When you enable the FIPS mode, any secure communication to or from the NSX Manager will use cryptographic algorithms and protocols that are allowed by the United States Federal Information Processing Standards (FIPS).

  • In a Cross-vCenter NSX environment, you should enable the FIPS mode on each NSX Manager separately.
  • If one of the NSX Managers is not configured for FIPS, you must still ensure that it uses a secure communication method which complies with the FIPS standards.
  • Both primary and secondary NSX Managers must be on the same TLS version for universal synchronization to work correctly.

Important: Changing FIPS mode reboots the NSX Manager virtual appliance.

Prerequisites

  • Verify that any partner solutions are FIPS mode certified. See the VMware Compatibility Guide at http://www.vmware.com/resources/compatibility/search.php?deviceCategory=security.
  • If you have upgraded from an earlier version of NSX, do not enable FIPS mode until the upgrade to NSX 6.3.0 is complete. See Understand FIPS Mode and NSX Upgrade in the NSX Upgrade Guide.
  • Verify that the NSX Manager is NSX 6.3.0 or later.
  • Verify that the NSX Controller cluster is NSX 6.3.0 or later.
  • Verify that all host clusters running NSX workloads are prepared with NSX 6.3.0 or later.
  • Verify that all NSX Edge appliances are version 6.3.0 or later, and that FIPS mode has been enabled on the required NSX Edge appliances. See Change FIPS Mode on NSX Edge.

Procedure

  1. Log in to the NSX Manager virtual appliance.
  2. Under Appliance Management, click Manage Appliance Settings.
  3. From the Settings panel, click General.
  4. Click Edit next to FIPS Mode and TLS settings.
    A warning message informs you that changing FIPS mode restarts the NSX Manager appliance automatically.
  5. To enable FIPS mode, select the Enable FIPS Mode check box.
  6. For Server and Client, select the check boxes for the required TLS protocol version.
    Note:
    • When FIPS mode is enabled, NSX Manager disables the TLS protocols that are not compliant with the FIPS standards.
    • In NSX 6.4.0 or later, TLS 1.0 is disabled by default.
      If you upgrade to NSX 6.4.0 or later, the TLS settings from before the upgrade remain unchanged.

  7. Click OK.
    The NSX Manager appliance reboots, and FIPS is enabled.
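After the appliance reboots, the practical check is to confirm that the NSX Manager's HTTPS endpoint really refuses the TLS versions you deselected in step 6, and, in a Cross-vCenter NSX environment, that the primary and secondary NSX Managers accept the same set of versions (the universal synchronization requirement above). The following script is an added example written for this page; it is not VMware code and does not use any NSX API. It pins a client handshake to one TLS version at a time using Python's standard `ssl` module, and the hostnames and the allowed-version policy are placeholders you would replace with your own. Certificate verification is switched off deliberately because the probe tests protocol acceptance, not server identity.

```python
"""Probe which TLS protocol versions an NSX Manager HTTPS endpoint accepts
and compare the result with the intended policy.

Added example for this page, not VMware code. Hostnames below are placeholders.
"""
import socket
import ssl

# Versions that the NSX Manager FIPS/TLS dialog lets you toggle (assumption:
# the 6.3/6.4 UI offers TLS 1.0, 1.1 and 1.2). Extend the dict to add TLS 1.3.
CANDIDATES = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def probe_version(host, version, port=443, timeout=5.0):
    """Return True if the server completes a handshake pinned to exactly
    `version`; False if the server refuses it, the connection fails, or the
    local OpenSSL build will not offer that version at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # protocol probe only, not an identity check
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return False                # client side cannot speak this version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        # Handshake rejected (expected for disabled versions), refused, timeout
        return False


def accepted_versions(host, port=443):
    """Set of version names from CANDIDATES that the server accepts."""
    return {name for name, ver in CANDIDATES.items()
            if probe_version(host, ver, port)}


def policy_findings(accepted, allowed):
    """Compare observed versions with the intended policy.
    Returns a sorted list of human-readable findings; empty means compliant."""
    findings = []
    for ver in sorted(accepted - allowed):
        findings.append(f"{ver} accepted but not allowed by policy")
    for ver in sorted(allowed - accepted):
        findings.append(f"{ver} allowed by policy but refused by server")
    return findings


def universal_sync_mismatch(primary_accepted, secondary_accepted):
    """Versions on which primary and secondary NSX Managers disagree.
    An empty set means they are on the same TLS versions."""
    return primary_accepted ^ secondary_accepted


if __name__ == "__main__":
    # Placeholder hostnames and policy; replace with your own managers and
    # the versions you left selected in the FIPS Mode and TLS settings dialog.
    policy = {"TLSv1.2"}
    managers = ["nsxmgr-primary.example.invalid",
                "nsxmgr-secondary.example.invalid"]
    observed = {}
    for host in managers:
        observed[host] = accepted_versions(host)
        print(host, "accepts", sorted(observed[host]) or "nothing probed")
        for finding in policy_findings(observed[host], policy):
            print("  FINDING:", finding)
    diff = universal_sync_mismatch(observed[managers[0]], observed[managers[1]])
    print("Primary/secondary TLS mismatch:", sorted(diff) or "none")
```

Run it once against each NSX Manager after the reboot; an empty findings list and an empty mismatch set are the expected result. A `TLSv1.0 accepted but not allowed by policy` finding after enabling FIPS mode means the setting did not take effect and the dialog should be rechecked.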