GlobalProtect
Enable and Verify FIPS-CC Mode Using the Windows Registry
Table of Contents
Expand All
|
Collapse All
GlobalProtect Docs
-
9.1 (EoL)
- 10.1 & Later
- 9.1 (EoL)
-
-
-
- Deploy App Settings in the Windows Registry
- Deploy App Settings from Msiexec
- Deploy Scripts Using the Windows Registry
- Deploy Scripts Using Msiexec
- SSO Wrapping for Third-Party Credential Providers on Windows Endpoints
- Enable SSO Wrapping for Third-Party Credentials with the Windows Registry
- Enable SSO Wrapping for Third-Party Credentials with the Windows Installer
-
- Mobile Device Management Overview
- Set Up the MDM Integration With GlobalProtect
- Qualified MDM Vendors
-
- Remote Access VPN (Authentication Profile)
- Remote Access VPN (Certificate Profile)
- Remote Access VPN with Two-Factor Authentication
- Always On VPN Configuration
- Remote Access VPN with Pre-Logon
- GlobalProtect Multiple Gateway Configuration
- GlobalProtect for Internal HIP Checking and User-Based Access
- Mixed Internal and External Gateway Configuration
- Captive Portal and Enforce GlobalProtect for Network Access
-
-
- End User Experience
- Management and Logging in Panorama
-
- View a Graphical Display of GlobalProtect User Activity in PAN-OS
- View All GlobalProtect Logs on a Dedicated Page in PAN-OS
- Event Descriptions for the GlobalProtect Logs in PAN-OS
- Filter GlobalProtect Logs for Gateway Latency in PAN-OS
- Restrict Access to GlobalProtect Logs in PAN-OS
- Forward GlobalProtect Logs to an External Service in PAN-OS
- Configure Custom Reports for GlobalProtect in PAN-OS
- Monitoring and High Availability
-
- About GlobalProtect Cipher Selection
- Cipher Exchange Between the GlobalProtect App and Gateway
-
- Reference: GlobalProtect App Cryptographic Functions
-
- Reference: TLS Ciphers Supported by GlobalProtect Apps on macOS Endpoints
- Reference: TLS Ciphers Supported by GlobalProtect Apps on Windows 10 Endpoints
- Reference: TLS Ciphers Supported by GlobalProtect Apps on Windows 7 Endpoints
- Reference: TLS Ciphers Supported by GlobalProtect Apps on Android 6.0.1 Endpoints
- Reference: TLS Ciphers Supported by GlobalProtect Apps on iOS 10.2.1 Endpoints
- Reference: TLS Ciphers Supported by GlobalProtect Apps on Chromebooks
- Ciphers Used to Set Up IPsec Tunnels
- SSL APIs
-
6.3
- 6.3
- 6.2
- 6.1
- 6.0
- 5.1
-
- Download and Install the GlobalProtect App for Windows
- Use Connect Before Logon
- Use Single Sign-On for Smart Card Authentication
- Use the GlobalProtect App for Windows
- Report an Issue From the GlobalProtect App for Windows
- Disconnect the GlobalProtect App for Windows
- Uninstall the GlobalProtect App for Windows
- Fix a Microsoft Installer Conflict
-
- Download and Install the GlobalProtect App for macOS
- Use the GlobalProtect App for macOS
- Report an Issue From the GlobalProtect App for macOS
- Disconnect the GlobalProtect App for macOS
- Uninstall the GlobalProtect App for macOS
- Remove the GlobalProtect Enforcer Kernel Extension
- Enable the GlobalProtect App for macOS to Use Client Certificates for Authentication
-
6.1
- 6.1
- 6.0
- 5.1
-
6.3
- 6.3
- 6.2
- 6.1
- 6.0
- 5.1
End-of-Life (EoL)
Enable and Verify FIPS-CC Mode Using the Windows Registry
Enable and verify FIPS-CC mode for GlobalProtect using
the Windows Registry.
On Windows endpoints, use the following steps
to enable and verify FIPS-CC mode for GlobalProtect™ using the Windows Registry:
- Enable FIPS mode for the Windows operating system.To enable FIPS-CC mode for GlobalProtect, you must first enable FIPS mode for the Windows operating system to ensure that your Windows endpoint is FIPS 140-2 compliant.
- Launch the Command Prompt.
- Enter regedit to open the Windows Registry.
- In the Windows Registry, go to: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\.
- Right-click the Enabled registry value and Modify it.
- To enable FIPS mode, set the Value Data to 1.
The default value of 0 indicates that FIPS
mode is disabled.
- Click OK.
- Restart your endpoint.
- Enable FIPS-CC mode for GlobalProtect.You cannot disable FIPS-CC mode after you enable it. To run GlobalProtect in non-FIPS-CC mode, end users must uninstall and then reinstall the GlobalProtect app. This clears all FIPS-CC mode settings from the Windows Registry.
- Launch the Command Prompt.
- Enter regedit to open the Windows Registry.
- In the Windows Registry, go to: HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\.
- Click Edit and then select NewString Value.
- When prompted, specify the Name of the new registry value as enable-fips-cc-mode.
- Right-click the new registry value and Modify it.
- To enable FIPS-CC mode, set the Value Data to yes.
- Click OK.
- Restart GlobalProtect.To enable the GlobalProtect app to initialize in FIPS-CC mode, you must restart GlobalProtect using one of the following methods:
- Reboot your endpoint.
- Restart the GlobalProtect application and GlobalProtect service (PanGPS):
- Launch the Command Prompt.
- Enter services.msc to open the Windows Services manager.
- From the Services list, select PanGPS.
- Restart the service.
- Verify that FIPS-CC mode is enabled on your GlobalProtect app.
- Launch the GlobalProtect app.
- From the status panel, open the settings dialog (
- Select About.
- Verify that FIPS-CC mode is enabled. If FIPS-CC mode
is enabled, the About dialog displays the FIPS-CC Mode Enabled status.