS ,

    I appreciate your reply!

    I have seen that article many times, but unfortunately it doesn't help. It pretty much just tells me what I already know.

    Good idea checking IPv6 settings. Unfortunately, none of the management check boxes were checked and I even double checked our IPv4 interfaces and those were also only set to HTTPS and/or PING. I did already have SNMP disabled under Appliance \ SNMP.

    I like that you are confident that LDAP won't be the problem (any hope to keep LDAP is awesome). However, I checked out our current settings and we already had Apply password constraints checked in both locations. I did enable One Time Password Complexity, but this also did not get rid of the warnings.

    If you have any other ideas I am very much open to them (or if I misunderstood any of your instructions let me know). Thank you!

  • Vivek SonicWall Employee

    @Joey

    Hello,

    I am interested to see if there is something we can identify from the Technical Support Report to help you out.

    Could I recommend that you please create a ticket with SonicWall Support and DM me the case number?

    Thank You.

    Regards

    Vivek

  • Joey Newbie ✭

    Hi @Vivek,

    Appreciate the reply. I am not sure how to send a DM as I am new to this forum. I am guessing it isn't OK to send it in this thread?

  • Vivek SonicWall Employee

    Hi @Joey

    I hope these screenshots help you with the problem :)

    On the top right-hand side of the page, please select the Inbox mail icon.

    Select the compose icon.

    Send to Vivek.

  • Joey Newbie ✭

    @Vivek

    It looks like I may not have enough permissions to send a DM, as when I click on the icon I do not have the option to compose a message.

  • Vivek SonicWall Employee

    No problem @Joey - I'll message you directly from my side.

    Regards

    Vivek
