When attempting to restore a configuration to a FIPS-enabled firewall from Panorama, FIPS-related errors about encryption keys are displayed.
Resolution:
When FIPS mode is configured, the firewall performs a factory reset to ensure that a non-FIPS-compliant configuration cannot exist on the device. It is not possible to load a non-FIPS-compliant configuration onto a FIPS-enabled device. When pushing from Panorama to a FIPS-enabled device, IKE crypto errors are received because FIPS mode disables certain ciphers (Group 2 in IKE/IPSec is one such cipher). Only Group 14 is allowed in this mode. To ensure that a configuration is FIPS compliant, configure the device and save the config when it is already in FIPS mode.
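
A pre-push check for the condition described above, as an added example that is not part of the original article or any vendor tooling: it scans an exported configuration XML for crypto profiles whose DH group is anything other than Group 14. The sample XML is constructed, and the element names (`entry`, `dh-group`, `member`) and the group value strings are assumptions about the export layout.

```python
import xml.etree.ElementTree as ET

# Per the article: only Group 14 is allowed in FIPS mode.
ALLOWED_DH_GROUPS = {"group14"}

# Constructed sample, not a real export. The element layout is an assumption.
SAMPLE_CONFIG = """
<config>
  <ike>
    <crypto-profiles>
      <ike-crypto-profiles>
        <entry name="legacy-ike">
          <dh-group><member>group2</member><member>group14</member></dh-group>
        </entry>
        <entry name="fips-ike">
          <dh-group><member>group14</member></dh-group>
        </entry>
      </ike-crypto-profiles>
      <ipsec-crypto-profiles>
        <entry name="legacy-ipsec">
          <dh-group>group2</dh-group>
        </entry>
      </ipsec-crypto-profiles>
    </crypto-profiles>
  </ike>
</config>
"""

def find_disallowed_dh_groups(config_xml, allowed=ALLOWED_DH_GROUPS):
    """Return sorted (profile_name, dh_group) pairs whose group is not in `allowed`."""
    root = ET.fromstring(config_xml)
    findings = set()
    for entry in root.iter("entry"):
        # Only direct children, so an enclosing <entry> is not blamed for nested profiles.
        for dh in entry.findall("dh-group"):
            members = [m.text for m in dh.findall("member")]
            # A profile may list groups as <member> children or as plain element text.
            values = members if members else [dh.text]
            for value in values:
                value = (value or "").strip()
                if value and value not in allowed:
                    findings.add((entry.get("name", "?"), value))
    return sorted(findings)

if __name__ == "__main__":
    for profile, group in find_disallowed_dh_groups(SAMPLE_CONFIG):
        print(f"{profile}: {group} is not allowed in FIPS mode")
```

Any profile this reports needs its DH group changed before the configuration is loaded onto the FIPS-enabled device.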