Last Modified: Nov 22, 2021
Affected Product(s): BIG-IP All
Fixed In: 13.0.0
Opened: Jun 25, 2015
Severity: 3-Major
Related Article: K06270324
On BIG-IP 5250, 7200F, 10200F, and 11050F platforms running the Cavium Nitrox XL FIPS cards, the FIPS firmware version 2.1 has been moved to the Legacy list by NIST as the RNG function does not meet modern-day FIPS standards. For more information, see the external resource, available here: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm.
All platforms shipped prior to June 30th, 2016, contain an older firmware version and must be updated to run the NIST-approved version. To comply with current NIST requirements, the new firmware has deprecated support for 1024-bit key creation. Existing 1024-bit keys in the device can still be used normally.
This impacts BIG-IP 5250, 7200F, 10200F, and 11050F FIPS platforms running FIPS firmware 2.1 or earlier. You can tell what firmware you have installed by running the following command at the command line:

fipsutil info

The firmware version listed should be the following: CN16XX-NFBE-FW-2.2-130013.
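The firmware check described above can be scripted for a fleet audit over saved `fipsutil info` output. This is an added example, not F5 code. It assumes only that the firmware string has the form CN16XX-NFBE-FW-<major>.<minor>-<build>, as in the version quoted on this page. The function names, the sample lines, and the 2.1 build number are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify FIPS card firmware from saved `fipsutil info` output.
# Assumption: the firmware string looks like CN16XX-NFBE-FW-<major>.<minor>-<build>,
# matching the version quoted on the page. The layout of the surrounding
# output is not assumed, so the string is searched for anywhere in the text.

REQUIRED_MAJOR=2
REQUIRED_MINOR=2

# Print the first firmware string found on stdin, or nothing if none is present.
extract_fw() {
    grep -Eo 'CN16XX-NFBE-FW-[0-9]+\.[0-9]+-[0-9]+' | head -n 1 || true
}

# Read text on stdin and echo one of: ok, needs-update, unknown.
check_fw() {
    fw=$(extract_fw)
    if [ -z "$fw" ]; then
        echo "unknown"            # no firmware string: treat as unverified
        return 0
    fi
    ver=${fw#CN16XX-NFBE-FW-}     # strip prefix, e.g. 2.2-130013
    ver=${ver%%-*}                # strip build,  e.g. 2.2
    major=${ver%%.*}
    minor=${ver#*.}
    if [ "$major" -gt "$REQUIRED_MAJOR" ] ||
       { [ "$major" -eq "$REQUIRED_MAJOR" ] && [ "$minor" -ge "$REQUIRED_MINOR" ]; }; then
        echo "ok"
    else
        echo "needs-update"       # firmware 2.1 or earlier
    fi
}

# Constructed sample inputs (not real fipsutil output; the "Firmware:" label
# and the 2.1 build number are placeholders).
SAMPLE_NEW='Firmware: CN16XX-NFBE-FW-2.2-130013'
SAMPLE_OLD='Firmware: CN16XX-NFBE-FW-2.1-000000'

printf '%s\n' "$SAMPLE_NEW" | check_fw
printf '%s\n' "$SAMPLE_OLD" | check_fw
printf 'no firmware line here\n' | check_fw
```

On a device, pipe the live output in with `fipsutil info | check_fw`; an `unknown` result means the expected string was not found and the unit should be checked by hand.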
F5 Networks has released a firmware installer that you can download and apply to platforms running FIPS firmware 2.1 or earlier. For more information about FIPS compliance, see K7837: Overview of FIPS 140-2 EAL Level 2 and 3 RoHS Certification Status, available here: https://support.f5.com/csp/article/K7837.
FIPS firmware v2.2 update on BIG-IP 5250, 7200F, 10200F, and 11050F platforms running the Cavium Nitrox XL FIPS cards.