F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Access Control Command Reference-6PW100
Default level
2: System level
Parameters
None
Description
Use the fips mode enable command to enable FIPS mode.
Use the undo fips mode enable command to disable FIPS mode.
By default, the FIPS mode is disabled.
The FIPS mode complies with FIPS 140-2.
To use FIPS mode:
• Delete all MD5-based digital certificates.
• Delete the DSA key pairs that have a modulus length of less than 1024 bits and all RSA key pairs.
• Enable FIPS mode.
• Enable the password-control function.
• Configure the login user name and password. The password must comprise no less than 8 characters and must contain uppercase and lowercase letters, digits, and special characters. You can use the password-control functions to manage and protect the password.
• Configure the login user service type.
Save the configuration and reboot the device. After the reboot, the device is working in FIPS 140-2 mode.
For CC certification, this is equivalent to operating according to the CC standard.
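The preparation steps above carried through on the CLI, as an added example that is not from the command reference. It assumes Comware-style commands (public-key local destroy, pki delete-certificate, password-control enable, local-user) and uses a placeholder user name, PKI domain name and password; the comment lines marked with # are annotations, not commands.

```text
# Inspect local key pairs first so that DSA pairs shorter than 1024 bits can be identified.
<Sysname> system-view
[Sysname] display public-key local rsa public
[Sysname] display public-key local dsa public
# Remove certificates signed with MD5 (placeholder PKI domain "example").
[Sysname] pki delete-certificate local domain example
[Sysname] pki delete-certificate ca domain example
# Remove all RSA key pairs; destroying DSA here removes all local DSA pairs,
# which is stricter than the reference requires (only those under 1024 bits).
[Sysname] public-key local destroy rsa
[Sysname] public-key local destroy dsa
# Enable FIPS mode and password control.
[Sysname] fips mode enable
[Sysname] password-control enable
# Create the login account: 8+ characters with upper, lower, digit and special (placeholder values).
[Sysname] local-user fipsadmin
[Sysname-luser-fipsadmin] password simple Fips#Mode2024
[Sysname-luser-fipsadmin] service-type ssh
[Sysname-luser-fipsadmin] authorization-attribute level 3
[Sysname-luser-fipsadmin] quit
[Sysname] quit
# Save and reboot; FIPS 140-2 mode takes effect after the restart.
<Sysname> save
<Sysname> reboot
# After the reboot, confirm the mode.
<Sysname> display fips status
```

Because Telnet, FTP/TFTP and HTTP are disabled after the reboot, confirm SSH access with the new account before restarting, or you will need console access to recover.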
After you enable FIPS mode and restart the device, the following changes occur:
• The FTP/TFTP server is disabled.
• The Telnet server is disabled.
• The HTTP server is disabled.
• SNMP v1 and SNMP v2c are disabled. Only SNMP v3 is available.
• The SSL server only supports TLS1.0.
• The SSH server does not support SSHv1 clients.
• The SSH only supports RSA.
• RSA key pairs must have a modulus length of 2048 bits, and DSA key pairs must have a modulus length from 1024 to 2048 bits.
• SSH, SNMPv3, IPsec and SSL do not support DES, RC4, 3DES, or MD5.
Related commands: display fips status.
Examples
# Enable FIPS mode.
<Sysname> system-view
[Sysname] fips mode enable