Fabric OS Administrator’s Guide 529
53-1002446-01
Preparing the switch for FIPS
ipfilter --addrule policyname -rule rule_number -sip source_IP -dp dest_port -proto protocol -act deny
• The -sip option can be given as any.
• The -dp option for the port numbers for Telnet, HTTP, and RPC are 23, 80, and 898, respectively.
• The -proto option should be set to tcp.
c. Activate each IP Filter policy. Refer to “Activating an IP Filter policy” on page 154.
d. Save each IP Filter policy. Refer to “Saving an IP Filter policy” on page 154.
Example
ipfilter --create http_block_v4 -type ipv4
ipfilter --addrule http_block_v4 -rule 1 -sip any -dp 80 -proto tcp -act deny
ipfilter --activate http_block_v4
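The rule set above blocks only HTTP; the step calls for Telnet (23), HTTP (80), and RPC (898) to be denied in every IP Filter policy. The following is an added example, not part of the guide and not Brocade code: it generates the create/addrule/activate lines for one policy from the syntax shown on this page, and audits an existing command script to report which of the three services still lacks a `-sip any -proto tcp -act deny` rule. The policy name `fips_block_v4` is an assumed example name; saving the policy is the separate step referenced on page 154 and is not emitted here.

```python
"""Generate and audit Fabric OS IP Filter deny rules for the FIPS preparation step.

Added example (not Brocade code). It assumes only the ipfilter syntax shown on
this page: "ipfilter --create NAME -type ipv4|ipv6" and
"ipfilter --addrule NAME -rule N -sip any -dp PORT -proto tcp -act deny".
"""
import re

# Services the FIPS preparation step requires to be blocked, by TCP port.
REQUIRED_BLOCKS = {"telnet": 23, "http": 80, "rpc": 898}

# Parses one --addrule line in the form used on this page.
ADDRULE_RE = re.compile(
    r"ipfilter\s+--addrule\s+(?P<policy>\S+)\s+-rule\s+(?P<rule>\d+)"
    r"\s+-sip\s+(?P<sip>\S+)\s+-dp\s+(?P<dp>\d+)"
    r"\s+-proto\s+(?P<proto>\S+)\s+-act\s+(?P<act>\S+)"
)


def build_policy_commands(policy, family):
    """Return the create, addrule and activate lines for one address family.

    Rules are numbered in ascending port order (23, 80, 898)."""
    if family not in ("ipv4", "ipv6"):
        raise ValueError("family must be ipv4 or ipv6")
    lines = [f"ipfilter --create {policy} -type {family}"]
    ports = sorted(REQUIRED_BLOCKS.values())
    for rule_number, port in enumerate(ports, start=1):
        lines.append(
            f"ipfilter --addrule {policy} -rule {rule_number} "
            f"-sip any -dp {port} -proto tcp -act deny"
        )
    lines.append(f"ipfilter --activate {policy}")
    return lines


def missing_blocks(command_lines):
    """Return the services (sorted by name) that have no 'sip any / tcp / deny'
    rule among the given command lines; an empty list means the policy script
    covers every port the FIPS step requires."""
    covered_ports = set()
    for line in command_lines:
        match = ADDRULE_RE.search(line)
        if match is None:
            continue  # not an --addrule line (create, activate, comments, ...)
        if match["sip"] == "any" and match["proto"] == "tcp" and match["act"] == "deny":
            covered_ports.add(int(match["dp"]))
    return sorted(svc for svc, port in REQUIRED_BLOCKS.items() if port not in covered_ports)


if __name__ == "__main__":
    for cmd in build_policy_commands("fips_block_v4", "ipv4"):  # assumed policy name
        print(cmd)
```

Running `missing_blocks` over the guide's own three-line example reports `['rpc', 'telnet']`, i.e. the two services that example does not yet deny.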
7. Use the snmpConfig --set seclevel command to turn on SNMP security. When prompted to
Select SNMP SET Security Level, enter 3, for no access.
Example
switch:FID128:admin> snmpconfig --set seclevel
Select SNMP GET Security Level
(0 = No security, 1 = Authentication only, 2 = Authentication and Privacy, 3 = No Access): (0..3) [0]
Select SNMP SET Security Level
(0 = No security, 1 = Authentication only, 2 = Authentication and Privacy, 3 = No Access): (0..3) [0] 3
8. Enter the fipsCfg --disable bootprom command to block access to the boot PROM.
This command can be entered only from the root account. It must be entered before disabling
the root account.
9. Enter the configure command and respond to the following prompts to enable signed firmware:
• System services: No
• cfgload attributes: Yes
• Enforce secure config Upload/Download: Press Enter to accept the default
• Enforce firmware signature validation: Yes
Example
switch:admin> configure
Not all options will be available on an enabled switch.
To disable the switch, use the "switchDisable" command.
Configure...
System services (yes, y, no, n): [no]
…
cfgload attributes (yes, y, no, n): [no] yes
Enforce secure config Upload/Download (yes, y, no, n): [no]
Enforce firmware signature validation (yes, y, no, n): [no] yes
10. Enter the userConfig --change root -e no command to block access to the root account.
By disabling the root account, RADIUS and LDAP users with root permissions are also blocked
in FIPS mode.