Ad slot: top
GoSplunk SPL + dashboard repository
Log in Register

Learn

Splunk FIPS Compatibility Guide

FIPS compliance is a deployment constraint, not a feature toggle. This guide explains what FIPS mode means for Splunk, which operating systems are supported, and how the 140 2 to 140 3 transition impacts Splunk 9.x and 10.x. It also includes OS specific steps for RHEL, Ubuntu, and Windows.

TL;DR

  1. Enable FIPS at the OS before installing Splunk
  2. All nodes must use TLS 1.2 or newer
  3. Splunk 10 supports FIPS 140-2 and 140-3

What FIPS means for Splunk

FIPS mode requires validated cryptographic modules and disallows weak algorithms. It’s not enough to flip a Splunk setting — the OS must be in FIPS mode, and apps must avoid unsupported crypto (for example MD5 or RC4). Splunk requires TLS 1.2 and newer between all nodes.

Important: Splunk FIPS must be enabled before the first start. If Splunk was installed without FIPS, you cannot enable it later without reinstalling on a FIPS-enabled OS.

Do you need FIPS?

  1. Policy required? If yes, proceed. If not, avoid FIPS unless mandated.
  2. Apps vetted? FIPS can break apps with legacy crypto dependencies.
  3. All nodes TLS 1.2 or newer? Fix transport first if not.

Supported operating systems in FIPS mode

Splunk Enterprise FIPS mode requires x86_64 and an OS that supports FIPS mode. Splunk’s 10.0 FIPS list includes Windows 10/11, Windows Server 2019/2022, Ubuntu 20.04/22.04, RHEL 8/9, and CentOS 8.

Always verify the exact minor OS version against the official Splunk system requirements before upgrading or enabling FIPS.

Enable FIPS by OS

Enable OS-level FIPS before installing or reinstalling Splunk. These are the standard steps used in most environments.

RHEL 8/9

# Enable FIPS
sudo fips-mode-setup --enable
sudo reboot

# Verify
sudo fips-mode-setup --check

RHEL recommends enabling FIPS during installation where possible.

Ubuntu 20.04 / 22.04 (Pro)

sudo apt update
sudo apt install ubuntu-advantage-tools
sudo pro attach <token>
sudo pro enable fips-updates
sudo reboot

# Verify
cat /proc/sys/crypto/fips_enabled

Ubuntu FIPS requires Ubuntu Pro and a reboot into the FIPS kernel.

Windows 10/11 / Server 2019/2022

gpedit.msc
Computer Configuration > Windows Settings > Security Settings
Local Policies > Security Options
System cryptography: Use FIPS compliant algorithms
Set to Enabled, then reboot

Often set via Group Policy in domain environments.

What changes in Splunk 10.0

Splunk 10 introduces dual FIPS mode. Both a 140 2 module and a 140 3 module are available, so you can upgrade to 10.x while remaining in 140 2 and then switch to 140 3 later.

Splunk 10 moves to OpenSSL 3.0 and Python 3.9, both relevant to app compatibility.

Splunk 10 FIPS upgrades require AVX-capable CPUs and KV Store on MongoDB 4.2+.

Deadlines and timelines

NIST deprecates FIPS 140 2 in September 2026. Splunk’s guidance notes that the FIPS 140 2 certification for Splunk versions below 10 is valid until March 8, 2026, and the 140 2 certification for Splunk 10 is valid until September 21, 2026.

Practical takeaway: if you run 9.x in FIPS mode, plan a 10.x upgrade and 140 3 migration before the 2026 deadlines.

Preflight checklist for FIPS deployments

  1. Confirm the OS is in FIPS mode and on the supported Splunk 10.0 FIPS OS list.
  2. Ensure all nodes use TLS 1.2 or newer for intra cluster communication.
  3. Audit apps and add ons for FIPS certification and crypto dependencies.
  4. Plan for OpenSSL 3.0 and Python 3.9 changes in Splunk 10.
  5. Ensure KV Store is on MongoDB 4.2 or newer and CPUs support AVX.
  6. Enable FIPS during install only. Reinstall is required if missed.
  7. Complete Phase 1 upgrade to 10.x before Phase 2 switch to 140 3.

Role and cluster order

FIPS applies to all roles. That includes search heads, indexers, forwarders, the deployment server, and the cluster manager. For clustered upgrades, follow Splunk’s rolling upgrade order and maintenance mode guidance.

Ad slot: bottom