
Enabling a Switch to FIPS Mode


FIPS mode is not automatically enabled when you install Junos OS on the switch.

As Crypto Officer, you must explicitly enable FIPS mode on the switch by setting the FIPS level to 1 (one), the FIPS 140-2 level at which EX Series switches are certified. A switch on which FIPS mode is not enabled has a FIPS level of 0 (zero).


To transition to FIPS mode, passwords must be encrypted with a FIPS-compliant hash algorithm. The encryption format must be SHA-1 or higher. Passwords that do not meet this requirement, such as passwords that are hashed with MD5, must be reconfigured or removed from the configuration before FIPS mode can be enabled.
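
A pre-check for the password requirement above, as an added example that is not part of the original Juniper documentation. It assumes the configuration has been saved as text in `display set` form and that the crypt-style prefix on each hash identifies its algorithm (`$1$` for MD5, `$sha1$`, `$5$`, `$6$`); the function names and the sample configuration are constructed for illustration.

```python
import re

# Assumption: crypt-style prefixes on the hash string identify the algorithm.
ALGORITHMS = {"$1$": "MD5", "$sha1$": "SHA-1", "$5$": "SHA-256", "$6$": "SHA-512"}
FIPS_OK = {"SHA-1", "SHA-256", "SHA-512"}  # "SHA-1 or higher", per the text above

# Matches the one-statement-per-line "display set" form of the configuration.
HASH_RE = re.compile(r'encrypted-password\s+"?([^";\s]+)"?')
USER_RE = re.compile(r'\buser\s+(\S+)')

def classify(hash_value):
    """Map a stored hash to an algorithm name by its prefix."""
    for prefix, name in ALGORITHMS.items():
        if hash_value.startswith(prefix):
            return name
    return "unknown"  # unrecognized formats are treated as non-compliant

def find_blocking_passwords(config_text):
    """Return (line_no, owner, algorithm) for each hash that is not FIPS-compliant."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = HASH_RE.search(line)
        if not m:
            continue
        algorithm = classify(m.group(1))
        if algorithm not in FIPS_OK:
            user = USER_RE.search(line)
            owner = user.group(1) if user else (
                "root" if "root-authentication" in line else "unknown")
            findings.append((line_no, owner, algorithm))
    return findings

# Constructed sample in "display set" form; the hash values are made up.
SAMPLE = '''\
set system host-name ex-lab
set system root-authentication encrypted-password "$1$Xy3kQ9ab$CONSTRUCTEDmd5hashvalue00"
set system login user admin class super-user
set system login user admin authentication encrypted-password "$6$rounds$CONSTRUCTEDsha512"
set system login user oper authentication encrypted-password "$sha1$19418$CONSTRUCTED$sha1value"
set system login user legacy authentication encrypted-password "$1$abcd$CONSTRUCTEDmd5hashvalue01"
'''

if __name__ == "__main__":
    for line_no, owner, algorithm in find_blocking_passwords(SAMPLE):
        print(f"line {line_no}: {owner} uses {algorithm}; "
              "reconfigure or remove before enabling FIPS mode")
```
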

To enable FIPS mode in Junos OS on the switch:

  1. Enter configuration mode:
  2. Enable FIPS mode on the switch by setting the FIPS level to 1, and verify the level:
  3. Commit the configuration:

    Note: If the switch terminal displays error messages about the presence of critical security parameters (CSPs), delete those CSPs, and then commit the configuration.

    For switches with a single Routing Engine:

  4. Reboot the switch:

    For switches with a single Routing Engine:

    During the reboot, the switch runs Known Answer Tests (KATs). It returns a login prompt:

    Log in to the switch. The CLI displays a banner that is followed by a prompt that includes “:fips”:

  5. After the reboot has completed, log in and use the show version local command to verify.