FIPS command

fips mode

To set the device FIPS (Federal Information Processing Standards 140-2) operating mode after device reboot, use the fips mode command in Privileged EXEC mode.

Syntax

fips mode {disable | enable}

Parameters

  • disable — Sets the device mode to FIPS non-compliant mode.

  • enable — Sets the device mode to FIPS compliant mode.

Default Configuration

By default the device operates in FIPS non-compliant mode.

Command Mode

Privileged EXEC mode

User Guidelines

The FIPS mode setting takes effect only after a device reboot, and switching between FIPS modes initiates a device reboot. When the FIPS mode is changed, a confirmation message is displayed informing the user that the change will reboot the device and remove the configuration related to SSH and HTTPS keys and certificates. Following the device reboot, the user may need to reconfigure these settings.

If the device configuration includes unsaved settings, then the user will be prompted to save these changes.

Examples

Example 1. The following example sets the mode after device reload to FIPS compliant mode:

switchxxxxxx# fips mode enable
WARNING: Changing FIPS mode will reboot the device.
SSH keys, HTTPS keys, HTTPS certificates and trusted remote SSH server
fingerprints will be deleted.
In addition, SSH DSA key types will not be supported.
Do you wish to continue ? (Y/N)[N] Y
You haven't saved your changes. Are you sure you want to continue ? (Y/N)[N] Y
This command will reset the whole system and disconnect your current session.
Do you want to continue ? (Y/N)[N] Y
Shutting down ...
Shutting down ...

Example 2. The following example sets the mode after device reload to FIPS non-compliant mode:

switchxxxxxx# fips mode disable
WARNING: Changing FIPS mode will reboot the device.
SSH keys, HTTPS keys, HTTPS certificates and trusted remote SSH server
fingerprints will be deleted.
Do you wish to continue ? (Y/N)[N] Y
You haven't saved your changes. Are you sure you want to continue ? (Y/N)[N] Y
This command will reset the whole system and disconnect your current session.
Do you want to continue ? (Y/N)[N] Y
Shutting down ...
Shutting down ...

show fips status

To display whether the device is operating in FIPS (Federal Information Processing Standards 140-2) compliant mode, use the show fips status command in Privileged EXEC mode.

Syntax

show fips status

Command Mode

Privileged EXEC mode

Examples

Example 1. The following example displays FIPS mode information when the device is operating in FIPS compliant mode:

switchxxxxxx# show fips status
FIPS mode: enabled
FIPS version: 140-2
Self-Tests: Passed
FIPS (Default) Library Context Providers:
name: OpenSSL Base Provider
version: 3.0.14
status: active
name: OpenSSL FIPS Provider
version: 3.0.9
status: active

Example 2. The following example displays FIPS mode information when the device is operating in FIPS non-compliant mode:

switchxxxxxx# show fips status
FIPS mode: disabled
Non-FIPS (Default) Library Context Providers:
name: OpenSSL Default Provider
version: 3.0.14
status: active
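As an added example that is not part of the device documentation, the following parser turns the show fips status output shown above into a compliance check: FIPS mode enabled, self-tests passed and an active FIPS provider loaded. The two sample outputs are copied from the examples on this page; the assumption that every "name:" line starts a new provider block is drawn from their layout.

```python
# Outputs of "show fips status" as printed in the two examples above.
FIPS_ENABLED_OUTPUT = """\
FIPS mode: enabled
FIPS version: 140-2
Self-Tests: Passed
FIPS (Default) Library Context Providers:
name: OpenSSL Base Provider
version: 3.0.14
status: active
name: OpenSSL FIPS Provider
version: 3.0.9
status: active
"""

FIPS_DISABLED_OUTPUT = """\
FIPS mode: disabled
Non-FIPS (Default) Library Context Providers:
name: OpenSSL Default Provider
version: 3.0.14
status: active
"""

def parse_fips_status(output):
    """Parse 'show fips status' into mode, version, self-test result and provider list."""
    status = {"mode": None, "version": None, "self_tests": None, "providers": []}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):   # skip blank lines and the 'Providers:' header
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "fips mode":
            status["mode"] = value.lower()
        elif key == "fips version":
            status["version"] = value
        elif key == "self-tests":
            status["self_tests"] = value.lower()
        elif key == "name":                  # assumption: each 'name:' opens a provider block
            current = {"name": value, "version": None, "status": None}
            status["providers"].append(current)
        elif key in ("version", "status") and current is not None:
            current[key] = value.lower() if key == "status" else value
    return status

def fips_compliance_findings(output):
    """Return findings; an empty list means FIPS mode is enabled with passed self-tests
    and an active FIPS provider, which is what an auditor would expect to see."""
    s = parse_fips_status(output)
    findings = []
    if s["mode"] != "enabled":
        findings.append("FIPS mode is not enabled")
    else:
        if s["self_tests"] != "passed":
            findings.append("FIPS self-tests did not pass")
        if not any("fips" in p["name"].lower() and p["status"] == "active" for p in s["providers"]):
            findings.append("no active FIPS provider loaded")
    return findings
```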