Enable FIPS and CC Mode; Enable FIPS Mode; Enable Common Criteria (CC) Mode - Cisco Firepower 4110 Preparative Procedures & Operational User Manual

Firepower 4100 Series; Firepower 9000 Series

Cisco Preparative Procedures & Operational User Guide

4.3 Enable FIPS and CC Mode

The system by default only supports SSH and HTTPS security protocols for management. Telnet and
HTTP are not supported for management and should not be enabled. SNMPv3 is supported but is not
permitted for management—only for sending SNMP traps. The system is required to support only the
cipher suites, version, and protocols claimed in the Security Target. HTTPS, TLS, and SSH connection
settings are configured automatically when CC and FIPS mode are enabled.

4.3.1 Enable FIPS Mode

1) From the FXOS CLI, enter the security mode:
scope system
scope security
2) Enable FIPS mode:
enable fips-mode
3) Commit the configuration:
commit-buffer
4) Reboot the system:
connect local-mgmt
reboot

IMPORTANT! Prior to FXOS release 2.0.1, the existing SSH host key created during
first-time setup of a device was set to 1024 bits. To comply with FIPS and Common Criteria
certification requirements, you must destroy this old host key and generate a new one using
the procedure detailed in Generate the SSH Host Key (see below). If you performed
first-time setup using FXOS 2.0.1 or later, you do not have to generate a new host key.
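
As an added check that is not part of the Cisco guide: the script below parses host-key lines in ssh-keyscan / known_hosts format and reports the RSA modulus size, so a leftover 1024-bit host key can be spotted from a management workstation. The 2048-bit floor, the function names and the sample addresses are assumptions, and the sample keys are constructed bit patterns, not real keys.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # assumed floor; the page only says a 1024-bit key is non-compliant

def _read_string(blob, off):  # one length-prefixed SSH "string" (RFC 4251)
    (length,) = struct.unpack_from(">I", blob, off)
    end = off + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end

def rsa_modulus_bits(b64_blob):
    """Return the modulus size in bits of a base64 ssh-rsa public key blob."""
    blob = base64.b64decode(b64_blob, validate=True)
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("not an ssh-rsa blob")
    _exponent, off = _read_string(blob, off)
    modulus, _ = _read_string(blob, off)
    return int.from_bytes(modulus, "big").bit_length()

def audit(lines, min_bits=MIN_RSA_BITS):
    """Check 'host keytype base64' lines (ssh-keyscan / known_hosts format)."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#") or parts[1] != "ssh-rsa":
            continue  # comments, short lines and non-RSA key types are skipped
        try:
            bits = rsa_modulus_bits(parts[2])
            status = "ok" if bits >= min_bits else "weak"
        except (ValueError, struct.error):
            bits, status = None, "unparseable"
        findings.append((parts[0], bits, status))
    return findings

def _constructed_line(host, bits):  # sample input only: bit pattern, not a real key
    def ssh_string(b):
        return struct.pack(">I", len(b)) + b
    def mpint(i):  # extra zero byte when the top bit is set keeps the mpint positive
        return ssh_string(i.to_bytes(i.bit_length() // 8 + 1, "big"))
    blob = ssh_string(b"ssh-rsa") + mpint(65537) + mpint((1 << (bits - 1)) | 1)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"

SAMPLE = [_constructed_line("192.0.2.10", 1024), _constructed_line("192.0.2.11", 2048)]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

To check a real device, pass `audit()` the lines collected from its SSH management interface in place of `SAMPLE`.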

4.3.2 Enable Common Criteria (CC) Mode

1) From the FXOS CLI, enter the security mode:
scope system
scope security
2) Enable CC mode:
enable cc-mode
3) Commit the configuration:
commit-buffer
4) Reboot the system:
connect local-mgmt
reboot
© 2016 Cisco Systems, Inc. All rights reserved.


This manual is also suitable for:

Firepower 4140, Firepower 4120, Firepower 9300
