Error:
An unexpected error occurred. Please click Reload to try again.
Error:
An unexpected error occurred. Please click Reload to try again.
How to enable FIPS-CC Mode on GlobalProtect App for macOS? - Knowledge Base - Palo Alto Networks

How to enable FIPS-CC Mode on GlobalProtect App for macOS?

10223
Created On 05/21/21 23:45 PM - Last Modified 05/21/21 23:54 PM


Objective


How to enable FIPS-CC Mode on GlobalProtect App for macOS?

Environment


GlobalProtect App
macOS
 


Procedure


The general process of Enable and Verify FIPS-CC Mode Using the macOS Property List is already documented in the GlobalProtect Administrator's Guide: 

However, this Knowledge Base (KB) article explains the procedure and gives an example of how to accomplish the task through Terminal.

Step#1: Verify the GlobalProtect App status
If GlobalProtect App is already installed on the macOS but it's in FIPS-CC mode failed state, where GP App's main panel UI is showing "GlobalProtect App, has been disabled as it has failed to enter FIPS-CC mode. Please contact your IT Administrator." or the GP App's About page is showing "FIPS-CC Mode Failed", it needs to be uninstalled. Once uninstalled, please follow Step#2

If GlobalProtect App is not installed, please follow Step#2 

Step#2: Verify GP App is uninstalled and no file is there
When GP App is uninstalled, it automatically removes all the files (except some log files), please verify the GP App related files and if any exists, remove it:
 
ls -lth /Applications/GlobalProtect.app
ls -lth /Library/Application Support/PaloAltoNetworks/GlobalProtect/
ls -lth /Users/$USER/Library/Application Support/PaloAltoNetworks/GlobalProtect/
ls -lth /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist
ls -lth /Users/$USER/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist
ls -lth /Users/$USER/Library/Preferences/com.paloaltonetworks.GlobalProtect.client.plist

Example removal:
rm /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist

Step#3: Install GP App
If GlobalProtect App is already installed on the macOS and it's in a good status (i.e. Connected to GP Portal & Gateway), skip this step and follow Step#5

If GlobalProtect App is not installed, install it

Step#4: Connect GP App to a Portal and Gateway
After successful installation, add the Portal address in the GP App and make sure it's Connected to the Portal and Gateway
This step is just to make sure that GP App is working in non-FIPS mode and also getting the Portal configuration

Step#5: Add FIPS-CC mode key & string in plist
If GP App is in Connected state (i.e. Connected to the Portal & Gateway), Disconnect or Disable it

Open the /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist file and add the following key & string under the Settings dictionary:
<key>enable-fips-cc-mode</key>
<string>yes</string>

As an example, nano is used on Terminal to add the key & string
 
sudo nano /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist


Once the file is opened in nano, add the key & string, save the file (Ctrl+O) and exit from nano (Ctrl+X), for example:

nano key string added


Step#6: Check the GP App processes, Unload them & Verify unloaded
Check the GP App processes (e.g. from Terminal)
ps -ef | grep GlobalProtect

Unload PanGPS and PanGPA (i.e. GlobalProtect) processes:
launchctl unload -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist
launchctl unload -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist

Verify the PanGPS and PanGPA (i.e. GlobalProtect) processes are unloaded
ps -ef | grep GlobalProtect

Example:
Unload GP App

Step#7: Load GP App processes and Verify 
Load PanGPS and PanGPA (i.e. GlobalProtect) processes:
launchctl load -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist
launchctl load -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist

Verify the PanGPS and PanGPA (i.e. GlobalProtect) processes are loaded
ps -ef | grep GlobalProtect

Example: 
Load GP App

Step#8: Check the GP App > About page to verify FIPS-CC Mode Enabled

FIPS-CC Mode Enabled
 
If FIPS-CC Mode Failed, repeat from Step#1 in order. If retry fails, please collect the GP App logs (GlobalProtect > Settings > Troubleshooting > Collect Logs) and open a ticket with Support
 


Additional Information


This is an example of Enable and Verify FIPS-CC Mode Using the macOS Property List: https://docs.paloaltonetworks.com/globalprotect/10-0/globalprotect-admin/certifications/enable-and-verify-fips-cc-mode/enable-fips-cc-mode-using-the-macos-property-list.html

Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oM7xCAE&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language