Enabling FIPS Mode

When you first enable FIPS mode, the device automatically performs zeroization, which eventually causes a restart. Zeroization completely wipes all sensitive content stored on the device (but retains the configuration):

Security secrets (e.g., private keys for SSH and TLS)
Debug and core dump files
System snapshot files

When operating in FIPS mode, the device removes all secret keys from generated syslog and debug recording messages. It also performs many internal security tests during runtime. As soon as any one of these tests fails, connection to the device is lost and the device automatically performs zeroization, disables FIPS mode, and then restarts.

After the device performs zeroization, it automatically generates new secrets (private key) for the self-signed certificate. You can then use this certificate to connect to the device over HTTPS, if needed.
If the device is operating in FIPS mode and you disable FIPS, the device automatically performs zeroization and then restarts.
To enable FIPS mode:
Web Interface:
a. Open the Security Settings page (Setup menu > IP Network tab > Security folder > Security Setting).
b. Click the Enable FIPS button:

A message appears warning you that a device restart, private key zeroization, debug file deletion, and snapshot deletion will occur.

c. Confirm to enable FIPS mode.
CLI (privileged mode):
# fips on

After you enable FIPS mode, the device performs zeroization and then restarts. When the restart is complete, verify that FIPS mode is enabled:

Web Interface:
a. Open the Security Settings page (Setup menu > IP Network tab > Security folder > Security Setting).
b. The text next to the button that enables and disables FIPS (Enable FIPS or Disable FIPS) indicates the FIPS mode:
'FIPS Mode is Enabled'
'FIPS Mode is Disabled'
CLI:
show system security status