FIPS 140-2 Mode

FIPS (Federal Information Processing Standard) 140-2 is a U.S. government security standard for hardware and software cryptography modules. Modules validated against the standard assure government and other users that the cryptography in the system meets the standard.

The cryptographic libraries used in Forcepoint Web Security, including the Content Gateway component, have passed FIPS 140-2 Level 1 validation. For details on the cryptographic modules used and their FIPS certificates, see FIPS 140-2 with Forcepoint Appliances and Web Security.

By default, Content Gateway does not operate in FIPS 140-2 mode. Content Gateway still uses the FIPS-validated libraries, but it also allows cryptographic algorithms that are not supported by the FIPS 140-2 standard.

Administrators can configure Content Gateway to enforce FIPS 140-2 on HTTPS connections.

When FIPS is enabled:

  • HTTPS connections use TLSv1.1 and TLSv1.2.
  • HTTPS connections use FIPS 140-2 approved algorithms.
  • Content Gateway generates SHA-256 certificates in response to origin server certificate requests.

Warning: Once the FIPS 140-2 option is enabled, it cannot be disabled without completely reinstalling Content Gateway. If Content Gateway is on an appliance, the appliance must be reimaged.

Important:

FIPS 140-2 is not used for:

  • Traffic that flows through the cloud (Hybrid Module).
  • Traffic forwarded to Forcepoint Advanced Malware Detection.
  • Forcepoint Mobile Security.
  • IWA fallback to NTLM or Legacy NTLM user authentication.
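As an added verification aid that is not part of the Forcepoint documentation or product: the script below audits a constructed set of TLS session records (the log format, field names and client addresses are hypothetical) against the HTTPS constraints FIPS mode enforces, flagging sessions that negotiated a protocol other than TLSv1.1/TLSv1.2 or a cipher suite built from primitives that are not FIPS 140-2 approved. The list of non-approved cipher components is an assumption of this example, not taken from the page.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log (hypothetical format, not Content Gateway's own):
# one negotiated TLS session per line.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z client=10.0.0.5 proto=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384
2024-01-01T10:00:01Z client=10.0.0.6 proto=TLSv1 cipher=AES128-SHA
2024-01-01T10:00:02Z client=10.0.0.7 proto=TLSv1.2 cipher=ECDHE-RSA-CHACHA20-POLY1305
2024-01-01T10:00:03Z client=10.0.0.8 proto=TLSv1.1 cipher=DES-CBC3-SHA
2024-01-01T10:00:04Z client=10.0.0.9 proto=TLSv1.2 cipher=RC4-MD5
"""

# Protocol versions FIPS mode permits on HTTPS connections (from the page).
ALLOWED_PROTOCOLS = {"TLSv1.1", "TLSv1.2"}

# Cipher-suite name fragments that indicate a non-FIPS-approved primitive or
# a suite without authentication/encryption (assumed list, OpenSSL naming).
# "DES-CBC-" matches single DES only; 3DES suites are named "DES-CBC3-".
NON_FIPS_COMPONENTS = ("RC4", "MD5", "CHACHA20", "NULL", "EXP", "ADH", "AECDH", "DES-CBC-")

LINE_RE = re.compile(r"client=(?P<client>\S+)\s+proto=(?P<proto>\S+)\s+cipher=(?P<cipher>\S+)")


@dataclass
class Finding:
    client: str
    proto: str
    cipher: str
    reasons: list = field(default_factory=list)


def check_session(proto, cipher):
    """Return the reasons a session violates the FIPS-mode policy (empty if compliant)."""
    reasons = []
    if proto not in ALLOWED_PROTOCOLS:
        reasons.append(f"protocol {proto} not allowed")
    for bad in NON_FIPS_COMPONENTS:
        if bad in cipher.upper():
            reasons.append(f"cipher uses non-approved component {bad}")
    return reasons


def audit_log(text):
    """Parse session records and return a Finding for each non-compliant session."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not carry a session record
        reasons = check_session(m["proto"], m["cipher"])
        if reasons:
            findings.append(Finding(m["client"], m["proto"], m["cipher"], reasons))
    return findings


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f.client, f.proto, f.cipher, "; ".join(f.reasons))
```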