The NGFW Engine contains the OpenSSL FIPS, SafeZone FIPS Cryptographic Module, NGFW Cryptographic Library, and NGFW Cryptographic Kernel Module. The modules run several self-tests when the Forcepoint NGFW appliance starts.
The modules perform these tests:
- Cryptographic algorithm known answer tests (KAT)
- Software integrity tests using HMAC or digital signature verification
- Conditional self-tests for CTR-DRBG
- Pair-wise consistency test (PCT) on generated RSA, DSA, and ECDSA keys
- File system integrity check using the SafeZone FIPS Cryptographic Module and HMAC
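An added example (not Forcepoint's code) of two of the test types listed above: an HMAC-SHA-256 known answer test and an HMAC-based software integrity test, where any failure stops the module from reporting success. The KAT vector is RFC 4231 test case 2; the module image, integrity key, and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Published known-answer vector: RFC 4231, test case 2 (HMAC-SHA-256).
KAT_KEY = b"Jefe"
KAT_MSG = b"what do ya want for nothing?"
KAT_EXPECTED = bytes.fromhex(
    "5bdcc146bf60754e6a042426089575c7"
    "5a003f089d2739839dec58b964ec3843"
)


class SelfTestError(Exception):
    """A self-test failed; the caller must not offer crypto services."""


def hmac_sha256(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def kat_hmac_sha256(mac=hmac_sha256) -> None:
    """KAT: a fixed key and message must produce the fixed, published MAC."""
    if not hmac.compare_digest(mac(KAT_KEY, KAT_MSG), KAT_EXPECTED):
        raise SelfTestError("HMAC-SHA-256 KAT mismatch")


def integrity_test(image: bytes, key: bytes, stored_mac: bytes) -> None:
    """Software integrity: recompute the HMAC over the module image."""
    if not hmac.compare_digest(hmac_sha256(key, image), stored_mac):
        raise SelfTestError("software integrity HMAC mismatch")


def power_on_self_test(image: bytes, key: bytes, stored_mac: bytes) -> bool:
    """Return True only if every test passes; any failure is an error state."""
    try:
        # This example runs the KAT first so that the integrity check
        # does not rely on an untested HMAC implementation.
        kat_hmac_sha256()
        integrity_test(image, key, stored_mac)
    except SelfTestError:
        return False
    return True


# Constructed sample data: a stand-in module image and integrity key.
SAMPLE_IMAGE = b"\x7fELF" + bytes(range(64))
SAMPLE_KEY = b"constructed-integrity-key"
SAMPLE_MAC = hmac_sha256(SAMPLE_KEY, SAMPLE_IMAGE)
```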
Table 1. OpenSSL FIPS self-tests

| Algorithm | Type |
| --- | --- |
| Software integrity | HMAC-SHA-256 |
| HMAC | KAT |
| AES | KAT |
| AES CCM | KAT |
| AES GCM | KAT |
| AES XTS | KAT |
| AES CMAC | KAT |
| TDES | KAT |
| TDES CMAC | KAT |
| RSA | KAT, PCT |
| DSA | KAT, PCT |
| ECDSA | KAT, PCT |
| DRBG | KAT, Continuous |
| Diffie-Hellman | KAT |
| EC Diffie-Hellman | KAT |
| SHA1 | KAT |
| SHA2 | KAT |
| SHA3 | KAT |
| KBKDF | KAT |
| PBKDF2 | KAT |

Table 2. NGFW Cryptographic Library self-tests

| Algorithm | Type |
| --- | --- |
| Software Integrity | HMAC-SHA-256 |
| AES | KAT |
| TDES | KAT |
| DSA | PCT |
| RSA | KAT, PCT |
| ECDSA | KAT, PCT |
| SHS | KAT |
| HMAC | KAT |
| DRBG | KAT, Continuous |
| Diffie-Hellman | KAT, PCT |
| EC Diffie-Hellman | KAT, PCT |

Table 3. NGFW Cryptographic Kernel Module self-tests

| Algorithm | Type |
| --- | --- |
| Software Integrity | HMAC-SHA-256 |
| AES | KAT |
| TDES | KAT |
| HMAC | KAT |
| SHA | KAT |

Table 4. SafeZone FIPS Cryptographic Module self-tests

| Algorithm | Type |
| --- | --- |
| Software integrity | ECDSA signature verification |
| HMAC | KAT |
| AES | KAT |
| AES CCM | KAT |
| AES GCM | KAT |
| AES XTS | KAT |
| AES CMAC | KAT |
| TDES | KAT |
| RSA | KAT, PCT |
| DSA | KAT, PCT |
| ECDSA | KAT, PCT |
| DRBG | KAT, Continuous |
| SHS | KAT |
| SHA-3 | KAT |
| KBKDF | KAT |

Check the self-test results in the console.
Next steps
- If the self-tests succeed, continue configuring the NGFW Engine.
- If the problem persists, reset the Forcepoint NGFW appliance to factory settings.