Install the NGFW Engine in FIPS mode

Use the NGFW Configuration Wizard to install the NGFW Engine in FIPS mode.

These steps are the high-level tasks. For complete installation instructions, see the Forcepoint Next Generation Firewall Installation Guide. Before upgrading, read the Forcepoint Next Generation Firewall Release Notes for the version you are upgrading to.

Note: NGFW appliances come with NGFW Engine software pre-installed. Before setting the NGFW Engine to use FIPS mode, upgrade the NGFW Engine software to the version that you want to use.

Steps

  1. Download the NGFW Engine software from https://support.forcepoint.com/Downloads, then validate the checksums.
    Note: Save the NGFW Engine upgrade .zip file to the root directory of the USB drive or DVD media.
    For information about obtaining the installation files, see the Forcepoint Next Generation Firewall Installation Guide.
  2. Upgrade the NGFW Engine software to the version that you want to use.
    1. In the NGFW Configuration Wizard, select Firewall/VPN as the role.
    2. Select Upgrade.
    3. In the Select Source Media dialog box, select the appropriate media type, then click OK.
      The software update signature is verified.
    4. Click OK.
      The upgrade starts.
    5. Select Set kernel in FIPS mode after reboot.
    6. Click OK.
    The NGFW appliance restarts and displays the upgraded version.
  3. Configure the NGFW Engine with the NGFW Configuration Wizard.
    Follow the normal process to define the NGFW Engine properties, with these exceptions:
    • Select FIPS-Compatible Operating Mode.

      This option enables the FIPS 140-2 cryptographic module.

    • (Optional) To use the cryptographic module updated for FIPS 140-3, select FIPS 140-3 Compatible Mode.
  4. To verify the FIPS-Approved mode of operation, check that the following messages are shown on the console when the NGFW appliance restarts:
    FIPS: rootfs integrity check OK

    This message confirms that the module's integrity test has been executed successfully.

    FIPS power-up tests succeeded

    This message confirms that the FIPS power-up self-tests have been executed successfully. If the power-up tests fail, a power-up test error message is shown and the module restarts.
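
The console check in step 4 can be scripted against a saved console capture. The following is an added example, not part of the Forcepoint documentation or software. It assumes the console output has been captured to text (for example, by a serial terminal log) and that the integrity message precedes the power-up test message within each boot, as listed in step 4. The function and sample names are hypothetical.

```shell
#!/bin/sh
# Added example (not Forcepoint code): check captured console text for the
# two FIPS start-up messages quoted in step 4. The capture method and the
# message order within one boot are assumptions.

MSG_INTEGRITY='FIPS: rootfs integrity check OK'
MSG_SELFTEST='FIPS power-up tests succeeded'

# Reads console text on stdin. Returns 0 only if both messages appear and the
# most recent power-up success follows the most recent integrity check, so a
# restart that never reported power-up success is not counted as a pass.
fips_boot_status() {
    tr -d '\r' | awk -v a="$MSG_INTEGRITY" -v b="$MSG_SELFTEST" '
        index($0, a) { integ++; last_a = NR }
        index($0, b) { self++;  last_b = NR }
        END {
            if (!integ) { print "FAIL: integrity message not found"; exit 1 }
            if (!self)  { print "FAIL: power-up test message not found"; exit 1 }
            if (last_b < last_a) {
                print "FAIL: latest boot shows no power-up test success"; exit 1
            }
            printf "PASS: %d integrity OK, %d power-up successes\n", integ, self
        }'
}

# Constructed sample capture: only the two FIPS strings come from step 4.
sample_good_log() {
    printf '%s\r\n' \
        '[constructed] appliance restarting' \
        'FIPS: rootfs integrity check OK' \
        'FIPS power-up tests succeeded'
}

# Constructed: an earlier boot passed, the latest one did not report success.
sample_restart_log() {
    sample_good_log
    printf '%s\r\n' \
        '[constructed] appliance restarting' \
        'FIPS: rootfs integrity check OK' \
        '[constructed placeholder for a power-up test error message]'
}

# Usage on a real capture: fips_boot_status < console.log
```

Because a failed power-up test makes the module restart, a capture can hold several boots; the check passes only when the latest one reported success.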