https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/fips-mode-in-azure-government/m-p/449294#M1392 <P>We use FIPS-CC mode in the Azure Government Cloud, using&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/certifications/enable-fips-and-common-criteria-support/change-the-operational-mode-to-fips-cc-mode.html" target="_self">this article</A>&nbsp;to set it. Basically:</P><OL><LI>SSH into the FW (using your username and ssh key file)</LI><LI>Enter the commands to put the firewall into maintenance mode (debug system maintenance-mode) - this will cause a reboot</LI><LI>SSH into the FW again, and set the FW to FIPS-CC mode using the article linked above, then reboot the firewall again</LI><LI>Once the firewall is back and in FIPS-CC mode, it should still allow you to SSH in using the same credentials. We then make an admin user so that we can log into the GUI for the firewall</LI></OL><P>As to your second question, we don't use an ARM template, but use Terraform instead, specifically the "tls" provider (<A href="https://registry.terraform.io/providers/hashicorp/tls/latest" target="_blank">hashicorp/tls | Terraform Registry</A>), which lets you make a private/public key pair, which we then import into Azure Key Vault.</P><P>&nbsp;</P><P>Hope that all helps!</P> Wed, 24 Nov 2021 18:52:07 GMT StevenRogers 2021-11-24T18:52:07Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/fips-mode-in-azure-government/m-p/412578#M1210 <P>Has anyone been successful in converting their VM-series appliances running in Azure Government to FIPS-CC mode? The SSH keys I created and allowed for FW management prior to the conversion were wiped out and resetting the keys via the Azure portal doesn't work (although the agent is running). I cannot get into the GUI either since admin is not a supported username in Azure.</P><P>&nbsp;</P><P>Second question, does anyone have a ARM template that successfully installs a SSH public key on a newly provisioned firewall? I can't seem to find the proper syntax.</P><P>&nbsp;</P><P>Any help would be greatly appreciated, thank you in advance!</P> Fri, 11 Jun 2021 15:03:48 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/fips-mode-in-azure-government/m-p/412578#M1210 cl625410 2021-06-11T15:03:48Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/fips-mode-in-azure-government/m-p/449294#M1392 <P>We use FIPS-CC mode in the Azure Government Cloud, using&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/certifications/enable-fips-and-common-criteria-support/change-the-operational-mode-to-fips-cc-mode.html" target="_self">this article</A>&nbsp;to set it. Basically:</P><OL><LI>SSH into the FW (using your username and ssh key file)</LI><LI>Enter the commands to put the firewall into maintenance mode (debug system maintenance-mode) - this will cause a reboot</LI><LI>SSH into the FW again, and set the FW to FIPS-CC mode using the article linked above, then reboot the firewall again</LI><LI>Once the firewall is back and in FIPS-CC mode, it should still allow you to SSH in using the same credentials. We then make an admin user so that we can log into the GUI for the firewall</LI></OL><P>As to your second question, we don't use an ARM template, but use Terraform instead, specifically the "tls" provider (<A href="https://registry.terraform.io/providers/hashicorp/tls/latest" target="_blank">hashicorp/tls | Terraform Registry</A>), which lets you make a private/public key pair, which we then import into Azure Key Vault.</P><P>&nbsp;</P><P>Hope that all helps!</P> Wed, 24 Nov 2021 18:52:07 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/fips-mode-in-azure-government/m-p/449294#M1392 StevenRogers 2021-11-24T18:52:07Z