Manual Chapter : Platform FIPS Overview

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP APM

  • 17.0.0, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP LTM

  • 17.0.0, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP AFM

  • 17.0.0, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP DNS

  • 17.0.0, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP ASM

  • 17.0.0, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
Manual Chapter

Platform FIPS Overview

About the Platform FIPS installation kit

The Platform FIPS system includes the Full-Box FIPS add-on license, which includes tamper evidence seals that you must apply to the chassis for it to be FIPS-compliant. For more information, see the
F5 Platforms: FIPS Kit Installation
guide at
support.f5.com
.

Platform FIPS self-test requirement

The NIST 140-2 FIPS standards require that the system must pass a series of self tests during operation and at initial startup. If any of these self-tests fail, the BIG-IP system restarts and will not be able to boot into that volume at startup.
One of the self-tests that the system performs is a system integrity test. This test watches for unauthorized changes to the system. Making changes to the system using tmsh, the Configuration utility, and the F5 APIs does not cause this test to fail. Making any changes to the underlying operating system or any BIG-IP files directly, however, might cause the test to fail.
If the FIPS enabled BIG-IP system is downgraded to an earlier version or running
big3d_install
from a BIG-IP DNS configuration pointing to FIPS licensed BIG-IP LTM configuration, where BIG-IP DNS is running a higher software version than BIG-IP LTM, then the system fails during the boot-up process. The system integrity check reports a
libcrypto
validation error, and the system halts. To avoid this issue, delete the
/shared/bin/big3d
before downgrading the version.
If the system boots to a halted state, then refer the instructions in K25205233: BIG-IP System halted while booting. Halt at boot after FIPS Integrity Check Result FAIL, in addition to deleting

Platform FIPS best practices

F5 recommends these best practices for working with your Platform FIPS system:
Backup partitions
To recover from a self-test failure, F5 recommends that you have at least two volumes configured and set up with the software version that you are using on the BIG-IP system. If possible, you should avoid installing the Platform FIPS add-on license on the backup volume. This provides recovery options from a failed self-test.
The BIG-IP system should have multiple volumes set up from the factory, but the software versions installed might not support the Platform FIPS license. Be sure to verify the versions before placing the BIG-IP system into production use.
The
sys-eicheck
utility
Use the
sys-eicheck
utility to determine, without rebooting and locking the volume, if anything has happened that might cause the integrity test to fail. Run this utility before and after any administrative actions to identify anything that might cause a self-test failure by typing this command sequence on the command line:
/usr/libexec/sys-eicheck.py
.
FIPS compliant vCMP Guests
On certain BIG-IP platforms and VIPRION platforms that are licensed with the Platform FIPS add-on license, any vCMP guests are also considered vCMP compliant. Unless the platform is also an Embedded FIPS platform, no additional administration is needed. For more information, see the
About FIPS multi-tenancy for vCMP guests
section under
Hardware HSM Setup and Administration
.