Understanding Configuration Limitations and Restrictions on Junos OS in FIPS Mode
In FIPS mode, a device operates as a nonmodifiable operational environment in which only files shipped as part of Junos OS can be executed.
In contrast to non-FIPS mode, Junos OS in FIPS mode:
Conforms to FIPS 140-2.
Requires special installation procedures.
Mandates the use of internal, manual IPsec tunnels with specific requirements.
Limits services used for remote access.
Allows only the use of approved ciphers.
Requires user logout on disconnect at the console.
Sets strict requirements for passwords.
Requires special system logging considerations.
Disables the following Junos OS protocols and services so that you cannot configure them. Attempts to configure these services or to load configurations with these services configured result in a configuration syntax error.
finger
FTP
rlogin
rsh
Telnet
Trivial File Transfer Protocol (TFTP)
Transport Layer Security (TLS) protocol
xnm-clear-text
If you try to load a configuration that includes statements not supported by Junos OS in FIPS mode, you see a warning message. For example, suppose you attempt to configure Telnet for remote access:
[edit]
crypto-officer:fips# set system services telnet
                                         ^
syntax error.
You receive the above syntax error and cannot add the system services telnet statement to the loaded configuration.
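A pre-flight check for the restrictions above, added here as an example and not Juniper's own code or tooling: it scans a set-format configuration for statements that name any of the services disabled in FIPS mode, so the offending lines can be removed before the configuration is loaded and rejected with the syntax error shown. The statement path for Telnet comes from the page; the tokens used to recognise the other services, and the sample configuration, are assumptions constructed for this example.

```python
import re
from typing import List, Tuple

# Services the page lists as disabled in FIPS mode, keyed by the token used to
# spot them in a set-format statement. Only "telnet" (system services telnet)
# is confirmed by the page; the other tokens are assumptions of this example.
FIPS_DISABLED_TOKENS = {
    "finger": "finger",
    "ftp": "FTP",
    "rlogin": "rlogin",
    "rsh": "rsh",
    "telnet": "Telnet",
    "tftp": "TFTP",
    "tls": "TLS",
    "xnm-clear-text": "xnm-clear-text",
}

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
set system host-name fips-router
set system services ssh
set system services telnet
set system services ftp
set system services xnm-clear-text
set system services xnm-ssl
"""


def _token_matches(token: str, candidate: str) -> bool:
    # Exact match, or the candidate is a hyphenated extension of the token
    # (e.g. a hypothetical "tftp-server"); avoids matching "xnm-ssl" for "xnm".
    return candidate == token or candidate.startswith(token + "-")


def fips_preflight(config_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, service, statement) for each set-statement that
    names a service which cannot be loaded in FIPS mode."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line.startswith("set "):
            continue  # comments, blank lines and non-set statements are ignored
        words = [w.lower() for w in re.split(r"\s+", line)]
        for token, service in FIPS_DISABLED_TOKENS.items():
            if any(_token_matches(token, w) for w in words):
                findings.append((lineno, service, line))
                break
    return findings
```

Run `fips_preflight(SAMPLE_CONFIG)` to list the Telnet, FTP and xnm-clear-text statements that a FIPS-mode device would refuse, while the ssh and xnm-ssl lines pass.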