Manual Chapter : Platform and VE FIPS Module and Upgrade Notes

Applies To:

  • BIG-IP APM

    17.1.0

  • BIG-IP LTM

    17.1.0

  • BIG-IP DNS

    17.1.0

  • BIG-IP ASM

    17.1.0

Platform and VE FIPS Module and Upgrade Notes

Only certain F5 modules are included in the FIPS validated F5 Device and F5 vCMP Cryptographic Modules. This means that only those F5 modules may be licensed and running for traffic to be processed as FIPS approved.

These F5 modules are included in the F5 Device and F5 vCMP Cryptographic Modules:

  • Local Traffic Manager (LTM)
  • Advanced Firewall Manager (AFM)

Before you install any software updates or hot fixes, verify the FIPS validation status of that version on the F5 Certifications page (www.f5.com/company/certifications). The system allows you to apply all updates, but if the version has not been validated, your device will no longer be considered FIPS validated.

If you want to maintain your F5 system’s FIPS device compliance with the National Institute of Standards and Technology (NIST) or want to ensure that the system’s FIPS protected internal hardware security module (HSM) is running the latest firmware version without updating the BIG-IP software, you can use the n3fips-firmware-upgrade utility provided by F5.

Important: The n3fips-firmware-upgrade utility is available only for supported platforms. For other platforms, see K26061560: Updating the firmware for a FIPS protected internal HSM.

Because the firmware upgrade process requires a system reboot, F5 recommends that you perform this upgrade only during a planned maintenance period. The upgrade does not affect your current HSM configuration.

These platforms support the use of the FIPS firmware upgrade utility (n3fips-firmware-upgrade).

Platform family    Model
BIG-IP             i5820-DF
BIG-IP             i7820-DF
BIG-IP             10350-F
BIG-IP             i15820-DF

Before you upgrade the firmware on your F5 FIPS platform with an embedded hardware HSM, you must meet these prerequisites:

You can download the n3fips-firmware-upgrade and n3fipsutil utilities from F5 to upgrade the firmware on your F5 FIPS system.

Important: If the FIPS card was re-initialized with a new or different password, n3fipsutil will return an error when performing a firmware upgrade, an export of FIPS keys, or a backup of FIPS keys. It is recommended that you check the security officer (SO) password health using the command n3fipsutil -passwordCheck before using the n3fipsutil utility.

  1. On your management workstation, log in to my.f5.com/manage/s/downloads.

  2. Read the End User License Agreement and Program Terms and select the check box.

    You must accept the license agreement and program terms before you can proceed.

  3. Click Next.

  4. Under Select a product family, select Hardware-Specific.

  5. Under Tell us more about your product, for Product Line, select FIPS_firmware_upgrade.

  6. For Product Version, select the version to download.

  7. Under Select a product container, select the software that you want to download.

  8. Under Select a download file, select n3fips-firmware-upgrade.

  9. For Download locations, select a download location.

  10. Click Download.

  11. Under Select a download file, select n3fipsutil.

  12. For Download locations, select a download location.

  13. Click Download.

  14. Download the corresponding checksum file and README files.

    The corresponding checksum file has the same name, except that .md5 is the file extension. After the download completes, verify the integrity of the file by checking the MD5 checksum.
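The integrity check in step 14, as an added example that is not F5's own code: it compares a downloaded utility against its sidecar .md5 file. It assumes the checksum file sits beside the download as <file>.md5 and holds either md5sum-style "<hash>  <name>" lines or a bare hex digest; both layouts are assumptions, not an F5 format guarantee.

```shell
#!/bin/sh
# Added example, not F5's own code: checks a downloaded utility against its
# sidecar .md5 file (step 14). Assumes the checksum file sits beside the
# download as <file>.md5 and holds either md5sum-style "<hash>  <name>"
# lines or a bare hex digest; both layouts are an assumption, not an F5 guarantee.

# md5_of FILE -> lowercase hex MD5 digest (md5sum, falling back to openssl).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# expected_md5 SUMFILE -> first 32-hex-char token in the checksum file, lowercased.
expected_md5() {
    tr 'A-F' 'a-f' < "$1" | grep -oE '[0-9a-f]{32}' | head -n 1
}

# verify_download FILE [SUMFILE] -> 0 if the digests match, 1 otherwise.
verify_download() {
    file="$1"; sums="${2:-$1.md5}"
    [ -f "$file" ] || { echo "missing download: $file" >&2; return 1; }
    [ -f "$sums" ] || { echo "missing checksum file: $sums" >&2; return 1; }
    want=$(expected_md5 "$sums")
    [ -n "$want" ] || { echo "no digest found in $sums" >&2; return 1; }
    have=$(md5_of "$file")
    if [ "$have" = "$want" ]; then
        echo "OK: $file $have"; return 0
    fi
    echo "MISMATCH: $file expected $want got $have" >&2
    return 1
}
```

The .md5 file travels over the same download channel as the utility, so a match detects a corrupted or truncated transfer rather than proving who produced the file.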

After you download the latest version of the upgrade utilities, you back up the FIPS key for the system.

Before you can back up the FIPS key for the BIG-IP system, you must use SCP to move the n3fipsutil file to a directory on the system, such as /shared/fw-upgrade.

You back up the FIPS key for the F5 system using the n3fipsutil utility.

Important: To back up a FIPS key on a vCMP system, log in to the vCMP guest and perform a backup. If there are multiple guests, perform a FIPS key backup from each guest running on the vCMP system.

  1. Connect to the system using the serial console or by opening an SSH session to the management IP address.

  2. Log in to the command line of the system using an account with admin access.

  3. Stop all services.

    tmsh stop sys service all

  4. Create an empty directory for the backup.

  5. Run the n3fipsutil utility.

    ./n3fipsutil -backup <directory-name> [ -n <partition-name> ]

    The [ -n partition-name ] option is optional and applicable only if the system uses custom partition names.

  6. Restart all services.

    tmsh start sys service all

  7. Use SCP to copy the entire backup directory, without modifying the contents of the directory, off site to a secure location.

    Important: The backup directory contains the encrypted FIPS keys and also contains okbk.key and pokbk.key, which are generated during the backup process. Be sure to protect these keys using your standard process for securing the confidentiality of HSM FIPS keys.
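The backup procedure above as a single wrapper, added here as an example and not F5's own code: it runs the SO password check the Important note recommends before touching the HSM, refuses a non-empty target directory, restarts services even when the backup fails, and confirms that okbk.key and pokbk.key exist before the directory is copied off site. It assumes n3fipsutil is run from its own directory (./n3fipsutil) and tmsh is on PATH; the N3FIPSUTIL and TMSH variables that override those paths are this example's own.

```shell
#!/bin/sh
# Added example, not F5's own code: runs the backup steps in order, checks the
# SO password first (per the Important note), restarts services even when the
# backup fails, and confirms okbk.key and pokbk.key exist before the directory
# is copied off-box. N3FIPSUTIL and TMSH override the command paths (assumption:
# defaults ./n3fipsutil and tmsh, i.e. run from the directory holding the utility).

# backup_is_complete DIR -> 0 if the key files generated during backup are present.
backup_is_complete() {
    for f in okbk.key pokbk.key; do
        [ -s "$1/$f" ] || { echo "backup incomplete: missing $1/$f" >&2; return 1; }
    done
    return 0
}

# fips_backup DIR [PARTITION] -> 0 on success, a distinct non-zero code per failed step.
fips_backup() {
    dir="$1"; part="$2"
    n3="${N3FIPSUTIL:-./n3fipsutil}"; tmsh="${TMSH:-tmsh}"
    # Step 4: n3fipsutil expects an empty directory; never overwrite an earlier backup.
    if [ -e "$dir" ] && [ -n "$(ls -A "$dir" 2>/dev/null)" ]; then
        echo "refusing to back up into non-empty directory $dir" >&2; return 2
    fi
    mkdir -p "$dir" || return 2
    # Confirm the SO password before touching the HSM, so a stale password fails early.
    "$n3" -passwordCheck || { echo "SO password check failed" >&2; return 3; }
    # Step 3: stop services.
    "$tmsh" stop sys service all || return 4
    # Step 5: run the backup; pass -n only when the system uses a custom partition name.
    if [ -n "$part" ]; then set -- -backup "$dir" -n "$part"; else set -- -backup "$dir"; fi
    if "$n3" "$@"; then rc=0; else rc=$?; fi
    # Step 6: restart services regardless of the backup outcome.
    "$tmsh" start sys service all || { echo "service restart failed" >&2; return 5; }
    [ "$rc" -eq 0 ] || { echo "n3fipsutil -backup failed (exit $rc)" >&2; return 6; }
    backup_is_complete "$dir"
}
```

Step 7 (copying the directory off site with SCP) is deliberately left to the operator, since the destination and credentials are site specific.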

After you have backed up the FIPS key and copied the backup to a secure location, you can upgrade the HSM firmware for the system.

Before you upgrade the firmware, you must use SCP to move the n3fips-firmware-upgrade file to a directory on the BIG-IP system, such as /shared/fw-upgrade.

Important: Be sure that you have also backed up the FIPS key.

You upgrade the firmware for the embedded HSM on a supported F5 system using the n3fips-firmware-upgrade utility.

  1. Connect to the system using the serial console or by opening an SSH session to the management IP address.

  2. Log in to the command line of the system using an account with admin access.

  3. Change to the directory where the utility is located.

    cd /shared/fw-upgrade

  4. Run the n3fips-firmware-upgrade utility.

    ./n3fips-firmware-upgrade

  5. Reboot the system to load the HSM with upgraded firmware.

    reboot

The embedded HSM in the system is now running the latest firmware.

In the event that you need to recover your system, you can restore a previously backed-up FIPS key and restore the BIG-IP configuration files.

Before you can restore a FIPS key for the BIG-IP system, you must use SCP to move the directory that you previously backed up to a directory on the system, such as /shared/fw-upgrade/backups.

If you ever need to restore a FIPS key, you can do this using the n3fipsutil utility after you have initialized the hardware security module (HSM). For more information on initializing the HSM, see the procedure for your platform model in the Embedded HSM initialization and synchronization overview section.

Important: FIPS key backup is not supported in vCMP mode.

  1. Connect to the system using the serial console or by opening an SSH session to the management IP address.

  2. Log in to the command line of the system using an account with admin access.

  3. Stop all services.

    tmsh stop sys service all

  4. Run the n3fipsutil utility.

    ./n3fipsutil -restore <dir-name> -host <management-ip-address> [ -n <partition-name> ]

    The [ -n partition-name ] option is optional and applicable only if the system uses custom partition names.

  5. Reset the FIPS login information.

    fipsutil loginreset -r

  6. Restart all services.

    tmsh start sys service all

After you have restored the FIPS key, you can also restore a backup UCS archive for the system, if needed. For more information, see K13132: Backing up and restoring BIG-IP configuration files with a UCS archive.