Enabling FIPS Mode


FIPS mode is not automatically enabled when you install Junos OS on the switch.

As Authorized Administrator, you must explicitly enable FIPS mode on the switch by setting the FIPS level to 1 (one), the FIPS 140-2 level at which EX Series switches are certified. A switch on which FIPS mode is not enabled has a FIPS level of 0 (zero).

Note

To transition to FIPS mode, passwords must be encrypted with a FIPS-compliant hash algorithm. The encryption format must be SHA-1 or higher. Passwords that do not meet this requirement, such as passwords that are hashed with MD5, must be reconfigured or removed from the configuration before FIPS mode can be enabled.

To enable FIPS mode in Junos OS on the switch:

  1. Enter configuration mode:
  2. Enable FIPS mode on the switch by setting the FIPS level to 1, and verify the level:
  3. Commit the configuration:

    Note

    If the switch terminal displays error messages about the presence of critical security parameters (CSPs), delete those CSPs, and then commit the configuration.

  4. Reboot the switch:

    During the reboot, the switch runs its Known Answer Tests (KATs) and then returns a login prompt:

    Log in to the switch. The CLI displays a banner followed by a prompt that includes “:fips”:

  5. After the reboot has completed, log in and use the show version local command to verify that FIPS mode is enabled.

Note

Use the local keyword with operational commands in FIPS mode, for example show version local and show system uptime local.
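The prerequisite in the note near the top (no MD5-hashed passwords left in the configuration) can be checked before step 2 rather than discovered at commit time. The following is an added example, not part of Juniper's documentation: it scans a constructed Junos configuration fragment for encrypted-password hashes and reports any whose crypt prefix is MD5 ($1$) or unrecognised; the $5$ (SHA-256) and $6$ (SHA-512) prefixes satisfy the SHA-1-or-higher requirement. The user names and hash bodies are placeholders.

```python
import re

# Constructed Junos configuration fragment (not from any real device); the
# salt/hash bodies are placeholders, only the crypt prefix "$N$" matters here.
SAMPLE_CONFIG = """\
system {
    root-authentication {
        encrypted-password "$6$PLACEHOLDERSALT$PLACEHOLDERHASH";
    }
    login {
        user admin {
            authentication {
                encrypted-password "$1$PLACEHOLDERSALT$PLACEHOLDERHASH";
            }
        }
        user auditor {
            authentication {
                encrypted-password "$5$PLACEHOLDERSALT$PLACEHOLDERHASH";
            }
        }
    }
}
"""

# Standard crypt(3) prefixes and the hash family each denotes.
HASH_FAMILIES = {"$1$": "MD5", "$5$": "SHA-256", "$6$": "SHA-512"}
# Families that meet the "SHA-1 or higher" requirement from the note above.
FIPS_ACCEPTABLE = {"SHA-256", "SHA-512"}

OWNER_RE = re.compile(r"^\s*(root-authentication|user\s+\S+)\s*\{")
PASSWORD_RE = re.compile(r'encrypted-password\s+"(\$[^$"]+\$)[^"]*"')


def find_non_fips_passwords(config_text):
    """Return (line_number, owner, hash_family) for every encrypted-password
    that would block enabling FIPS mode (step 2 above). Unknown prefixes are
    reported as "unknown" so they are reviewed rather than silently passed."""
    findings = []
    owner = None  # most recent root-authentication / user block seen
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        owner_match = OWNER_RE.match(line)
        if owner_match:
            owner = owner_match.group(1)
        pw_match = PASSWORD_RE.search(line)
        if not pw_match:
            continue
        family = HASH_FAMILIES.get(pw_match.group(1), "unknown")
        if family not in FIPS_ACCEPTABLE:
            findings.append((lineno, owner, family))
    return findings
```

Run it against the output of show configuration saved to a file; each reported line must be reconfigured with a SHA-based hash or removed before the FIPS level is set.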