Understanding Configuration Limitations and Restrictions on Junos OS in FIPS Mode
In FIPS mode, an EX Series switch operates as a nonmodifiable operational environment in which only files shipped as part of Junos OS can be executed.
In contrast to non-FIPS mode, Junos OS in FIPS mode:
Conforms to FIPS 140-2.
Establishes a cryptographic boundary depending on the switch chassis type. On fixed-configuration chassis, the boundary is the switch case. On modular chassis, the boundary is the Routing Engine.
Requires special installation procedures.
Mandates the use of internal, manual IPsec tunnels with specific requirements.
Limits services used for remote access.
Allows only the use of approved ciphers.
Requires user logout on disconnect at the console.
Sets strict requirements for passwords.
Requires special system logging considerations.
Disables the following Junos OS protocols and services so that you cannot configure them. Attempts to configure these services or to load configurations with these services configured result in a configuration syntax error.
Trivial File Transfer Protocol (TFTP)
Transport Layer Security (TLS) protocol
If you try to load a configuration that includes statements not supported by Junos OS in FIPS mode, you see a warning message. For example, suppose you attempt to configure Telnet for remote access:crypto-officer@switch:fips# set system services telnet
You receive the following warning and cannot add the system services telnet statement to the loaded configuration:'telnet'warning: not allowed in JUNOS-FIPS; ignored