How do I enable or disable FIPS mode on the IPS/TPS device?

    • Updated: 23 Mar 2021
    • Product/Version:
      TippingPoint IPS N-series All
      TippingPoint IPS NX-series All
      TippingPoint IPS S-series All
      TippingPoint TPS All
      TippingPoint TX-Series All
Summary
Configuring FIPS mode on the IPS/TPS device is accomplished from the Security Management System (SMS) management interface. There is no equivalent FIPS configuration from the device Local Security Manager (LSM). Depending on the device management configuration, you can enable FIPS mode via the device CLI.

The Federal Information Processing Standard (FIPS) Publication 140-2, is a U.S. government computer security standard used to accredit cryptographic modules. The FIPS 140-2 publication coordinates requirements and standards for cryptography modules that include both hardware and software components. United States federal agencies and departments may require its software, including the SMS, to comply with the 140-2 standards.

Details
Operational Support:
TippingPoint devices support the following levels of FIPS 140-2 Level 1 operation.
Disabled
No FIPS-compliant actions or restrictions are active in the device.
Crypto Only
  1. Only the connection between the SSH client and the SMS server is affected by this mode.
  2. When a connection is made from an SSH client to the SMS server, the SSH client negotiates connections using only FIPS 140-2 approved algorithms.
  3. You must reboot the device for the system to operate in FIPS Cryptography mode.
Full-FIPS (certain models only)
Devices operate in a manner that is fully compliant with the FIPS 140-2 publication.
TippingPoint devices support FIPS 140-2 Level 1 as shown in the following table (X = supported):

Device                                       | Crypto-Mode | FIPS-Mode
---------------------------------------------|-------------|----------
10/110/330                                   | X           | X
660N, 1400N, 2500N, 5100N, 6100N             | X           | X
2600NX, 5200NX, 6200NX, 7100NX, 7500NX       | X           | X
Security Management System (SMS)             | X           | X
Virtual Security Management System (vSMS)    | X           |
Threat Protection System (TPS/vTPS)          |             | X

CAUTION: Transitioning a device to operate in FIPS mode implements changes to core elements. The transition:

  • Deletes all existing device users.
  • Removes all device snapshots stored on the device.
  • Regenerates SSH and HTTPS security keys.

Because security must be tightened while the device is operating in FIPS mode, the following restrictions are in effect:

  • Snapshots created on devices with FIPS mode enabled are not compatible with other devices that have FIPS mode disabled, or vice versa.
  • The SSH terminal will only negotiate connections utilizing FIPS 140-2 approved algorithms.
  • You cannot roll back to a previous TOS version if the device is currently in Full-FIPS mode and the previous TOS version was not.
  • The password recovery option is no longer available. In case of a password failure, a "Factory Reset" will have to be performed.
  • The user password security is restricted to a minimum level of 1.
  • Both RADIUS and TACACS+ authentication use protocols that are not FIPS-compliant. Do not enable FIPS mode if you have remote authentication configured.
  • Stand-alone devices in FIPS mode require manual installation of an authorized SSL key package that will enable TMC access. Each package is unique to each customer. SMS devices will automatically download the SSL key package, which can then be applied to any FIPS-supporting devices that are managed by the SMS.

Enable FIPS on an IPS device

Note: Before you can enable FIPS on a managed device, you must make sure that FIPS mode is disabled on the SMS. If the SMS does have FIPS mode enabled, enable FIPS on the device using the IPS CLI command fips-mode-enable.

  1. On the SMS, select Devices > All Devices > device, and then click Device Configuration.
  2. Select FIPS Settings.
  3. For FIPS Mode, select the Full radio button, and then click OK.
  4. Click Next when the Changing FIPS Mode wizard is displayed.
  5. Enter a username, enter and confirm your password, and then click Next.
  6. Review your choices and click Finish.
    1. If the SMS can communicate with the TMC, it will download and install the FIPS key package.
    2. If the SMS cannot communicate with the TMC, an error message instructs you to manually rekey the device:
  7. Close the message and download the FIPS key package from the TMC to your computer.
  8. After the device completes rebooting, navigate to System > Update > Install Package on the device LSM.
  9. In Step 4 of the Install Package page, browse to your FIPS key package and click Install Package.
    1. If you receive an error message, click OK, manually reboot the device, and repeat the previous two steps. The IPS should accept this second attempt to install the FIPS key package.

Verify that the device is in Full FIPS mode by doing any of the following:

  • Enter sh fips on the CLI, or from the SMS UI, select the Device Configuration for your device and view the FIPS Mode status under Management Services.
    • If you see a Socket Closed SMS error message when trying to add an IPS in FIPS mode, run the fips restore-ssl command from the IPS CLI.
    • After running this command, navigate to the System > Update > Install Package on the device LSM to reinstall the FIPS key package. This ensures that the IPS will use keys that meet FIPS strength requirements.


Enable FIPS on a TPS device

Note: When enabling FIPS mode on the device, review all the warning messages that display on the SMS.

  1. On the SMS, select Devices > All Devices > device, and then click Device Configuration.
  2. Select FIPS Settings.
  3. Select FIPS Mode Enabled.
  4. Click OK.
Category: Configure; Troubleshoot; Deploy
Solution Id: TP000286009