- play_arrow Overview
- play_arrow Configuring Administrative Credentials and Privileges
- play_arrow Configuring SSH and Console Connection
- play_arrow Configuring the Remote Syslog Server
- play_arrow Configuring Audit Log Options
- play_arrow Configuring Event Logging
- play_arrow Configuring VPNs
- play_arrow Configuring Security Flow Policies
- play_arrow Configuring Traffic Filtering Rules
- Overview
- Understanding Protocol Support
- Configuring Traffic Filter Rules
- Configuring Default Deny-All and Reject Rules
- Logging the Dropped Packets Using Default Deny-all Option
- Configuring Mandatory Reject Rules for Invalid Fragments and Fragmented IP Packets
- Configuring Default Reject Rules for Source Address Spoofing
- Configuring Default Reject Rules with IP Options
- Configuring Default Reject Rules
- play_arrow Configuring Network Attacks
- Configuring IP Teardrop Attack Screen
- Configuring TCP Land Attack Screen
- Configuring ICMP Fragment Screen
- Configuring Ping-Of-Death Attack Screen
- Configuring tcp-no-flag Attack Screen
- Configuring TCP SYN-FIN Attack Screen
- Configuring TCP fin-no-ack Attack Screen
- Configuring UDP Bomb Attack Screen
- Configuring UDP CHARGEN DoS Attack Screen
- Configuring TCP SYN and RST Attack Screen
- Configuring ICMP Flood Attack Screen
- Configuring TCP SYN Flood Attack Screen
- Configuring TCP Port Scan Attack Screen
- Configuring UDP Port Scan Attack Screen
- Configuring IP Sweep Attack Screen
- play_arrow Configuring the IDP Extended Package
- play_arrow Performing Self-Tests on a Device
- play_arrow Configuration Statements
- fips (FIPS)
- level (FIPS)
- checksum-validate
- code
- data-length
- destination-option
- extension-header
- header-type
- home-address
- identification
- icmpv6 (Security IDP Custom Attack)
- ihl (Security IDP Custom Attack)
- option-type
- reserved (Security IDP Custom Attack)
- routing-header
- sequence-number (Security IDP ICMPv6 Headers)
- type (Security IDP ICMPv6 Headers)
- play_arrow Operational Commands
ON THIS PAGE
Understanding Zeroization to Clear System Data for FIPS Mode
Zeroization completely erases all configuration information on the Routing Engine, including all plain-text passwords, secrets, and private keys for SSH, local encryption, local authentication, and IPsec.
The Crypto Officer initiates the zeroization process by entering
the request system zeroize operational command from the
CLI after enabling FIPS mode. Use of this command is restricted to
the Crypto Officer.
Use delete system-phone home command to delete all
phone-home related configurations.
Perform system zeroization with care. After the zeroization process is complete, no data is left on the Routing Engine. The device is returned to the factory default state, without any configured users or configuration files.
Zeroization can be time-consuming. Although all configurations are removed in a few seconds, the zeroization process goes on to overwrite all media, which can take considerable time depending on the size of the media.
Why Zeroize?
Your device is not considered a valid FIPS cryptographic module until all critical security parameters (CSPs) have been entered—or reentered—while the device is in FIPS mode.
For FIPS 140-2 compliance, you must zeroize the system to remove sensitive information before disabling FIPS mode on the device.
When to Zeroize?
As Crypto Officer, perform zeroization in the following situations:
Before Enabling FIPS mode of operation: To prepare your switch for operation as a FIPS cryptographic module, perform zeroization before enabling FIPS mode.
Before disabling FIPS mode of operation: To begin repurposing your switch for non-FIPS mode of operation, perform zeroization on the switch.
Note:Juniper Networks does not support installing non-FIPS software in a FIPS environment, but doing so might be necessary in certain test environments. Be sure to zeroize the system first.
