Certifications
You can configure Sophos Firewall to use a cryptography library that is certified for the Federal Information Processing Standard 140-2 (FIPS 140-2) level 1.
FIPS 140-2 level 1
The Federal Information Processing Standard 140-2 (FIPS 140-2) level 1 is a public standard of the United States that defines security requirements for cryptographic modules.
Supported installations
Sophos Firewall supports the FIPS mode on the following installations:
- XGS Series hardware
- Virtual machines (VMware vSphere, Hyper-V, KVM, Xen)
- Cloud (AWS, Azure)
SFOS 18.5 MR2 to MR5 are FIPS-compliant.
Sophos Firewall doesn't support the FIPS mode on the following installations:
- Software
- XG and SG Series hardware
FIPS-compliant algorithms
These algorithms are available for VPN configurations on FIPS-compliant firewalls:
- DH groups: 14, 15, 16, 17, 18, 19, 20, and 21
- Encryption: AES256, AES128, AES192, 3DES
- RSA key: 1024, 1536, 2048, and higher strength. Only 1024, 1536, 2048, and 3072 are FIPS-compliant. However, Sophos Firewall allows you to select larger key sizes because they're stronger.
- EC curves: 192-bit and larger key sizes
- Authentication: SHA1, SHA256, SHA384, SHA512
How to turn on FIPS
To turn on the FIPS mode, go to the command-line interface (CLI) and enter the following command:
system fips enable
The firewall restarts with the factory configuration, and the cryptography module now becomes FIPS-compliant.
Warning
The restart replaces your current configuration with the factory default.
To turn the FIPS mode on with high availability (HA) deployments, turn on the FIPS mode first and then turn on HA.
Restriction
You can't turn FIPS on or off for devices for which HA is already turned on.
Backup and restore with FIPS
You can restore backups that have FIPS turned on or off on any compatible Sophos Firewall version. The following table shows how this affects the FIPS mode in the restored configuration.
| Backup type ▼ / Restore to ▶ | Firewall version that supports FIPS | Firewall version that doesn't support FIPS |
|---|---|---|
| FIPS was turned on | FIPS will be turned on | FIPS won't be available |
| FIPS was turned off | FIPS will be turned off | FIPS won't be available |
Firmware upgrades with FIPS
If you migrate or upgrade the firmware and then turn on FIPS, you can roll back to the previous version, where FIPS was turned off, because that configuration is still available.
On an active firmware with FIPS turned on, Sophos Firewall restricts the upload of firmware that doesn't support FIPS. If you still want to upload it, turn off the FIPS mode.
SFOS 18.5 MR2 to MR4 are FIPS-compliant. If you've turned on FIPS on one of these versions and are migrating to later versions, turn off the FIPS mode, then upgrade the firmware.
FIPS behavior
Sophos Firewall generates all the default policies with FIPS-compliant settings.
Usually, Sophos Firewall generates the default L2TP policy using MD5, but on FIPS-enabled devices, it uses SHA1, the minimum authentication algorithm FIPS requires.
VPN
When you turn on the FIPS mode, IPsec uses the FIPS-certified cryptography library for VPN tunnel establishments (phase 1). SSL VPN uses the FIPS-certified cryptography library to establish the phase 1 and phase 2 VPN tunnels.
To meet FIPS compliance, some encryption options aren't available.
IPsec VPN
- IPsec policies phase 1 and 2:
  - DH group: You can't select 1, 2, 5, 25, or 26 because they're not FIPS-certified. You can select 31 because the encryption is stronger than required, but your connection will then not be FIPS-compliant.
  - Encryption: You can't select Blowfish, Twofish, or Serpent.
  - Authentication: You can't select MD5.
- IPsec connections (Encryption > Authentication type):
  - RSA key: 1024, 1536, 2048, and higher strength. Only 1024, 1536, 2048, and 3072 are FIPS-compliant. However, Sophos Firewall allows you to select larger key sizes because they're stronger.
  - Digital certificate: You can use only FIPS-compliant certificates.
- IPsec wizard: Offers FIPS-compliant settings.
- IPsec (remote access) and L2TP (remote access): For authentication based on Digital certificate, you can use only FIPS-compliant certificates.
SSL VPN
VPN > Show VPN settings > SSL VPN:
- SSL server certificate: For authentication based on Digital certificate, you can use only FIPS-compliant certificates.
- Cryptography settings:
  - Encryption algorithm: You can't select BF-CBC.
  - Authentication algorithm: You can't select MD5.
  - Key size: You can't select 1024.
- SSL VPN (site-to-site): Sophos Firewall generates FIPS-compliant server and client configurations. If you download a server configuration from a FIPS-enabled device, you can't use it on versions earlier than 18.5 MR2 if the VPN configuration is password-protected, and vice versa.
Certificates and certificate authorities
In FIPS mode, Sophos Firewall generates certificates that are FIPS-compliant and FIPS-validated. Sophos Firewall uses a FIPS-certified cryptography library for the generation.
When you upload certificates or certificate authorities (CAs), Sophos Firewall validates them for a FIPS-compliant algorithm.
For digital certificates (local or remote), the restriction depends on the certificate type:
- You can't select MD5 digest.
- You can't select External CA as the remote certificate.
- RSA type: You can select 1024, 1536, 2048, and higher strength. Only 1024, 1536, 2048, and 3072 are FIPS-compliant. However, Sophos Firewall also allows you to select larger key sizes because they're stronger.
- EC curves: Prime field curves
  - 192-bit and larger key sizes are allowed.
  - Key sizes lower than 192 bits are disallowed.
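The following Python helper is an added example, not part of the Sophos documentation or product: it classifies IPsec policy settings and key sizes using the restriction lists from the FIPS-compliant algorithms, IPsec VPN, SSL VPN and certificate sections above, so you can audit a planned configuration before turning FIPS on. The function names and the `ssl_vpn` flag are assumptions of this example; a "non-compliant" result marks a setting the firewall lets you select even though the resulting connection isn't FIPS-compliant.

```python
# Added example: the sets below are taken from this page's restriction lists;
# function names and the ssl_vpn flag are assumptions, not Sophos APIs.

FIPS_DH_GROUPS = {14, 15, 16, 17, 18, 19, 20, 21}
BLOCKED_DH_GROUPS = {1, 2, 5, 25, 26}     # not selectable in FIPS mode
NONCOMPLIANT_DH_GROUPS = {31}             # selectable, but the connection isn't FIPS-compliant
FIPS_ENCRYPTION = {"AES128", "AES192", "AES256", "3DES"}
BLOCKED_ENCRYPTION = {"Blowfish", "Twofish", "Serpent"}
FIPS_AUTH = {"SHA1", "SHA256", "SHA384", "SHA512"}
BLOCKED_AUTH = {"MD5"}
FIPS_RSA_BITS = {1024, 1536, 2048, 3072}  # larger sizes are selectable but not FIPS-compliant
MIN_EC_BITS = 192                         # prime field curves below 192 bits are disallowed


def _classify(value, fips, blocked=frozenset(), noncompliant=frozenset()):
    """Return "blocked", "ok", "non-compliant" or "unknown" for one setting."""
    if value in blocked:
        return "blocked"
    if value in fips:
        return "ok"
    if value in noncompliant:
        return "non-compliant"
    return "unknown"  # not an option this page lists


def check_ipsec_policy(dh_group, encryption, authentication):
    """Classify the phase 1/phase 2 settings of one IPsec policy."""
    return {
        "dh_group": _classify(dh_group, FIPS_DH_GROUPS, BLOCKED_DH_GROUPS, NONCOMPLIANT_DH_GROUPS),
        "encryption": _classify(encryption, FIPS_ENCRYPTION, BLOCKED_ENCRYPTION),
        "authentication": _classify(authentication, FIPS_AUTH, BLOCKED_AUTH),
    }


def check_key(key_type, bits, ssl_vpn=False):
    """Classify an RSA or EC key size; ssl_vpn applies the SSL VPN rule that 1024 isn't selectable."""
    if key_type == "RSA":
        if ssl_vpn and bits == 1024:
            return "blocked"
        if bits in FIPS_RSA_BITS:
            return "ok"
        # Above 3072 the firewall offers the size but the key isn't FIPS-compliant;
        # anything else isn't an offered size.
        return "non-compliant" if bits > 3072 else "blocked"
    if key_type == "EC":
        return "ok" if bits >= MIN_EC_BITS else "blocked"
    raise ValueError(f"unsupported key type: {key_type!r}")


def is_fips_compliant(report):
    """True only when every classified setting is "ok"."""
    return all(status == "ok" for status in report.values())
```

Run `check_ipsec_policy(31, "AES256", "SHA256")` to see the case the page calls out: the policy is selectable, but `is_fips_compliant` returns False because DH group 31 isn't FIPS-compliant.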
High availability
You can turn on HA on FIPS-enabled devices. First, turn on FIPS on the primary device, then turn on HA. Sophos Firewall will then turn on FIPS for the secondary device automatically.
You can't turn on or off FIPS while HA is turned on for the devices.
If you turn off HA, the FIPS status doesn't change on any HA device.
Logging and reporting
The log viewer and reports show the change when you turn FIPS on or off.
More resources