Local administrator accounts pushed in template from non-FIPS Panorama to FIPS-CC firewall do not function

Created On 02/22/21 23:05 PM - Last Modified 07/26/25 03:54 AM


Symptom


Local administrator accounts configured and pushed from a normal-mode Panorama to a FIPS-CC mode firewall fail to log in, with the message "Invalid username/password".

Environment


  • PAN-OS 9.0 or later
  • Panorama in operational mode "normal"
  • Firewall in operational mode "fips-cc"


Cause


  • When Panorama generates the local user password in the template, it uses a non-FIPS method, which is not allowed on the FIPS-CC firewall.
  • Therefore, the configured password is not accepted for the template-pushed administrator accounts when attempting to log in on the firewall.
  • This is expected behavior: mixed operational modes between Panorama and firewalls are not supported and may not function as expected.


Resolution


  1. Change the operational mode of Panorama to FIPS-CC mode.
  2. This is required to secure password hashes for local admin passwords pushed from Panorama.

    Note from documentation:
    If you change the operational mode of a firewall or Dedicated Log Collector managed by a Panorama management server to FIPS-CC mode, you must also change the operational mode of Panorama to FIPS-CC mode. This is required to secure password hashes for local admin passwords pushed from Panorama.


Additional Information


Change the Operational mode to FIPS mode.
