F5 LTM VE - FIPS level 1

Updated 12/6/2012 • Originally posted on 06-Dec-2012 by MW 101

Can anyone advise if it is possible to achieve FIPS level 1 compliance (or above) when using the LTM VE product?


We have had a request come in from a client that they would like us to become FIPS compliant; however, in our long-term design we were moving to use F5 VE (for our LTM/GTM deployments). I realise there is the HSM for the higher devices (BIG-IP 6400 to 11050) to achieve FIPS L2/L3, and that it is possible to set up the supported ciphers when doing SSL decryption for a web site so that it just supports the FIPS-approved range.

I am just wondering if it is at all possible to achieve level 1 FIPS compliance on devices that do not support the HSM?


Thanks in advance


Updated 06-Dec-2012 • Originally posted on 06-Dec-2012 by hoolio 2066
Hi MW,

Can you contact your local F5 or partner SE to get info on our plans for this?

Thanks, Aaron
Updated 07-Dec-2012 • Originally posted on 07-Dec-2012 by MW 101
Thanks Aaron - I'll reach out and see if I can find out. I guess if not I could possibly explore the option of using ESX servers with hardware-based encrypted drives to hold the virtual F5s. This said, I am far from knowledgeable on FIPS, so I am only presuming this would achieve the same as the HSM.

Updated 11-Dec-2012 • Originally posted on 11-Dec-2012 by MW 101
Unfortunately my reseller and a different area F5 rep have drawn a blank on any word on future plans, which does pose quite a big issue for me/my company - if anyone from F5 happens to see this post and can offer any better news, please advise!

Re-reading what the HSM does, I am presuming it does more than securely store the key (the F5 calls it via APIs), so my initial thought that I could achieve FIPS level by running an F5 LTM VE on an ESX server that is using FIPS-certified hardware-based encrypted drives I presume is wrong.

I presume that my only option to run a VE in FIPS mode is (per
The Thales nShield™ HSM is a network-attached HSM (netHSM™) that is available for use with BIG-IP® systems. Because it is software-based rather than hardware-based, you can use the netHSM FIPS solution with all BIG-IP platforms, including VIPRION® Series chassis. You can also use the netHSM solution with BIG-IP Virtual Edition (VE).

Unfortunately this means in many ways I lose the benefit of going virtual, as I will need to replace the physical LTM with a physical stand-alone HSM.

Comment made 27-Sep-2014 by Eduardo N. 3

This is not true: the Thales HSM is networked and can be configured to work with VE LTMs. It can actually be clustered for HA and be shared among passive and active nodes alike.

Comment made 28-Sep-2014 by MW 101

Eduardo - I am not following your comment. I stated I could use the Thales with the VE; however, I lose the benefit of the load balancing being all virtual (e.g. migration of the setup to a different geographical location solely by copying the VE over the network to a different site, etc.). Can you clarify your comment, or did you misunderstand something I stated originally?

Comment made 24-Nov-2014 by Andras Kis-Szabo 107

Dear Eduardo, In case of VE LTM cluster with nCipher Connect clusters: where should I put the RFS and how should I sync them with the HSMs, please? Thank you in advance, Best regards, Andras

