Check the NGFW Engine self-tests

The NGFW Engine contains the OpenSSL FIPS, SafeZone FIPS Cryptographic Module, NGFW Cryptographic Library, and NGFW Cryptographic Kernel Module. The modules run several self-tests when the Forcepoint NGFW appliance starts.

The modules perform these tests:

Cryptographic algorithm known answer tests (KAT)
Software integrity tests using HMAC or digital signature verification
Conditional self-tests for CTR-DRBG
Pair-wise consistency test (PCT) on generated RSA, DSA, and ECDSA keys
File system integrity check using the SafeZone FIPS Cryptographic Module and HMAC

Table 1. OpenSSL FIPS self-tests
Algorithm	Type
Software integrity	HMAC-SHA-256
HMAC	KAT
AES	KAT
AES CCM	KAT
AES GCM	KAT
AES XTS	KAT
AES CMAC	KAT
TDES	KAT
TDES CMAC	KAT
RSA	KAT, PCT
DSA	KAT, PCT
ECDSA	KAT, PCT
DRBG	KAT, Continuous
Diffie-Hellman	KAT
EC Diffie-Hellman	KAT
SHA1	KAT
SHA2	KAT
SHA3	KAT
KBKDF	KAT
PBKDF2	KAT

Table 2. NGFW Cryptographic Library self-tests
Algorithm	Type
Software Integrity	HMAC-SHA-256
AES	KAT
TDES	KAT
DSA	PCT
RSA	KAT, PCT
ECDSA	KAT, PCT
SHS	KAT
HMAC	KAT
DRBG	KAT, Continuous
Diffie-Hellman	KAT, PCT
EC Diffie-Hellman	KAT, PCT

Table 3. NGFW Cryptographic Kernel Module self-tests
Algorithm	Algorithm
Software Integrity	HMAC-SHA-256
AES	KAT
TDES	KAT
HMAC	KAT
SHA	KAT

Table 4. SafeZone FIPS Cryptographic Module self-tests
Algorithm	Algorithm
Software integrity	ECDSA signature verification
HMAC	KAT
AES	KAT
AES CCM	KAT
AES GCM	KAT
AES XTS	KAT
AES CMAC	KAT
TDES	KAT
RSA	KAT, PCT
DSA	KAT, PCT
ECDSA	KAT, PCT
DRBG	KAT, Continuous
SHS	KAT
SHA-3	KAT
KBKDF	KAT

Check the self-test results in the console.

If a cryptographic self-test or the file system integrity check fails, an error message is shown on the console and the appliance is restarted automatically.
```
FIPS: OpenSSL self-tests FAILED, rebooting…
FIPS: rootfs integrity check FAILED, rebooting…
```

Next steps

If the self-tests succeed, continue configuring the NGFW Engine.
If the problem persists, reset the Forcepoint NGFW appliance to factory settings.