Enable and Verify FIPS-CC Mode Using the Windows Registry

Enable and verify FIPS-CC mode for GlobalProtect using the Windows Registry.
On Windows endpoints, use the following steps to enable and verify FIPS-CC mode for GlobalProtect™ using the Windows Registry:
  1. Enable FIPS mode for the Windows operating system.
    To enable FIPS-CC mode for GlobalProtect, you must first enable FIPS mode for the Windows operating system to ensure that your Windows endpoint is FIPS 140-2 compliant.
    1. Launch the Command Prompt.
    2. Enter
      regedit
      to open the Windows Registry.
    3. In the Windows Registry, go to:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\
      .
    4. Right-click the
      Enabled
      registry value and
      Modify
      it.
    5. To enable FIPS mode, set the
      Value Data
      to
      1
      . The default value of
      0
      indicates that FIPS mode is disabled.
      enable-fips-mode-windows.png
    6. Click
      OK
      .
    7. Restart your endpoint.
  2. Enable FIPS-CC mode for GlobalProtect.
    You cannot disable FIPS-CC mode after you enable it. To run GlobalProtect in non-FIPS-CC mode, end users must uninstall and then reinstall the GlobalProtect app. This clears all FIPS-CC mode settings from the Windows Registry.
    1. Launch the Command Prompt.
    2. Enter
      regedit
      to open the Windows Registry.
    3. In the Windows Registry, go to:
      HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\
      .
    4. Click
      Edit
      and then select
      New
      String Value
      .
    5. When prompted, specify the
      Name
      of the new registry value as
      enable-fips-cc-mode
      .
    6. Right-click the new registry value and
      Modify
      it.
    7. To enable FIPS-CC mode, set the
      Value Data
      to
      yes
      .
    8. Click
      OK
      .
      enable-fips-cc-mode-windows.png
  3. Restart GlobalProtect.
    To enable the GlobalProtect app to initialize in FIPS-CC mode, you must restart GlobalProtect using one of the following methods:
    • Reboot your endpoint.
    • Restart the GlobalProtect application and GlobalProtect service (PanGPS):
      1. Launch the Command Prompt.
      2. Enter
        services.msc
        to open the Windows Services manager.
      3. From the Services list, select
        PanGPS
        .
      4. Restart
        the service.
        restart-pangps-windows.png
  4. Verify that FIPS-CC mode is enabled on your GlobalProtect app.
    1. Launch the GlobalProtect app.
    2. From the status panel, open the settings dialog ( settings-icon.png ).
    3. Select
      About
      .
    4. Verify that FIPS-CC mode is enabled. If FIPS-CC mode is enabled, the About dialog displays the
      FIPS-CC Mode Enabled
      status.
      fips-cc-mode-enabled.png

Recommended For You