F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices Access Control Configuration Guide-6PW100

Follow these steps to enable FIPS mode:
To do…              Use the command…    Remarks
Enter system view   system-view
Enable FIPS mode    fips mode enable    Required. Not enabled by default.
Settings changed by enabling FIPS mode
After you enable FIPS mode and restart the device, the following changes occur:
- The FTP/TFTP server is disabled.
- The Telnet server is disabled.
- The HTTP server is disabled.
- SNMP v1 and SNMP v2c are disabled. Only SNMP v3 is available.
- The SSL server only supports TLS1.0.
- The SSH server does not support SSHv1 clients.
- SSH only supports RSA.
- RSA key pairs must have a modulus length of 2048 bits, and DSA key pairs must have a modulus length from 1024 to 2048 bits.
- SSH, SNMPv3, IPsec and SSL do not support DES, RC4, 3DES, or MD5.
FIPS self-tests
When the device enters FIPS mode, power-up self-tests and conditional self-tests run automatically to ensure the normal operation of the cryptography modules. If either type of test fails, the device restarts.
Power-up self-tests
Power-up self-tests, also called “known-answer tests,” check the availability of FIPS-allowed cryptographic algorithms. A cryptographic algorithm runs on data for which the correct output is already known, and the calculated output is compared with the known answer. If the two are not identical, the known-answer test fails.
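As an added illustration of a known-answer test (not code from this guide or from the device firmware), the Python below runs two FIPS-allowed primitives on published NIST/RFC 4231 test-vector inputs, compares each result with its known answer, and refuses to report the module operational if any answer differs. The hypothetical power_up() function stands in for the device's own restart-on-failure behaviour.

```python
import hashlib
import hmac

# Known-answer vectors: the input is fixed and the expected output is a
# published test vector (SHA-256 of "abc"; RFC 4231 HMAC-SHA-256 test case 1).
KNOWN_ANSWER_TESTS = [
    {
        "name": "SHA-256",
        "compute": lambda: hashlib.sha256(b"abc").hexdigest(),
        "expected": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    },
    {
        "name": "HMAC-SHA-256",
        "compute": lambda: hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha256).hexdigest(),
        "expected": "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7",
    },
]


def run_known_answer_tests(tests):
    """Run every KAT; return (all_passed, names_of_failed_tests)."""
    failures = []
    for test in tests:
        try:
            actual = test["compute"]()
        except Exception:
            # A primitive that crashes is unavailable, which is a failure, not a pass.
            failures.append(test["name"])
            continue
        # Constant-time comparison of the calculated output with the known answer.
        if not hmac.compare_digest(actual, test["expected"]):
            failures.append(test["name"])
    return (not failures, failures)


def power_up(tests=KNOWN_ANSWER_TESTS):
    """Hypothetical power-up sequence: fail closed unless every KAT passes."""
    passed, failed = run_known_answer_tests(tests)
    if not passed:
        # On a real FIPS device this is where the restart would be triggered.
        raise RuntimeError("FIPS power-up self-test failed: " + ", ".join(failed))
    return "FIPS mode operational"


if __name__ == "__main__":
    print(power_up())
```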
Power-up self-tests fall into the following types.