10-Security Command Reference

17-FIPS Commands

FIPS configuration commands

display fips status

Syntax

display fips status

View

Any view

Default level

1: Monitor level

Parameters

None

Description

Use the display fips status command to display the FIPS state.

Related commands: fips mode enable.

Examples

# Display FIPS state.

<Sysname> display fips status

FIPS mode is enabled

fips mode enable

Syntax

fips mode enable

undo fips mode enable

View

System view

Default level

2: System level

Parameters

None

Description

Use the fips mode enable command to enable FIPS mode.

Use the undo fips mode enable command to disable FIPS mode.

By default, the FIPS mode is disabled.

The FIPS mode complies with FIPS 140-2.

After enabling FIPS mode, you must restart the device for the configuration to take effect. Before the restart, complete the following tasks:

· Configure the login username and password. The password must be at least 6 characters long and must contain uppercase letters, lowercase letters, digits, and special characters.

· Delete all MD5-based digital certificates.

· Delete the DSA key pairs that have a modulus length of less than 1024 bits and all RSA key pairs.
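The pre-restart tasks above can be checked offline against an inventory of the device before rebooting. The following is an added example, not H3C code: the inventory tuples are constructed sample data, the function names are hypothetical, and treating "special characters" as ASCII punctuation is an assumption.

```python
import string

# Inventory records below are constructed for illustration; collect the real
# values from the device's own key-pair and certificate listings.

def password_findings(password):
    """Apply the quoted rule: at least 6 characters, with uppercase,
    lowercase, digit and special characters all present."""
    checks = [
        (len(password) >= 6, "shorter than 6 characters"),
        (any(c.isupper() for c in password), "no uppercase letter"),
        (any(c.islower() for c in password), "no lowercase letter"),
        (any(c.isdigit() for c in password), "no digit"),
        # Assumption: "special character" means ASCII punctuation.
        (any(c in string.punctuation for c in password), "no special character"),
    ]
    return [f"password: {msg}" for ok, msg in checks if not ok]

def key_pair_findings(key_pairs):
    """key_pairs: iterable of (name, algorithm, modulus_bits)."""
    findings = []
    for name, alg, bits in key_pairs:
        alg = alg.upper()
        if alg == "RSA":
            findings.append(f"key {name}: delete (all RSA key pairs must go)")
        elif alg == "DSA" and bits < 1024:
            findings.append(f"key {name}: delete (DSA modulus {bits} < 1024)")
    return findings

def certificate_findings(certs):
    """certs: iterable of (name, signature_algorithm)."""
    return [f"certificate {name}: delete (MD5-based, {sig})"
            for name, sig in certs if "md5" in sig.lower()]

def pre_restart_findings(password, key_pairs, certs):
    """Return every open pre-restart task; an empty list means none remain."""
    return (password_findings(password)
            + key_pair_findings(key_pairs)
            + certificate_findings(certs))

if __name__ == "__main__":
    keys = [("hostkey", "RSA", 1024), ("dsa-old", "DSA", 512), ("dsa-ok", "DSA", 1024)]
    certs = [("local-1", "md5WithRSAEncryption"), ("local-2", "sha1WithRSAEncryption")]
    for finding in pre_restart_findings("Admin1", keys, certs):
        print(finding)
```
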

After you enable FIPS mode and restart the device, the following changes occur:

· The FTP/TFTP server is disabled.

· The Telnet server is disabled.

· The HTTP server is disabled.

· SNMP v1 and SNMP v2c are disabled. Only SNMP v3 is available.

· The SSL server supports only TLS 1.0.

· The SSH server does not support SSHv1 clients.

· Generated RSA/DSA key pairs have a modulus length from 1024 to 2048 bits.

· SSH, SNMPv3, IPsec, and SSL do not support DES, RC4, or MD5.

Related commands: display fips status.

Examples

# Enable FIPS mode.

<Sysname> system-view

[Sysname] fips mode enable

fips self-test

Syntax

fips self-test

View

System view

Default level

3: Manage level

Parameters

None

Description

Use the fips self-test command to trigger a self-test on the cryptographic algorithms.

To verify that the cryptographic modules operate normally, use this command to trigger a self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test that runs when the device starts up.

If the self-test fails, the device automatically reboots.

Examples

# Trigger a self-test on the cryptographic algorithms.

<Sysname> system-view

[Sysname] fips self-test

Self-tests are running. Please wait...

Self-tests succeeded.

 
