Accessing monitor mode from FIPS mode

Configuring a flexible FIPS policy with the fips policy allow monitor-full-access command allows access to the memory debug commands in monitor mode.

About this task

When the default FIPS policy is applied and the device is in strict FIPS mode, take the following steps to set a more flexible FIPS policy and allow access to debug commands.

Note

Making changes to the default FIPS policy on the device is not recommended and weakens the security of the device. Any modification of the default FIPS policy places the device in a state that is not in compliance with FIPS 140-2.

Procedure

  1. Use the fips zeroize all command to clear the critical security parameters (CSPs). The device zeroizes the CSPs based on the configured FIPS zeroization policy.
    device(config)# fips zeroize all
  2. Allow access to the restricted memory commands within monitor mode by using the fips policy allow monitor-full-access command.
    device(config)# fips policy allow monitor-full-access

    Syntax: fips policy allow monitor-full-access

What to do next

All commands in monitor mode, including the previously restricted memory access commands, are now available for use. Refer to Debugging in FIPS mode.

If you do not want to apply any FIPS policy other than the default but still need to enter monitor mode, disable FIPS mode on the device using the no fips enable command. Refer to Disabling FIPS mode.

Once FIPS is disabled, all monitor mode commands are available.
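Because either path leaves the device outside strict FIPS mode, an audit of recorded commands can flag it. The following is an added example, not part of the vendor documentation: a Python check that classifies a command list as strict, flexible or disabled and reports any policy change made without the zeroize step. The function name audit_fips, the input format (one command per line, optionally with a CLI prompt) and the sample text are assumptions.

```python
import re

PROMPT_RE = re.compile(r"^\S+[#>]\s*")            # strips e.g. "device(config)# "
ENABLE_RE = re.compile(r"^(no\s+)?fips\s+enable\b")
POLICY_RE = re.compile(r"^fips\s+policy\s+allow\s+(\S+)")
ZEROIZE_RE = re.compile(r"^fips\s+zeroize\s+all\b")


def audit_fips(command_text):
    """Classify FIPS state from a sequence of commands, in the order entered.

    Assumption: the input holds commands in the form this page shows
    (a CLI session log or a saved command list), one per line.
    """
    enabled, zeroized = False, False
    allowed, unzeroized = [], []
    for raw in command_text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        m = ENABLE_RE.match(line)
        if m:
            enabled = m.group(1) is None      # "no fips enable" disables FIPS
        elif ZEROIZE_RE.match(line):
            zeroized = True
        else:
            m = POLICY_RE.match(line)
            if m:
                allowed.append(m.group(1))
                if not zeroized:              # step 1 of the procedure was skipped
                    unzeroized.append(m.group(1))
    if not enabled:
        state = "disabled"
    else:
        # Any allowed policy means the default FIPS policy was modified.
        state = "flexible" if allowed else "strict"
    return {"state": state, "allowed": allowed,
            "changed_without_zeroize": unzeroized}


# Constructed sample input, not captured from a real device.
SAMPLE = """\
fips enable
fips zeroize all
fips policy allow monitor-full-access
"""

if __name__ == "__main__":
    print(audit_fips(SAMPLE))
```

A result of "flexible" or "disabled" marks a device that should be reviewed against the compliance note above.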