Enabling FIPS TZ370
gladmin
Newbie ✭
I understand that in order to toggle FIPS mode on the Firewall TZ370 specifically, we must do these first:
- Minimum password length in the Administration settings cannot be less than 8
- Admin or user passwords cannot be less than 8 characters
- LDAP cannot be enabled in FIPS mode without being protected by TLS
- LDAP cannot be enabled in FIPS mode without selecting 'Require valid certificate from server'
- LDAP cannot be enabled in FIPS mode without a valid local certificate for TLS
- RADIUS cannot be enabled with a shared secret shorter than 8 characters
- RADIUS cannot be enabled without being protected by IPSEC VPN
- When creating VPN tunnels, ensure ESP is enabled for IPSec.
- VPN Policy pre-shared key length must be longer than 8 characters.
- Use FIPS-approved encryption and authentication algorithms when creating VPN tunnels. The SonicWall UTM appliance supports the following FIPS-approved cryptographic algorithms:
  - AES (128, 192, and 256-bit) in CBC mode (Cert. #1200)
  - Triple-DES in CBC mode (Cert. #868)
  - SHA-1 (Cert. #1105)
  - DSA (Cert. #398)
  - RNG (Cert. #664)
  - RSA (Cert. #577)
  - HMAC-SHA-1 (Cert. #697)
- Only support IKE DH Group 14, 19, 20, 21 in FIPS mode
- Only support AES CBC for IKE Phase 1/2 Encryption in FIPS mode
- Only SHA-256 Authentication or higher is allowed in FIPS mode
- IKEv2 Dynamic Client Proposal in VPN advanced settings requires SHA-256 or higher
- IKEv2 Dynamic Client Proposal in VPN advanced settings requires AES
- IKEv2 Dynamic Client Proposal in VPN advanced settings requires DH Group 14, 19, 20, 21
- HTTP, SSH, and SNMP Management are not allowed in FIPS Mode.
- Do not enable Advanced Routing Services.
- Management via Group VPN is not allowed in FIPS mode.
- Bandwidth Management has to be on.
What I don't understand is how to find these specific settings within the firewall. Is there a tutorial to set up a basic (non-configured) firewall, for example, and plug in all these settings just to enable it? Thank you in advance.
Category: Entry Level Firewalls
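As an added example (not part of the original post and not SonicWall's own tooling), the checklist above can be turned into a pre-flight lint that is run against a configuration before FIPS mode is toggled, so each failing precondition is reported together rather than discovered one error at a time. The dictionary layout, key names and sample values below are assumptions made for illustration only, not SonicWall's export format or API; the constructed sample configuration deliberately violates most of the rules, and `remediated()` shows the same configuration with each item fixed.

```python
"""Pre-flight lint for the FIPS-mode preconditions listed in the post above.
The dictionary layout is a hypothetical, simplified model of a firewall
configuration chosen for illustration; it is NOT SonicWall's export format."""
import copy

FIPS_DH_GROUPS = {14, 19, 20, 21}             # IKE DH groups allowed in FIPS mode
FIPS_HASHES = {"SHA256", "SHA384", "SHA512"}   # "SHA-256 or higher"
MIN_LEN = 8                                    # passwords, RADIUS secrets, PSKs

def _check_proposal(label, prop, cbc_required=True):
    # DH group (when the proposal carries one), AES[-CBC] encryption, SHA-256+ auth
    out = []
    dh = prop.get("dh_group")
    if dh is not None and dh not in FIPS_DH_GROUPS:
        out.append(f"{label}: DH group {dh} not in {sorted(FIPS_DH_GROUPS)}")
    enc, want = prop["encryption"].upper(), "AES-CBC" if cbc_required else "AES"
    if not enc.startswith("AES") or (cbc_required and not enc.endswith("CBC")):
        out.append(f"{label}: encryption {prop['encryption']} is not {want}")
    if prop["auth"].upper().replace("-", "") not in FIPS_HASHES:
        out.append(f"{label}: authentication {prop['auth']} is below SHA-256")
    return out

def check_vpn_policy(name, pol):
    out = []
    if not pol.get("esp"):
        out.append(f"VPN {name}: ESP must be enabled for IPsec")
    if len(pol.get("psk", "")) <= MIN_LEN:        # must be *longer* than 8
        out.append(f"VPN {name}: pre-shared key must be longer than 8 characters")
    out += _check_proposal(f"VPN {name} IKE phase 1", pol["ike"])
    out += _check_proposal(f"VPN {name} IPsec phase 2", pol["ipsec"])
    if pol.get("group_vpn") and pol.get("management_via_sa"):
        out.append(f"VPN {name}: 'Management via this SA' must be disabled")
    return out

def fips_preflight(cfg):
    """Return every violated precondition; an empty list means ready to enable."""
    out = []
    if cfg["admin"]["min_password_length"] < MIN_LEN:
        out.append("Administration: minimum password length must be at least 8")
    out += [f"User {u}: password shorter than 8 characters"
            for u, pw in cfg["users"].items() if len(pw) < MIN_LEN]
    ldap = cfg.get("ldap", {})
    if ldap.get("enabled"):
        out += [f"LDAP: {why}" for key, why in (
            ("tls", "must be protected by TLS"),
            ("require_valid_server_cert", "'Require valid certificate from server' must be selected"),
            ("local_tls_cert", "a valid local certificate for TLS is required"),
        ) if not ldap.get(key)]
    radius = cfg.get("radius", {})
    if radius.get("enabled"):
        if len(radius.get("shared_secret", "")) < MIN_LEN:
            out.append("RADIUS: shared secret shorter than 8 characters")
        if not radius.get("over_ipsec"):
            out.append("RADIUS: must be protected by IPsec VPN")
    out += [f"Management: {p.upper()} is not allowed in FIPS mode"
            for p in ("http", "ssh", "snmp") if cfg["management"].get(p)]
    if cfg.get("advanced_routing"):
        out.append("Advanced Routing Services must be disabled")
    if not cfg.get("bandwidth_management"):
        out.append("Bandwidth Management must be on")
    for name, pol in cfg["vpn_policies"].items():
        out += check_vpn_policy(name, pol)
    out += _check_proposal("IKEv2 dynamic client proposal",   # post says "requires AES"
                           cfg["ikev2_dynamic_client"], cbc_required=False)
    return out

# Constructed sample (not a real export) that trips most of the rules above.
NONCOMPLIANT_CFG = {
    "admin": {"min_password_length": 6}, "users": {"admin": "s0nic!", "auditor": "longenough1"},
    "ldap": {"enabled": True, "tls": True, "require_valid_server_cert": False, "local_tls_cert": ""},
    "radius": {"enabled": True, "shared_secret": "short", "over_ipsec": False},
    "management": {"https": True, "http": True, "ssh": False, "snmp": True},
    "advanced_routing": True, "bandwidth_management": False,
    "ikev2_dynamic_client": {"dh_group": 2, "encryption": "AES-256-CBC", "auth": "SHA256"},
    "vpn_policies": {
        "site-to-hq": {"esp": True, "psk": "12345678",
                       "ike": {"dh_group": 5, "encryption": "AES-256-CBC", "auth": "SHA1"},
                       "ipsec": {"encryption": "3DES-CBC", "auth": "SHA256"}},
        "WANgroupVPN": {"esp": True, "psk": "correct-horse-battery", "group_vpn": True,
                        "ike": {"dh_group": 14, "encryption": "AES-128-CBC", "auth": "SHA-256"},
                        "ipsec": {"encryption": "AES-128-CBC", "auth": "SHA256"},
                        "management_via_sa": ["HTTPS"]},
    },
}

def remediated(cfg):
    """Copy of cfg with each modelled precondition fixed, to show a clean run."""
    c = copy.deepcopy(cfg)
    c["admin"]["min_password_length"], c["users"]["admin"] = 8, "Tr0ub4dor&3"
    c["ldap"].update(require_valid_server_cert=True, local_tls_cert="fw-ldap-client")
    c["radius"].update(shared_secret="r4d1us-l0ng-s3cret", over_ipsec=True)
    c["management"].update(http=False, snmp=False)
    c.update(advanced_routing=False, bandwidth_management=True)
    c["ikev2_dynamic_client"]["dh_group"] = 14
    hq = c["vpn_policies"]["site-to-hq"]
    hq["psk"], hq["ipsec"]["encryption"] = "hq-psk-longer-than-8", "AES-256-CBC"
    hq["ike"].update(dh_group=14, auth="SHA256")
    c["vpn_policies"]["WANgroupVPN"]["management_via_sa"] = []
    return c
```

Calling `fips_preflight(NONCOMPLIANT_CFG)` returns sixteen findings (the 8-character PSK fails because the rule is "longer than 8", the SHA-1 phase-1 proposal and the 3DES phase-2 proposal fail separately, and the WANgroupVPN policy fails only on its management-via-SA setting), while `fips_preflight(remediated(NONCOMPLIANT_CFG))` returns an empty list. The same structure applies to any other precondition the firewall reports when FIPS mode is toggled: add the key to the model and one more check.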
Answers
Hi @gladmin
We don't have an article on every option, but do you know if you are using any of the services mentioned, such as IPSEC VPN (client and site-to-site), LDAP, advanced routing, etc.?
Admin password settings are under the Device tab -> Administration -> Management.
If you are using LDAP, you can find the settings for it under Device -> Users -> Settings -> Configure LDAP.
All VPN settings are found in the VPN policies you have created (if you are using VPNs) under Network -> IPSec VPN -> Rules and Settings, and then in each VPN policy.
For "Management via Group VPN is not allowed in FIPS mode": this can be found in the same area as the VPN policies. The VPN policy is called WANgroupVPN; if you are using this and it is enabled, please edit the policy, go to the Advanced tab, and make sure anything under "Management via this SA" is disabled.
For advanced routing, this is located under Policy -> Routing Rules.
Again, it depends on whether you use/have these options already enabled or not. If the firewall is not configured, then I believe you should be good. Please try enabling FIPS and see if it gives you any errors based on the needed parameters.
I'm still having issues @TonyA
I'm sending you a private message now.
Thanks @gladmin
Just responded, let us know the results here after. :)