Manual Chapter :
Platform FIPS Overview
Applies To:
Show VersionsBIG-IP APM
- 17.1.1, 17.1.0
BIG-IP LTM
- 17.1.1, 17.1.0
BIG-IP DNS
- 17.1.1, 17.1.0
BIG-IP ASM
- 17.1.1, 17.1.0
Platform FIPS Overview
Platform FIPS BIG-IP systems
The FIPS BIG-IP Platform Module solution, also known as
Platform FIPS, is a FIPS validated BIG-IP system. The platform FIPS requires a
F5 Full-Box FIPS add-on license and allows for FIPS 140-3 validation at level
2 while using the full performance capabilities of the BIG-IP system.
The platform FIPS provides device-level FIPS validation at
level 2 for specific BIG-IP platforms with the Full-Box FIPS add-on license
installed. Introduced in BIG-IP 13.1.0, the Full-Box FIPS license includes a
FIPS installation kit that contains tamper-evident stickers that you must
apply to the hardware device in order to be FIPS validated products.
BIG-IP systems with the Full-Box FIPS add-on license
installed enter a FIPS-enabled mode during the boot process. When the BIG-IP
system enters FIPS-enabled mode, the system changes the SSL cipher suites to
be FIPS-compliant and enables the FIPS required self-tests to validate the
integrity and operation of the system. If the system fails any of the
self-tests during the boot process the BIG-IP system halts.
The Full-Box add-on license can be installed on any BIG-IP
hardware platforms running the BIG-IP software version 13.1.0 or later for
FIPS compliance, but only specific BIG-IP platforms and versions have been
validated for FIPS. For more information about FIPS validated platforms and
versions, see the security policy and certificates for your platform at
F5 Certifications.
FIPS module information
When a system is in FIPS-enabled mode, the FIPS module
information displays in the command-line interface and web-based user
interface.
These are the FIPS module names:
- Cryptographic Module for BIG-IP
- F5 Device Cryptographic Module
- F5 vCMP Cryptographic Module
Verify FIPS-enabled mode
These options enable you to verify FIPS-enabled mode on BIG-IP
systems:
- Use the database (db) variablesecurity.fips140.complianceto check if the system is in FIPS-enabled mode.
- Use the Linux commandcaton the/config/f5_public/fips.conffile. If the response is1, then the FIPS-enabled mode is enabled. If the response is0, an empty file, or no file is available, then FIPS-enabled mode is disabled.
Verify FIPS module information
These options enable you to verify FIPS module information on
BIG-IP systems:
- In the BIG-IP Configuration utility, the FIPS module information is displayed in theVersionfield at .
- Use thetmsh show sys versioncommand sequence to display the FIPS module information, along with other system information.
FIPS service indicator
The FIPS service indicator shows whether sessions are established
using FIPS approved or non-approved cryptographic algorithms. The service
indicator session information is collected and logged only when a FIPS 140-3
license is installed on a BIG-IP system. A service indicator is logged in
/var/log/audit
logs, any time an approved service is established using the CLI or the
web-based user interface.With a FIPS 140-3 license, management plane GUI and SSH sessions
are created in FIPS and allow only the usage of FIPS 140-3 approved ciphers.
For more information, see FIPS supported ciphers.
These are supported SSH ciphers:
Ciphers |
MACS |
Kex Algorithms |
---|---|---|
aes128-ctr |
hmac-sha1 |
ecdh-sha2-nistp256 |
aes256-ctr |
hmac-sha2-256 |
ecdh-sha2-nistp384 |
aes128-cbc |
||
aes256-cbc |
Service indicator log configuration overview
You can configure the BIG-IP system to enable service
indicator logs for dataplane services in High-Speed Logging (HSL).
At a high level, these tasks enable service indicator logs:
- Configure a remote syslog server, for example Splunk, rsyslog, ipfix, or ArcSight.
- Configure a high-speed remote logging, which includes these tasks:
- Create a node.
- Create a pool of remote logging servers.
- Create a remote high-speed log destination.
- Create a formatted remote high-speed log destination.
- Create a publisher.
- Verify if the log level is set toNoticeor higher inSSLfield at .
- Verify if the configured log publisher is selected in client SSL and server SSL profiles at.
Create a node
Local traffic pools use nodes as target resources for
load balancing. A node is an IP address or a fully-qualified domain name
(FQDN) that represents a server resource that hosts applications.
An alternate way to create a node is to create a
pool member. When you create a pool member, the BIG-IP system creates the
corresponding node for you.
- On the Main tab, expandLocal Traffic, and clickNodes.The Node List screen opens.
- Click theCreatebutton.The New Node screen opens.
- For theAddressfield:
- If you want to specify the node by its IP address, clickNodesand type an IP address.
- If you want to specify the node by a fully-qualifed domain name (FQDN), clickFQDNand type the node's FQDN.
- In the Configuration area of the screen, configure the settings as needed or retain the default values.
- If you choseFQDNfor theAddresssetting, then in the FQDN area of the screen, configure the settings as needed or retain the default values.
- ClickFinished.The screen refreshes, and the new node appears in the node list.
Create a pool of remote logging servers
Before creating a pool of log
servers, gather the IP addresses of the servers that you want to include in
the pool. Ensure that the remote log servers are configured to listen to and
receive log messages from the BIG-IP system.
Create a pool of remote log servers to
which the BIG-IP system can send log messages.
- On the Main tab, click.The Pool List screen opens.
- ClickCreate.The New Pool screen opens.
- In theNamefield, type a unique name for the pool.
- Using theNew Memberssetting, add the IP address for each remote logging server that you want to include in the pool:
- Type an IP address in theAddressfield, or select a node address from theNode List.
- Type a service number in theService Portfield, or select a service name from the list.Typical remote logging servers require port514.
- ClickAdd.
- ClickFinished.
Create a remote high-speed log destination
Before creating a remote high-speed log destination, ensure that at least one pool
of remote log servers exists on the BIG-IP system.
Create a log destination of the
Remote High-Speed Log
type to
specify that log messages are sent to a pool of remote log servers.- On the Main tab, click.The Log Destinations screen opens.
- ClickCreate.
- In theNamefield, type a unique, identifiable name for this destination.
- From theTypelist, selectRemote High-Speed Log.If you use log servers such as Remote Syslog, Splunk, or ArcSight, which require data be sent to the servers in a specific format, you must create an additional log destination of the required type, and associate it with a log destination of theRemote High-Speed Logtype. With this configuration, the BIG-IP system can send data to the servers in the required format.The BIG-IP system is configured to send an unformatted string of text to the log servers.
- From thePool Namelist, select the pool of remote log servers to which you want the BIG-IP system to send log messages.
- From theProtocollist, select the protocol used by the high-speed logging pool members.
- ClickFinished.
Create a formatted remote high-speed log destination
Ensure that at least one remote high-speed log destination exists on the BIG-IP system.
Create a formatted logging destination to specify that log messages are sent to a
pool of remote log servers, such as Remote Syslog, Splunk, or IPFIX servers.
- On the Main tab, click.The Log Destinations screen opens.
- ClickCreate.
- In theNamefield, type a unique, identifiable name for this destination.
- From theTypelist, select a formatted logging destination, such asRemote Syslog,Splunk, orIPFIX.The Splunk format is a predefined format of key value pairs.The BIG-IP system is configured to send a formatted string of text to the log servers.
- If you selectedRemote Syslog, then from theSyslog Formatlist select a format for the logs, and then from theHigh-Speed Log Destinationlist, select the destination that points to a pool of remote Syslog servers to which you want the BIG-IP system to send log messages.For logs coming from Access Policy Manager (APM), only the BSD Syslog format is supported.
- If you selectedSplunkorIPFIX, then from theForward Tolist, select the destination that points to a pool of high-speed log servers to which you want the BIG-IP system to send log messages.
- ClickFinished.
Create a publisher
Ensure that at least one destination associated with a pool of remote log servers
exists on the BIG-IP system.
Create a publisher to specify where the BIG-IP system sends log messages for
specific resources.
- On the Main tab, click.The Log Publishers screen opens.
- ClickCreate.
- In theNamefield, type a unique, identifiable name for this publisher.
- For theDestinationssetting, select a destination from theAvailablelist, and click<<to move the destination to theSelectedlist.If you are using a formatted destination, select the destination that matches your log servers, such as Remote Syslog, Splunk, or ArcSight.
- ClickFinished.
Platform FIPS installation kit overview
The Platform FIPS system includes the Full-Box FIPS add-on license, which includes tamper evidence seals that you must apply to the chassis for it to be FIPS-validated. For more information, see F5 Platforms: FIPS Kit Installation at my.f5.com.
Platform FIPS best practices
F5 recommends these best practices for working with your
Platform FIPS system:
- Backup partitions
- To recover from a self-test failure, F5 recommends that you have at least two volumes configured and set up with the software version that you are using on the BIG-IP system. If possible, you should avoid installing the Platform FIPS add-on license on the backup volume. This provides recovery options from a failed self-test.The BIG-IP system should have multiple volumes set up from the factory, but the software versions installed might not support the Platform FIPS license. Be sure to verify the versions before placing the BIG-IP system into production use.
- Thesys-eicheckutility
- Use thesys-eicheckutility to determine, without rebooting and locking the volume, if anything has happened that might cause the integrity test to fail. Run this utility before and after any administrative actions to identify anything that might cause a self-test failure by typing this command sequence on the command line:/usr/libexec/sys-eicheck.py.
- FIPS Validated vCMP Guests
- On certain BIG-IP platforms and VIPRION platforms that are licensed with the Platform FIPS add-on license, any vCMP guests are also considered vCMP validated. Unless the platform is also an Embedded FIPS platform, no additional administration is needed. For more information, see the FIPS multi-tenancy for vCMP guests overview section under Hardware HSM Setup and Administration.
Platform FIPS self-test requirement
The NIST 140-3 FIPS standards require that the system must
pass a series of self tests during operation and at initial startup. If any of
these self-tests fail, the BIG-IP system restarts and will not be able to boot
into that volume at startup.
One of the self-tests that the system performs is a system
integrity test. This test watches for unauthorized changes to the system.
Making changes to the system using the F5 TMOS Shell (
tmsh
), the Configuration
utility, and the F5 APIs does not cause this test to fail. Making any changes
to the underlying operating system or any BIG-IP files directly, however,
might cause the test to fail.FIPS self tests overview
The FIPS validation requires the use of self tests to check
the integrity and operation of the cryptographic module. If any of these tests
fail during the boot process, the BIG-IP system halts. The
fips_monitor
daemon is introduced
in BIG-IP software version 13.1.0 and monitors the /config/f5_public/fipserr
file for any reported errors. The fips_monitor
daemon monitors the BIG-IP system and halts the
system if FIPS-specified issues are found. This table explains the three basic
categories of tests and the action taken when a test fails.Type of self test |
When the self test runs |
Checks performed |
Action on fail |
---|---|---|---|
System Integrity check ( sys-eicheck ) |
|
Checks the system software on the
BIG-IP system to detect unexpected changes to the system
software, such as modified or missing critical and
non-critical files. |
If the test fails during the boot
process, the details are logged to the /config/f5_public/fipserr file, and the BIG-IP
system immediately halts. If the test fails at any other time,
this error message displays in the var/log/secure file, and the system halts on
the next restart:<datetime>
<pid> crit root: BIG-IP Integrity Check: [FAIL]
-- Contact F5 technical support. |
Crypto-Algorithm check |
|
Checks the SSL cryptographic
libraries to ensure they are correctly performing
cryptographic operations. |
Details are logged to the /config/f5_public/fipserr file, and the BIG-IP
system immediately halts. |
TMM check |
|
Checks the Traffic Management
Microkernel (TMM) for problems. |
Details are logged to the /config/f5_public/fipserr |
If the BIG-IP system halts during the boot process, this
message appears on the console indicating the system halted due to a failure
of one of the pre-operational self-tests:
*** FIPS or Common Criteria pre-operational self-test failure. *** This system has been placed in an error state. *** To recover return to the grub menu and select another volume. *** or reinstall the system. *** *** On many devices pressing the escape key followed by the ( *** key will bring up a menu which allows the system to be restarted.
If the BIG-IP system halts during the boot process you must
either boot to another volume or reinstall the system software to recover and
reload the configuration. If your BIG-IP system failed a system integrity
check and is still running, you should run the
sys-eicheck
utility
manually (/usr/libexec/sys-eicheck.py
) and correct any problems before
restarting the system. If you suspect your system is compromised, you should
follow your organization's security policies for suspected compromised
systems.Power-up self-test failures: <specific test failures>
For Platform FIPS systems, output from the
sys-eicheck
utility is included by default in the /fips_module.xml
file when
running the qkview
utility. Other systems can capture the output from the sys-eicheck
utility when
running the qkview
utility by running the qkview
-c
command.FIPS error state mode
A cryptographic module performs power-up self-tests and
conditional self-tests to ensure that the module is functioning properly. The
module performs power-up self-tests when the cryptographic module is powered
up and conditional self-tests when an applicable security function or
operation is invoked, that is, the security functions for which self-tests are
required.
If a cryptographic module fails a self-test, the module
enters an error state mode and outputs an error indicator through the status
output interface. The cryptographic module does not perform any cryptographic
operations while in an error state mode. All data output through the data
output interface is inhibited when an error state exists. If a self-test
fails, make sure that no cryptographic operations are performed.
The BIG-IP system attempts to recover from error state mode
by triggering a reboot. If the error state persists after multiple reboots,
then the system falls back to the
brick the box
state.Compromised system assessment
When determining whether your system is compromised,
consider these factors:
- F5 might not be able to make a final determination whether a device is compromised if it requires deeper forensic analysis than F5 support procedures allow. If this occurs, you should contact a trusted forensic security firm for a final determination of whether the device is compromised.
- For integrity check issues, you should base your final determination on whether your BIG-IP system is compromised based on your organization's security policy. If you are unable to determine any known administrative changes that happened during the failure time window, you should review and follow your organization's policies and procedures for suspected compromised devices.
- For cryptographic and Traffic Management Microkernel (TMM) self-test issues, you should base your final determination on whether your system is compromised based on your organization's security policy; however, these issues are less likely to happen due to your system being compromised than due to other issues. If this occurs, contact F5 Support to determine whether the cause of the issue is due to a known issue or system bug.
FIPS self-test failures
On BIG-IP systems that include the F5 Full-Box FIPS add-on
license, you can manually perform FIPS integrity checks. The system
automatically performs scheduled checks on a regular basis. Manual check
results display on the console, and scheduled checks log to the
/var/log/secure file. If an integrity check fails, the system fails to boot
when restarted.
An integrity check failure indicates that some part of the BIG-IP
software has unexpectedly changed. This might indicate that an attacker
has gained access to your system and changed, installed, or removed
something on the BIG-IP system. You should review your internal security
policies prior to taking any further actions as they might require or
prohibit specific troubleshooting procedures.
Troubleshoot FIPS self-test failures
You should consider running FIPS integrity checks when a BIG-IP system that is licensed for F5 Full-Box FIPS is operating and accessible, and these conditions occur:
- ABIG-IP Integrity Check: [ FAIL ] -- Contact F5 Networks technical supporterror displays in the/var/log/securefile.
- A manual integrity check fails.
If the FIPS integrity check displays a fail status, the BIG-IP system will not boot to the current volume the next time it restarts. Therefore, it is important that you resolve any issues before you restart your system to determine the root cause.
Do not restart your BIG-IP system during these troubleshooting steps. When the BIG-IP system starts, it performs an integrity test again, and if this test fails, the system stops the boot process and disables that volume, restricting further troubleshooting. If this occurs, you must perform a pre-operational self test. For more information, see Troubleshoot FIPS pre-operational self-test failures.
If your system fails an integrity check when you power it on and does not complete the boot procedure, see Troubleshoot FIPS pre-operational self-test failures.
- Back up your system configuration to a user configuration set (UCS) file.For more information, see K13132: Backing up and restoring BIG-IP configuration files with a UCS archive.Consider including the cause of the failure in your UCS file when you back up your system.
- Create a QKView file using theqkviewutility and upload it to F5 Support using BIG-IP iHealth.For more information, see K12878: Generating diagnostic data using the qkview utility.
- Run thesys-eicheckutility to locate the failed files.For more information, see Full-Box FIPS and the sys-eicheck utility.
- Determine the time window of the failure.BIG-IP systems licensed with the F5 FIPS Full-Box run thesys-eicheckutility daily and log to the/var/log/securefile. Note the time stamp on the firstBIG-IP Integrity Check: [ FAIL ] -- Contact F5 Networks technical supportmessage and the time stamp of the last successful check from the most recentBIG-IP Integrity Check: [ PASS ]message. The period between the two messages is the failure time window.
- Review administrative actions during the failure time window.
- Review the list of changed files to narrow the potential actions that might impact them.For example, if system files were removed or changed, administrative actions are unlikely to impact them.
- Review any known administrative actions that occurred within the time window.To determine this, use information from these sources:
- Internal change control or trouble ticket documentation
- The BIG-IP audit log file at/var/log/audit
- Other BIG-IP logs, as appropriate
Normal administrative actions performed using the Configuration utility or TMOS Shell (tmsh) commands should not cause integrity checks to fail. The most likely causes of failure are actions to troubleshoot problems or actions that might impact the underlying Linux operating system, such as installing or modifying the Linux system software.
- Back out changes made during the failure time window.If any administrative actions occurred during the time window, consider backing out these changes and running the integrity check again. Depending on the actions, you might not be able to back out the changes. If you cannot back out these changes, you might need to reload the system configuration on a new partition using your UCS file.After backing out changes, run thesys-eicheckutility again to determine whether the problem is resolved.
- Reload your backup file on a new partition.Do not use your only remaining backup partition. Doing so might restore the problem along with the UCS on that partition, making it also unusable and potentially making it impossible to restart and boot the system. If this occurs, you need to re-image your system.If the problem is not resolved before booting into the new partition, you will not be able to access the current partition again. You should perform this action only as a last resort if you cannot otherwise resolve the issue.
- Create a new partition with the appropriate software version.For more information, see K34745165: Managing software images on the BIG-IP system.
- Restore your UCS backup to this partition.For more information, see K13132: Backing up and restoring BIG-IP configuration files with a UCS archive.
If reloading your UCS file on a new partition does not solve the issue, the cause of the problem might be included in your UCS file. - Determine whether your system is compromised using your organization's security policy.If you are unable to determine any known administrative changes that occurred during the failure time window, review and follow your organization's policies for devices that are suspected of being compromised. You can then open a support ticket with F5 Support. For more information, see Compromised system assessment.
Pre-operational FIPS self-test failures
On BIG-IP systems that include the F5 Full-Box FIPS add-on
license, you can manually perform FIPS integrity checks. The system
automatically performs scheduled checks on a regular basis. Manual check
results display on the console, and scheduled checks log to the
/var/log/secure file. If an integrity check fails, the system fails to boot
when restarted.
An integrity check failure indicates that some part of the BIG-IP
software has unexpectedly changed. This might indicate that an attacker
has gained access to your system and changed, installed, or removed
something on the BIG-IP system. You should review your internal security
policies prior to taking any further actions as they might require or
prohibit specific troubleshooting procedures.
Troubleshoot FIPS pre-operational self-tests failures
When a BIG-IP system that is licensed for F5 Full-Box FIPS fails to boot due to failed self tests, you can recover the system. If any of these self-tests fail, the system halts. In addition, the system regularly performs some self-tests and might force an immediate restart, which results in a halted system. Because of this, you might encounter one or more of these symptoms:
- The BIG-IP system fails to boot to the active partition
- An error similar to this example displays on the console:The FIPS or Common Criteria power-up self-test failure. This system has been placed in an error state.
For longer errors, you might have to scroll up to see them.
If your BIG-IP system is operating and you see a log entry for an integrity check failure, see Troubleshoot FIPS self-test failures.
- Change the system boot location and boot to an alternate partition.
- Immediately after you start the system, a screen displays notifying to select a boot partition to use. Select any partition other than the currently-selected one.
- If you need to restore your system configuration from a backup, or if you intend to copy the configuration using thecpcfgcommand, make sure you have another available partition in case the issue is restored along with the backup configuration.For more information about thecpcfgcommand, see K14724: Using the cpcfg command to copy a configuration from one boot location to another.
- If necessary, perform a switchboot operation to make sure that the new partition becomes the default choice.For more information, see K5658: Overview of the switchboot utility.
- Perform a clean installation by re-imaging the BIG-IP system.Re-imaging the BIG-IP system overwrites the entire storage drive. After you re-image the system, you cannot perform any further troubleshooting to determine the cause of the issue.
Full-Box FIPS and the sys-eicheck utility
The
sys-eicheck
utility is the FIPS version of the sys-icheck
utility. The sys-eicheck
utility scans the BIG-IP system for any unexpected changes to the system software.The
sys-eicheck
utility is installed with all BIG-IP systems, but it only runs automatically on systems that are licensed for the F5 Full-Box FIPS add-on. The system runs the sys-eicheck
utility for the power-on and daily self-tests required for FIPS validation.You can also run it manually to determine if the device will pass or fail the tests. Log in to the CLI as an administrator and use the command
/usr/libexec/sys-eicheck.py
to manually run the sys-eicheck
.You can run the
sys-eicheck
command on any system, but results return only for those systems licensed with the F5 Full-Box FIPS add-on.Run | Actions |
---|---|
On power-on | On Pass: No action On Fail: Logs details to the /config/f5_public/fipserr file, stops the boot process, and reports a failure on the console |
Daily | Logs this result to the /var/log/secure file:Pass: BIG-IP Integrity Check: [ PASS ] Fail: BIG-IP Integrity Check: [ FAIL ] -- Contact F5 Networks technical support |
Manually | Displays results and details on the console |
For QKView | Adds detailed results to the QKview /fips_module.xml file |
The
sys-eicheck
output contains these sections:- A summary
- Critical files missing
- Critical files modified
If the
sys-eicheck
utility displays a fail status, the system will not boot to the current volume the next time it restarts. Make sure to resolve any fail issues before you restart the BIG-IP system. For troubleshooting information, refer to Troubleshoot FIPS self-test failures.The utility only considers missing or modified critical files as failures. The output contains non-critical files for informational purposes only.
The system shows
PASS
or FAIL
messages with the output. This shows an example of output displayed:BIG-IP Integrity Check Report - Critical file modifications result in failure. ======================================================= /usr/lib/python2.7/site-packages/rw_lib.py 1 critical file(s) missing ======================================================= 0 critical file(s) modified ======================================================= Integrity Check Result: [ FAIL ] Contact F5 Networks Technical Support.
FIPS-supported ciphers
In the FIPS-enabled mode, the system automatically reorganizes the Secure Sockets Layer (SSL) cipher suites so that the FIPS-approved cipher suites appear at the top of the list as the most preferred ciphers.
These system daemons start in FIPS-enabled mode:
- bigd
- chmand
- devmgmtd
- fipscheck
- httpd
- mcpd
- named
- ntpd
- openssl
- raccoon
- sshd
- tamd
- tmm
In FIPS-enabled mode, the daemons use these ciphers:
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES128-SHA
- ECDHE-RSA-AES256-SHA
- ECDHE-RSA-AES128-SHA256
- ECDHE-RSA-AES256-SHA384
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-SHA
- ECDHE-ECDSA-AES256-SHA
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-ECDSA-AES256-SHA384
In the FIPS-enabled mode, the Client SSL and Server SSL profiles continue to use the cipher keyword
DEFAULT
.The BIG-IP system has these two cipher string keywords:
- FIPS: This cipher string keyword selects only FIPS-compliant cipher suites.
- @FIPS: This keyword orders cipher suite preference to use FIPS-compliant cipher suites first.
To use only FIPS-compliant cipher suites, from advanced configuration mode for the profile, change the cipher string from
DEFAULT
to FIPS
.To use only FIPS-compliant cipher suites and with the cipher suites sorted from the most to the least recommended, from advanced configuration mode for the profile, use the
FIPS:@FIPS
cipher string in the profile.The FIPS cipher string loads the FIPS-compliant ciphers, and the
@FIPS
action keyword reorders the cipher suites to prefer the strongest FIPS-compliant ciphers first.FIPS-supported ciphers on F5OS platforms
In the
FIPS-enabled mode, the system automatically reorganizes the Secure Sockets
Layer (SSL) cipher suites so that the FIPS-approved cipher suites appear at
the top of the list as the most preferred ciphers.
These system daemons start in FIPS-enabled
mode:
- bigd
- chmand
- devmgmtd
- fipscheck
- httpd
- mcpd
- named
- ntpd
- openssl
- raccoon
- sshd
- tamd
- tmm
In FIPS-enabled mode, the daemons use these ciphers:
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES128-SHA
- ECDHE-RSA-AES256-SHA
- ECDHE-RSA-AES128-SHA256
- ECDHE-RSA-AES256-SHA384
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-SHA
- ECDHE-ECDSA-AES256-SHA
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-ECDSA-AES256-SHA384
In the FIPS-enabled mode, the Client SSL and Server SSL
profiles continue to use the cipher keyword
DEFAULT
.The BIG-IP system has these two cipher string keywords:
- FIPS: This cipher string keyword selects only FIPS-compliant cipher suites.
- @FIPS: This keyword orders cipher suite preference to use FIPS-compliant cipher suites first.
To use only FIPS-compliant cipher suites, from advanced
configuration mode for the profile, change the cipher string from
DEFAULT
to FIPS
.To use only FIPS-compliant cipher suites and with the cipher
suites sorted from the most to the least recommended, from advanced
configuration mode for the profile, use the
FIPS:@FIPS
cipher string in the
profile.The FIPS cipher string loads the FIPS-compliant ciphers, and
the
@FIPS
action keyword reorders
the cipher suites to prefer the strongest FIPS-compliant ciphers first.