Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Understanding Configuration Limitations and Restrictions on Junos OS in FIPS Mode

In FIPS mode, a device operates as a nonmodifiable operational environment in which only files shipped as part of Junos OS can be executed.

In contrast to non-FIPS mode, Junos OS in FIPS mode:

Conforms to FIPS 140-2.
Requires special installation procedures.
Mandates the use of internal, manual IPsec tunnels with specific requirements.
Limits services used for remote access.
Allows only the use of approved ciphers.
Requires user logout on disconnect at the console.
Sets strict requirements for passwords.
Requires special system logging considerations.
Disables the following Junos OS protocols and services so that you cannot configure them. Attempts to configure these services or to load configurations with these services configured result in a configuration syntax error.
- finger
- FTP
- rlogin
- rsh
- Telnet
- Trivial File Transfer Protocol (TFTP)
- Transport Layer Security (TLS) protocol
- xnm-clear-text
If you try to load a configuration that includes statements not supported by Junos OS in FIPS mode, you see a warning message. For example, suppose you attempt to configure Telnet for remote access:
You receive the above syntax error and cannot add the system services telnet statement to the loaded configuration.