Enable and verify FIPS-CC mode for GlobalProtect using the macOS property list.
On macOS endpoints, use the following steps to enable and verify FIPS-CC mode for GlobalProtect™ using the macOS plist (property list):
To enable FIPS-CC mode for GlobalProtect, you must first enable FIPS-CC mode for the macOS operating system. By default, FIPS mode for the macOS operating system is automatically enabled on endpoints running macOS 10.8 and later releases.
Open the GlobalProtect plist file and locate the GlobalProtect customization settings.
Launch a plist editor, such as Xcode.
In the plist editor, open the following plist file:
If the Settings dictionary does not exist, create it. You can add each key to the Settings dictionary as a string.
Enable FIPS-CC mode for GlobalProtect.
You cannot disable FIPS-CC after you enable it. To run GlobalProtect in non-FIPS-CC mode, end users must uninstall and then reinstall the GlobalProtect app. This clears all FIPS-CC mode settings from the macOS plist.
In the Settings dictionary, add the following key-value pair to enable FIPS-CC mode:
<key>enable-fips-cc-mode</key>
<string>yes</string>
Restart GlobalProtect.
To enable the GlobalProtect app to initialize in FIPS-CC mode, you must restart GlobalProtect using one of the following methods:
Reboot your endpoint.
Restart the GlobalProtect application and GlobalProtect service (PanGPS):
Launch the Finder.
Open the Applications folder:
From the Finder sidebar, select Applications.
If you do not see Applications in the Finder sidebar, select Go > Applications from the Finder menu bar.
To display Applications in the Finder sidebar, select Finder > Preferences from the Finder menu bar. From the Finder Preferences, select Sidebar and then enable the option to display Applications.
Open the Utilities folder.
Launch Terminal.
Execute the following commands:
username>$ launchctl unload -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist
username>$ launchctl unload -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist
username>$ launchctl load -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist
username>$ launchctl load -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist
Verify that FIPS-CC mode is enabled on the GlobalProtect app.
Launch the GlobalProtect app.
From the status panel, open the settings dialog.
Select About.
Verify that FIPS-CC mode is enabled. If FIPS-CC mode is enabled, the About dialog displays the FIPS-CC Mode Enabled status.
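A configuration check for the plist step above, added here as an example and not taken from the GlobalProtect documentation: it parses a plist with Python's plistlib and confirms that a Settings dictionary holds enable-fips-cc-mode as the string yes. The recursive search for Settings, the nesting of the constructed sample, and the function names are assumptions; the plist path is passed as an argument because it is not given above.

```python
import plistlib
import sys

KEY = "enable-fips-cc-mode"  # key name taken from the page

# Constructed sample (not a real endpoint's file); the nesting is an assumption.
SAMPLE = plistlib.dumps({"GlobalProtect": {"Settings": {KEY: "yes"}}})


def find_settings(node):
    """Return the first dictionary stored under the name 'Settings', or None."""
    if isinstance(node, dict):
        if isinstance(node.get("Settings"), dict):
            return node["Settings"]
        for child in node.values():
            found = find_settings(child)
            if found is not None:
                return found
    return None


def check_fips_cc(plist_bytes):
    """Return (ok, reason) for a plist given as bytes (XML or binary format)."""
    try:
        root = plistlib.loads(plist_bytes)
    except Exception as exc:  # truncated or non-plist data
        return False, f"unreadable plist: {exc}"
    settings = find_settings(root)
    if settings is None:
        return False, "Settings dictionary not found"
    if KEY not in settings:
        return False, f"{KEY} is not set"
    value = settings[KEY]
    if not isinstance(value, str):  # the page adds each key as a string
        return False, f"{KEY} is {type(value).__name__}, expected a string"
    if value != "yes":
        return False, f"{KEY} is {value!r}, expected 'yes'"
    return True, f"{KEY} is set to 'yes'"


if __name__ == "__main__":
    # Pass the GlobalProtect plist path; without one, the sample is checked.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    ok, reason = check_fips_cc(data)
    print(("PASS: " if ok else "FAIL: ") + reason)
    sys.exit(0 if ok else 1)
```

A pass shows only that the key is configured; the About dialog check above remains the confirmation that the app initialized in FIPS-CC mode.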
View the GlobalProtect app logs related to FIPS-CC mode on endpoints running macOS.
View, collect, and send the logs to the administrator to troubleshoot and resolve issues related to FIPS-CC mode on devices running macOS.