FIPS 140-2 Certification
I would love to use the Meraki full stack in my environment but the network is subject to LEIN audits every three years. Devices that pass criminal justice information are required to hold a valid FIPS 140-2 certificate. I have heard from many sources that Meraki is in the process of acquiring these certs. Does anyone know more?
Hi everyone. I am aware that this is an old post, but I believe it is relevant to share this here even for future reference.
Please refer to our Meraki Device to Cloud Connectivity - FIPS document, where we list all the certifications available at this moment.
Hope this helps
Eduardo Azevedo
I would like this too. It is a big holdup to being able to implement full stack Meraki in a Criminal Justice environment.
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
I haven't heard of any rumours of Meraki applying for FIPS140-2 compliance (to be specific, FIPS140-2 relates to VPN and crypto).
However the 15.x code train (not available to the public yet) has significant changes on the VPN side - and perhaps those changes might make FIPS140-2 possible.
One significant issue is that FIPS140-2 is given to specific software versions. This would mean you could not upgrade the firmware to maintain compliance. This kinda violates the whole Meraki principle where the software is kept up to date automatically for you.
The last part of this year is going to prove to be exciting in this area!
@PhilipDAth the encryption Meraki uses for its VPN tunnels is likely FIPS 140-2 compliant but getting the actual devices certified is what we'd be after. Cisco already does this with their ASA line of products and those have regular updates available. So I don't see why Cisco couldn't do this for its Meraki line of products as well. It cuts out a big chunk of law enforcement and criminal justice customers otherwise.
Adam,
Have you heard any more? I'm curious about this as well.
>Cisco already does this with their ASA line of products and those have regular updates available
Note that specific software releases are certified FIPS140-2 for the ASA. You can not just upgrade the ASA software and maintain your FIPS140-2 certification.
I have just heard a rumor...mind you it is just a rumor and is not substantiated at all, but I heard that Meraki devices will be on the FIPS 140-2 compliance list as soon as May of 2020.
I know it's not May yet but has anyone heard anything about the progress of FIPS?
Due to confidentiality and non-disclosure agreements, I cannot share the content of the signed letter I received from an SVP in Meraki. I can tell you that though the Meraki devices may not be on the FIPS compliancy list by May, the intent is to be by May.
Can you share the SVP name? Thanks!
Has anyone heard any new information on this? I know it's not May yet, but at least it's been two months 🙂
Since it is not May as you state, I have not heard anything more. I'm going to at least wait until then to start asking more questions.
It is May! I have been tracking this thread for at least a year, and now that we are here I wanted to see if there were updates.
In a previous life as an MSP, Meraki was a great solution. In my current role, we must have FIPS to purchase, and our ASAs are due for replacement.
Please tell me there is a solution, or if one is on the roadmap still and when. I would prefer to purchase Meraki over the others but need to have this in the pocket before I can.
From my rep at Meraki...
- FIPS 140-2 validation for AutoVPN network traffic has been delayed due to a software architectural issue with incorporating the FIPS validated object module that they were looking to use. As a result, we are looking at a minimum of 18 months before AutoVPN traffic will support FIPS 140-2 validation as they will likely have to certify a brand new hardware-based object module and this process alone takes around 12 months.
- While FIPS for AutoVPN has been delayed, this software limitation will not delay the roadmap for FedRAMP certification. Development efforts are now being focused on achieving FedRAMP in progress (and certification) by using this object module for Meraki control traffic (mtunnel).
So Fortinet it is.. who knows how long this next wait will be.. I can't risk further deployment of Meraki gear with this unknown not being handled in a reasonable amount of time.
Thank you for that. A ton.
Meraki is obviously not following this thread. I spent a lot of time looking for roadmaps and news. They don't want to say "FIPS, the concept breaks our system and putting that burden on every customer for the DoD / DOJ / etc isn't worth it, ever." They should say that.
Cisco should step up and say "ASA and Firepower are our platforms for customers who require FIPS."
I will also be giving up on this, I don't have 15 more months to hope that they support it.
That's your choice. I'll just continue to buy the cheapest FP1010 for FIPS and run Meraki everywhere else until Meraki gets up to speed. I love Meraki and their concepts. Now with the muscle of Cisco, I can wait. I'm patient.
I wish I was in that situation. We aren't in a place where we could run two solutions. 99% of our employees and data requires protection.
I see that the Cisco website shows version 16 of the MX firmware as compliant. I've only seen version 15 so far (beta).
Here is the page on the Cisco site showing version 16 as compliant:
Is there a "special" beta of version 16 available? Is it perhaps just for some particular physical models?
Thanks
We just need everyone to upgrade to 15.x, then it will become the new stable release, the 14.x train will be dropped, and 16.x will become the new public beta which everyone can use.
@martin-netx I see from that link that the next beta for wireless, switching and firewalling are all going to be FIPS compliant.
We're running 27.x on MRs, 14.x on MSs* and 15.x on MXs so if the rest of you all follow, as @PhilipDAth said, we'll have FIPS compliance all the sooner.
*Not on an L3 stack of 3x MS210s as it is sorely unstable on that configuration as of 14.10.
I'm really glad we held out for Meraki's FIPS compliancy. This is going to just make everything much nicer in my realm.
Thanks cmr,
I work for a Cisco partner and we run beta versions on most of our own Meraki kit already. Got quite a few customers running version 15 on the MX's too.
I've heard on the grapevine that only certain models of MX are going to be FIPS compliant. Don't know if this is down to the physical encryption processors in use. I'd be very happy to hear anything back from Meraki about this.
@martin-netx I'd think you'll be correct. I imagine some of the smaller older devices (MX64/65 etc.) will not be able to go to MX16 at all or perhaps only in a limited way.
From my Meraki rep,
Meraki MX450, MX250, and any MX6x will become FIPS compliant, but the rest of the MXs will not. So for instance, the MX84 will never be FIPS compliant.
Thanks LandrinLong,
Yeah those model numbers correspond with what I've heard. Shame about the MX84 and MX100 in particular.
For the MX84 and MX100, they are currently in development for replacements that will be FIPS 140-2 compliant that have similar price points and throughput, but the current MX84 and MX100 will not be unfortunately. At least that is what my reps and Cisco/Meraki engineers are telling me.
I'd hope the replacements are somewhat more performant for a similar cost, especially in terms of raw throughput as that would then be a worthwhile improvement.
