>
    Strata Copilot
    Enable and Verify FIPS-CC Mode
    Focus
    Download PDF
    Focus
    1. Home
    2. GlobalProtect
    3. GlobalProtect Administrator's Guide
    4. GlobalProtect FIPS-CC Certification
    5. Enable and Verify FIPS-CC Mode
    Download PDF
    GlobalProtect

    Enable and Verify FIPS-CC Mode

    Table of Contents

    Enable and Verify FIPS-CC Mode

    Enable FIPS-CC mode for the GlobalProtect app on devices running Windows, macOS, iOS, Android,and Linux.
    Where Can I Use This?What Do I Need?
    NGFW (managed by Panorama)
    • GlobalProtect™ Subscription License
    • PAN-OS 8.1 or a later PAN-OS version.
    • GlobalProtect app 6.0.7 or a later 6.0.x version. For iOS and Android, GlobalProtect for Governments app 6.0.7 or a later GlobalProtect for Governments app 6.0.x version.
    • FIPS-CC Mode for GlobalProtect on Windows and macOS, ARM-based devices running on Windows and macOS, iOS, Android, and Linux.
    You can enable and verify FIPS-CC mode for the GlobalProtect app:
    • On Windows Endpoints
    • On macOS Endpoints
    • Using Workspace ONE on iOS Endpoints
    • On Linux EndPoints with Ubuntu or RHEL
    • Using Microsoft Intune on Android Endpoints
    The GlobalProtect app -FIPS-CC mode is supported on x86 and ARM-based platforms.
    We recommend that you enable FIPS-CC mode on the GlobalProtect portal/gateway to efficiently operate FIPS-CC mode on endpoints.
    To modify the Windows Registry or macOS plist, you must have an administrator account in Windows or macOS.

    Enable and Verify FIPS-CC Mode on Windows Endpoints

    Enable and verify FIPS-CC mode for GlobalProtect using the Windows Registry.
    Where Can I Use This?What Do I Need?
    NGFW (managed by Panorama)
    • GlobalProtect™ Subscription License
    • PAN-OS 8.1 or a later PAN-OS version.
    • GlobalProtect app 6.0.7 or a later 6.0.x version.
    • FIPS-CC Mode for GlobalProtect on Windows and ARM-based devices running on Windows.
    On Windows endpoints, use the following steps to enable and verify FIPS-CC mode for GlobalProtect™ using the Windows Registry:
    1. Enable FIPS mode for the Windows operating system.
      To enable FIPS-CC mode for GlobalProtect, you must first enable FIPS-CC mode for the Windows operating system.
      1. Launch the Command Prompt.
      2. Enter regedit to open the Windows Registry.
      3. In the Windows Registry, go to: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\.
      4. Right-click the Enabled registry value and Modify it.
      5. To enable FIPS mode, set the Value Data to 1. The default value of 0 indicates that FIPS mode is disabled.
      6. Click OK.
      7. Restart your endpoint.
    2. Enable FIPS-CC mode for GlobalProtect.
      You cannot disable FIPS-CC mode after you enable it. To run GlobalProtect in non-FIPS-CC mode, end users must uninstall and then reinstall the GlobalProtect app. This clears all FIPS-CC mode settings from the Windows Registry.
      1. Launch the Command Prompt.
      2. Enter regedit to open the Windows Registry.
      3. In the Windows Registry, go to: HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\.
      4. Click Edit and then select NewString Value.
      5. When prompted, specify the Name of the new registry value as enable-fips-cc-mode.
      6. Right-click the new registry value and Modify it.
      7. To enable FIPS-CC mode, set the Value Data to yes.
      8. Click OK.
    3. Restart GlobalProtect.
      To enable the GlobalProtect app to initialize in FIPS-CC mode, you must restart GlobalProtect using one of the following methods:
      • Reboot your endpoint.
      • Restart the GlobalProtect application and GlobalProtect service (PanGPS):
        1. Launch the Command Prompt.
        2. Enter services.msc to open the Windows Services manager.
        3. From the Services list, select PanGPS.
        4. Restart the service.
    4. Alternatively, you can enable FIPS-CC mode using the following msiexec syntax through the Microsoft Windows Installer (Msiexec): msiexec /i GlobalProtect64.msi ENABLEFIPSCCMODE=YES
    5. Verify that FIPS-CC mode is enabled on the GlobalProtect app.
      1. Launch the GlobalProtect app.
      2. From the status panel, open the settings dialog (
        ).
      3. Select About.
      4. Verify that FIPS-CC mode is enabled. If FIPS-CC mode is enabled, the About dialog displays the FIPS-CC Mode Enabled status.

    Enable and Verify FIPS-CC Mode on macOS Endpoints

    Enable and verify FIPS-CC mode for GlobalProtect using the macOS property list.
    Where Can I Use This?What Do I Need?
    NGFW (managed by Panorama)
    • GlobalProtect™ Subscription License
    • PAN-OS 8.1 or a later PAN-OS version.
    • GlobalProtect app 6.0.7 or a later 6.0.x version.
    • FIPS-CC Mode for GlobalProtect on macOS and ARM-based devices running on macOS.
    On macOS endpoints, use the following steps to enable and verify FIPS-CC mode for GlobalProtect™ using the macOS plist (property list):
    To enable FIPS-CC mode for GlobalProtect, your must first enable FIPS-CC mode for macOS operating system. By default, FIPS mode for the macOS operating system is automatically enabled on endpoints running macOS 10.8 and later releases.
    1. Open the GlobalProtect plist file and locate the GlobalProtect customization settings.
      1. Launch a plist editor, such as Xcode.
      2. In the plist editor, open the following plist file: /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist.
      3. Locate the GlobalProtect Settings dictionary: /Palo Alto Networks/GlobalProtect/Settings.
        If the Settings dictionary does not exist, create it. You can add each key to the Settings dictionary as a string.
    2. Enable FIPS-CC mode for GlobalProtect.
      You cannot disable FIPS-CC after you enable it. To run GlobalProtect in non-FIPS-CC mode, end users must uninstall and then reinstall the GlobalProtect app. This clears all FIPS-CC mode settings from the macOS plist.
      In the Settings dictionary, add the following key-value pair to enable FIPS-CC mode:
      <key>enable-fips-cc-mode</key>
      <string>yes</string>
    3. Restart GlobalProtect.
      To enable the GlobalProtect app to initialize in FIPS-CC mode, you must restart GlobalProtect using one of the following methods:
      • Reboot your endpoint.
      • Restart the GlobalProtect application and GlobalProtect service (PanGPS):
        1. Launch the Finder.
        2. Open the Applications folder:
          • From the Finder sidebar, select Applications.
          • If you do not see Applications in the Finder sidebar, select GoApplications from the Finder menu bar.
            To display Applications in the Finder sidebar, select FinderPreferences from the Finder menu bar. From the Finder Preferences, select Sidebar and then enable the option to display Applications.
        3. Open the Utilities folder.
        4. Launch Terminal.
        5. Execute the following commands:
          username>$ launchctl unload -S Aqua
/Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist     
username>$ launchctl unload -S Aqua
/Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist
username>$ launchctl load -S Aqua 
/Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist
username>$ launchctl load -S Aqua
/Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist
    4. Verify that FIPS-CC mode is enabled on the GlobalProtect app.
      1. Launch the GlobalProtect app.
      2. From the status panel, open the settings dialog (
        ).
      3. Select About.
      4. Verify that FIPS-CC mode is enabled. If FIPS-CC mode is enabled, the About dialog displays the FIPS-CC Mode Enabled status.
    5. View the logs to view the GlobalProtect app logs related to FIPS-CC mode on endpoints running macOS.
    6. View, collect, and send the logs to administrator to troubleshoot and resolve the issues related to FIPS-CC mode on devices running macOS.

    Enable FIPS Mode on Linux EndPoints with Ubuntu or RHEL

    Where Can I Use This?What Do I Need?
    NGFW (managed by Panorama)
    • GlobalProtect™ Subscription License
    • PAN-OS 8.1 or a later PAN-OS version.
    • GlobalProtect app 6.0.7 or a later 6.0.x version.
    • FIPS-CC Mode for GlobalProtect on ARM-based devices running on Linux.
    Use the following steps to enable and verify FIPS-CC mode for GlobalProtect™ on Linux endpoints running Ubuntu or Red Hat Enterprise Linux (RHEL) 8.1 platforms.
    1. Ensure that FIPS-CC mode is disabled on the Linux endpoints with Ubuntu or Red Hat Enterprise Linux (RHEL) 8.1.
    2. Install the GlobalProtect app on your Linux endpoint.
    3. (Optional) If a client certificate is used for authentication, install and set up client certificate.
    4. Modify pangps.xml to enable FIPS-CC mode.
      On Linux endpoints, the pre-deployment configuration file (pangps.xml) is located in /opt/paloaltonetworks/globalprotect.
      In pangps.xml file, under Settings, add <enable-fips-cc-mode>yes</enable-fips-cc-mode>
      For example:
      <?xml version="x.x" encoding="UTF-8"?><GlobalProtect>
         <Settings>
			    <enable-fips-cc-mode>yes</enable-fips-cc-mode>
 	               <disable-globalprotect>0</disable-globalprotect>
         </Settings>
    5. Enable FIPS-CC mode on the Linux endpoint with Ubuntu or Red Hat Enterprise Linux (RHEL) 8.1.
    6. Reboot the Linux endpoint in order for the pre-deployment configuration changes to take effect.
    7. Verify that FIPS-CC mode is enabled on the GlobalProtect app.
      1. Launch the GlobalProtect app.
      2. From the status panel, open the settings dialog (
        ).
      3. Select About.
      4. Verify that FIPS-CC mode is enabled. If FIPS-CC mode is enabled, the About dialog displays the FIPS-CC Mode Enabled status. For CLI version, you can use the CLI command globalprotect show --version.
        If FIPS-CC mode could not be enabled successfully, the About dialog displays the FIPS-CC Mode Failed status.
    8. View the logs to view the GlobalProtect app logs related to FIPS-CC mode on Linux endpoints.
    9. View, collect, and send the logs to the administrator to troubleshoot and resolve the issues related to FIPS-CC mode on Linux devices.

    Enable and Verify FIPS-CC Mode Using Workspace ONE on iOS Endpoints

    Provides information on enabling and verifying FIPS-CC mode using Workspace ONE
    Where Can I Use This?What Do I Need?
    NGFW (managed by Panorama)
    • GlobalProtect™ Subscription License
    • PAN-OS 8.1 or a later PAN-OS version.
    • GlobalProtect for Governments app 6.0.7 or a later GlobalProtect for Governments app 6.0.x version.
    • FIPS-CC Mode for GlobalProtect on ARM-based devices running on iOS.
    Use the following steps to enable and verify FIPS-CC mode for GlobalProtect™ on iOS endpoints using Workspace ONE.
    To enable FIPS-CC for iOS and Android endpoints, you must use the GlobalProtect version GlobalProtect for Governments. Contact Palo Alto Support and create a case to access the GlobalProtect for Governments version, which is privately distributed.
    1. Enable FIPS mode for iOS endpoints.
      1. Configure Workspace ONE for iOS Endpoints. for iOS endpoints.
      2. Download the GlobalProtect app for iOS endpoints and Deploy the GlobalProtect Mobile App Using Workspace ONE.
      3. From the Workspace ONE console, modify an existing Apple iOS profile or add a new one.
        To add a new profile:
        • Select ResourcesProfiles & BaselinesProfilesADD, then Add Profile.
        • Select iOS from the platform list.
        • Select Device Profile from the Select Context Window.
      4. On the ResourcesProfiles & BaselinesProfiles page, select the <iOS profile> for which you want to enable FIPS-CC mode.
      5. Configure the General, VPN, and Credentials (Optional) settings for the <iOS profile> that you want to create.
      6. On the VPN page, under Custom Data:
        • Specify the Key value as enable-fips-cc-mode.
        • Set the Value to Yes.
      7. Save and Publish your changes.
        After you enable the FIPS-CC mode on the Workspace ONE console, the console pushes the updated FIPS-CC mode configuration to the iOS endpoints.
      8. Ensure that the updated configuration is pushed from the console to the iOS endpoints. On the iOS endpoint, select SettingsGeneralVPN & Device ManagementVPN. The VPN Configuration screen displays the latest configuration.The following screenshot shows an example of VPN configuration.
    2. Verify that FIPS-CC mode is enabled on the GlobalProtect app.
      1. Launch the GlobalProtect app.
      2. From the status panel, open the settings dialog (
        ).
      3. Select About.
      4. Verify that FIPS-CC mode is enabled. If FIPS-CC mode is enabled, the About dialog displays the FIPS-CC Mode Enabled status.
        If FIPS-CC mode could not be enabled successfully, the About dialog displays the FIPS-CC Mode Failed status.
      You cannot disable the FIPS-CC mode on iOS endpoints. To disable the FIPS-CC mode, you must remove the iOS device from the respective configuration profile through the Workspace ONE console.
    3. View the logs to view the GlobalProtect app logs related to FIPS-CC mode on iOS endpoints.
    4. View, collect, and send the logs to the administrator to troubleshoot and resolve the issues related to FIPS-CC mode on iOS devices.

    Enable and Verify FIPS-CC Mode Using Microsoft Intune on Android Endpoints

    Enabling and verifying FIPS-CC mode using Microsoft Intune and Android endpoints.
    Where Can I Use This?What Do I Need?
    NGFW (managed by Panorama)
    • GlobalProtect™ Subscription License
    • PAN-OS 8.1 or a later PAN-OS version.
    • GlobalProtect for Governments app 6.0.7 or a later GlobalProtect for Governments app 6.0.x version.
    • FIPS-CC Mode for GlobalProtect on ARM-based devices running on Android.
    Use the following steps to enable and verify FIPS-CC mode for GlobalProtect™ on Android endpoints using Microsoft Intune
    To enable FIPS-CC for iOS and Android endpoints, you must use the GlobalProtect version GlobalProtect for Governments. Contact Palo Alto Support and create a case to access the GlobalProtect for Governments version, which is privately distributed.
    1. Enable FIPS mode on Android endpoints.
      1. Download the GlobalProtect app for Android and Deploy the GlobalProtect App on Android Endpoints Using Microsoft Intune.
      2. From the Microsoft Intune console, add Configuration Settings to enable FIPS-CC mode.
        To add configuration settings for Enable fips-cc-mode:
        1. Select APPSPolicyApp configuration policies<policy>Properties.
        2. Edit the Settings.
        3. On the Edit app configuration policies page, Add the Configuration Settings for enabling FIPS-CC mode.
        4. From the list of configuration keys, select Enable fips-cc mode.
        5. Set the Configuration Value to Yes for Enable fips-cc mode configuration key.
        6. Click Review and Save. The Edit app configuration policies page displays the newly added Enable-fips-cc-mode configuration settings.
        The configuration setting for Enable fips-cc mode is also displayed under the Configuration Settings area (APPSPolicyApp configuration policies<policy>Properties.
      After you enable the FIPS-CC mode on the Microsoft Intune console and synchronize the device with the Microsoft Intune, the console pushes the updated FIPS-CC mode configuration to the Android endpoints.
    2. Verify that FIPS-CC mode is enabled is enabled successfully on an Android endpoint.
      1. Launch the GlobalProtect app.
      2. From the status panel, open the settings dialog (
        ).
      3. Select About.
      4. Verify that FIPS-CC mode is enabled. If FIPS-CC mode is enabled, the About dialog displays the FIPS-CC Mode Enabled status.
      If FIPS-CC mode could not be enabled successfully, the About dialog displays the FIPS-CC Mode Failed status.
    3. View the logs to view the GlobalProtect app logs related to FIPS-CC mode on Android endpoints.
    4. View, collect, and send the logs to the administrator to troubleshoot and resolve the issues related to FIPS-CC mode on Android devices.

    © 2025 Palo Alto Networks, Inc. All rights reserved.