Change the Operational Mode to FIPS-CC Mode

The following procedure describes how to change the operational mode of a Palo Alto Networks product from normal mode to FIPS-CC mode.
  1. Connect to the firewall or appliance and Access the Maintenance Recovery Tool (MRT).
  2. Select Set FIPS-CC Mode from the menu.
  3. Select Enable FIPS-CC Mode. The mode change operation starts and a status indicator shows progress. After the mode change is complete, the status shows Success.
  4. When prompted, select Reboot.
    If you change the operational mode on a VM-Series firewall deployed in the public cloud (AWS or Azure) and you lose your SSH connection to the MRT before you are able to Reboot, you must wait 10-15 minutes for the mode change to complete, log back into the MRT, and then reboot the firewall to complete the operation.
    After you switch to FIPS-CC mode, you see the following status: FIPS-CC mode enabled successfully.
    In addition, the following changes are in effect:
    • FIPS-CC displays at all times in the status bar at the bottom of the web interface.
    • The default administrator login credentials change to admin/paloalto.
    See FIPS-CC Security Functions for details on the security functions that are enforced in FIPS-CC mode.

Related Documentation