Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Questions and Answers



F5 LTM VE - FIPS level 1


Can anyone advise if it is possible to achieve FIPS level 1 compliancy (or above) when using the LTM VE product ?


We have had a request come in from a client that they would like us to become FIPS compliant however our long term design we were moving to us F5 VE (for our LTM/GTM deployments). I realise there is the HSM for the higher devices BIG-IP 6400 to 11050 to achieve FIPS l2/l3, and that it is possible to set up the supported ciphers when doing SSL decryption for a web site so that it just supports the FIPS approved range.

I am just wondering if it is at all possible to achieve level 1 FIPS compliancy on devices that do not support the HSM?


thanks in avance


3 Answer(s):

Hi MW,

Can you contact your local F5 or partner SE to get info on our plans for this?

Thanks, Aaron
Thanks Aaron - I'll reach out and see if I can find out. I guess if not I could possibly explore the option of using ESX servers with hardware based encrypted drives to hold the virtual F5's. This said I am far from knowledgeable on FIPS so only presuming this would achieve the same as the HSM.

Unfortunately my reseller and a different area F5 rep has drawn a blank on any word on future plans which does pose quite a big issue for me/my company - if anyone for F5 happens to see this post and can offer any better news please advise!

Re-reading what the HSM does I am presuming it does more than securely store the key but the F5 calls via api's my initial thought that I could achieve FIPS level by running a F5 LTM VE on a ESX server that is using FIPS certified hardware based encrypted drives I presume is wrong.

I presume that my only option to run a VE in FIPS mode is (per http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-platform-fips-administration/1.html)
The Thales nShield™ HSM is a network-attached HSM (netHSM™) that is available for use with BIG-IP® systems. Because it is software-based rather than hardware-based, you can use the netHSM FIPS solution with all BIG-IP platforms, including VIPRION® Series chassis. You can also use the netHSM solution with BIG-IP Virtual Edition (VE).

Unfortunately this means in many ways I lose the benefit of going to a virtual as I will need to replace the physical LTM with a physical stand alone HSM.


This is not true, the Thales HSM is networked and can be configured to work on VE LTMs. It can actually be clustered for HA and be shared among passive and active nodes alike.

Eduardo - I am not following your comment. I stated I could use the Thales with the VE, however I lose the benefit of the load balancing being all virtual (e.g. migration of the setup to a different geographical location solely by copying the VE over the network to a different site etc. Can you clarify your comment, or did you mis-understand something I stated originally?

Dear Eduardo, In case of VE LTM cluster with nCipher Connect clusters: where should I put the RFS and how should I sync them with the HSMs, please? Thank you in advance, Best regards, Andras

Your answer: