topic Re: What is fips-gated? in General Topics

What is fips-gated?

SteveSanford — Fri, 28 Jul 2017 20:12:12 GMT

can't find a definition for the setting fips-gated = true, what is fips-gated?

Re: What is fips-gated?

jdelio — Fri, 28 Jul 2017 20:15:14 GMT

This topic was posted inside Community Feedback and not in the General Discussion.. Moving topic.

Re: What is fips-gated?

BPry — Sat, 29 Jul 2017 07:05:30 GMT

@SteveSanford

Correct me if I'm wrong but your seeing this on your management interface correct? cfg.net.eth0.cfg and cfg.net.eth1.cfg?

Re: What is fips-gated?

SteveSanford — Mon, 31 Jul 2017 18:02:36 GMT

Yes it's the management interface. Can't seem to find a definition for it in the documentation.

Re: What is fips-gated?

BPry — Mon, 31 Jul 2017 20:12:58 GMT

@SteveSanford

To the best of my knowledge it's essentially a flag checked by the maintenance console that either enables or disabled the ability to modify the mangement port IP address by booting into mainenance mode. When you enable FIPS you get blocked out of modifying this directly from the maintenance console due to the security risk associated with the ability to do so.

Re: What is fips-gated?

SteveSanford — Mon, 31 Jul 2017 20:26:01 GMT

Ah, thanks, makes sense. Wonder why it's not documented very well.

I searched for maintenence mode and found a procedure to recover if you have forgot your IP (not sure how you would forget that).

I see the setting on the example page (link below) , but no definition.

I'm seeing it set to true on my setup, so I assume that is the default.

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Management-Interface-from-Maintenance-Mode/ta-p/53004

Re: What is fips-gated?

gwesson — Mon, 31 Jul 2017 20:43:25 GMT

FIPS certification requires that self-tests complete before the interfaces can be used.

The FIPS-Gated flag on an interface that ensures that, while in FIPS-CC mode, the interface does not come up before FIPS mode self-tests have completed. You may see some systems with fips-disabled, which similarly means that in that mode the interface will not be available at all.

If you're not in FIPS mode, the flag isn't used for anything. It's not something that can be modified, so that is likely why there is not much documentation on it. The output of the system state has a lot of things that probably aren't all that useful but are there for debug purposes.

Re: What is fips-gated?

BPry — Mon, 31 Jul 2017 21:16:34 GMT

@gwesson,

good to know. Glad to know I wasn't terribly off then 😉