How to Enable and Configure Junos OS in FIPS Mode of Operation
To enable the Junos OS in FIPS mode of operation, perform the following steps:
- Enable FIPS mode on the device.
  user@host# set system fips level 2
- Set the root password.
  user@host# set system root-authentication plain-text-password
  Enter a password when prompted.
- Commit the configuration, and remove any critical security parameters (CSPs) that the commit check reports as not permitted in FIPS mode.
  user@host# commit
- After you reboot the device, perform the integrity check and self-tests with the module operating in FIPS mode.
- Configure IKEv2 when AES-GCM is used for encryption of IKE and/or IPsec.
  [edit]
  user@host# set security ike proposal <ike_proposal_name> encryption-algorithm ?
  Possible completions:
    aes-128-cbc          AES-CBC 128-bit encryption algorithm
    aes-128-gcm          AES-GCM 128-bit encryption algorithm
    aes-192-cbc          AES-CBC 192-bit encryption algorithm
    aes-256-cbc          AES-CBC 256-bit encryption algorithm
    aes-256-gcm          AES-GCM 256-bit encryption algorithm
  user@host# set security ike proposal <ike_proposal_name> encryption-algorithm aes-256-gcm
  user@host# set security ipsec proposal <ipsec_proposal_name> encryption-algorithm aes-128-gcm
  user@host# set security ike gateway <gateway_name> version ?
  Possible completions:
    v1-only              The connection must be initiated using IKE version 1
    v2-only              The connection must be initiated using IKE version 2
  user@host# set security ike gateway <gateway_name> version v2-only
  user@host# commit
  commit complete
Ensure that the backup image of the firmware is also a JUNOS-FIPS image by issuing the request system snapshot command.
The show configuration security ike and show configuration security ipsec commands display the approved and configured IKE/IPsec configuration for a device operating in FIPS approved mode. The following show version output is from a vSRX operating in FIPS mode:

root@host-vsrx:fips> show version
Hostname: host-vsrx
Model: vSRX
Junos: 22.2R2-S2.3
JUNOS OS Kernel 64-bit [20230120.775b907_builder_stable_12_222]
JUNOS OS libs [20230120.775b907_builder_stable_12_222]
JUNOS OS runtime [20230120.775b907_builder_stable_12_222]
JUNOS OS time zone information [20230120.775b907_builder_stable_12_222]
JUNOS OS libs compat32 [20230120.775b907_builder_stable_12_222]
JUNOS OS 32-bit compatibility [20230120.775b907_builder_stable_12_222]
JUNOS py extensions [20230225.062510_builder_junos_222_r2_s2]
JUNOS py base [20230225.062510_builder_junos_222_r2_s2]
JUNOS OS vmguest [20230120.775b907_builder_stable_12_222]
JUNOS OS crypto [20230120.775b907_builder_stable_12_222]
JUNOS OS boot-ve files [20230120.775b907_builder_stable_12_222]
JUNOS network stack and utilities [20230225.062510_builder_junos_222_r2_s2]
JUNOS libs [20230225.062510_builder_junos_222_r2_s2]
JUNOS libs compat32 [20230225.062510_builder_junos_222_r2_s2]
JUNOS runtime [20230225.062510_builder_junos_222_r2_s2]
JUNOS na telemetry [22.2R2-S2.3]
JUNOS Web Management Platform Package [20230225.062510_builder_junos_222_r2_s2]
JUNOS vsrx modules [20230225.062510_builder_junos_222_r2_s2]
JUNOS srx libs compat32 [20230225.062510_builder_junos_222_r2_s2]
JUNOS srx runtime [20230225.062510_builder_junos_222_r2_s2]
JUNOS srx platform support [20230225.062510_builder_junos_222_r2_s2]
JUNOS common platform support [20230225.062510_builder_junos_222_r2_s2]
JUNOS vsrx runtime [20230225.062510_builder_junos_222_r2_s2]
JUNOS Routing mpls-oam-basic [20230225.062510_builder_junos_222_r2_s2]
JUNOS Routing lsys [20230225.062510_builder_junos_222_r2_s2]
JUNOS Routing 32-bit Compatible Version [20230225.062510_builder_junos_222_r2_s2]
JUNOS Routing aggregated [20230225.062510_builder_junos_222_r2_s2]
JUNOS probe utility [20230225.062510_builder_junos_222_r2_s2]
JUNOS pppoe [20230225.062510_builder_junos_222_r2_s2]
JUNOS Openconfig [22.2R2-S2.3]
JUNOS mtx network modules [20230225.062510_builder_junos_222_r2_s2]
JUNOS modules [20230225.062510_builder_junos_222_r2_s2]
JUNOS srx libs [20230225.062510_builder_junos_222_r2_s2]
JUNOS L2 RSI Scripts [20230225.062510_builder_junos_222_r2_s2]
JUNOS hsm [20230225.062510_builder_junos_222_r2_s2]
JUNOS srx Data Plane Crypto Support [20230225.062510_builder_junos_222_r2_s2]
JUNOS daemons [20230225.062510_builder_junos_222_r2_s2]
JUNOS srx daemons [20230225.062510_builder_junos_222_r2_s2]
JUNOS cloud libs [20230225.062510_builder_junos_222_r2_s2]
JUNOS cloud init [20230225.062510_builder_junos_222_r2_s2]
JUNOS SRX TVP AppQos Daemon [20230225.062510_builder_junos_222_r2_s2]
JUNOS Extension Toolkit [20230225.062510_builder_junos_222_r2_s2]
JUNOS Juniper Malware Removal Tool (JMRT) [1.0.0+20230225.062510_builder_junos_222_r2_s2]
JUNOS J-Insight [20230225.062510_builder_junos_222_r2_s2]
JUNOS jfirmware [20230208.031534_builder_junos_222_r2_s2]
JUNOS Online Documentation [20230225.062510_builder_junos_222_r2_s2]
JUNOS jail runtime [20230120.775b907_builder_stable_12_222]
JUNOS FIPS mode utilities [20230225.062510_builder_junos_222_r2_s2]
JUNOS dsa dsa [22.2R2-S2.3]
The :fips suffix on the CLI prompt (root@host-vsrx:fips>) indicates that the module is operating in FIPS mode; the output above is from Junos OS Release 22.2R2-S2.
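The two checks just described, the :fips prompt suffix and the requirement to pin a gateway to IKEv2 (version v2-only) whenever AES-GCM is used for IKE and/or IPsec, can be applied mechanically to captured show output. The following Python script is an added example written for this page; it is not Juniper code and not a Junos feature. The function names parse_junos, gcm_in_use, prompt_in_fips_mode and audit_ike_version are illustrative, and the prompt line and the two configuration texts it parses are constructed samples modelled on the output shown on this page, with an added non-compliant gateway gw2 and VPN vpn2 that the page does not contain.

```python
"""Audit captured Junos CLI output for two FIPS-mode conditions from this page: the
':fips' prompt suffix, and 'version v2-only' on every IKE gateway whose IKE and/or
IPsec proposals use AES-GCM. Every input below is a constructed sample."""
import re
GCM = re.compile(r"^aes-\d+-gcm$")

# Constructed 'show version' prompt line from a device running in FIPS mode
PROMPT_FIPS = "root@host-vsrx:fips> show version"

# Constructed 'show configuration security ike' output: gw1 mirrors the page's
# compliant example; gw2 is an added gateway left on IKEv1 with AES-CBC for IKE.
IKE_CONFIG = """
proposal ike-proposal1 {
    dh-group group14;
    encryption-algorithm aes-256-gcm;
}
proposal ike-proposal2 {
    encryption-algorithm aes-256-cbc;
}
policy ike-policy1 {
    proposals ike-proposal1;
    pre-shared-key ascii-text "$9$Hq.5zF/tpBUj9Au0IRdbwsaZ"; ## SECRET-DATA
}
policy ike-policy2 {
    proposals ike-proposal2;
}
gateway gw1 {
    ike-policy ike-policy1;
    version v2-only;
}
gateway gw2 {
    ike-policy ike-policy2;
    version v1-only;
}
"""

# Constructed 'show configuration security ipsec' output: vpn2 attaches the
# AES-GCM ESP proposal to gw2, so gw2 needs IKEv2 even though its IKE SA is CBC.
IPSEC_CONFIG = """
proposal ipsec-proposal1 {
    protocol esp;
    encryption-algorithm aes-128-gcm;
}
policy ipsec-policy1 {
    proposals ipsec-proposal1;
}
vpn vpn2 {
    ike {
        gateway gw2;
        ipsec-policy ipsec-policy1;
    }
}
"""

def parse_junos(text):
    """Nested dicts: 'key name {' blocks keyed by their word tuple, 'key value;'
    statements keyed by key; trailing '## SECRET-DATA' style annotations dropped."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack[-1][tuple(line[:-1].split())] = child = {}
            stack.append(child)
        elif line.endswith(";"):
            key, *rest = line[:-1].split()
            stack[-1][key] = " ".join(rest)
    return stack[0]

def gcm_in_use(tree, policy_name):
    """True if any proposal referenced by the named policy uses AES-GCM."""
    props = tree.get(("policy", policy_name), {}).get("proposals", "")
    return any(GCM.match(tree.get(("proposal", p), {}).get("encryption-algorithm", ""))
               for p in props.replace("[", " ").replace("]", " ").split())

def prompt_in_fips_mode(prompt_line):
    """The ':fips' suffix on the CLI prompt (user@host:fips>) marks FIPS mode."""
    return re.match(r"^[^\s@]+@[^\s:>]+:fips>", prompt_line) is not None

def audit_ike_version(ike, ipsec):
    """[(gateway, reason)] for gateways that use AES-GCM for IKE and/or IPsec
    but are not pinned to IKEv2 with 'version v2-only'."""
    gcm_ipsec_gateways = set()
    for key, vpn in ipsec.items():
        stanza = vpn.get(("ike",), {}) if key[0] == "vpn" else {}
        if gcm_in_use(ipsec, stanza.get("ipsec-policy", "")):
            gcm_ipsec_gateways.add(stanza.get("gateway"))
    findings = []
    for key, gw in ike.items():
        if key[0] != "gateway":
            continue
        reasons = []
        if gcm_in_use(ike, gw.get("ike-policy", "")):
            reasons.append("IKE proposal uses AES-GCM")
        if key[1] in gcm_ipsec_gateways:
            reasons.append("IPsec proposal uses AES-GCM")
        if reasons and gw.get("version") != "v2-only":
            findings.append((key[1], "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    ike, ipsec = parse_junos(IKE_CONFIG), parse_junos(IPSEC_CONFIG)
    print(prompt_in_fips_mode(PROMPT_FIPS), audit_ike_version(ike, ipsec))
```

For the sample input audit_ike_version reports only gw2: its own IKE SA uses AES-CBC, which on its own does not force IKEv2, but vpn2 binds it to an ESP proposal using aes-128-gcm, so the gateway must be set to version v2-only. gw1 uses AES-GCM for IKE and is already pinned to v2-only, so it passes. The parser is deliberately minimal (trailing ## annotations only; no inactive: or protect: markers) and is meant for show configuration output captured from the CLI, not for arbitrary configuration files.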
user@host-vSRX3.0:fips> show configuration security ike
proposal ike-proposal1 {
authentication-method pre-shared-keys;
dh-group group14;
encryption-algorithm aes-256-gcm;
}
policy ike-policy1 {
mode main;
proposals ike-proposal1;
pre-shared-key ascii-text "$9$Hq.5zF/tpBUj9Au0IRdbwsaZ"; ## SECRET-DATA
}
gateway gw1 {
ike-policy ike-policy1;
address 198.51.100.0;
local-identity inet 203.0.113.0;
external-interface ge-0/0/3;
version v2-only;
}
user@host-vSRX3.0:fips> show configuration security ipsec
proposal ipsec-proposal1 {
protocol esp;
encryption-algorithm aes-128-gcm;
}
policy ipsec-policy1 {
perfect-forward-secrecy {
keys group14;
}
proposals ipsec-proposal1;
}
vpn vpn1 {
bind-interface st0.0;
ike {
gateway gw1;
ipsec-policy ipsec-policy1;