https://community.netapp.com/t5/ONTAP-Discussions/ONTAP-9-3P15-Enabling-FIPS-Mode/m-p/153584#M34354 <P>Hi there!</P> <P>&nbsp;</P> <P>This page shows the output of "security config show" when FIPS is enabled -&nbsp;<A href="https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-950%2Fsecurity__config__show.html" target="_blank">https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-950%2Fsecurity__config__show.html</A></P> <P>&nbsp;</P> <P>Which includes the line you suspected it would show, as well as showing tls1.1 is enabled.</P> <P>&nbsp;</P> <PRE class="pre screen" space="preserve">ALL:!LOW:!aNULL:!EXP:!eNULL:!RC4</PRE> <P>&nbsp;Hope this helps!</P> Fri, 17 Jan 2020 02:42:30 GMT AlexDawson 2020-01-17T02:42:30Z https://community.netapp.com/t5/ONTAP-Discussions/ONTAP-9-3P15-Enabling-FIPS-Mode/m-p/153565#M34348 <P>Has anyone enabled FIPS mode? We have several FAS 8060 nodes in a cluster with ONTAP 9.3P15 and we are looking to enable FIPS mode.</P> <P>I am looking at this document:&nbsp;</P> <P><A href="https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-nmg%2FGUID-A799B86D-B1B5-4AB6-B610-D0651D7C1548.html" target="_blank">https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-nmg%2FGUID-A799B86D-B1B5-4AB6-B610-D0651D7C1548.html</A></P> <P>&nbsp;</P> <P>So if I run and reboot:</P> <P><SPAN style="background-color: #333333; color: #ffffff; font-family: Menlo, Monaco, Consolas, 'Courier New', monospace; font-size: 14.4px;">security config modify -interface SSL -is-fips-enabled true</SPAN></P> <P>&nbsp;</P> <P>Does the security config looks like this?</P> <DIV class="body taskbody"> <DIV id="GUID-A799B86D-B1B5-4AB6-B610-D0651D7C1548__GUID-03F8085D-6BC5-47E4-93BF-5BC30B222F4B" class="section context"> <UL id="GUID-A799B86D-B1B5-4AB6-B610-D0651D7C1548__UL_F20D03846B1044019CD848F51F3DC64E" class="ul"> <LI id="GUID-A799B86D-B1B5-4AB6-B610-D0651D7C1548__LI_B86EE41BF03A4E6CA46296A97083B73A" class="li">FIPS: <SPAN class="ph synph"><SPAN class="keyword kwd">on</SPAN></SPAN></LI> <LI id="GUID-A799B86D-B1B5-4AB6-B610-D0651D7C1548__LI_4001632DBEA04441809AF57B3571BC33" class="li"><SPAN class="div_linebreak"><KBD class="ph userinput">SSL protocol = {TLSv1.2}</KBD></SPAN></LI> <LI id="GUID-A799B86D-B1B5-4AB6-B610-D0651D7C1548__LI_5F06071593714E8FA3C0DD07B9D8F876" class="li"><SPAN class="div_linebreak"><KBD class="ph userinput"> SSL ciphers = {ALL:!LOW:!aNULL:!EXP:!eNULL:!RC4}</KBD></SPAN></LI> </UL> <P><SPAN class="div_linebreak">Any issue anyone experience?</SPAN></P> <P><SPAN class="div_linebreak">What if we need TLS v1.1?</SPAN></P> </DIV> </DIV> Thu, 16 Jan 2020 12:41:01 GMT https://community.netapp.com/t5/ONTAP-Discussions/ONTAP-9-3P15-Enabling-FIPS-Mode/m-p/153565#M34348 duanebachi 2020-01-16T12:41:01Z https://community.netapp.com/t5/ONTAP-Discussions/ONTAP-9-3P15-Enabling-FIPS-Mode/m-p/153584#M34354 <P>Hi there!</P> <P>&nbsp;</P> <P>This page shows the output of "security config show" when FIPS is enabled -&nbsp;<A href="https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-950%2Fsecurity__config__show.html" target="_blank">https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-950%2Fsecurity__config__show.html</A></P> <P>&nbsp;</P> <P>Which includes the line you suspected it would show, as well as showing tls1.1 is enabled.</P> <P>&nbsp;</P> <PRE class="pre screen" space="preserve">ALL:!LOW:!aNULL:!EXP:!eNULL:!RC4</PRE> <P>&nbsp;Hope this helps!</P> Fri, 17 Jan 2020 02:42:30 GMT https://community.netapp.com/t5/ONTAP-Discussions/ONTAP-9-3P15-Enabling-FIPS-Mode/m-p/153584#M34354 AlexDawson 2020-01-17T02:42:30Z https://community.netapp.com/t5/ONTAP-Discussions/ONTAP-9-3P15-Enabling-FIPS-Mode/m-p/153598#M34357 <P>Hi Alex,</P> <P>&nbsp;</P> <P>Thanks for your reply. That page you showed me is for 9.5 and also that is the default when FIPS is disabled. One of the things I need to know is that if I enable FIPS, does it only allow TLS1.2? Will it let me add TLS 1.1 or would that invalidate FIPS?</P> Fri, 17 Jan 2020 12:46:35 GMT https://community.netapp.com/t5/ONTAP-Discussions/ONTAP-9-3P15-Enabling-FIPS-Mode/m-p/153598#M34357 duanebachi 2020-01-17T12:46:35Z https://community.netapp.com/t5/ONTAP-Discussions/ONTAP-9-3P15-Enabling-FIPS-Mode/m-p/153687#M34390 <P>Hi there! The page for 9.3 is the same -&nbsp;<A href="https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-930%2Fsecurity__config__show.html" target="_blank" rel="noopener">https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-930%2Fsecurity__config__show.html&nbsp;</A>- which includes showing TLS 1.1 is enabled with FIPS mode on, so you won't need to change anything.</P> Wed, 22 Jan 2020 02:56:16 GMT https://community.netapp.com/t5/ONTAP-Discussions/ONTAP-9-3P15-Enabling-FIPS-Mode/m-p/153687#M34390 AlexDawson 2020-01-22T02:56:16Z https://community.netapp.com/t5/ONTAP-Discussions/ONTAP-9-3P15-Enabling-FIPS-Mode/m-p/460350#M44922 <P>This document states that for ONTAP versions prior to 9.11.1, if the FIPS 140-2 compliance mode is enabled, both TLSv1 and SSLv3 will be disabled, while only TLSv1.1 and TLSv1.2 will remain enabled. However, TLSv1.1 has been regarded as an insecure protocol</P><P><A href="https://docs.netapp.com/us-en/ontap-technical-reports/ontap-security-hardening/tls-ssl.html" target="_blank">FIPS mode and TLS and SSL management in ONTAP</A></P><P><A href="https://kb.netapp.com/on-prem/ontap/Ontap_OS/OS-KBs/How_to_harden_ONTAP_9_TLS_configuration" target="_blank">How to harden ONTAP 9 TLS configuration - NetApp Knowledge Base</A></P> Sun, 27 Apr 2025 09:05:54 GMT https://community.netapp.com/t5/ONTAP-Discussions/ONTAP-9-3P15-Enabling-FIPS-Mode/m-p/460350#M44922 liu 2025-04-27T09:05:54Z