How to Enable or Disable (Common Criteria) CCEAL4 Mode

Overview

This document describes the steps to enable and disable CCEAL4 mode on a Palo Alto Networks firewall.

Warning: Enabling or disabling CCEAL4 mode will delete the current configuration and reset the firewall back to its default configuration.

Steps

To enable CCEAL4 mode

1. Reboot the firewall, using the console cable, enter into maintenance mode by typing "maint" at this boot screen:
   
2. The following screen should appear on the screen, press enter to continue into Maintenance Mode.
   
3. Choose "Set CCEAL4 Mode" to Enable CCEAL4 mode, as shown here:
   
   Note: At this point, the firewall will reset to its default configuration. The management IP address will revert to 192.168.1.1, and the admin password will revert to "paloalto".
4. As soon as you enable CCEAL4 mode, Console access will be limited to Maintenance mode ONLY. In order to configure the Firewall, webGUI is the only supported method, and you will need a workstation with an IP address in the 192.168.1.0/24 range, gateway pointing to 192.168.1.1, and then open the web UI by accessing https://192.168.1.1/ in a browser.

To disable CCEAL4 Mode

1. Open both an SSH connection and a console (terminal) connection to the firewall. Nothing will be visible from the console port at this time.
2. From the SSH connection, run the following command: request restart system.
3. The console should now display information on the firewall as it boots up.
4. Enter maintenance mode while booting. (see step 1 above)
5. Perform a factory reset.
6. Reconfigure the firewall using Console port, CLI or WebUI.

See Also

Console Access with Palo Alto Networks Devices in FIPS or CCEAL4 Mode

owner: kadak