close
keyboard_arrow_left
Table of Contents
- play_arrow Overview
- Understanding the Common Criteria Evaluated Configuration
- Understanding Junos OS in FIPS Mode of Operation
- Understanding FIPS Mode of Operation Terminology and Supported Cryptographic Algorithms
- Configuring the Time and Date
- Configuring the User Session Idle Timeout
- Understanding Management Interfaces
- play_arrow Configuring Administrative Credentials and Privileges
- play_arrow Configuring Network Time Protocol
- play_arrow Configuring SSH and Console Connection
- play_arrow Configuring the Remote Syslog Server
- play_arrow Configuring Audit Log Options
- play_arrow Configuring Event Logging
- play_arrow Configuring VPNs
- play_arrow Configuring Security Flow Policies
- play_arrow Configuring Traffic Filtering Rules
- Overview
- Understanding Protocol Support
- Configuring Traffic Filter Rules
- Configuring Default Deny-All and Reject Rules
- Logging the Dropped Packets Using Default Deny-all Option
- Configuring Mandatory Reject Rules for Invalid Fragments and Fragmented IP Packets
- Configuring Default Reject Rules for Source Address Spoofing
- Configuring Default Reject Rules with IP Options
- Configuring Default Reject Rules
- play_arrow Configuring Network Attacks
- Configuring IP Teardrop Attack Screen
- Configuring TCP Land Attack Screen
- Configuring ICMP Fragment Screen
- Configuring Ping-Of-Death Attack Screen
- Configuring tcp-no-flag Attack Screen
- Configuring TCP SYN-FIN Attack Screen
- Configuring TCP fin-no-ack Attack Screen
- Configuring UDP Bomb Attack Screen
- Configuring UDP CHARGEN DoS Attack Screen
- Configuring TCP SYN and RST Attack Screen
- Configuring ICMP Flood Attack Screen
- Configuring TCP SYN Flood Attack Screen
- Configuring TCP Port Scan Attack Screen
- Configuring UDP Port Scan Attack Screen
- Configuring IP Sweep Attack Screen
- play_arrow Configuring the IDP Extended Package
- play_arrow Configuring Cluster Mode
- play_arrow Performing Self-Tests on a Device
- play_arrow Configuration Statements
- checksum-validate
- code
- data-length
- destination-option
- extension-header
- header-type
- home-address
- identification
- icmpv6 (Security IDP Custom Attack)
- ihl (Security IDP Custom Attack)
- option-type
- reserved (Security IDP Custom Attack)
- routing-header
- sequence-number (Security IDP ICMPv6 Headers)
- type (Security IDP ICMPv6 Headers)
- play_arrow Junos-FIPS Configuration Restrictions
list Table of Contents
How to Enable and Configure Junos OS in FIPS Mode of Operation
date_range
13-Sep-23
You, as security administrator, can enable and configure Junos OS in FIPS mode of operation on your device.
To enable the Junos OS in FIPS mode of operation, perform the following steps:
Enable the FIPS mode on the device.
user@host# set system fips level 2Commit and reboot the device.
user@host# commitRun integrity and self-tests on powering on the device when the module is operating in FIPS mode.
Configure IKEv2 when AES-GCM is used for encryption of IKE and/or IPSec.
content_copy zoom_out_maproot@host# set security ike proposal <ike_proposal_name> encryption-algorithm ? Possible completions: aes-128-cbc aes-128-gcm aes-192-cbc aes-256-cbc aes-256-gcm AES-CBC 128-bit encryption algorithm AES-GCM 128-bit encryption algorithm AES-CBC 192-bit encryption algorithm AES-CBC 256-bit encryption algorithm AES-GCM 256-bit encryption algorithm root@host# set security ike proposal <ike_proposal_name> encryption-algorithm aes-256-gcm root@host# set security ipsec proposal <ipsec_proposal_name> encryption-algorithm ? Possible completions: aes-128-cbc aes-128-gcm aes-192-cbc aes-192-gcm aes-256-cbc aes-256-gcm AES-CBC 128-bit encryption algorithm AES-GCM 128-bit encryption algorithm AES-CBC 192-bit encryption algorithm AES-GCM 192-bit encryption algorithm AES-CBC 256-bit encryption algorithm AES-GCM 256-bit encryption algorithm root@host# set security ipsec proposal <ipsec_proposal_name> encryption-algorithm aes-128-gcm root@host# set security ike gateway <gateway_name> version ? Possible completions: v1-only The connection must be initiated using IKE version 1 v2-only The connection must be initiated using IKE version 2 root@host# set security ike gateway <gateway_name> version v2-only root@host# commit commit complete
Ensure that the backup image of the firmware is also a JUNOS-FIPS image by issuing the
request system snapshotcommand.
Note:
The show configuration security ike and show configuration
security ipsec commands display the approved and configured IKE/IPsec
configuration for the device operating in FIPS-approved mode.
content_copy zoom_out_map
root@fipscc-vsrx3-c:fips> show version Hostname: fipscc-vsrx3-c Model: vSRX Junos: 22.2R2.10 JUNOS OS Kernel 64-bit [20220817.0361d5f_builder_stable_12_222] JUNOS OS libs [20220817.0361d5f_builder_stable_12_222] JUNOS OS runtime [20220817.0361d5f_builder_stable_12_222] JUNOS OS time zone information [20220817.0361d5f_builder_stable_12_222] JUNOS network stack and utilities [20221105.194720_builder_junos_222_r2] JUNOS libs [20221105.194720_builder_junos_222_r2] JUNOS OS libs compat32 [20220817.0361d5f_builder_stable_12_222] JUNOS OS 32-bit compatibility [20220817.0361d5f_builder_stable_12_222] JUNOS libs compat32 [20221105.194720_builder_junos_222_r2] JUNOS runtime [20221105.194720_builder_junos_222_r2] JUNOS Simple Package [18.4I20180626_1521_tmfink] JUNOS py extensions [20221105.194720_builder_junos_222_r2] JUNOS py base [20221105.194720_builder_junos_222_r2] JUNOS OS vmguest [20220817.0361d5f_builder_stable_12_222] JUNOS OS crypto [20220817.0361d5f_builder_stable_12_222] JUNOS OS boot-ve files [20220817.0361d5f_builder_stable_12_222] JUNOS na telemetry [22.2R2.10] JUNOS Web Management Platform Package [20221105.194720_builder_junos_222_r2] JUNOS vsrx modules [20221105.194720_builder_junos_222_r2] JUNOS publish subscribe base [20221105.194720_builder_junos_222_r2] JUNOS srx libs compat32 [20221105.194720_builder_junos_222_r2] JUNOS srx runtime [20221105.194720_builder_junos_222_r2] JUNOS srx platform support [20221105.194720_builder_junos_222_r2] JUNOS common platform support [20221105.194720_builder_junos_222_r2] JUNOS vsrx runtime [20221105.194720_builder_junos_222_r2] JUNOS Routing mpls-oam-basic [20221105.194720_builder_junos_222_r2] JUNOS Routing lsys [20221105.194720_builder_junos_222_r2] JUNOS Routing 32-bit Compatible Version [20221105.194720_builder_junos_222_r2] JUNOS Routing aggregated [20221105.194720_builder_junos_222_r2] JUNOS probe utility [20221105.194720_builder_junos_222_r2] JUNOS pppoe [20221105.194720_builder_junos_222_r2] JUNOS Openconfig [22.2R2.10] JUNOS mtx network modules [20221105.194720_builder_junos_222_r2] JUNOS modules [20221105.194720_builder_junos_222_r2] JUNOS srx libs [20221105.194720_builder_junos_222_r2] JUNOS L2 RSI Scripts [20221105.194720_builder_junos_222_r2] JUNOS hsm [20221105.194720_builder_junos_222_r2] JUNOS srx Data Plane Crypto Support [20221105.194720_builder_junos_222_r2] JUNOS daemons [20221105.194720_builder_junos_222_r2] JUNOS srx daemons [20221105.194720_builder_junos_222_r2] JUNOS cloud libs [20221105.194720_builder_junos_222_r2] JUNOS cloud init [20221105.194720_builder_junos_222_r2] JUNOS SRX TVP AppQos Daemon [20221105.194720_builder_junos_222_r2] JUNOS Extension Toolkit [20221105.194720_builder_junos_222_r2] JUNOS Juniper Malware Removal Tool (JMRT) [1.0.0+20221105.194720_builder_junos_222_r2] JUNOS Juniper Malware Removal Tool (JMRT) Test [1.0.0+20221105.194720_builder_junos_222_r2] JUNOS J-Insight [20221105.194720_builder_junos_222_r2] JUNOS jfirmware [20220922.092606_builder_junos_222_r2] JUNOS Online Documentation [20221105.194720_builder_junos_222_r2] JUNOS jail runtime [20220817.0361d5f_builder_stable_12_222] JUNOS FIPS mode utilities [20221105.194720_builder_junos_222_r2] JUNOS dsa dsa [22.2R2.10] Junos debug agent [20221105.194720_builder_junos_222_r2]
The fips keyword next to the hostname in the output
indicates that the module is operating in FIPS mode for Junos Software Release 22.2R2.
content_copy zoom_out_map
user@host-vSRX3.0:fips> show configuration security ike
proposal ike-proposal1 {
authentication-method pre-shared-keys;
dh-group group14;
encryption-algorithm aes-256-gcm;
}
policy ike-policy1 {
mode main;
proposals ike-proposal1;
pre-shared-key ascii-text "$9$Hq.5zF/tpBUj9Au0IRdbwsaZ"; ## SECRET-DATA
}
gateway gw1 {
ike-policy ike-policy1;
address 198.51.100.0;
local-identity inet 203.0.113.0;
external-interface ge-0/0/3;
version v2-only;
}content_copy zoom_out_map
user@host-vSRX3.0:fips> show configuration security ipsec
proposal ipsec-proposal1 {
protocol esp;
encryption-algorithm aes-128-gcm;
}
policy ipsec-policy1 {
perfect-forward-secrecy {
keys group14;
}
proposals ipsec-proposal1;
}
vpn vpn1 {
bind-interface st0.0;
ike {
gateway gw1;
ipsec-policy ipsec-policy1;
}
}