topic Re: FIPS-CC mode default user/password issue in General Topics

FIPS-CC mode default user/password issue

B.Vance — Mon, 04 Mar 2024 19:21:21 GMT

We recently tried switching to FIPS-CC mode but the factory default user/password didn't work.

The Admin guide showed the default user/password to be admin/admin even in FIPS-CC mode. We also found a Palo Alto documentation that for FIPS-CC it should be admin/paloalto but that didn't work as well. There was a mention of using the serial number as the password when logging in via SSH which also didn't work. Does anyone know what this user and password should be?

Thanks,

Re: FIPS-CC mode default user/password issue

kylebrolafski — Mon, 04 Mar 2024 21:14:13 GMT

I've run into this same issue on 11.x.x and opened a ticket. The first recommendation was to validate you haven't locked yourself out with too many failures as FIPS will hard lock that account. And being the only account at this point, the box is now effectively bricked. The second recommendation was to downgrade to a known good OS version, iirc that was 10.2.0 in my experience and convert to FIPS there, then upgrade to 11.x.x within FIPS mode. The engineer made a veiled reference to this being a known issue without any public documentation yet but wouldn't explain further.

Re: FIPS-CC mode default user/password issue

kylebrolafski — Mon, 04 Mar 2024 21:19:27 GMT

However, I am literally doing this right now on a new deployment and run into the same issue again. 10.2.7-h3 appears to also have issues with the default FIPS credentials. Searching the default creds to make sure my memory is intact is actually how I found this thread.

Re: FIPS-CC mode default user/password issue

B.Vance — Tue, 05 Mar 2024 15:44:51 GMT

Hey KevinVanDyke,

Thanks for your response. As a result we are now looking at getting an exemption with our FIPS requirement on the firewall until this issue is resolved by PAN. I'll except this as the solution and post back here if I discover anything further. Thanks,

Re: FIPS-CC mode default user/password issue

kylebrolafski — Thu, 07 Mar 2024 01:33:17 GMT

TAC engineer recommended to install 10.2.5, Enable FIPS here, then once enabled, Upgrade to 10.2.8 to prepare for the Certificate issue coming here in April. Once you're FIPS enabled on a certificate approved image, I have had no issues upgrading further. I also got confirmation that this is a known bug that is being tracked for fixing and affects most (all?) "modern" releases of the PAN-OS image.

My deployment is now active with FIPS enabled following the provided steps.