How to Enable and Configure Junos OS in FIPS Mode of Operation
To enable the Junos OS in FIPS mode of operation, perform the following steps:
-
Zeroize the device before enabling FIPS mode of operation. Zeroizing erases the configuration and all critical security parameters (CSPs) stored on the device.
user@host> request vmhost zeroize
On platforms that do not run a vmhost, the equivalent command is request system zeroize.
-
Enable the FIPS mode on the device.
user@host# set system fips level 2
-
Set the root password.
user@host# set system root-authentication plain-text-password
Enter and confirm the password when prompted. The password must satisfy the stricter password rules that FIPS mode enforces.
-
Commit the configuration. If the commit check reports CSPs that are not permitted in FIPS mode, delete them and commit again.
user@host# commit
-
Reboot the device. When it comes up in FIPS mode, the module runs its software integrity check and cryptographic self-tests; verify that they pass before placing the device in service.
-
Configure IKEv2 when AES-GCM is used for encryption of IKE and/or IPsec. The completion list shows the encryption algorithms available in FIPS mode.
user@host# set security ike proposal <ike_proposal_name> encryption-algorithm ?
Possible completions:
  aes-128-cbc          AES-CBC 128-bit encryption algorithm
  aes-128-gcm          AES-GCM 128-bit encryption algorithm
  aes-192-cbc          AES-CBC 192-bit encryption algorithm
  aes-256-cbc          AES-CBC 256-bit encryption algorithm
  aes-256-gcm          AES-GCM 256-bit encryption algorithm
user@host# set security ike proposal <ike_proposal_name> encryption-algorithm aes-256-gcm
user@host# set security ipsec proposal <ipsec_proposal_name> encryption-algorithm aes-128-gcm
user@host# set security ike gateway <gateway_name> version ?
Possible completions:
  v1-only              The connection must be initiated using IKE version 1
  v2-only              The connection must be initiated using IKE version 2
user@host# set security ike gateway <gateway_name> version v2-only
user@host# commit
commit complete
Ensure that the backup image of the firmware is also a JUNOS-FIPS image by issuing the request system snapshot command.
user@host> request system snapshot
The show configuration security ike and show configuration security ipsec commands display the approved and configured IKE/IPsec configuration for the device operating in FIPS-approved mode.
user@host-srx5400:fips> show version
Hostname: host-srx5400
Model: srx5400
Junos: 22.2R1.9
JUNOS OS Kernel 64-bit [20220607.2c547a1_builder_stable_12_222]
JUNOS OS libs [20220607.2c547a1_builder_stable_12_222]
JUNOS OS runtime [20220607.2c547a1_builder_stable_12_222]
JUNOS OS time zone information [20220607.2c547a1_builder_stable_12_222]
JUNOS network stack and utilities [20220617.153850_builder_junos_222_r1]
JUNOS libs [20220617.153850_builder_junos_222_r1]
JUNOS OS libs compat32 [20220607.2c547a1_builder_stable_12_222]
JUNOS OS 32-bit compatibility [20220607.2c547a1_builder_stable_12_222]
JUNOS libs compat32 [20220617.153850_builder_junos_222_r1]
JUNOS runtime [20220617.153850_builder_junos_222_r1]
Junos vmguest package [20220617.153850_builder_junos_222_r1]
JUNOS py extensions [20220617.153850_builder_junos_222_r1]
JUNOS py base [20220617.153850_builder_junos_222_r1]
JUNOS OS vmguest [20220607.2c547a1_builder_stable_12_222]
JUNOS OS crypto [20220607.2c547a1_builder_stable_12_222]
JUNOS OS boot-ve files [20220607.2c547a1_builder_stable_12_222]
JUNOS na telemetry [22.2R1.9]
JUNOS Web Management Platform Package [20220617.153850_builder_junos_222_r1]
JUNOS srx libs compat32 [20220617.153850_builder_junos_222_r1]
JUNOS srx runtime [20220617.153850_builder_junos_222_r1]
JUNOS Routing mpls-oam-basic [20220617.153850_builder_junos_222_r1]
JUNOS Routing lsys [20220617.153850_builder_junos_222_r1]
JUNOS Routing 32-bit Compatible Version [20220617.153850_builder_junos_222_r1]
JUNOS Routing aggregated [20220617.153850_builder_junos_222_r1]
Redis [20220617.153850_builder_junos_222_r1]
JUNOS probe utility [20220617.153850_builder_junos_222_r1]
JUNOS common platform support [20220617.153850_builder_junos_222_r1]
JUNOS srx platform support [20220617.153850_builder_junos_222_r1]
JUNOS Openconfig [22.2R1.9]
JUNOS mtx network modules [20220617.153850_builder_junos_222_r1]
JUNOS modules [20220617.153850_builder_junos_222_r1]
JUNOS srx modules [20220617.153850_builder_junos_222_r1]
JUNOS srx libs [20220617.153850_builder_junos_222_r1]
JUNOS L2 RSI Scripts [20220617.153850_builder_junos_222_r1]
JUNOS srx Data Plane Crypto Support [20220617.153850_builder_junos_222_r1]
JUNOS ike [20220617.153850_builder_junos_222_r1]
JUNOS daemons [20220617.153850_builder_junos_222_r1]
JUNOS srx daemons [20220617.153850_builder_junos_222_r1]
JUNOS High End AppQos Daemon [20220617.153850_builder_junos_222_r1]
JUNOS Services URL Filter package [20220617.153850_builder_junos_222_r1]
JUNOS Services TLB Service PIC package [20220617.153850_builder_junos_222_r1]
JUNOS Services Telemetry [20220617.153850_builder_junos_222_r1]
JUNOS Services TCP-LOG [20220617.153850_builder_junos_222_r1]
JUNOS Services SSL [20220617.153850_builder_junos_222_r1]
JUNOS Services SOFTWIRE [20220617.153850_builder_junos_222_r1]
JUNOS Services Stateful Firewall [20220617.153850_builder_junos_222_r1]
JUNOS Services RTCOM [20220617.153850_builder_junos_222_r1]
JUNOS Services RPM [20220617.153850_builder_junos_222_r1]
JUNOS Services PCEF package [20220617.153850_builder_junos_222_r1]
JUNOS Services NAT [20220617.153850_builder_junos_222_r1]
JUNOS Services Mobile Subscriber Service Container package [20220617.153850_builder_junos_222_r1]
JUNOS Services MobileNext Software package [20220617.153850_builder_junos_222_r1]
JUNOS Services Logging Report Framework package [20220617.153850_builder_junos_222_r1]
JUNOS Services LL-PDF Container package [20220617.153850_builder_junos_222_r1]
JUNOS Services Jflow Container package [20220617.153850_builder_junos_222_r1]
JUNOS Services Deep Packet Inspection package [20220617.153850_builder_junos_222_r1]
JUNOS Services IPSec [20220617.153850_builder_junos_222_r1]
JUNOS Services IDS [20220617.153850_builder_junos_222_r1]
JUNOS IDP Services [20220617.153850_builder_junos_222_r1]
JUNOS Services HTTP Content Management package [20220617.153850_builder_junos_222_r1]
JUNOS Services DNS Filter package (i386) [20220617.153850_builder_junos_222_r1]
JUNOS Services Crypto [20220617.153850_builder_junos_222_r1]
JUNOS Services Captive Portal and Content Delivery Container package [20220617.153850_builder_junos_222_r1]
JUNOS Services COS [20220617.153850_builder_junos_222_r1]
JUNOS AppId Services [20220617.153850_builder_junos_222_r1]
JUNOS Services Application Level Gateways [20220617.153850_builder_junos_222_r1]
JUNOS Services AACL Container package [20220617.153850_builder_junos_222_r1]
JUNOS Extension Toolkit [20220617.153850_builder_junos_222_r1]
JUNOS Packet Forwarding Engine Support (wrlinuxlts19) [20220617.153850_builder_junos_222_r1]
JUNOS Packet Forwarding Engine Support (spc3) [20220617.153850_builder_junos_222_r1]
JUNOS Packet Forwarding Engine Support (MX/EX92XX Common) [20220617.153850_builder_junos_222_r1]
JUNOS Packet Forwarding Engine Support (M/T Common) [20220617.153850_builder_junos_222_r1]
JUNOS Packet Forwarding Engine Support (MX Common) [20220617.153850_builder_junos_222_r1]
JUNOS Juniper Malware Removal Tool (JMRT) [1.0.0+20220617.153850_builder_junos_222_r1]
JUNOS J-Insight [20220617.153850_builder_junos_222_r1]
JUNOS jfirmware [20220608.110139_builder_junos_222_r1]
JUNOS Online Documentation [20220617.153850_builder_junos_222_r1]
JUNOS jail runtime [20220607.2c547a1_builder_stable_12_222]
JUNOS fips optest [22.2R1.9]
JUNOS FIPS mode utilities [20220617.153850_builder_junos_222_r1]
JUNOS dsa dsa [22.2R1.9]
The fips keyword next to the hostname in the prompt (user@host-srx5400:fips>) indicates that the module is operating in FIPS mode for Junos Software Release 22.2R1. The package list also includes the JUNOS fips optest and JUNOS FIPS mode utilities packages.
user@host-vSRX3.0:fips> show configuration security ike
proposal ike-proposal1 {
    authentication-method pre-shared-keys;
    dh-group group14;
    encryption-algorithm aes-256-gcm;
}
policy ike-policy1 {
    mode main;
    proposals ike-proposal1;
    pre-shared-key ascii-text "$9$Hq.5zF/tpBUj9Au0IRdbwsaZ"; ## SECRET-DATA
}
gateway gw1 {
    ike-policy ike-policy1;
    address 198.51.100.0;
    local-identity inet 203.0.113.0;
    external-interface ge-0/0/3;
    version v2-only;
}
user@host-vSRX3.0:fips> show configuration security ipsec
proposal ipsec-proposal1 {
    protocol esp;
    encryption-algorithm aes-128-gcm;
}
policy ipsec-policy1 {
    perfect-forward-secrecy {
        keys group14;
    }
    proposals ipsec-proposal1;
}
vpn vpn1 {
    bind-interface st0.0;
    ike {
        gateway gw1;
        ipsec-policy ipsec-policy1;
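The IKEv2/AES-GCM requirement above and the show configuration output that illustrates it can be checked mechanically before a commit. The following is an added example, not Juniper's code or anything shipped with Junos: a small Python lint that parses the text of show configuration security ike and show configuration security ipsec and flags (1) any proposal whose encryption algorithm is outside the FIPS-mode completion list shown on this page, (2) any gateway whose IKE policy references an AES-GCM proposal but is not version v2-only, and (3) any VPN whose IPsec policy references an AES-GCM proposal while its gateway is not v2-only. The function and variable names (parse_junos, blocks, fips_findings, GOOD_IKE, BAD_IKE, and so on) are mine; the sample configurations are constructed, one mirroring the page's output and one a deliberately broken variant with an IKEv1 gateway and a 3DES proposal; and treating an unset gateway version as not v2-only reflects the Junos default of IKEv1.

```python
# Added example (not Juniper's code): lint "show configuration security ike" / "show configuration
# security ipsec" text against the FIPS rules on this page. All sample configs below are constructed.
import shlex

# Encryption algorithms offered by the FIPS-mode "?" completion list on this page.
FIPS_ENC = {"aes-128-cbc", "aes-128-gcm", "aes-192-cbc", "aes-256-cbc", "aes-256-gcm"}

def parse_junos(text):
    """Junos curly-brace text -> nested dicts: "proposal p1 {" -> {"proposal p1": {...}},
    "dh-group group14;" -> {"dh-group": "group14"}; "## SECRET-DATA" annotations are dropped."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack[-1][line[:-1].strip()] = block = {}
            stack.append(block)
        else:
            toks = shlex.split(line.rstrip(";"))  # shlex keeps the quoted $9$ secret as one token
            stack[-1][toks[0]] = " ".join(toks[1:])
    return stack[0]

def blocks(node, kind):
    """Yield (name, body) for child blocks whose header starts with kind, e.g. 'gateway gw1'."""
    for key, val in node.items():
        if isinstance(val, dict) and key.startswith(kind + " "):
            yield key.split(None, 1)[1], val

def fips_findings(ike_text, ipsec_text):
    """Return violations as strings; an empty list means the IKE/IPsec config passes."""
    ike, ipsec = parse_junos(ike_text), parse_junos(ipsec_text)
    ike_enc = {n: b.get("encryption-algorithm", "") for n, b in blocks(ike, "proposal")}
    ipsec_enc = {n: b.get("encryption-algorithm", "") for n, b in blocks(ipsec, "proposal")}
    # "proposals p1;" or "proposals [ p1 p2 ];" -> list of proposal names
    ike_pol = {n: b.get("proposals", "").strip("[] ").split() for n, b in blocks(ike, "policy")}
    ipsec_pol = {n: b.get("proposals", "").strip("[] ").split() for n, b in blocks(ipsec, "policy")}
    gws = dict(blocks(ike, "gateway"))
    def gcm(table, props):  # does any referenced proposal use an AES-GCM algorithm?
        return any(table.get(p, "").endswith("-gcm") for p in props)
    out = []
    # Rule 1: every proposal must use an algorithm from the FIPS completion list.
    for scope, table in (("ike", ike_enc), ("ipsec", ipsec_enc)):
        out += [f"{scope} proposal {n}: '{e}' is not a FIPS-mode algorithm"
                for n, e in table.items() if e not in FIPS_ENC]
    # Rule 2: AES-GCM in the IKE proposal requires the gateway to be IKEv2-only.
    # An unset version is treated as not v2-only (Junos defaults to IKEv1).
    for gw, body in gws.items():
        if gcm(ike_enc, ike_pol.get(body.get("ike-policy", ""), [])) and body.get("version") != "v2-only":
            out.append(f"gateway {gw}: AES-GCM IKE proposal needs 'version v2-only' (found {body.get('version', 'unset')})")
    # Rule 3: AES-GCM in the IPsec proposal requires the VPN's gateway to be IKEv2-only.
    for vpn, body in blocks(ipsec, "vpn"):
        ref = body.get("ike", {})
        if gcm(ipsec_enc, ipsec_pol.get(ref.get("ipsec-policy", ""), [])) \
                and gws.get(ref.get("gateway", ""), {}).get("version") != "v2-only":
            out.append(f"vpn {vpn}: AES-GCM IPsec proposal needs gateway {ref.get('gateway')} set to 'version v2-only'")
    return out

# Constructed sample mirroring the page's compliant output.
GOOD_IKE = """
proposal ike-proposal1 {
    encryption-algorithm aes-256-gcm;
}
policy ike-policy1 {
    proposals ike-proposal1;
    pre-shared-key ascii-text "$9$Hq.5zF/tpBUj9Au0IRdbwsaZ"; ## SECRET-DATA
}
gateway gw1 {
    ike-policy ike-policy1;
    version v2-only;
}
"""
GOOD_IPSEC = """
proposal ipsec-proposal1 {
    protocol esp;
    encryption-algorithm aes-128-gcm;
}
policy ipsec-policy1 {
    proposals ipsec-proposal1;
}
vpn vpn1 {
    ike {
        gateway gw1;
        ipsec-policy ipsec-policy1;
    }
}
"""
# Constructed non-compliant variant: IKEv1 gateway with AES-GCM, plus a 3DES IPsec proposal.
BAD_IKE = GOOD_IKE.replace("version v2-only", "version v1-only")
BAD_IPSEC = GOOD_IPSEC.replace("proposals ipsec-proposal1;", "proposals [ ipsec-proposal1 ipsec-legacy ];") + """
proposal ipsec-legacy {
    encryption-algorithm 3des-cbc;
}
"""

if __name__ == "__main__":
    print("page config:", fips_findings(GOOD_IKE, GOOD_IPSEC) or "OK")
    print("broken config:", fips_findings(BAD_IKE, BAD_IPSEC))
```

Run against the page's configuration the lint returns no findings; against the broken variant it reports the 3DES proposal, the gw1 gateway still at v1-only, and vpn1 binding an AES-GCM IPsec proposal to that gateway. The parser deliberately keeps the $9$ pre-shared key as an opaque token so the lint can run over exported configuration without ever needing the cleartext secret.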