FIPS-CC Security Functions

When FIPS-CC mode is enabled, the following security functions are enforced on all firewalls and appliances:
  • To log in, the browser must be TLS 1.1 (or later) compatible; on a WF-500 appliance, you manage the appliance only through the CLI and you must connect using an SSHv2-compatible client application.
  • All passwords must be at least eight characters.
  • You must ensure that Failed Attempts and Lockout Time (min) are greater than 0 in authentication settings. If an administrator reaches the Failed Attempts threshold, the administrator is locked out for the duration defined in the Lockout Time (min) field.
    (Panorama managed firewalls) You must ensure that Failed Attempts and Lockout Time (min) are greater than 0 in the authentication settings (Device > Setup > Management) in the template or template stack configuration with which your managed firewalls in FIPS-CC mode are associated. This is required to prevent commit failures when you push configuration changes from Panorama to your managed firewalls in FIPS-CC mode.
  • You must ensure that the Idle Timeout is greater than 0 in authentication settings. If a login session is idle for more than the specified time, the administrator is automatically logged out.
  • You can configure the Absolute Session Length to set the maximum length of time in minutes that a user can be logged in. The minimum length that can be set is 60 minutes. You receive a session termination warning 5 minutes before timeout. This feature cannot be disabled in FIPS-CC mode and defaults to a session length of 30 days.
  • You can configure the Max No. of Sessions to set how many users can be concurrently logged in to the same administrator account.
  • The firewall or appliance automatically determines the appropriate level of self-testing and enforces the appropriate level of strength in encryption algorithms and cipher suites.
  • Algorithms that are not FIPS-CC approved are not decrypted; they are ignored during decryption.
  • You are required to use a RADIUS server profile configured with an authentication protocol leveraging TLS encryption.
    PAP and CHAP authentication protocols are not compliant protocols and shall not be used in FIPS-CC mode.
  • When configuring an IPSec VPN, the administrator must select a cipher suite option presented to them during the IPSec setup.
  • (
    For Panorama and WildFire only
    ) IPSec can be enabled on the management interface to protect protocols such as NTP, RADIUS, TACACS, and DNS.
  • Self-generated and imported certificates must contain public keys that are either RSA 2,048 bits (or more) or ECDSA 256 bits (or more); you must also use a digest of SHA256 or greater.
  • Telnet, TFTP, and HTTP management connections are not available.
  • (
    New HA Deployments
    ) You must enable encryption for the HA1 control link when you set up high availability (HA) for firewalls in FIPS-CC mode. You must set automatic rekeying parameters; you must set the data parameter to a value no greater than 1000 MB (you cannot let it default) and you must set a time interval (you cannot leave it disabled).
  • (
    Existing HA Deployment
    ) Before you change the operational mode to FIPS-CC mode for firewalls in a high availability (HA) configuration, you must first disable HA (
    Device
    High Availability
    General
    ) before changing the operational mode to FIPS-CC mode.
    After you change the operational mode to FIPS-CC mode for both HA peers, re-enable HA and enable encryption for the HA1 control link as described above.
  • The serial console port in FIPS-CC mode functions as a limited status output port only; CLI access is not available.
  • The serial console port on hardware and private-cloud VM-Series firewalls booted into the MRT (Maintenance Recovery Tool) provides interactive access to the MRT.
  • Interactive console access is not supported in the hypervisor environment for private-cloud VM-Series firewalls booted into the MRT; you can access the MRT only using SSH.
  • You must manually configure a new master key before the old master key expires; Auto Renew Master Key is not supported in FIPS-CC mode.
    If the master key expires, the firewall or Panorama automatically reboots in Maintenance mode. You must then Reset the Firewall to Factory Default Settings.
  • Zero Touch Provisioning (ZTP) mode is disabled on the PA-5450 Firewall and the PA-400 Series Firewalls if FIPS-CC mode is enabled.
  • (
    Panorama managed devices
    ) Review the Panorama support of firewalls and Log Collectors when FIPS-CC is enabled.
    Panorama
    Firewall
    Log Collector
    FIPS-CC Enabled
    FIPS-CC Enabled
    FIPS-CC Disabled
    FIPS-CC Enabled
    FIPS-CC Disabled
    Supported
    Supported
    Supported
    Supported
    FIPS-CC Disabled
    Not Supported
    Supported
    Not Supported
    Supported
  • (
    PA-7000 Series Firewalls only
    ) Review the Palo Alto Networks Hardware End of Life Dates and Compatibility Matrix to confirm you have a supported line card. Line cards that have reached End-of-Life or are running an unsupported PAN-OS release may cause the PA-7000 Series firewall to enter maintenance mode.
  • Review the requirements to import certificates in FIPS-CC mode.
    • To import a certificate and corresponding private key, the private key must be in PKCS8 standard syntax (PEM format) and encrypted with a FIPS compliant cipher.
    • To import a leaf certificate, you must first successfully import the entire Certificate Authority (CA) chain.
