03-04-2024 11:21 AM
We recently tried switching to FIPS-CC mode but the factory default user/password didn't work.
The Admin guide showed the default user/password to be admin/admin even in FIPS-CC mode. We also found a Palo Alto documentation that for FIPS-CC it should be admin/paloalto but that didn't work as well. There was a mention of using the serial number as the password when logging in via SSH which also didn't work. Does anyone know what this user and password should be?
Thanks,
03-04-2024 01:14 PM
I've run into this same issue on 11.x.x and opened a ticket. The first recommendation was to validate you haven't locked yourself out with too many failures as FIPS will hard lock that account. And being the only account at this point, the box is now effectively bricked. The second recommendation was to downgrade to a known good OS version, iirc that was 10.2.0 in my experience and convert to FIPS there, then upgrade to 11.x.x within FIPS mode. The engineer made a veiled reference to this being a known issue without any public documentation yet but wouldn't explain further.
03-04-2024 01:14 PM
I've run into this same issue on 11.x.x and opened a ticket. The first recommendation was to validate you haven't locked yourself out with too many failures as FIPS will hard lock that account. And being the only account at this point, the box is now effectively bricked. The second recommendation was to downgrade to a known good OS version, iirc that was 10.2.0 in my experience and convert to FIPS there, then upgrade to 11.x.x within FIPS mode. The engineer made a veiled reference to this being a known issue without any public documentation yet but wouldn't explain further.
03-04-2024 01:19 PM
However, I am literally doing this right now on a new deployment and run into the same issue again. 10.2.7-h3 appears to also have issues with the default FIPS credentials. Searching the default creds to make sure my memory is intact is actually how I found this thread.
03-05-2024 07:44 AM
Hey KevinVanDyke,
Thanks for your response. As a result we are now looking at getting an exemption with our FIPS requirement on the firewall until this issue is resolved by PAN. I'll except this as the solution and post back here if I discover anything further. Thanks,
03-06-2024 05:33 PM
TAC engineer recommended to install 10.2.5, Enable FIPS here, then once enabled, Upgrade to 10.2.8 to prepare for the Certificate issue coming here in April. Once you're FIPS enabled on a certificate approved image, I have had no issues upgrading further. I also got confirmation that this is a known bug that is being tracked for fixing and affects most (all?) "modern" releases of the PAN-OS image.
My deployment is now active with FIPS enabled following the provided steps.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
