Change the Operational Mode to FIPS-CC Mode

The following procedure describes how to change the operational mode of a Palo Alto Networks product from normal mode to FIPS-CC mode.
When the appliance is in FIPS-CC mode, you cannot configure any settings from the console, including the management interface settings. Before enabling FIPS-CC mode, make sure that your network allows access to the management interface over SSH or the web interface. The management interface defaults to the static address 192.168.1.1 on a PA-Series firewall, or to an address obtained via DHCP on a VM-Series firewall. The WildFire appliance, the virtual Panorama appliance, and the M-Series Panorama appliance default to the static address 192.168.1.1.
Enabling FIPS-CC mode erases all configuration and settings. If you want to reuse any configuration after the change, save and export it before changing the operational mode, then import it once the mode change is complete. The imported configuration must be edited to comply with the FIPS-CC Security Functions, or the import will fail.
Keys, passwords, and other critical security parameters cannot be shared across modes.
If you change the operational mode of a firewall or Dedicated Log Collector that is managed by a Panorama management server to FIPS-CC mode, you must also change the operational mode of Panorama to FIPS-CC mode. This is required to secure the password hashes for local administrator passwords pushed from Panorama.
  1. (Existing HA configuration only) Disable the high availability (HA) configuration.
    This is required to successfully change the operational mode to FIPS-CC mode for firewalls that are already in an HA configuration.
    1. Log in to the firewall web interface of the primary HA peer.
    2. Select Device > High Availability > General and edit the HA Pair Settings (Setup).
    3. Uncheck (disable) Enable HA and click OK.
    4. Commit.
  2. (Public Cloud VM-Series firewalls or Public Cloud Panorama virtual appliances only) Create an SSH key and log in to the firewall or Panorama with it.
    On some public cloud platforms, such as Microsoft Azure, you must have an SSH key to avoid an authentication failure after changing to FIPS-CC mode. Verify that the firewall was deployed to authenticate using the SSH key. On Azure you can deploy the VM-Series firewall or Panorama and log in with a username and password, but after the change to FIPS-CC mode that username and password no longer work. After the reset to FIPS-CC mode, log in with the SSH key, and then configure a username and password for subsequent logins to the firewall web interface.
  3. Connect to the firewall or appliance and access the Maintenance Recovery Tool (MRT).
  4. Select Set FIPS-CC Mode from the menu.
  5. Select Enable FIPS-CC Mode. The mode change operation starts and a status indicator shows progress. After the mode change is complete, the status shows Success.
    All configurations and settings are erased and cannot be retrieved once the mode change is complete.
  6. When prompted, select Reboot.
    If you change the operational mode on a VM-Series firewall deployed in the public cloud and you lose your SSH connection to the MRT before you are able to Reboot, wait 10-15 minutes for the mode change to complete, log back in to the MRT, and then reboot the firewall to complete the operation. After the reset to FIPS-CC mode, some virtual form factors (Panorama or VM-Series) accept only SSH key logins; if you have not set up SSH key authentication, you can no longer log in to the firewall after the reboot.
    After you switch to FIPS-CC mode, you see the following status: FIPS-CC mode enabled successfully.
    In addition, the following changes are in effect:
    • FIPS-CC displays at all times in the status bar at the bottom of the web interface.
    • The default administrator login credentials change to admin/paloalto.
    See FIPS-CC Security Functions for details on the security functions that are enforced in FIPS-CC mode.
  7. (Existing HA only) Re-enable HA.
    This step is required for firewalls that were configured in HA before changing to FIPS-CC mode. See High Availability for more information on setting up HA for the first time.
    1. Log in to the firewall web interface of the primary HA peer.
    2. Select Device > High Availability > General and edit the HA Pair Settings (Setup).
    3. Check (enable) Enable HA and click OK.
    4. Commit.
  8. Enable encryption for the HA1 control link.
    This is required for all firewalls in FIPS-CC mode that are in an HA configuration.
    To use HA on firewalls in FIPS-CC mode, you must set the automatic rekeying parameters explicitly: you cannot leave the key at its default, you must set a rekey time interval (it cannot be left disabled), and you must set the data parameter to a value no greater than 1000 MB.
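The following Python script is an added example, not Palo Alto Networks code, and pulls together the checks a practitioner would run around this procedure: it validates the SSH public key from step 2 by parsing the OpenSSH wire format (so an undersized RSA key or an ed25519 key is caught before you lock yourself out of a cloud instance), scans a configuration exported before the change for two settings that conflict with FIPS-CC mode (HA enabled without HA1 control link encryption, per step 8, and HTTP or Telnet on an interface management profile, which is an assumption about the FIPS-CC Security Functions), and confirms the new mode from `show system info` output after step 6. The accepted SSH key types, the `operational-mode` field name, and the configuration XPaths are assumptions; the sample configuration, key material, and status output are constructed, not captured from a device.

```python
"""Pre-flight checks around a PAN-OS FIPS-CC mode change.

Added example, not Palo Alto Networks code. Accepted SSH key types, the
config XPaths and the `operational-mode` field name are assumptions.
"""
import base64
import re
import struct
import xml.etree.ElementTree as ET

# Assumed: FIPS-CC mode accepts RSA >= 2048 bits and NIST P-curve ECDSA keys
# for SSH; ssh-ed25519 and ssh-dss are not approved algorithms.
ACCEPTED_ECDSA = {"ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
MIN_RSA_BITS = 2048


def _read_ssh_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def check_ssh_pubkey(line):
    """Return (ok, reason) for one OpenSSH public key line (authorized_keys / .pub)."""
    parts = line.split()
    if len(parts) < 2:
        return False, "not an OpenSSH public key line"
    key_type = parts[0]
    try:
        blob = base64.b64decode(parts[1], validate=True)
        wire_type, offset = _read_ssh_string(blob, 0)
    except (ValueError, struct.error):
        return False, "malformed key blob"
    if wire_type != key_type.encode():
        return False, "key type prefix does not match the encoded key"
    if key_type == "ssh-rsa":
        _, offset = _read_ssh_string(blob, offset)   # public exponent e (unused)
        modulus, _ = _read_ssh_string(blob, offset)  # mpint modulus n
        bits = int.from_bytes(modulus, "big").bit_length()
        if bits < MIN_RSA_BITS:
            return False, f"RSA modulus is {bits} bits; need at least {MIN_RSA_BITS}"
        return True, f"ssh-rsa {bits}-bit"
    if key_type in ACCEPTED_ECDSA:
        return True, key_type
    return False, f"{key_type} is not an approved SSH key type in FIPS-CC mode (assumed)"


def _mpint(value):
    """Encode a non-negative int as an SSH mpint (leading 0x00 keeps the sign bit clear)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw


def make_rsa_pubkey_line(bits, comment="constructed@example"):
    """Constructed test input: a well-formed ssh-rsa line with a synthetic modulus."""
    n = (1 << (bits - 1)) | 1  # has exactly `bits` bits; NOT a real key
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(65537) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


# Constructed ed25519 line (all-zero key bytes); only the key type matters here.
SAMPLE_ED25519_LINE = "ssh-ed25519 " + base64.b64encode(
    struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
).decode() + " constructed@example"


def fips_cc_config_issues(config_xml):
    """Flag settings in an exported config that conflict with FIPS-CC mode.
    XPaths are assumptions about the PAN-OS configuration schema."""
    root = ET.fromstring(config_xml)
    issues = []
    for prof in root.iterfind(".//interface-management-profile/entry"):
        for service in ("telnet", "http"):
            if prof.findtext(service, "no") == "yes":
                issues.append(f"management profile {prof.get('name')!r} allows {service}")
    ha = root.find(".//deviceconfig/high-availability")
    if ha is not None and ha.findtext("enabled", "no") == "yes":
        if ha.findtext("interface/ha1/encryption/enabled", "no") != "yes":
            issues.append("HA is enabled but HA1 control link encryption is off")
    return issues


def operational_mode(show_system_info):
    """Extract the mode from `show system info` output (field name assumed)."""
    match = re.search(r"^operational-mode:\s*(\S+)", show_system_info, re.MULTILINE)
    return match.group(1) if match else None


# Constructed sample inputs, not captured from a device.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
  <deviceconfig><high-availability><enabled>yes</enabled>
    <interface><ha1><encryption><enabled>no</enabled></encryption></ha1></interface>
  </high-availability></deviceconfig>
  <network><profiles><interface-management-profile>
    <entry name="mgmt-open"><https>yes</https><http>yes</http><telnet>yes</telnet></entry>
    <entry name="mgmt-ssh-only"><ssh>yes</ssh></entry>
  </interface-management-profile></profiles></network>
</entry></devices></config>"""
SAMPLE_SYSINFO = "hostname: fw01\nmodel: PA-VM\noperational-mode: fips-cc\n"

if __name__ == "__main__":
    for line in (make_rsa_pubkey_line(3072), make_rsa_pubkey_line(1024), SAMPLE_ED25519_LINE):
        print("SSH key:", check_ssh_pubkey(line))
    for issue in fips_cc_config_issues(SAMPLE_CONFIG):
        print("config:", issue)
    print("operational mode:", operational_mode(SAMPLE_SYSINFO))
```

Run the key check against the `.pub` file you deployed to the cloud instance before touching the MRT; run the config check against the file produced by your export, fix what it flags, and only then import it; run the mode check against the CLI output after the reboot to confirm the change took effect. Extend `fips_cc_config_issues` with whatever else the FIPS-CC Security Functions for your release reject.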
