Configure Global FIPS Compliance Mode for Load Balancer

There is a global setting for FIPS compliance for load balancers. By default, the setting is turned off to improve performance.

Changing the global configuration for FIPS compliance for load balancers affects new load balancer instances, but does not affect any existing load balancer instances.

If the global setting for FIPS for load balancer (lb_fips_enabled) is set to true, new load balancer instances use modules that comply with FIPS 140-2. Existing load balancer instances might be using non-compliant modules.

To make the change take effect on existing load balancers, you must detach and reattach the load balancer from the tier-1 gateway.

You can check the global FIPS compliance status for load balancer using GET /policy/api/v1/compliance/status.

        ...
        {
            "non_compliance_code": 72024,
            "description": "Load balancer FIPS global setting is disabled.",
            "reported_by": {
                "target_id": "971ca477-df1a-4108-8187-7918c2f8c3ba",
                "target_display_name": "971ca477-df1a-4108-8187-7918c2f8c3ba",
                "target_type": "FipsGlobalConfig",
                "is_valid": true
            },
            "affected_resources": [
                {
                    "path": "/infra/lb-services/LB_Service",
                    "target_id": "/infra/lb-services/LB_Service",
                    "target_display_name": "LB_1",
                    "target_type": "LBService",
                    "is_valid": true
                }
            ]
        },
        ...

Note: The compliance report displays the global setting for FIPS compliance for load balancer. Any given load balancer instance can have a FIPS compliance status that is different from the global setting.

Procedure

Retrieve the global FIPS setting for load balancer.

GET https://nsx-mgr1/policy/api/v1/infra/global-config

Example response body:

{
    "fips": {
        "lb_fips_enabled": false
    },
    "resource_type": "GlobalConfig",
    "id": "global-config",
    "display_name": "global-config",
    "path": "/infra/global-config",
    "relative_path": "global-config",
    "marked_for_delete": false,
    "_create_user": "system",
    "_create_time": 1561225479619,
    "_last_modified_user": "admin",
    "_last_modified_time": 1561937915337,
    "_system_owned": true,
    "_protection": "NOT_PROTECTED",
    "_revision": 2
}

Change the global FIPS setting for load balancer.

The global setting is used when you create new load balancer instances. Changing the setting does not affect existing load balancer instances.

PUT https://nsx-mgr1/policy/api/v1/infra/global-config

Example request body:

{
    "fips": {
        "lb_fips_enabled": true
    },
    "resource_type": "GlobalConfig",
    "_revision": 2
}

Example response body:

{
    "fips": {
        "lb_fips_enabled": true
    },
    "resource_type": "GlobalConfig",
    "id": "global-config",
    "display_name": "global-config",
    "path": "/infra/global-config",
    "relative_path": "global-config",
    "marked_for_delete": false,
    "_create_user": "system",
    "_create_time": 1561225479619,
    "_last_modified_user": "admin",
    "_last_modified_time": 1561937960950,
    "_system_owned": true,
    "_protection": "NOT_PROTECTED",
    "_revision": 3
}

If you want any existing load balancer instances to use this global setting, you must detach and reattach the load balancer from the tier-1 gateway.

Caution: Detaching a load balancer from the tier-1 gateway results in a traffic interruption for the load balancer instance.
1. Navigate to Networking > Load Balancing.
2. On the load balancer you want to detach, click the three dots menu ( ), then click Edit.
3. Click , then click Save to detach the load balancer from the tier-1 gateway.
4. Click the three dots menu ( ), then click Edit.
5. Select the correct gateway from the Tier-1 Gateway drop-down menu, then click Save to reattach the load balancer to the tier-1 gateway.