ssh access to mgmt interface after enabling fips mode


I am checking the documentation and knowledgebase, and it seems only UI access to https://192.168.1.1 is available after FIPS is enabled and the firewall reboots.

Can anyone confirm if SSH to 192.168.1.1 will work as well or not?

Accepted Solutions

Cyber Elite
FIPS/CCEAL4 disables the console port; SSH is still available.
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

3 REPLIES

Thanks

My change is dependent on having SSH access to 192.168.1.1 after enabling FIPS and the firewall is wiped. Needed confirmation before attempting it.

Confirming that @reaper is correct.

SSH will still be enabled/accessible.

Here are all changes when going into FIPS mode.

  • To log into the Palo Alto Networks firewall, the browser must be TLS 1.0 compatible.
  • All passwords on the firewall must be at least six characters.
  • Accounts are locked after the number of failed attempts that is configured on the Device > Setup > Management page. If the firewall is not in FIPS mode, it can be configured so that it never locks out. However, in FIPS mode, the lockout time is required.
  • The firewall automatically determines the appropriate level of self-testing and enforces the appropriate level of strength in encryption algorithms and cipher suites.
  • Non-FIPS approved algorithms are not decrypted and are thus ignored during decryption.
  • When configuring IPSec, a subset of the normally available cipher suites is available.
  • Self-generated and imported certificates must contain public keys that are 2048 bits (or more).
  • The exporting of CSRs (Certificate Signing Request) is not supported while in FIPS mode. The following error will appear:
    Error: download -> certificate -> format 'pkcs10' is not an allowed keyword' be generated
  • SSH key-based authentication must use RSA public keys that are 2048 bits or higher.
  • The serial port is disabled.
  • Management port IP address cannot be changed via maintenance mode console.
  • Telnet, TFTP, and HTTP management connections are unavailable.
  • Surf control is not supported.
  • High availability (HA) encryption is required.
  • PAP authentication is disabled.
  • Kerberos support is disabled.
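
The list above requires RSA public keys of 2048 bits or more for SSH key-based authentication, so a key can be checked before FIPS mode is enabled. The following is an added example, not part of the original thread and not Palo Alto Networks code; it assumes plain OpenSSH public-key lines (as in an `id_rsa.pub` file), and the function names and sample keys are constructed for illustration.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # minimum from the FIPS-mode change list above

def read_string(blob, offset):
    """Read one SSH wire 'string': 4-byte big-endian length, then the bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def check_public_key(line):
    """Return (ok, reason) for one OpenSSH public-key line."""
    fields = line.split()
    if len(fields) < 2:
        return False, "not an OpenSSH public-key line"
    try:
        blob = base64.b64decode(fields[1], validate=True)
        key_type, pos = read_string(blob, 0)
        if fields[0] != "ssh-rsa" or key_type != b"ssh-rsa":
            return False, "not an RSA key"
        _exponent, pos = read_string(blob, pos)
        modulus, pos = read_string(blob, pos)
    except ValueError as exc:  # also covers base64 decoding errors
        return False, f"unparseable key: {exc}"
    bits = int.from_bytes(modulus, "big").bit_length()
    if bits < MIN_RSA_BITS:
        return False, f"RSA key is {bits} bits, below {MIN_RSA_BITS}"
    return True, f"RSA key is {bits} bits"

def sample_line(bits, comment):
    """Constructed input: well-formed ssh-rsa blob with a dummy modulus, not a real key."""
    def mpint(n):
        raw = n.to_bytes(n.bit_length() // 8 + 1, "big")  # leading 0x00 keeps it positive
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(65537) + mpint((1 << (bits - 1)) | 1)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

if __name__ == "__main__":
    for line in (sample_line(2048, "admin@constructed"),
                 sample_line(1024, "old@constructed"),
                 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 other@constructed"):
        print(check_public_key(line))
```
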

 
