https://live.paloaltonetworks.com/t5/general-topics/ssh-access-to-mgmt-interface-after-enabling-fips-mode/m-p/285818#M76484 <P>Thanks</P><P>my change is dependent on having ssh access to 192.168.1.1 after enabling fips and firewall is wiped. Needed confirmation before attempting it</P> Thu, 29 Aug 2019 17:17:41 GMT josggf 2019-08-29T17:17:41Z https://live.paloaltonetworks.com/t5/general-topics/ssh-access-to-mgmt-interface-after-enabling-fips-mode/m-p/285569#M76443 <P>i am checking documentation and knowledgebase and it seems only ui access to <A href="https://192.168.1.1" target="_blank">https://192.168.1.1</A> is available after fips is enabled and firewall reboots.</P><P>Can anyone confirm if ssh to 192.168.1.1 will work as well or not?</P> Wed, 28 Aug 2019 17:32:51 GMT https://live.paloaltonetworks.com/t5/general-topics/ssh-access-to-mgmt-interface-after-enabling-fips-mode/m-p/285569#M76443 josggf 2019-08-28T17:32:51Z https://live.paloaltonetworks.com/t5/general-topics/ssh-access-to-mgmt-interface-after-enabling-fips-mode/m-p/285636#M76452 Fips/cceal4 disables the console port, ssh is still available Wed, 28 Aug 2019 22:12:16 GMT https://live.paloaltonetworks.com/t5/general-topics/ssh-access-to-mgmt-interface-after-enabling-fips-mode/m-p/285636#M76452 reaper 2019-08-28T22:12:16Z https://live.paloaltonetworks.com/t5/general-topics/ssh-access-to-mgmt-interface-after-enabling-fips-mode/m-p/285818#M76484 <P>Thanks</P><P>my change is dependent on having ssh access to 192.168.1.1 after enabling fips and firewall is wiped. Needed confirmation before attempting it</P> Thu, 29 Aug 2019 17:17:41 GMT https://live.paloaltonetworks.com/t5/general-topics/ssh-access-to-mgmt-interface-after-enabling-fips-mode/m-p/285818#M76484 josggf 2019-08-29T17:17:41Z https://live.paloaltonetworks.com/t5/general-topics/ssh-access-to-mgmt-interface-after-enabling-fips-mode/m-p/285857#M76495 <P>Confirming the <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a> is correct.&nbsp;</P><P>&nbsp;</P><P>SSH will be still be enabled/accessible.</P><P>&nbsp;</P><P>Here are all changes when going into FIPS mode.</P><P>&nbsp;</P><UL><LI>To log into the Palo Alto Networks firewall, the browser must be TLS 1.0 compatible.</LI><LI>All passwords on the firewall must be at least six characters.</LI><LI>Accounts are locked after the number of failed attempts that is configured on the Device &gt; Setup &gt; Management page. If the firewall is not in FIPS mode, it can be configured so that it never locks out. However, in FIPS mode, the lockout time is required.</LI><LI>The firewall automatically determines the appropriate level of self-testing and enforces the appropriate level of strength in encryption algorithms and cipher suites.</LI><LI>Non-FIPS approved algorithms are not decrypted and are thus ignored during decryption.</LI><LI>When configuring IPSec, a subset of the normally available cipher suites is available.</LI><LI>Self-generated and imported certificates must contain public keys that are 2048 bits (or more).</LI><LI>The exporting of CSRs (Certificate Signing Request) is not supported while in FIPS mode. The following error will appear:<BR /><SPAN>Error: download -&gt; certificate -&gt; format 'pkcs10' is not an allowed keyword' be generated</SPAN></LI><LI>SSH key-based authentication must use RSA public keys that are 2048 bits or higher.</LI><LI>The serial port is disabled.</LI><LI>Management port IP address cannot be changed via maintenance mode console.</LI><LI>Telnet, TFTP, and HTTP management connections are unavailable.</LI><LI>Surf control is not supported.</LI><LI>High availability (HA) encryption is required.</LI><LI>PAP authentication is disabled.</LI><LI>Kerberos support is disabled.</LI></UL><P>&nbsp;</P> Thu, 29 Aug 2019 20:10:44 GMT https://live.paloaltonetworks.com/t5/general-topics/ssh-access-to-mgmt-interface-after-enabling-fips-mode/m-p/285857#M76495 S.Cantwell 2019-08-29T20:10:44Z