FIPS mode is not automatically enabled when you install
Junos OS on the switch.
As Crypto Officer, you must explicitly enable FIPS mode on the
switch by setting the FIPS level to 1 (one), the FIPS 140-2 level
at which EX Series switches and QFX Series switches are certified.
A switch on which FIPS mode is not enabled has a FIPS level of 0 (zero).
Note: To transition to FIPS mode, passwords must be hashed
with a FIPS-compliant hash algorithm. Passwords
that do not meet this requirement, such as passwords hashed
with MD5, must be reconfigured or removed from the configuration before
FIPS mode can be enabled.
To enable FIPS mode in Junos OS on the switch:
- Zeroize the switch to delete all CSPs before entering
FIPS mode.
- After the switch comes up in Amnesiac mode, log in on the
console with the username root and a blank password.
login: root
Password:
--- JUNOS 20.2R1-20200516 built 2020-05-29 04:12:22 UTC
root@:~ # cli
root>
- Configure root authentication with a password of at least 10
characters.
root@switch> edit
Entering configuration mode
[edit]
root@switch# set system root-authentication plain-text-password
New password:
Retype new password:
root@switch# commit
configuration check succeeds
commit complete
- Load the configuration on the switch and commit it.
- Configure the Crypto Officer user and log in with the Crypto Officer
credentials.
- Set the FIPS level of the chassis boundary by entering the
set system fips level 1
command followed by the commit command.
Note: The device might display warnings asking you to delete older CSPs
in the loaded configuration. Any encrypted-password must be reconfigured
to use a FIPS-compliant hash before the commit succeeds.
- After the CSPs have been deleted and reconfigured, the commit succeeds
and the switch must be rebooted to enter FIPS mode.
crypto-officer@switch# commit
configuration check succeeds
[edit]
'system'
warning: reboot is required to transition to FIPS level 1
commit complete
[edit]
crypto-officer@switch# run request system reboot
- After rebooting the switch, FIPS self-tests will run and
switch enters FIPS mode.
crypto-officer@switch:fips>
Note: In FIPS mode, use the local keyword with operational
commands. For example: show version local
and show system uptime local.
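The commit warning about older CSPs is easiest to deal with before you touch the switch. The following pre-flight check is an added example, not part of the Juniper documentation or of Junos OS: it reads a configuration saved in "display set" form, finds every encrypted-password, and flags the ones whose crypt prefix is MD5 ($1$), which is the format the page says must be reconfigured or removed before FIPS level 1 can be committed. SHA-256 ($5$) and SHA-512 ($6$) hashes pass; any other prefix (for example $sha1$) is reported for manual review because the page does not say whether it is accepted. The sample configuration, the user names and the hash bodies are constructed for illustration; the password-format check assumes the "set system login password format <algorithm>" statement, which is an assumption about the configuration being audited, not something the page states.

```python
#!/usr/bin/env python3
"""Pre-flight check before 'set system fips level 1' on a Junos switch.

Added example (not Juniper code). Scans a 'show configuration | display set'
dump for encrypted-password statements and classifies each hash by its
crypt(3) prefix: MD5 ($1$) will be rejected at commit in FIPS mode; SHA-256
($5$) and SHA-512 ($6$) are accepted; anything else is listed for review.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

MD5_PREFIX = "$1$"
FIPS_OK_PREFIXES = ("$5$", "$6$")  # sha256-crypt and sha512-crypt

# Matches: set <path> encrypted-password "<hash>"  (quotes are optional)
_PASSWORD_LINE = re.compile(
    r'^set\s+(?P<path>.+?)\s+encrypted-password\s+"?(?P<hash>[^"\s]+)"?\s*$'
)
# Assumed statement: set system login password format <algorithm>
_FORMAT_LINE = re.compile(r"^set\s+system\s+login\s+password\s+format\s+(\S+)\s*$")


@dataclass(frozen=True)
class Finding:
    path: str     # config path owning the hash, e.g. "system login user admin authentication"
    prefix: str   # crypt prefix such as "$1$", "$6$", "$sha1$"
    verdict: str  # "reject" (MD5), "ok" (SHA-256/512) or "review" (anything else)


def hash_prefix(h: str) -> str:
    """Return the '$id$' prefix of a crypt(3)-style hash."""
    parts = h.split("$")
    return f"${parts[1]}$" if len(parts) > 2 else h[:4]


def classify_hash(h: str) -> str:
    if h.startswith(MD5_PREFIX):
        return "reject"
    if h.startswith(FIPS_OK_PREFIXES):
        return "ok"
    return "review"


def audit_config(config_text: str) -> list[Finding]:
    """Collect one Finding per encrypted-password statement, in file order."""
    findings = []
    for raw in config_text.splitlines():
        m = _PASSWORD_LINE.match(raw.strip())
        if m:
            h = m.group("hash")
            findings.append(Finding(m.group("path"), hash_prefix(h), classify_hash(h)))
    return findings


def blocking_findings(findings: list[Finding]) -> list[Finding]:
    return [f for f in findings if f.verdict == "reject"]


def remediation_commands(findings: list[Finding]) -> list[str]:
    """Junos delete statements that remove each MD5 hash; the affected user is
    then re-keyed with plain-text-password so a compliant hash is stored."""
    return [f"delete {f.path} encrypted-password" for f in blocking_findings(findings)]


def password_format(config_text: str) -> str | None:
    """Configured hash format for new plain-text passwords, if the statement is present."""
    for raw in config_text.splitlines():
        m = _FORMAT_LINE.match(raw.strip())
        if m:
            return m.group(1)
    return None


# Constructed sample: hash bodies are placeholders, not real credentials.
SAMPLE_CONFIG = """\
set system login password format sha512
set system root-authentication encrypted-password "$6$rEdactEd$constructedsha512sample"
set system login user admin class super-user
set system login user admin authentication encrypted-password "$1$aBcDeFgH$constructedmd5sample"
set system login user crypto-officer class super-user
set system login user crypto-officer authentication encrypted-password "$5$rounds=5000$constructedsha256"
set system login user legacy class read-only
set system login user legacy authentication encrypted-password "$sha1$19000$constructedsha1sample"
"""

if __name__ == "__main__":
    results = audit_config(SAMPLE_CONFIG)
    for f in results:
        print(f"{f.verdict:6} {f.prefix:7} {f.path}")
    print("password format:", password_format(SAMPLE_CONFIG))
    for cmd in remediation_commands(results):
        print("fix:", cmd)
```

Run it against a saved "display set" dump instead of SAMPLE_CONFIG and apply the emitted delete statements, then re-create each affected user with plain-text-password, before entering set system fips level 1 and commit. If password_format returns md5 (or None on a release whose default you have not confirmed), set a SHA-2 format first, otherwise the freshly re-keyed passwords would be rejected again.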