Configuration changes in FIPS mode
When the system enters FIPS mode, the following changes occur:
The user login authentication mode can only be scheme (AAA authentication); the none and password modes are not available.
The FTP/TFTP server and client are disabled.
The Telnet server and client are disabled.
The HTTP server is disabled.
SNMPv1 and SNMPv2c are disabled. Only SNMPv3 is available.
The SSL server only supports TLS 1.0, TLS 1.1, and TLS 1.2 (SSL 3.0 and earlier versions are not available).
The SSH server does not support SSHv1 clients or DSA key pairs.
The generated RSA and DSA key pairs must have a modulus length of 2048 bits.
When the device acts as a server and authenticates a client by public key, the client's RSA key pair must also have a modulus length of 2048 bits.
The generated ECDSA key pairs must have a key length (curve size) of more than 256 bits.
When the device acts as a server and authenticates a client by public key, the client's ECDSA key pair must also have a key length of more than 256 bits.
SSH, SNMPv3, IPsec, and SSL do not support the DES, 3DES, or RC4 ciphers or the MD5 hash algorithm.
The password control function cannot be disabled globally. The undo password-control enable command does not take effect.
The following keys must contain at least 15 characters and all four character types (uppercase letters, lowercase letters, digits, and special characters):
    AAA server's shared key.
    IKE pre-shared key.
    SNMPv3 authentication key.
The password of a device management local user and the password for switching user roles are governed by the password control policies. By default, these passwords must contain at least 15 characters and all four character types (uppercase letters, lowercase letters, digits, and special characters).
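The two checks a practitioner most often wants before turning FIPS mode on are whether an existing shared key or pre-shared key meets the 15-character, four-type requirement, and whether the client public keys already configured for SSH authentication meet the key-type and key-length rules above. The script below is an added example, not the device vendor's code. It parses OpenSSH-style one-line public keys (ssh-rsa, ssh-dss, ecdsa-sha2-nistp*) with the standard library only, so it runs offline; the sample keys are constructed inline with the right sizes and are not real keys, and the definition of "special character" as any printable ASCII character that is not a letter or digit is an assumption.

```python
import base64
import string
import struct

# Requirements as stated on the page (FIPS mode).
MIN_SECRET_LEN = 15          # shared keys, pre-shared keys, SNMPv3 keys, local-user passwords
RSA_BITS = 2048              # page: RSA client key pair modulus must be 2048 bits
ECDSA_MIN_BITS_EXCLUSIVE = 256   # page: ECDSA key length must be "more than 256 bits"

# Assumption: "special character" means a printable ASCII non-alphanumeric character.
SPECIAL = set(string.punctuation)


def check_secret(secret):
    """Return (ok, problems) for a shared key / pre-shared key / password."""
    problems = []
    if len(secret) < MIN_SECRET_LEN:
        problems.append(f"length {len(secret)} < {MIN_SECRET_LEN}")
    classes = {
        "uppercase letter": any(c.isascii() and c.isupper() for c in secret),
        "lowercase letter": any(c.isascii() and c.islower() for c in secret),
        "digit": any(c.isascii() and c.isdigit() for c in secret),
        "special character": any(c in SPECIAL for c in secret),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"missing {name}")
    return (not problems, problems)


def _read_string(blob, off):
    """Read one SSH length-prefixed string field; return (bytes, new_offset)."""
    (n,) = struct.unpack_from(">I", blob, off)
    off += 4
    return blob[off:off + n], off + n


def ssh_pubkey_info(line):
    """Return (key_type, bits) for a one-line OpenSSH public key."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(parts[1])
    ktype, off = _read_string(blob, 0)
    ktype = ktype.decode("ascii")
    if ktype != parts[0]:
        raise ValueError("key type in blob does not match the line prefix")
    if ktype == "ssh-rsa":
        _, off = _read_string(blob, off)          # public exponent e
        n, _ = _read_string(blob, off)            # modulus n (mpint)
        return ktype, int.from_bytes(n, "big").bit_length()
    if ktype == "ssh-dss":
        p, _ = _read_string(blob, off)            # DSA prime p is the "modulus"
        return ktype, int.from_bytes(p, "big").bit_length()
    if ktype.startswith("ecdsa-sha2-"):
        curve, _ = _read_string(blob, off)        # curve name, e.g. nistp384
        bits = {"nistp256": 256, "nistp384": 384, "nistp521": 521}[curve.decode("ascii")]
        return ktype, bits
    raise ValueError(f"unsupported key type {ktype}")


def fips_accepts_client_key(line):
    """Apply the page's SSH client public-key rules; return (accepted, reason)."""
    ktype, bits = ssh_pubkey_info(line)
    if ktype == "ssh-dss":
        return False, "DSA key pairs are not supported by the SSH server in FIPS mode"
    if ktype == "ssh-rsa":
        ok = bits == RSA_BITS
        return ok, f"RSA modulus is {bits} bits, required {RSA_BITS}"
    ok = bits > ECDSA_MIN_BITS_EXCLUSIVE
    return ok, f"ECDSA key length is {bits} bits, required more than {ECDSA_MIN_BITS_EXCLUSIVE}"


# ---- constructed sample keys (correct sizes and encoding, not usable key material) ----
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(i):
    # mpint: big-endian two's complement; extra leading zero byte keeps it positive.
    return i.to_bytes((i.bit_length() + 8) // 8, "big")


def _line(ktype, fields):
    blob = _ssh_string(ktype.encode()) + b"".join(_ssh_string(f) for f in fields)
    return f"{ktype} {base64.b64encode(blob).decode()} constructed@example"


SAMPLE_RSA_2048 = _line("ssh-rsa", [_mpint(65537), _mpint((1 << 2047) | 1)])
SAMPLE_RSA_1024 = _line("ssh-rsa", [_mpint(65537), _mpint((1 << 1023) | 1)])
SAMPLE_DSA_2048 = _line("ssh-dss", [_mpint((1 << 2047) | 1), _mpint(7), _mpint(2), _mpint(5)])
SAMPLE_ECDSA_384 = _line("ecdsa-sha2-nistp384", [b"nistp384", b"\x04" + b"\x00" * 96])

if __name__ == "__main__":
    for s in ("Fips-Mode!Key2024x", "fipsmodekey2024x!", "Ab1!Ab1!"):
        print(repr(s), check_secret(s))
    for k in (SAMPLE_RSA_2048, SAMPLE_RSA_1024, SAMPLE_DSA_2048, SAMPLE_ECDSA_384):
        print(k.split()[0], fips_accepts_client_key(k))
```

To audit real keys, feed each line of the users' authorized public keys to fips_accepts_client_key and rotate every key it rejects before enabling FIPS mode; the RSA check is deliberately an exact 2048-bit match because the page lists no other accepted length.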