close

keyboard_arrow_left

Table of Contents Expand all

play_arrow Getting Started
- Get Started
- Log in to Apstra GUI
- Reset Apstra GUI Admin Password
play_arrow Blueprints
- Blueprint Summaries and Dashboard
- Freeform Blueprints Introduction
- Blueprint-Wide Search
- Create Blueprint
- Delete Blueprint
play_arrow Blueprint Analytics
- What are Blueprint Analytics
- play_arrow Dashboards
- play_arrow Anomalies
  - Anomalies (Analytics)
- play_arrow Probes
- play_arrow Predefined Reports
- play_arrow Root Causes
  - Root Causes
play_arrow Staged Datacenter Blueprints
- play_arrow Physical
  - play_arrow Build
  - play_arrow Topology
    - Topology (Datacenter)
  - play_arrow Nodes
  - play_arrow Links
    - Links (Datacenter)
    - play_arrow Add Links
    - play_arrow Cabling Map
    - play_arrow Link Speeds
    - play_arrow LAG
    - Update Tags on Link (Datacenter)
    - Change Assigned Link IP Addresses (Datacenter)
    - Update Link Properties
    - Fetch LLDP Data (Datacenter)
    - Delete Link (Datacenter)
  - play_arrow Interfaces
  - play_arrow Racks
  - play_arrow Pods
  - play_arrow Planes
- play_arrow Virtual
  - play_arrow Virtual Networks
  - play_arrow Routing Zones
  - play_arrow Static Routes
    - Static Routes (Virtual)
  - play_arrow Protocol Sessions
    - Protocol Sessions (Virtual)
  - play_arrow Virtual Infrastructure
- play_arrow Policies
  - play_arrow Endpoints
  - play_arrow Security Policies
    - Security Policies
  - play_arrow Interface Policies
    - Interface Policies
  - play_arrow Routing Policies
  - play_arrow Routing Zone Constraints
    - Routing Zone (VRF) Constraints
  - play_arrow Tenants
- play_arrow Data Center Interconnect (DCI)
  - play_arrow Integrated Interconnect
    - Integrated DCI (VXLAN Stitching)
  - play_arrow Over the Top or External Gateways
    - Data Center Interconnect Introduction
    - Data Center Interconnect (DCI) / Remote EVPN Gateways
  - play_arrow Settings
  - Update ESI MAC msb
- play_arrow Catalog
  - play_arrow Logical Devices
    - Export Logical Device
  - play_arrow Interface Maps
    - Import Interface Map
    - Delete Interface Map (Blueprint)
  - play_arrow Property Sets
  - play_arrow Configlets
  - play_arrow AAA Servers
    - AAA Servers (Datacenter Blueprint)
  - play_arrow Tags
- play_arrow Tasks
  - Tasks (Datacenter) Staged
- play_arrow Connectivity Templates
- play_arrow Fabric Settings
  - play_arrow Fabric Policy
  - play_arrow Severity Preferences
    - Update Severity Preferences
play_arrow Staged Freeform Blueprints
- Freeform Introduction
- play_arrow Blueprints
  - Export Freeform Blueprint
- play_arrow Physical
- play_arrow Resource Management
  - Resource Management Introduction (Freeform)
  - play_arrow Blueprint Resources
  - play_arrow Allocation Groups
    - Create Allocation Group (Freeform)
  - play_arrow Local Pools
    - Create Local Pool (Freeform)
    - Create Local Pool Generator (Freeform)
- play_arrow Catalog (Freeform)
  - play_arrow Config Templates
  - play_arrow Device Profiles
    - Import Device Profile (Freeform)
    - Delete Device Profile (Freeform)
  - play_arrow Property Sets
  - play_arrow Tags
- play_arrow Tasks
  - Tasks - Staged (Freeform)
play_arrow Uncommitted Blueprints
- Uncommitted Introduction
- Commit / Revert Changes to Blueprint
play_arrow Active Datacenter Blueprints
- Active (Datacenter Blueprint)
- play_arrow Topology (Active)
- Nodes (Active)
- Links (Active)
- Racks (Active)
- Pods (Active)
- Query
- Anomalies (Service)
play_arrow Time Voyager (Blueprints)
- Time Voyager Introduction
- Roll Back Blueprint Revision
- Keep Blueprint Revision
- Change Number of Saved Blueprint Revisions
- Update Blueprint Revision Description
- Delete Blueprint Revision
play_arrow Devices
- Device Configuration Lifecycle
- What are Managed Devices
- Add Managed Device
- Drain Device Traffic
- Upgrade Device NOS
- Device AAA
- play_arrow Device
- play_arrow Agent
  - What are System Agents
  - Create Onbox Agent
  - Create Offbox Agent
  - Update Agent
  - Uninstall Agent
  - Delete Agent
  - play_arrow Agent Profiles
  - Packages (Devices)
- play_arrow Pristine Config
  - Edit Pristine Config
  - Update Pristine Config from Device
- play_arrow Telemetry
  - Device Telemetry Services
- play_arrow Apstra ZTP
- play_arrow Device Profiles
play_arrow Design
- play_arrow Logical Devices
- play_arrow Interface Maps
- play_arrow Rack Types
- play_arrow Templates
- play_arrow Config Templates (Freeform)
  - Config Templates (Freeform Design)
- play_arrow Configlets (Datacenter)
- play_arrow Property Sets (Datacenter)
- play_arrow TCP/UDP Ports
- play_arrow Tags
play_arrow Resources
- What are Resources
- ASNs
- VNIs
- Integers
- IPv4 Addresses
- IPv6 Addresses
play_arrow Analytics - Telemetry
- Telemetry Services
- Telemetry Service Registry
- Create Telemetry Service Schema
- Telemetry Collection Statistics
- Telemetry Streaming
- Route Anomalies for a Host - Example
- Juniper Telemetry Commands
- Cisco Telemetry Commands
- Arista Telemetry Commands
- Linux Server Telemetry Command
- Debugging Telemetry
play_arrow Analytics - Flow
- play_arrow Apstra Flow Overview
  - Apstra Flow Introduction
  - System Requirements
- play_arrow Dashboards
  - Apstra Flow Dashboards
- play_arrow Supported Flow Records
- play_arrow Flow Enrichment
- play_arrow Monitor Apstra Flow
  - Metrics
- play_arrow Configuration Reference
- play_arrow API
  - API Endpoints Options
- play_arrow Additional Documentation
- play_arrow Knowledge Base
play_arrow Analytics - Exploratory Analytics
- QBA Exporatory Interface
play_arrow External Systems (RBAC Providers)
- play_arrow Providers
- play_arrow Provider Role Mapping
play_arrow Platform
- play_arrow User Management
  - User / Role Management Introduction
  - play_arrow Users
  - play_arrow Roles
- play_arrow Security
- play_arrow External Services
  - Syslog Configuration (Platform)
- play_arrow Streaming
  - Receivers (Platform)
  - Global Statistics (Platform)
- Event Log (Audit Log)
- Licenses
- play_arrow Apstra VM Clusters
- play_arrow Developers
- play_arrow Technical Support
- Check Apstra Versions and Patent Numbers
play_arrow Favorites & User
- Favorites & User
play_arrow Apstra Server Management
- Apstra Server Introduction
- Monitor Apstra Server via CLI
- Restart Apstra Server
- Reset Apstra Server VM Password
- Reinstall Apstra Server
- Apstra Database Overview
- Back up Apstra Database
- Restore Apstra Database
- Reset Apstra Database
- Migrate Apstra Database
- Replace SSL Certificate on Apstra Server with Signed One
- Replace SSL Certificate on Apstra Server with Self-Signed One
- Change Apstra Server Hostname
- FIPS 140-2 Support
play_arrow Apstra CLI Utility
- Install Apstra CLI Utility
- Apstra CLI Commands
play_arrow Guides
- 5-Stage Clos Architecture
- Juniper EVPN Support
- Extensible Telemetry Guide
- Intent-Based Analytics with apstra-cli Utility
- AOSOM-Streaming Guide
play_arrow References
- play_arrow Feature Matrix
  - Apstra 5.0.0 Feature Matrix
- play_arrow Devices
- play_arrow Blueprint Analytics
- Configlet Examples (Design)
- Apstra EVPN Support Addendum
- Apstra Server Configuration File
- Graph
- Juniper Apstra Tech Previews

list Table of Contents

English

keyboard_arrow_right

FIPS 140-2 Support

Release: Juniper Apstra 5.0

date_range 11-Dec-24

arrow_backward

arrow_forward

FIPS 140-2 Level 1 ensures that Apstra uses approved cryptographic algorithms, providing basic security without requiring advanced physical protections.

Overview of FIPS 140-2

FIPS 140-2 is a U.S. government standard that specifies security requirements for cryptographic modules. Implementing Level 1 ensures that Apstra uses approved cryptographic algorithms, providing basic security without requiring advanced physical protections.

Why FIPS 140-2 is Needed

Apstra handles sensitive data that must comply with regulatory standards for some users. Implementing FIPS 140-2 Level 1 ensures that our cryptographic operations meet these security requirements, giving users confidence in our data protection.

Default FIPS Mode

By default, Apstra operates with FIPS mode disabled to minimize disruption. You can manually enable FIPS mode using the CLI.

Enabling and Managing FIPS 140-2

You can manage FIPS mode with the following commands:

aos_fips enable – Enables FIPS mode on the Apstra VM.
aos_fips disable – Disables FIPS mode on the Apstra VM.
aos_fips status – Reports the status of FIPS mode, checking configurations such as Apstra config, SSH configuration, NGINX config, Docker containers, and OpenSSL settings.

Example Command:

To check the FIPS status, run:

aos_fips status

Sample output indicates whether FIPS mode is activated and which components are FIPS-enabled.

content_copy zoom_out_map
admin@aos-server:~$ aos_fips status 
Checking aos.config... 
  FIPS mode is activated 
Checking Docker Compose settings... 
  effective config is FIPS enabled 
Checking OpenSSL effective config on host... 
  effective config is FIPS enabled 
Checking Docker containers... 
  [5109bea58085][aos-uninstall-onbox-30e49774-10.28.212.15-j2] FIPS activated 
  [2295b59992c6][aos-uninstall-onbox-54b69f7d-10.28.212.13-j2] FIPS activated 
  [f6e3b4993c33][             aos_nginx_1] FIPS activated 
  [104caaddaf9c][        aos_controller_1] FIPS activated 
  [ebf916a27b15][             aos_sysdb_1] FIPS activated 
  [b11a6723bc26][              aos_auth_1] FIPS activated 
  [b893a2fb8c54][           aos_license_1] FIPS activated 
  [95c281aca3ee][            aos_metadb_1] FIPS activated 
Checking SSH server settings... 
  FIPS config found 
Checking SSH client settings... 
  FIPS config found 
Host smoke test... 
  FIPS is activated 
Checking NGINX config... 
  effective config is FIPS enabled 
Overall status: ENABLED 

Cluster Setup:

For clustered environments, FIPS mode must be enabled or disabled on all Apstra VMs in the cluster using the aos_fips enable or aos_fips disable command. The order of execution across VMs doesn't matter.

Upgrade Process

During an upgrade, the FIPS setting is preserved. The aos_fips enable command automatically runs post-upgrade to maintain FIPS mode, ensuring ongoing compliance.

FIPS 140-2 Implementations

Apstra has implemented FIPS 140-2 compliance across several components:

ZTP Server VM: Ensures secure cryptographic operations during device initialization in the Zero Touch Provisioning process.
Apstra Controller VM: Manages network orchestration, policy management, and device configuration securely, adhering to FIPS 140-2 standards for all cryptographic functions.
Apstra Worker VM: Handles secure data processing and communication tasks, ensuring all cryptographic operations meet FIPS 140-2 requirements.
Off-box Device Agents: Manages external devices with FIPS-compliant cryptographic communication between the agent and both the devices and the Controller VM.
On-box Device Agents:Operates directly on network devices, securing configurations and communications. Note that this compliance applies only to the agent; Apstra doesn't enable FIPS on the network operating system itself.

Note:

The underlying host operating system for these VMs and agents is not FIPS-140 enabled. This means the specific cryptographic modules within Apstra components are compliant, but the overall system security depends on the host environment.

arrow_backward PREVIOUS Change Apstra Server Hostname

NEXT arrow_forward Install Apstra CLI Utility

Juniper Apstra 5.0.1 / 5.0.0 User Guide

FIPS 140-2 Support

Stay in touch

Helped me install or use the product
Accelerated my deployment

Discuss the product with a co-worker
Make a purchase inquiry