>
    Enable and Verify FIPS-CC Mode Using the macOS Property List
    Focus
    Download PDF
    Focus
    1. Home
    2. GlobalProtect
    3. Certifications
    4. Enable and Verify FIPS-CC Mode
    5. Enable and Verify FIPS-CC Mode Using the macOS Property List
    Download PDF
    GlobalProtect

    Enable and Verify FIPS-CC Mode Using the macOS Property List

    Table of Contents
    End-of-Life (EoL)

    Enable and Verify FIPS-CC Mode Using the macOS Property List

    Enable and verify FIPS-CC mode for GlobalProtect using the macOS property list.
    On macOS endpoints, use the following steps to enable and verify FIPS-CC mode for GlobalProtect™ using the macOS plist (property list):
    To enable FIPS-CC mode for GlobalProtect, your macOS endpoint must be FIPS 140-2 compliant. By default, FIPS mode for the macOS operating system is automatically enabled on endpoints running macOS 10.8 and later releases.
    1. Open the GlobalProtect plist file and locate the GlobalProtect customization settings.
      1. Launch a plist editor, such as Xcode.
      2. In the plist editor, open the following plist file: /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist.
      3. Locate the GlobalProtect Settings dictionary: /Palo Alto Networks/GlobalProtect/Settings.
        If the Settings dictionary does not exist, create it. You can add each key to the Settings dictionary as a string.
    2. Enable FIPS-CC mode for GlobalProtect.
      You cannot disable FIPS-CC after you enable it. To run GlobalProtect in non-FIPS-CC mode, end users must uninstall and then reinstall the GlobalProtect app. This clears all FIPS-CC mode settings from the macOS plist.
      In the Settings dictionary, add the following key-value pair to enable FIPS-CC mode:
      <key>enable-fips-cc-mode</key>
      <string>yes</string>
    3. Restart GlobalProtect.
      To enable the GlobalProtect app to initialize in FIPS-CC mode, you must restart GlobalProtect using one of the following methods:
      • Reboot your endpoint.
      • Restart the GlobalProtect application and GlobalProtect service (PanGPS):
        1. Launch the Finder.
        2. Open the Applications folder:
          • From the Finder sidebar, select Applications.
          • If you do not see Applications in the Finder sidebar, select GoApplications from the Finder menu bar.
            To display Applications in the Finder sidebar, select FinderPreferences from the Finder menu bar. From the Finder Preferences, select Sidebar and then enable the option to display Applications.
        3. Open the Utilities folder.
        4. Launch Terminal.
        5. Execute the following commands:
          username>$ launchctl unload -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist       
username>$ launchctl unload -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist
username>$ launchctl load -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist
username>$ launchctl load -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist
    4. Verify that FIPS-CC mode is enabled on your GlobalProtect app.
      1. Launch the GlobalProtect app.
      2. From the status panel, open the settings dialog (
        ).
      3. Select About.
      4. Verify that FIPS-CC mode is enabled. If FIPS-CC mode is enabled, the About dialog displays the FIPS-CC Mode Enabled status.

    © 2024 Palo Alto Networks, Inc. All rights reserved.