Prisma Cloud Compute Edition Administrator’s Guide
    : Deploy Console and Defenders in FIPS140-2 Level 1 mode
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Compute Edition Administrator’s Guide
    5. Howto
    6. Deploy Console and Defenders in FIPS140-2 Level 1 mode
    Download PDF

    Prisma Cloud Compute Edition Administrator’s Guide

    Deploy Console and Defenders in FIPS140-2 Level 1 mode

    Table of Contents

    Deploy Console and Defenders in FIPS140-2 Level 1 mode

    With the Lagrange release the Console, Defender and twistcli Compute components can run using FIPS140-2 Level 1 validated cryptographic modules. The Compute GoLang components are statically compiled with the BoringCrypto module, using the built-in mechanism introduced in Go1.19 GOEXPERIMENT.
    The cipher suites used are:
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    The following procedures are for self-hosted deployments only.
    1. Download the Lagrange (22.12+) release tar bundle from the Palo Alto Networks Customer Support Portal.
    2. Untar the release
      $ tar -xzf prisma_cloud_compute_<VERSION>.tar.gz
    3. Modify twistlock.cfg and set the FIPS_ENABLED flag to "true."
      ##### FIPS configuration #####
# Forces Console and Defender to use FIPS-compliant cryptography, https://csrc.nist.gov/projects/cryptographic-module-validation-program
FIPS_ENABLED=true
    4. Deploy the Console either via the Onebox or Kubernetes deployment methods.
    5. To confirm the Console is running in FIPS mode, login to the Console and go to Manage > Logs > Console and search for "FIPS." FIPSEnabled: true is confirmation that the Console has started in FIPS mode.
      manager.go:73 Starting Console manager: ConsoleCN: STIG.lomsgaupfzzurnlkzzmxivmymh.cx.internal.cloudapp.net, ConsoleSAN: [IP:127.0.0.1 IP:10.0.1.4 IP:172.17.0.1], IsProd: true, DataRecoveryEnabled: true, DefenderPort: 8084, MgmtPortHTTPS: 8083, Version: 22.12.415, FIPSEnabled: true
    6. To confirm that the Defender is running in FIPS mode, login to the Console and go to Manage > Defenders > Deployed Defenders in the Actions column of the Defender(s) click Logs and search for "FIPS."
      defender.go:778 FIPS mode enabled true
    7. When using the twistcli command line tool use the
      FIPS_ENABLED=true
       variable to enforce FIPS validated TLS communication to the Console, for example:
      $ FIPS_ENABLED=true ./twistcli images scan --address https://127.0.0.1:8083 0c413668ee0d
    8. The Jenkins plug-in communication to the Console can enforce FIPS compliant TLS traffic, enable
      FIPS mode
       in the Prisma Cloud Jenkins plug-in’s configuration.

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.