FIPS-CC Security Functions
Focus
Focus

FIPS-CC Security Functions

Table of Contents

FIPS-CC Security Functions

When FIPS-CC mode is enabled, the following security functions are enforced on all firewalls and appliances:
  • To log in, the browser must be TLS 1.2 (or later) compatible; on a WF-500 appliance, you manage the appliance only through the CLI and you must connect using an SSHv2-compatible client application.
  • All passwords must be at least eight characters.
  • You must ensure that Failed Attempts and Lockout Time (min) are greater than 0 in authentication settings. If an administrator reaches the Failed Attempts threshold, the administrator is locked out for the duration defined in the Lockout Time (min) field.
    (Panorama managed firewalls) You must ensure that Failed Attempts and Lockout Time (min) are greater than 0 in the authentication settings (DeviceSetupManagement) in the template or template stack configuration with which your managed firewalls in FIPS-CC mode are associated. This is required prevent commit failures when you push configuration changes from Panorama to your managed firewalls in FIPS-CC mode.
  • You must ensure that the Idle Timeout is greater than 0 in authentication settings. If a login session is idle for more than the specified time, the administrator is automatically logged out.
  • You can configure the Absolute Session Length to set the maximum length of time in minutes that a user can be logged in. The minimum length that can be set is 60 minutes. You will receive a session termination warning 5 minutes before timeout. This feature cannot be disabled in FIPS-CC mode and defaults at a session of 30 days.
  • You can configure the Max No. of Sessions to set how many users can be concurrently logged in to the same administrator account.
  • The firewall or appliance automatically determines the appropriate level of self-testing and enforces the appropriate level of strength in encryption algorithms and cipher suites.
  • Unapproved FIPS-CC algorithms are not decrypted—they are ignored during decryption.
  • You are required to use a RADIUS server profile configured with an authentication protocol leveraging TLS encryption.
    PAP and CHAP authentication protocols are not compliant protocols and shall not be used in FIPS-CC mode.
  • When configuring an IPSec VPN, the administrator must select a cipher suite option presented to them during the IPSec setup.
  • (For Panorama and WildFire only) IPSec can be enabled on the management interface to protect protocols such as NTP, RADIUS, TACACS, and DNS.
  • Self-generated and imported certificates must contain public keys that are either RSA 2,048 bits (or greater) or ECDSA 256 bits (or greater); you must also use a digest of SHA256 or greater.
  • Telnet, TFTP, and HTTP management connections are not available.
  • (New HA Deployments) You must enable encryption for the HA1 control link when you set up high availability (HA) for firewalls in FIPS-CC mode. You must set automatic rekeying parameters; you must set the data parameter to a value no greater than 1000 MB (you cannot let it default) and you must set a time interval (you cannot leave it disabled).
  • (Existing HA Deployment) Before you change the operational mode to FIPS-CC mode for firewalls in a high availability (HA) configuration, you must first disable HA (DeviceHigh AvailabilityGeneral) before changing the operational mode to FIPS-CC mode.
    After you change the operational mode to FIPS-CC mode for both HA peers, re-enable HA and enable encryption for the HA1 control link as described above.
  • The serial console port in FIPS-CC mode functions as a limited status output port only; CLI access is not available.
  • The serial console port on hardware and private-cloud VM-Series firewalls booted into the MRT provides interactive access to the MRT.
  • Interactive console access is not supported in the hypervisor environment private-cloud VM-Series firewalls booted into the MRT; you can access the MRT only using SSH.
  • You must manually configure a new master key before the old master key expires; Auto Renew Master Key is not supported in FIPS-CC mode.
    If the master key expires, the firewall or Panorama automatically reboots in Maintenance mode. You must then Reset the Firewall to Factory Default Settings.
  • Zero Touch Provisioning (ZTP) mode is disabled on Palo Alto Networks Firewalls if FIPS-CC mode is enabled.
  • (Panorama managed devices) Review the Panorama support of firewalls and Log Collectors when FIPS-CC is enabled.
    Panorama
    Firewall
    Log Collector
    FIPS-CC Enabled
    FIPS-CC Enabled
    FIPS-CC Disabled
    FIPS-CC Enabled
    FIPS-CC Disabled
    Supported
    Supported
    Supported
    Supported
    FIPS-CC Disabled
    Not Supported
    Supported
    Not Supported
    Supported
  • (Panorama managed devices) Upgrading Panorama and managed devices in FIPS-CC mode to PAN-OS 11.0 or later release requires you to reset the secure connection status of the devices in FIPS-CC mode if added to Panorama management while running a PAN-OS 10.2 release.
  • (PA-7000 Series Firewalls only) Review the Palo Alto Networks Hardware End of Life Dates and Compatibility Matrix to confirm you have a supported line card. Line cards that have reached End-of-Life or are running an unsupported PAN-OS release may cause the PA-7000 Series firewall to enter maintenance mode.
  • Review the requirements to import certificates in FIPS-CC mode.
    • To import a certificate and corresponding private key, the private key must be in PKCS8 standard syntax (PEM format) and encrypted with a FIPS compliant cipher.
    • To import a leaf certificate, you must first successfully import the entire Certificate Authority (CA) chain.