11-Security Command Reference: 17-FIPS Commands
FIPS configuration commands
display fips status
Syntax
display fips status
View
Any view
Default level
1: Monitor level
Parameters
None
Description
Use display fips status to display FIPS state.
Related commands: fips mode enable.
Examples
# Display FIPS state.
<Sysname> display fips status
FIPS mode is enabled
fips mode enable
Syntax
fips mode enable
undo fips mode enable
View
System view
Default level
2: System level
Parameters
None
Description
Use fips mode enable to enable FIPS mode.
Use undo fips mode enable to disable FIPS mode.
By default, the FIPS mode is disabled.
The FIPS mode complies with FIPS 140-2.
After enabling FIPS mode, you must restart the device for the configuration to take effect. Before the restart, complete the following tasks:
· Configure the login username and password. The password must be at least 8 characters long and must contain uppercase letters, lowercase letters, digits, and special characters.
· Delete all MD5-based digital certificates.
· Delete all key pairs.
After you enable FIPS mode and restart the device, the following changes occur:
· FTP/TFTP is disabled.
· Telnet is disabled.
· HTTP is disabled.
· SNMPv1 and SNMPv2c are disabled. Only SNMPv3 is available.
· SSL only supports TLS1.0.
· SSH does not support SSHv1 clients.
· SSH only supports RSA.
· Generated RSA key pairs must have a modulus length of 2048 bits. Generated DSA key pairs must have a modulus of at least 1024 bits.
· SSH, SNMPv3, IPsec, and SSL do not support DES, 3DES, RC4, or MD5.
Related commands: display fips status.
Examples
# Enable FIPS mode.
<Sysname> system-view
[Sysname] fips mode enable
FIPS mode change requires a device reboot. Continue?[Y/N]:y
Change the configuration to meet FIPS mode requirements, save the configuration
to the next-startup configuration file, and then reboot to enter FIPS mode.
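As an added example that is not part of the command reference, the following Python script checks the pre-reboot password rule and the RSA/DSA modulus rules listed above, and parses the output of display fips status. The function names and the sample output are constructed for this illustration.

```python
import re

# Pre-reboot password rule from the fips mode enable description: at least
# 8 characters, with uppercase, lowercase, digit and special character present.
PASSWORD_MIN_LEN = 8


def fips_password_ok(password: str) -> bool:
    """Return True if a login password satisfies the FIPS-mode password rule."""
    if len(password) < PASSWORD_MIN_LEN:
        return False
    required_classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return all(re.search(pattern, password) for pattern in required_classes)


def fips_key_pair_ok(algorithm: str, modulus_bits: int) -> bool:
    """Return True if a key pair generated after the reboot is acceptable:
    RSA modulus must be exactly 2048 bits, DSA modulus at least 1024 bits.
    The reference lists rules only for RSA and DSA, so anything else is rejected."""
    alg = algorithm.upper()
    if alg == "RSA":
        return modulus_bits == 2048
    if alg == "DSA":
        return modulus_bits >= 1024
    return False


def parse_fips_status(display_output: str) -> bool:
    """Parse 'display fips status' output; True when FIPS mode is enabled."""
    match = re.search(r"FIPS mode is (enabled|disabled)", display_output)
    if match is None:
        raise ValueError("unrecognized 'display fips status' output")
    return match.group(1) == "enabled"


def fips_readiness_findings(password: str, planned_key_pairs) -> list:
    """Check the login password and the key pairs planned for regeneration after
    the reboot; return a list of findings (an empty list means ready)."""
    findings = []
    if not fips_password_ok(password):
        findings.append("login password does not meet the FIPS-mode password rule")
    for algorithm, bits in planned_key_pairs:
        if not fips_key_pair_ok(algorithm, bits):
            findings.append(f"{algorithm} key pair with {bits}-bit modulus is not "
                            "acceptable in FIPS mode")
    return findings


# Constructed sample output, mirroring the format shown in the command reference.
SAMPLE_STATUS = "<Sysname> display fips status\nFIPS mode is enabled\n"
```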
fips self-test
Syntax
fips self-test
View
System view
Default level
3: Manage level
Parameters
None
Description
Use fips self-test to trigger a self-test on the cryptographic algorithms.
To verify that the cryptography modules operate correctly, use this command to trigger a self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test performed when the device starts up.
If the self-test fails, the device automatically reboots.
Examples
# Trigger a self-test on the cryptographic algorithms.
<Sysname> system-view
[Sysname] fips self-test
Self-tests are running. Please wait...
Self-tests succeeded.