Changes that Occur if FIPS Mode is Enabled

Changes that Occur if FIPS Mode is Enabled

Created On 09/26/18 13:48 PM - Last Modified 02/07/19 23:48 PM



  • To log into the Palo Alto Networks firewall, the browser must be TLS 1.0 compatible.
  • All passwords on the firewall must be at least six characters.
  • Accounts are locked after the number of failed attempts that is configured on the Device > Setup > Management page. If the firewall is not in FIPS mode, it can be configured so that it never locks out. However, in FIPS mode, the lockout time is required.
  • The firewall automatically determines the appropriate level of self-testing and enforces the appropriate level of strength in encryption algorithms and cipher suites.
  • Non-FIPS approved algorithms are not decrypted and are thus ignored during decryption.
  • When configuring IPSec, a subset of the normally available cipher suites is available.
  • Self-generated and imported certificates must contain public keys that are 2048 bits (or more).
  • The exporting of CSRs (Certificate Signing Request) is not supported while in FIPS mode. The following error will appear:
    Error: download -> certificate -> format 'pkcs10' is not an allowed keyword' be generated
  • SSH key-based authentication must use RSA public keys that are 2048 bits or higher.
  • The serial port is disabled.
  • Management port IP address cannot be changed via maintenance mode console.
  • Telnet, TFTP, and HTTP management connections are unavailable.
  • Surf control is not supported.
  • High availability (HA) encryption is required.
  • PAP authentication is disabled.
  • Kerberos support is disabled.


See Also

How to Enable or Disable (Common Criteria) CCEAL4 Mode



owner: mzhou

  • Print
  • Copy Link

Choose Language