In order to comply with FIPS, I am considering purchasing hardware to run an RHEL server in FIPS mode as a firewall/gateway. I am very familiar with Linux, and not at all concerned about the difficulty of configuring RHEL to perform this function. I like that it has SELinux enabled by default and has a tool to switch the OS into FIPS mode; the binaries themselves are validated, which allows updating and patching. What I find very off-putting is the suggestion to use old FIPS-validated firmware on something as critical as this. There are two points I would also like to address below:
- The firewall only needs to have a FIPS-certified module and doesn't need to run in a validated manner. (This is entirely incorrect; I have heard in the industry that validation is mandatory.)
- You only need FIPS validation when CUI is unencrypted. (I am skeptical of this; from what I understand, even your firewall logs etc. will require FIPS. From my point of view, there seems to be no way to avoid having a FIPS-validated firewall at the border of your network.)
If a FIPS-validated, off-the-shelf firewall is unavoidable, which would be recommended? I am concerned about using Fortinet, as some of their PSIRTs tell you simply to upgrade your firmware, which would break validation. Preferably, I would like to patch as little as possible.