FIPS-CC Security Functions
When FIPS-CC mode is enabled, the following security functions are enforced on all firewalls and appliances:
- To log in, the browser must be TLS 1.1 (or later) compatible; on a WF-500 appliance, you manage the appliance only through the CLI and you must connect using an SSHv2-compatible client application.
- All passwords must be at least six characters.
- You must ensure that Failed Attempts and Lockout Time (min) are greater than 0 in authentication settings. If an administrator reaches the Failed Attempts threshold, the administrator is locked out for the duration defined in the Lockout Time (min) field.
- You must ensure that the Idle Timeout is greater than 0 in authentication settings. If a login session is idle for more than the specified time, the administrator is automatically logged out.
- The firewall or appliance automatically determines the appropriate level of self-testing and enforces the appropriate level of strength in encryption algorithms and cipher suites.
- Traffic protected with algorithms that are not FIPS-CC approved is not decrypted; such algorithms are ignored during decryption.
- When configuring an IPSec VPN, the administrator must select one of the cipher suite options presented during IPSec setup.
- Self-generated and imported certificates must contain public keys that are either RSA 2,048 bits (or more) or ECDSA 256 bits (or more); you must also use a digest of SHA256 or greater.
- Telnet, TFTP, and HTTP management connections are not available.
- You must enable encryption for the HA1 control link and set the automatic rekeying parameters: the data parameter must be set to a value no greater than 1000 MB (you cannot leave it at the default), and the time interval must be set (you cannot leave it disabled).
- The serial console port in FIPS-CC mode functions as a limited status output port only; CLI access is not available.
- The serial console port on hardware and private-cloud VM-Series firewalls booted into the MRT provides interactive access to the MRT.
- Interactive console access is not supported in the hypervisor environment for private-cloud VM-Series firewalls booted into the MRT; you can access the MRT only using SSH.
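As an added example (not Palo Alto Networks code), the following Python pre-flight check encodes the constraints in the list above so a configuration can be validated before FIPS-CC mode is switched on. The field names in the sample configuration are assumptions for illustration, not PAN-OS CLI or XML syntax.

```python
from typing import Dict, List

# Thresholds taken from the FIPS-CC security functions listed above
HA1_MAX_REKEY_MB = 1000
MIN_PASSWORD_LEN = 6
MIN_KEY_BITS = {"RSA": 2048, "ECDSA": 256}
APPROVED_DIGESTS = {"SHA256", "SHA384", "SHA512"}


def check_fips_cc(cfg: Dict) -> List[str]:
    """Return a list of FIPS-CC violations found in cfg (empty list = compliant)."""
    v: List[str] = []
    auth = cfg.get("auth", {})
    # Lockout and idle timeout must be enabled, i.e. greater than 0
    for key in ("failed_attempts", "lockout_time_min", "idle_timeout_min"):
        if auth.get(key, 0) <= 0:
            v.append(f"auth.{key} must be greater than 0")
    if cfg.get("password_policy", {}).get("min_length", 0) < MIN_PASSWORD_LEN:
        v.append(f"password_policy.min_length must be at least {MIN_PASSWORD_LEN}")
    ha1 = cfg.get("ha1", {})
    if not ha1.get("encryption"):
        v.append("ha1.encryption must be enabled")
    # Rekey by data must be explicitly set and capped; rekey by time cannot be disabled
    data_mb = ha1.get("rekey_data_mb")
    if data_mb is None or data_mb > HA1_MAX_REKEY_MB:
        v.append(f"ha1.rekey_data_mb must be set and no greater than {HA1_MAX_REKEY_MB}")
    if not ha1.get("rekey_time_min"):
        v.append("ha1.rekey_time_min must be set (cannot be left disabled)")
    # Certificate public keys: RSA >= 2048 or ECDSA >= 256, digest SHA256 or stronger
    for cert in cfg.get("certificates", []):
        algo, bits = cert.get("key_algo"), cert.get("key_bits", 0)
        if algo not in MIN_KEY_BITS or bits < MIN_KEY_BITS[algo]:
            v.append(f"certificate {cert['name']}: {algo} {bits}-bit key is below the minimum")
        if str(cert.get("digest", "")).upper() not in APPROVED_DIGESTS:
            v.append(f"certificate {cert['name']}: digest {cert.get('digest')} is weaker than SHA256")
    return v


# Constructed sample config (hypothetical field names, not PAN-OS CLI or XML syntax)
SAMPLE_CONFIG = {
    "auth": {"failed_attempts": 5, "lockout_time_min": 15, "idle_timeout_min": 0},
    "password_policy": {"min_length": 8},
    "ha1": {"encryption": True, "rekey_data_mb": 2000, "rekey_time_min": 60},
    "certificates": [
        {"name": "mgmt-web", "key_algo": "ECDSA", "key_bits": 256, "digest": "SHA256"},
        {"name": "legacy-vpn", "key_algo": "RSA", "key_bits": 1024, "digest": "SHA1"},
    ],
}

if __name__ == "__main__":
    for problem in check_fips_cc(SAMPLE_CONFIG):
        print("FIPS-CC violation:", problem)
```

Running it against the sample reports four violations: the zero idle timeout, the HA1 data rekey value above 1000 MB, and the 1024-bit RSA key and SHA1 digest of the legacy certificate.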