Switch From Non-FIPS to FIPS Mode
You can switch an ION device between non-FIPS and FIPS mode.
Where Can I Use This?
  • Prisma SD-WAN
What Do I Need?
  • Prisma SD-WAN license
With Prisma SD-WAN release 5.6.1, you can switch between FIPS and non-FIPS modes. You change the mode from the Prisma SD-WAN Controller. The ION device must be in either the Claimed or the Assigned state. If the mode change is started while the device is in the Claimed state, the device comes back in the Claimed state; if it is started in the Assigned state, the device comes back in the Assigned state.
Do not perform any other operations on the device while the mode change is in progress.
  1. Select the device.
  2. From the device drop-down, select FIPS to non-FIPS.
  3. Confirm the mode change.
    This process takes a few minutes, during which the device reboots. The following information is deleted from the device:
    • CIC keys and certificates
    • All user passwords
    • All device configuration:
      • Registration
      • Interface Configuration
      • VPN Link Configuration
      • Routing Configuration
      • Policy Configuration
    The device, however, retains the following configuration across the reboot:
    • Controller Interface with Static or DHCP
    • Interfaces used for Public and Private with Static or DHCP
    • PPPoE Interface
    • Controller Connection Cipher
    • ION-KEY & Secret KEY, and the FIPS change_mode request

Upgrade or Downgrade Scenarios

Pre-6.5.1 to 6.5.x (FIPS to FIPS-CC)
  • Ensure that the cipher key size requirements for IKE and standard IPsec VPN are met.
  • NTP authentication needs to be enabled on the web interface after the upgrade.
  • Disable BGP MD5 authentication. The controller checks this setting before the upgrade.
  • Upgrading to 6.2.3, 6.3.1, 6.3.2, or 6.3.3 in FIPS mode is not supported.
Upgrading from 6.1.x to 6.2.x, 6.3.x, 6.4.1, or 6.5.1 is not supported. Palo Alto Networks recommends upgrading to one of the following releases instead: 6.3.6, 6.4.2, 6.4.3, or 6.5.2 and later.
6.5.x to pre-6.5.1 (FIPS-CC to FIPS)
  • Disable NTP authentication from the web interface. You will be notified on the web interface to disable NTP authentication before the downgrade.
  • Downgrading to 6.2.3, 6.3.1, 6.3.2, or 6.3.3 in FIPS mode is not supported.
For upgrading or downgrading the virtual form factor in FIPS mode, refer here.
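As an added example (not Palo Alto Networks code), the following Python encodes the mode-change and FIPS upgrade/downgrade constraints stated above as a pre-flight check that can be run over a fleet inventory before scheduling the change. The IonDevice record, its field names and the function names are assumptions made for this example; they are not the Prisma SD-WAN API or SDK.

```python
# Added pre-flight check (not Palo Alto Networks code): encodes the FIPS
# mode-change and FIPS upgrade/downgrade constraints stated on this page.
# The IonDevice record and its field names are constructed for illustration
# and are not the Prisma SD-WAN API or SDK.
from dataclasses import dataclass

FIPS_CC_FIRST = (6, 5, 1)                         # 6.5.1 and later run FIPS-CC
UNSUPPORTED_FIPS_TARGETS = {(6, 2, 3), (6, 3, 1), (6, 3, 2), (6, 3, 3)}
RECOMMENDED_FROM_6_1 = {(6, 3, 6), (6, 4, 2), (6, 4, 3)}  # plus >= 6.5.2


def parse_version(text: str) -> tuple[int, ...]:
    """'6.5.2' -> (6, 5, 2), so releases compare as tuples, not strings."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class IonDevice:
    name: str
    state: str         # "Claimed", "Assigned" or anything else
    version: str
    fips_mode: bool
    bgp_md5_auth: bool
    ntp_auth: bool


def mode_change_problems(dev: IonDevice) -> list[str]:
    """A FIPS <-> non-FIPS mode change is only allowed in Claimed/Assigned."""
    if dev.state not in ("Claimed", "Assigned"):
        return [f"{dev.name}: state is {dev.state}; must be Claimed or Assigned"]
    return []


def fips_version_change_problems(dev: IonDevice, target: str) -> list[str]:
    """Blockers for moving a FIPS-mode device from dev.version to target."""
    if not dev.fips_mode:
        return []                                 # constraints apply to FIPS mode only
    cur, tgt = parse_version(dev.version), parse_version(target)
    problems = []
    if tgt in UNSUPPORTED_FIPS_TARGETS:
        problems.append(f"{target} is not a supported FIPS-mode target")
    # From 6.1.x only the recommended releases (or >= 6.5.2) are supported.
    if cur[:2] == (6, 1) and tgt not in RECOMMENDED_FROM_6_1 and tgt < (6, 5, 2):
        problems.append(f"6.1.x -> {target} unsupported; use 6.3.6, 6.4.2, 6.4.3 or >= 6.5.2")
    if cur < FIPS_CC_FIRST <= tgt and dev.bgp_md5_auth:   # FIPS -> FIPS-CC upgrade
        problems.append("disable BGP MD5 authentication before upgrading to 6.5.x")
    if cur >= FIPS_CC_FIRST > tgt and dev.ntp_auth:       # FIPS-CC -> FIPS downgrade
        problems.append("disable NTP authentication before downgrading")
    return problems
```

Run both checks for every device in the rollout list and hold any device that returns a non-empty list; the controller enforces the BGP MD5 and NTP checks itself, but a scripted check lets you fix configurations before the maintenance window.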