Changes that Occur if FIPS Mode is Enabled



  • To log into the Palo Alto Networks firewall, the browser must be TLS 1.0 compatible.
  • All passwords on the firewall must be at least six characters.
  • Accounts are locked after the number of failed attempts that is configured on the Device > Setup > Management page. If the firewall is not in FIPS mode, it can be configured so that it never locks out. However, in FIPS mode, the lockout time is required.
  • The firewall automatically determines the appropriate level of self-testing and enforces the appropriate level of strength in encryption algorithms and cipher suites.
  • Non-FIPS approved algorithms are not decrypted and are thus ignored during decryption.
  • When configuring IPSec, a subset of the normally available cipher suites is available.
  • Self-generated and imported certificates must contain public keys that are 2048 bits (or more).
  • Exporting CSRs (Certificate Signing Requests) is not supported while in FIPS mode. The following error will appear:
    Error: download -> certificate -> format 'pkcs10' is not an allowed keyword' be generated
  • SSH key-based authentication must use RSA public keys that are 2048 bits or higher.
  • The serial port is disabled.
  • The management port IP address cannot be changed via the maintenance mode console.
  • Telnet, TFTP, and HTTP management connections are unavailable.
  • Surf control is not supported.
  • High availability (HA) encryption is required.
  • PAP authentication is disabled.
  • Kerberos support is disabled.
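
The SSH key requirement in the list above can be checked before FIPS mode is enabled. The following is an added example, not Palo Alto Networks code: it parses OpenSSH public-key lines and reports any key that is not RSA with a modulus of at least 2048 bits. The function names are hypothetical, the sample keys are constructed dummy values, and input is assumed to be plain "type base64 comment" lines without authorized_keys options.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # minimum RSA size stated in the list above


def _read_string(blob, offset):
    """Read one RFC 4251 length-prefixed field; return (bytes, new_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[offset + 4:end], end


def check_ssh_pubkey(line, min_bits=MIN_RSA_BITS):
    """Return (ok, reason) for one OpenSSH public-key line."""
    parts = line.split()
    if len(parts) < 2:
        return False, "not an OpenSSH public key line"
    try:
        # binascii.Error is a ValueError subclass, so bad base64 lands below
        blob = base64.b64decode(parts[1], validate=True)
        key_type, off = _read_string(blob, 0)
        if parts[0] != "ssh-rsa" or key_type != b"ssh-rsa":
            return False, "not an RSA key"
        _exponent, off = _read_string(blob, off)
        modulus, off = _read_string(blob, off)
    except ValueError as exc:
        return False, f"malformed key: {exc}"
    bits = int.from_bytes(modulus, "big").bit_length()
    if bits < min_bits:
        return False, f"RSA modulus is {bits} bits, below {min_bits}"
    return True, f"RSA modulus is {bits} bits"


def _constructed_key(bits):
    """Build a well-formed ssh-rsa line with a dummy modulus (sample data only)."""
    def field(data):
        return struct.pack(">I", len(data)) + data
    n = (1 << (bits - 1)) | 1
    n_bytes = n.to_bytes(bits // 8 + 1, "big")  # leading zero byte, as mpint needs
    blob = field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(n_bytes)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    for size in (1024, 2048, 4096):
        print(size, check_ssh_pubkey(_constructed_key(size)))
```

This checks key type and modulus size only; it does not evaluate anything else about the key.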


See Also

How to Enable or Disable (Common Criteria) CCEAL4 Mode



owner: mzhou


It's also important to realize they are only talking about FIPS 140-2; you will still fail to meet your FIPS 180-4 requirement, i.e. it's not really "FIPS" mode but "FIPS 140-2 mode".

Hi PeterT

Serial connection is not available in FIPS mode and that is expected.

We will update the KB to reflect the management interface IP address issue as well.

Thank you.

FYI, ran into an issue (and confirmed by support); please update to also reflect that RSA keys must use sha256 or bigger. RSAsha1 keys won't work even if 2048 bits or larger.

What is surf control? URL filtering?

Surf control is the legacy URL filtering Palo Alto used to sell prior to moving to the BrightCloud solution; see the 2009 EOL announcement (End-of-Sale Announcement). If you bought or renewed after that, you are most likely using BrightStar and it's not applicable (Surf Control) to you.

Ok, thank you for info!

Also, third-party VPN client support (Cisco, vpnc...) is no longer an option with FIPS enabled.