FIPS-CC Mode Initial Setup

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

FIPS-CC Mode Initial Setup

L1 Bithead

We are now required to switch to FIPS-CC mode for compliance. I have read the Admin Guide section about switching the operation mode to FIPS-CC but have a question about a FIPS security function.

The guide states that I can save my current running-config since this change will revert the FW back to factory defaults and all configs will be lost but also states that the config file will need to be edited for FIPS-CC security functions or the import will fail.

Then, one of the security functions states "You are required to use a RADIUS server profile configured with an authentication protocol
leveraging TLS encryption". We are not using a RADIUS server for anything now but this is worded in a way that sounds like we will be required to, so if this one control isn't set in my exported running-config file will it cause the import to fail? Not sure what authentication it is requiring this for? Am I just reading the security function wrong?

One other question, is it possible to set all of the FIPS security functions while in normal mode and then export that running-config so the config file is already good to import or would there be some options missing in normal mode that are only available in FIPS-CC mode?

Thanks,

1 accepted solution

Accepted Solutions

@B.Vance,

Correct. One you import and load the saved configuration file it's just a candidate config just like when you make any other changes; the firewall will have all of the changes visible and they won't go into effect until you commit them. You'll be able to see all of the administrators that you have specified and modify their passwords as needed.

The validation errors that you'll see once you load the configuration file will detail everything you need to modify and these changes can be made while in the GUI, you don't need to modify the XML file and load it back in. I'm not aware of any documents that detail everything that needs to be modified; the biggest change from a configuration standpoint is going to be the FIPS-CC cipher suites versus what you can utilize right now. You can preemptively align your ciphers with those that are allowed in FIPS-CC mode, but I'm not sure I'd take the time to do this preemptively versus just loading the saved configuration and working through the errors. 

View solution in original post

7 REPLIES 7

Cyber Elite
Cyber Elite

Hello,

I'll try to break down the different questions, please let me know if I missed something:

1. YES backup the config as enabling fips wipes the config. There is no other special setting to change on the config. Just work through any errors you get. I've done this a few times so know its possible. Obviously get approval in writing and change control, etc.

2. If you dont use RADIUS, dont worry about this. you can use local auth etc.

3. Sorry no there is no other way :(.

 

Just remember again to backup your config!

Regards,

Cyber Elite
Cyber Elite

The guide states that I can save my current running-config since this change will revert the FW back to factory defaults and all configs will be lost but also states that the config file will need to be edited for FIPS-CC security functions or the import will fail.

Loading the config that you exported won't be an issue, however if you're using anything that you aren't allowed to utilize anymore it won't pass validation. Utilize the validation errors to strip those elements out of your configuration until you can pass validation and commit the config. You can drastically speed this up by ensuring that you're using cipher suites that are actually supported in FIPS mode.
One really important aspect of this import to take note of is that the phash value from your old config isn't going to work when you switch to FIPS, so before you commit the configuration ensure that you change at least one superuser account password to ensure that you know that the password will actually work. Failure to do this will lose access to the box. 

 

Then, one of the security functions states "You are required to use a RADIUS server profile configured with an authentication protocol
leveraging TLS encryption". We are not using a RADIUS server for anything now but this is worded in a way that sounds like we will be required to, so if this one control isn't set in my exported running-config file will it cause the import to fail? Not sure what authentication it is requiring this for? Am I just reading the security function wrong?

This could be better worded. If you're utilizing a RADIUS server profile you must use an authentication profile that uses TLS, so you won't be able to utilize PAP or CHAP if you were using a radius. Since you aren't you don't need to worry about this. 

BPry, Thanks for your reply. Just to clarify, are you saying that once I import my saved running-config I should be able to see the admins in the web UI even before I commit so I can change the password?

Also, is the a document you know of that will show how to edit the config file if I need to strip anything out? Thanks again for your help.

OtakarKlier, Thanks for your reply. When you say work through the errors, is this something I can do on the firewall after importing the config file or do I have to edit the config file to fix the errors and then import again?

@B.Vance,

Correct. One you import and load the saved configuration file it's just a candidate config just like when you make any other changes; the firewall will have all of the changes visible and they won't go into effect until you commit them. You'll be able to see all of the administrators that you have specified and modify their passwords as needed.

The validation errors that you'll see once you load the configuration file will detail everything you need to modify and these changes can be made while in the GUI, you don't need to modify the XML file and load it back in. I'm not aware of any documents that detail everything that needs to be modified; the biggest change from a configuration standpoint is going to be the FIPS-CC cipher suites versus what you can utilize right now. You can preemptively align your ciphers with those that are allowed in FIPS-CC mode, but I'm not sure I'd take the time to do this preemptively versus just loading the saved configuration and working through the errors. 

BPRY,

That is exactly what I wanted to hear. Thanks for all of your help!!!

Hello,

Sorry for not clarifying, What I meant to say is 'if' there are any errors work through those during the commit phase. BPry did a better job of explaining it than I did :).

Regards,

  • 1 accepted solution
  • 2402 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!