FIPS mode roadblock on Sonicwall TZ400w
Joey
Newbie ✭
Hi there,
We need to get our Sonicwall TZ400w in FIPS mode to be NIST 800-171 compliant (this is the last thing we need). What a pain... but we are so close. I've whittled it down to just two messages:
Admin or Users password can not be less than 8 characters
HTTP, SSH or SNMP Management is not allowed in FIPS mode
The issues are:
1. Our password policy is 11 characters or more and all of our admin accounts are definitely at least 8 characters as that is how we have it configured. Which makes me think it has something to do with LDAP.
2. I have disabled HTTP, SSH, and SNMP in all interfaces and everywhere else I could possibly find.
So my questions are:
1. If LDAP is the problem, is there a way to allow the Firewall to see AD passwords? If not, are we just expected to have Sonicwall local user accounts for all of our users?? I can't imagine how companies with 1000s of employees using the VPN would go about this (luckily we are smaller).
2. Where else could HTTP, SSH, or SNMP still be turned on / enabled in my firewall?
Thanks for any help and let me know if I can provide any additional info.
Best Answer
-
CORRECT ANSWERJoey
Newbie ✭
Hello any future googlers that arrive here,
I ended up solving both issues:
HTTP, SSH or SNMP Management is not allowed in FIPS mode - Sonicwall support discovered it was actually port U0 that still had SSH enabled. I had to turn on 3G/4G/Modem settings and disable SSH and this got rid of that warning.
Admin or Users password can not be less than 8 characters - I deleted all of our AD users and was able to turn on FIPS mode. I just re-added all of my AD users once FIPS mode was on and FIPS mode remained on!
Thanks Sonicwall support and everyone's help on this!
1
Answers
Hi @JOEY,
Thank you for visiting SonicWall Community.
Please check the VPN policies (Site to Site, GVC, SSLVPN) for HTTPS, HTTP, SSH or SNMP management options enabled. If you are using GMS or CSC or NSM for firewall management specifically, then there is a chance of access rules using the management services. Please verify the access rules too.
You can import the users from LDAP onto the firewall but you wont see the passwords assigned to the users as they are invisible like the way SonicWall display's it for the local user accounts.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Hi @Saravanan ,
I appreciate the reply but even if I completely disable the VPN the warning still shows up and we are not using GMS, CSC, or NSM. I've looked through every access rule that involves SSH, SNMP, and HTTP and management is disabled on all of them.
As for the LDAP issue - I understand I won't be able to see the passwords, but is there a way for the firewall to see them. So they can see that they are all at least 8 characters and get rid of the first warning?
Thanks,
Joey
Did you see the requirements here?
As far as management goes: even if you 'disable' an access rule for management, the rule still exists and something somewhere has it enabled. Check the MGMT interface, check IPv6 settings, etc. Also I believe that even if you have SNMP enabled on the unit, but not allowed on any interface, FIPS will complain.
I don't think your LDAP is the problem, it would complain if it was. I'd check the Login Security section under Appliance \ Base Settings, and System Setup \ Users \ Local Users & Groups \ Settings \ Apply password constraints, and possibly System Setup \ Users \ Settings \ Authentication \ One time Password Complexity.
Hi @TKWITS ,
I appreciate your reply!
I have seen that article many times, but unfortunately it doesn't help. It pretty much just tells me what I already know.
Good idea checking IPv6 settings. Unfortunately, none of the management check boxes were checked and I even double checked our IPv4 interfaces and those were also only set to HTTPS and/or PING. I did already have SNMP disabled under Appliance \ SNMP.
I like that you are confident that LDAP won't be the problem (any hope to keep LDAP is awesome). However, I checked out our current settings and we already had Apply password constraints checked in both location. I did enable One Time Password Complexity but this also did not get rid of the warnings.
If you have any other ideas I am very much open to them (or if I misunderstood any of your instructions let me know). Thank you!
@Joey
Hello,
I am interested to see if there is something we can identify from the Technical Support Report to help you out.
Could I recommend that you please create a ticket with SonicWall Support and DM me the case number ?
Thank You.
Regards
Vivek
Hi @Vivek,
Appreciate the reply. I am not sure how to send a DM as I am new to this forum. I am guessing it isn't OK to send it in this thread?
Hi @Joey
I hope these screenshots help you with the problem :)
On the Top right hand side of the page, please select the Inbox mail icon
Select the compose icon
send to Vivek
@Vivek
It looks like I maybe do not have enough permissions to send a DM as when I click on the icon I do not have the option to compose a message.
No problem @Joey - I'll message you directly from my side.
Regards
Vivek