How to Enable and Configure Junos OS in FIPS Mode of Operation
You, as security administrator, can enable and configure Junos OS in FIPS mode of operation on your device.
To enable the Junos OS in FIPS mode of operation, perform the following steps:
- Enable the FIPS mode on the device.
  user@host# set system fips level 2
- Commit and reboot the device.
  user@host# commit
- Run the integrity and self-tests by powering on the device while the module is operating in FIPS mode.
- Configure IKEv2 when AES-GCM is used for encryption of IKE and/or IPsec.
  root@host# set security ike proposal <ike_proposal_name> encryption-algorithm ?
  Possible completions:
    aes-128-cbc          AES-CBC 128-bit encryption algorithm
    aes-128-gcm          AES-GCM 128-bit encryption algorithm
    aes-192-cbc          AES-CBC 192-bit encryption algorithm
    aes-256-cbc          AES-CBC 256-bit encryption algorithm
    aes-256-gcm          AES-GCM 256-bit encryption algorithm
  root@host# set security ike proposal <ike_proposal_name> encryption-algorithm aes-256-gcm
  root@host# set security ipsec proposal <ipsec_proposal_name> encryption-algorithm ?
  Possible completions:
    aes-128-cbc          AES-CBC 128-bit encryption algorithm
    aes-128-gcm          AES-GCM 128-bit encryption algorithm
    aes-192-cbc          AES-CBC 192-bit encryption algorithm
    aes-192-gcm          AES-GCM 192-bit encryption algorithm
    aes-256-cbc          AES-CBC 256-bit encryption algorithm
    aes-256-gcm          AES-GCM 256-bit encryption algorithm
  root@host# set security ipsec proposal <ipsec_proposal_name> encryption-algorithm aes-128-gcm
  root@host# set security ike gateway <gateway_name> version ?
  Possible completions:
    v1-only              The connection must be initiated using IKE version 1
    v2-only              The connection must be initiated using IKE version 2
  root@host# set security ike gateway <gateway_name> version v2-only
  root@host# commit
  commit complete
- Ensure that the backup image of the firmware is also a JUNOS-FIPS image by issuing the request system snapshot command.
The show configuration security ike and show configuration security ipsec commands display the approved and configured IKE/IPsec configuration for the device operating in FIPS-approved mode.
root@fipscc-vsrx3-c:fips> show version
Hostname: fipscc-vsrx3-c
Model: vSRX
Junos: 22.2R2.10
JUNOS OS Kernel 64-bit [20220817.0361d5f_builder_stable_12_222]
JUNOS OS libs [20220817.0361d5f_builder_stable_12_222]
JUNOS OS runtime [20220817.0361d5f_builder_stable_12_222]
JUNOS OS time zone information [20220817.0361d5f_builder_stable_12_222]
JUNOS network stack and utilities [20221105.194720_builder_junos_222_r2]
JUNOS libs [20221105.194720_builder_junos_222_r2]
JUNOS OS libs compat32 [20220817.0361d5f_builder_stable_12_222]
JUNOS OS 32-bit compatibility [20220817.0361d5f_builder_stable_12_222]
JUNOS libs compat32 [20221105.194720_builder_junos_222_r2]
JUNOS runtime [20221105.194720_builder_junos_222_r2]
JUNOS Simple Package [18.4I20180626_1521_tmfink]
JUNOS py extensions [20221105.194720_builder_junos_222_r2]
JUNOS py base [20221105.194720_builder_junos_222_r2]
JUNOS OS vmguest [20220817.0361d5f_builder_stable_12_222]
JUNOS OS crypto [20220817.0361d5f_builder_stable_12_222]
JUNOS OS boot-ve files [20220817.0361d5f_builder_stable_12_222]
JUNOS na telemetry [22.2R2.10]
JUNOS Web Management Platform Package [20221105.194720_builder_junos_222_r2]
JUNOS vsrx modules [20221105.194720_builder_junos_222_r2]
JUNOS publish subscribe base [20221105.194720_builder_junos_222_r2]
JUNOS srx libs compat32 [20221105.194720_builder_junos_222_r2]
JUNOS srx runtime [20221105.194720_builder_junos_222_r2]
JUNOS srx platform support [20221105.194720_builder_junos_222_r2]
JUNOS common platform support [20221105.194720_builder_junos_222_r2]
JUNOS vsrx runtime [20221105.194720_builder_junos_222_r2]
JUNOS Routing mpls-oam-basic [20221105.194720_builder_junos_222_r2]
JUNOS Routing lsys [20221105.194720_builder_junos_222_r2]
JUNOS Routing 32-bit Compatible Version [20221105.194720_builder_junos_222_r2]
JUNOS Routing aggregated [20221105.194720_builder_junos_222_r2]
JUNOS probe utility [20221105.194720_builder_junos_222_r2]
JUNOS pppoe [20221105.194720_builder_junos_222_r2]
JUNOS Openconfig [22.2R2.10]
JUNOS mtx network modules [20221105.194720_builder_junos_222_r2]
JUNOS modules [20221105.194720_builder_junos_222_r2]
JUNOS srx libs [20221105.194720_builder_junos_222_r2]
JUNOS L2 RSI Scripts [20221105.194720_builder_junos_222_r2]
JUNOS hsm [20221105.194720_builder_junos_222_r2]
JUNOS srx Data Plane Crypto Support [20221105.194720_builder_junos_222_r2]
JUNOS daemons [20221105.194720_builder_junos_222_r2]
JUNOS srx daemons [20221105.194720_builder_junos_222_r2]
JUNOS cloud libs [20221105.194720_builder_junos_222_r2]
JUNOS cloud init [20221105.194720_builder_junos_222_r2]
JUNOS SRX TVP AppQos Daemon [20221105.194720_builder_junos_222_r2]
JUNOS Extension Toolkit [20221105.194720_builder_junos_222_r2]
JUNOS Juniper Malware Removal Tool (JMRT) [1.0.0+20221105.194720_builder_junos_222_r2]
JUNOS Juniper Malware Removal Tool (JMRT) Test [1.0.0+20221105.194720_builder_junos_222_r2]
JUNOS J-Insight [20221105.194720_builder_junos_222_r2]
JUNOS jfirmware [20220922.092606_builder_junos_222_r2]
JUNOS Online Documentation [20221105.194720_builder_junos_222_r2]
JUNOS jail runtime [20220817.0361d5f_builder_stable_12_222]
JUNOS FIPS mode utilities [20221105.194720_builder_junos_222_r2]
JUNOS dsa dsa [22.2R2.10]
Junos debug agent [20221105.194720_builder_junos_222_r2]
The fips keyword next to the hostname in the output indicates that the module is operating in FIPS mode for Junos Software Release 22.2R2.
user@host-vSRX3.0:fips> show configuration security ike
proposal ike-proposal1 {
    authentication-method pre-shared-keys;
    dh-group group14;
    encryption-algorithm aes-256-gcm;
}
policy ike-policy1 {
    mode main;
    proposals ike-proposal1;
    pre-shared-key ascii-text "$9$Hq.5zF/tpBUj9Au0IRdbwsaZ"; ## SECRET-DATA
}
gateway gw1 {
    ike-policy ike-policy1;
    address 198.51.100.0;
    local-identity inet 203.0.113.0;
    external-interface ge-0/0/3;
    version v2-only;
}
user@host-vSRX3.0:fips> show configuration security ipsec
proposal ipsec-proposal1 {
    protocol esp;
    encryption-algorithm aes-128-gcm;
}
policy ipsec-policy1 {
    perfect-forward-secrecy {
        keys group14;
    }
    proposals ipsec-proposal1;
}
vpn vpn1 {
    bind-interface st0.0;
    ike {
        gateway gw1;
        ipsec-policy ipsec-policy1;
    }
}
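The two checks this page describes, the ":fips" prompt marker and the rule that AES-GCM in an IKE or IPsec proposal requires an IKEv2-only gateway, can be run offline over saved CLI output. The following is an added example, not Juniper code or a Junos API; the sample configuration text is constructed from the output shown above and the parser handles only the top-level "kind name { ... }" block shape used there.

```python
import re

# Constructed sample input, shaped like this page's "show configuration security ike"
# and "... ipsec" output (not a live capture from a device).
SAMPLE_IKE = """
proposal ike-proposal1 {
    authentication-method pre-shared-keys;
    dh-group group14;
    encryption-algorithm aes-256-gcm;
}
gateway gw1 {
    ike-policy ike-policy1;
    external-interface ge-0/0/3;
    version v2-only;
}
"""
SAMPLE_IPSEC = """
proposal ipsec-proposal1 {
    protocol esp;
    encryption-algorithm aes-128-gcm;
}
"""
GCM = {"aes-128-gcm", "aes-192-gcm", "aes-256-gcm"}

def parse_blocks(text):
    """Map (kind, name) -> {statement: value} for each top-level 'kind name { ... }' block."""
    blocks = {}
    for m in re.finditer(r"^(\w+)\s+(\S+)\s*\{(.*?)^\}", text, re.M | re.S):
        kind, name, body = m.groups()
        # Nested sub-blocks (e.g. perfect-forward-secrecy { ... }) contribute their leaf statements.
        blocks[(kind, name)] = dict(re.findall(r"^\s*([\w-]+)\s+([^;{]+);", body, re.M))
    return blocks

def prompt_in_fips_mode(prompt_line):
    """True when the CLI prompt carries the ':fips' marker this page says indicates FIPS mode."""
    return re.match(r"^\S+@\S+:fips[>#]", prompt_line) is not None

def fips_ike_findings(ike_text, ipsec_text):
    """List gateways that violate the page's rule: AES-GCM in use requires 'version v2-only'."""
    ike, ipsec = parse_blocks(ike_text), parse_blocks(ipsec_text)
    proposals = [b for (k, _), b in list(ike.items()) + list(ipsec.items()) if k == "proposal"]
    gcm_in_use = any(p.get("encryption-algorithm") in GCM for p in proposals)
    findings = []
    if gcm_in_use:
        for (kind, name), b in ike.items():
            if kind == "gateway" and b.get("version") != "v2-only":
                findings.append(f"gateway {name}: AES-GCM proposal configured but version is "
                                f"{b.get('version', 'unset')}, expected v2-only")
    return findings

if __name__ == "__main__":
    print(prompt_in_fips_mode("root@fipscc-vsrx3-c:fips> show version"))
    print(fips_ike_findings(SAMPLE_IKE, SAMPLE_IPSEC) or "no findings")
```

A gateway with no version statement is reported as "unset", since the page's step requires v2-only to be set explicitly when AES-GCM is configured.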