How to enable FIPS-CC Mode on GlobalProtect App for macOS?
Created On 05/21/21 23:45 PM - Last Modified 05/21/21 23:54 PM
Objective
How to enable FIPS-CC Mode on GlobalProtect App for macOS?
Environment
GlobalProtect App
macOS
Procedure
The general process of enabling and verifying FIPS-CC mode using the macOS property list is already documented in the GlobalProtect Administrator's Guide (see Additional Information below).
This Knowledge Base (KB) article walks through that procedure and gives an example of how to accomplish each step from Terminal.
Step#1: Verify the GlobalProtect App status
If the GlobalProtect App is already installed on macOS but is in the FIPS-CC mode failed state, where the GP App's main panel UI shows "GlobalProtect App, has been disabled as it has failed to enter FIPS-CC mode. Please contact your IT Administrator." or the GP App's About page shows "FIPS-CC Mode Failed", it needs to be uninstalled. Once uninstalled, follow Step#2.
If the GlobalProtect App is not installed, follow Step#2.
Step#2: Verify GP App is uninstalled and no file is there
When the GP App is uninstalled it automatically removes all of its files (except some log files). Verify that none of the GP App related files remain and remove any that still exist (paths containing spaces must be quoted):
ls -lth /Applications/GlobalProtect.app
ls -lth "/Library/Application Support/PaloAltoNetworks/GlobalProtect/"
ls -lth "/Users/$USER/Library/Application Support/PaloAltoNetworks/GlobalProtect/"
ls -lth /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist
ls -lth "/Users/$USER/Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist"
ls -lth "/Users/$USER/Library/Preferences/com.paloaltonetworks.GlobalProtect.client.plist"
Example removal:
sudo rm /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist
Step#3: Install GP App
If the GlobalProtect App is already installed on macOS and is in a good state (i.e. Connected to the GP Portal and Gateway), skip this step and continue with Step#5.
If the GlobalProtect App is not installed, install it.
Step#4: Connect GP App to a Portal and Gateway
After a successful installation, add the Portal address in the GP App and make sure it is Connected to the Portal and Gateway.
This step only confirms that the GP App works in non-FIPS mode and receives the Portal configuration.
Step#5: Add FIPS-CC mode key & string in plist
If the GP App is in the Connected state (i.e. Connected to the Portal and Gateway), Disconnect or Disable it.
Open the /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist file and add the following key and string under the Settings dictionary:
<key>enable-fips-cc-mode</key>
<string>yes</string>
As an example, nano is used in Terminal to add the key and string:
sudo nano /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist
Once the file is open in nano, add the key and string inside the Settings dictionary, save the file (Ctrl+O) and exit nano (Ctrl+X).
Step#6: Check the GP App processes, Unload them & Verify unloaded
Check the GP App processes (e.g. from Terminal):
ps -ef | grep GlobalProtect
Unload the PanGPS and PanGPA (i.e. GlobalProtect) processes:
launchctl unload -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist
launchctl unload -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist
Verify that the PanGPS and PanGPA (i.e. GlobalProtect) processes are unloaded:
ps -ef | grep GlobalProtect
Step#7: Load GP App processes and Verify
Load the PanGPS and PanGPA (i.e. GlobalProtect) processes:
launchctl load -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist
launchctl load -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist
Verify that the PanGPS and PanGPA (i.e. GlobalProtect) processes are loaded:
ps -ef | grep GlobalProtect
Step#8: Check the GP App > About page to verify FIPS-CC Mode Enabled
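The plist edit in Step#5 is the one part of this procedure that is easy to get wrong by hand (key placed outside the Settings dictionary, or added twice). The script below is an added example written for this KB, not Palo Alto Networks code: it reads the enable-fips-cc-mode value from a settings plist and sets it to yes inside the Settings dictionary, idempotently. The sample plist it builds is constructed for a dry run and only assumes the Settings dictionary the article describes; the real file contains other keys.

```shell
# Added example (not from the KB article): read the enable-fips-cc-mode key from the
# GlobalProtect settings plist and set it to "yes" under the Settings dict, the edit
# Step#5 makes by hand in nano. POSIX sh + awk only, so it can be dry-run on a copy;
# on macOS point it (via sudo) at /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist.
PLIST_KEY='enable-fips-cc-mode'
# Constructed sample plist for dry runs; only the Settings dict is assumed, the real
# file carries more keys. Optional $2 pre-seeds the FIPS key with a value.
make_sample_plist() {
  seed=""
  [ -n "$2" ] && seed="    <key>$PLIST_KEY</key>
    <string>$2</string>"
  cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Settings</key>
  <dict>
$seed
    <key>Portal</key>
    <string>portal.example.com</string>
  </dict>
</dict>
</plist>
EOF
}
# Print the current value of the key ("yes", "no", ...) or "absent".
fips_cc_mode_value() {
  awk -v key="$PLIST_KEY" '
    index($0, "<key>" key "</key>") { want = 1; next }
    want && /<string>/ { gsub(/.*<string>|<\/string>.*/, ""); print; found = 1; exit }
    END { if (!found) print "absent" }' "$1"
}
# Ensure <key>enable-fips-cc-mode</key><string>yes</string> is inside the Settings
# dict: insert the pair when absent, rewrite the existing value otherwise.
enable_fips_cc_mode() {
  case "$(fips_cc_mode_value "$1")" in
    yes) return 0 ;;
    absent) awk -v key="$PLIST_KEY" '{ print }
      index($0, "<key>Settings</key>") { in_settings = 1; next }
      in_settings && /<dict>/ { print "    <key>" key "</key>"; print "    <string>yes</string>"; in_settings = 0 }
      ' "$1" > "$1.tmp" ;;
    *) awk -v key="$PLIST_KEY" '
      index($0, "<key>" key "</key>") { print; getline; sub(/<string>[^<]*<\/string>/, "<string>yes</string>") }
      { print }' "$1" > "$1.tmp" ;;
  esac
  mv "$1.tmp" "$1"
}
```

Run fips_cc_mode_value against the real plist after Step#7 to confirm the key survived the reload, alongside the About page check in Step#8.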
Additional Information
This is an example of Enable and Verify FIPS-CC Mode Using the macOS Property List: https://docs.paloaltonetworks.com/globalprotect/10-0/globalprotect-admin/certifications/enable-and-verify-fips-cc-mode/enable-fips-cc-mode-using-the-macos-property-list.html