Palo Alto Networks Knowledgebase: How to Enable or Disable (Common Criteria) CCEAL4 Mode

Created On 02/07/19 23:36 PM - Last Updated 02/07/19 23:36 PM


This document describes the steps to enable and disable CCEAL4 mode on a Palo Alto Networks firewall.

Warning: Enabling or disabling CCEAL4 mode will delete the current configuration and reset the firewall back to its default configuration.



To enable CCEAL4 mode

  1. Reboot the firewall and, using the console cable, enter maintenance mode by typing "maint" at the boot screen.
  2. When the next screen appears, press Enter to continue into maintenance mode.
  3. Choose "Set CCEAL4 Mode" to enable CCEAL4 mode.
    Note: At this point, the firewall will reset to its default configuration. The management IP address will revert to, and the admin password will revert to "paloalto".
  4. As soon as you enable CCEAL4 mode, Console access will be limited to Maintenance mode ONLY. In order to configure the Firewall, webGUI is the only supported method, and you will need a workstation with an IP address in the range, gateway pointing to, and then open the web UI by accessing in a browser.


To disable CCEAL4 Mode

  1. Open both an SSH connection and a console (terminal) connection to the firewall. Nothing will be visible from the console port at this time.
  2. From the SSH connection, run the following command: request restart system.
  3. The console should now display information on the firewall as it boots up.
  4. Enter maintenance mode while booting (see step 1 above).
  5. Perform a factory reset.
  6. Reconfigure the firewall using the console port, CLI or web UI.


See Also

Console Access with Palo Alto Networks Devices in FIPS or CCEAL4 Mode


owner: kadak