The following procedure describes how to change the operational mode of a Palo Alto Networks product from normal mode to FIPS-CC mode.

When the appliance is in FIPS-CC mode, you cannot configure any settings via the console, including the management interface settings. Before enabling FIPS-CC mode, make sure that your network is set up to allow access to the management interface via SSH or the web interface. The management interface defaults to a static address of 192.168.1.1 on a PA-Series firewall, or to an address retrieved via DHCP on a VM-Series firewall. The WildFire, virtual Panorama, and M-Series Panorama appliances default to a static address of 192.168.1.1.

Once FIPS-CC mode is enabled, all configurations and settings are erased. To reuse configurations or settings after FIPS-CC mode is enabled, an administrator can save and export the configuration before changing to FIPS-CC mode, then import it once the operational mode change is complete. The imported configuration must be edited per the FIPS-CC Security Functions, or else the import process will fail.

Keys, passwords, and other critical security parameters cannot be shared across modes.

If you change the operational mode of a firewall or Dedicated Log Collector managed by a Panorama management server to FIPS-CC mode, you must also change the operational mode of Panorama to FIPS-CC mode. This is required to secure password hashes for local admin passwords pushed from Panorama.