Enabling CCEAL4 or FIPS Mode in High Availability

Created On 09/25/18 17:15 PM - Last Modified 06/06/23 16:55 PM


Symptom


This document describes how to enable and disable CCEAL4 mode on a Palo Alto Networks firewall with high availability.

Before attempting this procedure, read the following article to understand the changes and impact of enabling the FIPS/CCEAL4 mode:
Changes that Occur if FIPS Mode is Enabled.

 



Resolution


If you attempt to switch the devices of an HA pair into FIPS mode one at a time, both devices in the pair enter a suspended state because their operational modes no longer match. This is expected behavior.
To properly configure an HA pair in FIPS mode:

1. Configure both devices for FIPS mode individually. 
Note: If both devices are currently in an HA pair, the HA pair needs to be broken first; the devices are then brought back into an HA pair after the mode change.

2. Then both devices need to be brought into an HA pair. See the following article about HA pairing:
How to Configure High Availability on PAN-OS.

