
Understanding Configuration Limitations and Restrictions on Junos OS in FIPS Mode

 

In FIPS mode, an NFX150 device operates as a non-modifiable operational environment in which only files shipped as part of Junos OS can be executed.

In contrast to non-FIPS mode, Junos OS in FIPS mode:

  • Conforms to FIPS 140-2.

  • Requires special installation procedures.

  • Mandates the use of internal, manual IPsec tunnels with specific requirements.

  • Limits services used for remote access.

  • Allows only the use of approved ciphers.

  • Requires user logout on disconnect at the console.

  • Sets strict requirements for passwords.

  • Requires special system logging considerations.

  • Disables the following Junos OS protocols and services so that you cannot configure them. Attempts to configure these services or to load configurations with these services configured result in a configuration syntax error.

    • finger

    • FTP

    • rlogin

    • rsh

    • Telnet

    • Trivial File Transfer Protocol (TFTP)

    • Transport Layer Security (TLS) protocol

    • xnm-clear-text

    If you try to load a configuration that includes statements not supported by Junos OS in FIPS mode, you see a warning message. For example, suppose you attempt to configure Telnet for remote access:

    You receive the following warning and cannot add the system services telnet statement to the loaded configuration:
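A pre-load check for the restriction described above, as an added example that is not part of the original page or Juniper's code: it scans a candidate configuration for the disabled services before you load it on a device in FIPS mode. It assumes each service is configured as system services <keyword>, the form the page shows for telnet; the function name and the sample configuration are constructed for illustration.

```python
# Keywords from the page's disabled list. Assumption: each is configured as
# "system services <keyword>", the form the page shows for telnet. TFTP and
# TLS are omitted because the page gives no statement name for them.
FIPS_DISABLED = {"finger", "ftp", "rlogin", "rsh", "telnet", "xnm-clear-text"}


def find_disabled_services(config_text):
    """Return (line_number, service) pairs; accepts set or curly-brace format."""
    hits = []
    stack = []  # token lists of the enclosing curly-brace blocks
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "/*")):
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        opens_block = line.endswith("{")
        tokens = line.rstrip("{;").split()
        if tokens and tokens[0] == "set":
            tokens = tokens[1:]  # set-format lines carry the full path
        parents = [t for block in stack for t in block]
        full = parents + tokens
        # Report the line that names the service, not its child options.
        if (len(parents) <= 2 and len(full) >= 3
                and full[:2] == ["system", "services"]
                and full[2] in FIPS_DISABLED):
            hits.append((lineno, full[2]))
        if opens_block:
            stack.append(tokens)
    return hits


# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
system {
    services {
        ssh;
        telnet;
        ftp {
            connection-limit 5;
        }
    }
}
"""

if __name__ == "__main__":
    print(find_disabled_services(SAMPLE))
```

Running the check against a saved configuration file before loading it shows which lines to remove; the device itself remains the authority on what FIPS mode rejects.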