01-09-2010 06:25 AM
Does anybody have much experience of setting up a FIPS environment? I'm in the middle of trying to set up an NSMXpress, 2 SSG320s, 2 SA4500FIPS and an IDP75.
It seems that enabling FIPS on the NSMXpress means that it can only manage devices that are FIPS compliant and have FIPS enabled (correct me if I'm mistaken).
I originally got the NSM talking to the SA4500FIPS units (and when I was installing the NSM I set it to FIPS enabled). I was having difficulty getting the NSM to talk to our 2 SSG320M firewalls and it seems these need to be set to FIPS enabled to do this. I set FIPS enabled on one of the firewalls and it wiped the config and rebooted. Now the firewall can't be managed by the web browser and it's making things difficult. According to the documentation, to communicate with the firewalls I need to make a VPN to them. I'm really not sure what this means. Does it mean that I will onlly be able to manage the firewalls with the NSM? Can they no longer be managed with the web browser when they have FIPS enabled? Does the VPN need to be created between the NSM and the firewalls to manage them - if so is this pretty straightforward? Can I manage them with a web browser if there's some kind of VPN to the firewalls from my PC?? I'm finding it difficult to get hold of much documentation on FIPS relating to what I'm doing and hardly anybody seems to know anything about FIPS.
Any advice or opinions appreciated,
08-30-2013 02:13 PM
I'm going through the same scenario. ScreenOS firewall with FIPS enabled mean you can access via HTTP unless it's in a VPN tunnel which require you to have a VPN gateway between the host machine and the firewall. In my opinion, i recommend not to buy Juniper product when the next tech refresh cycle.