ssh access to mgmt interface after enabling fips mode

L2 Linker

I am checking the documentation and knowledge base, and it seems only UI access to https://192.168.1.1 is available after FIPS is enabled and the firewall reboots.

Can anyone confirm whether SSH to 192.168.1.1 will work as well or not?


Accepted Solutions
L7 Applicator

Re: ssh access to mgmt interface after enabling fips mode

FIPS/CC EAL4 disables the console port; SSH is still available.
reaper - PANgurus.com
I drink and I know things


All Replies
L2 Linker

Re: ssh access to mgmt interface after enabling fips mode

Thanks.

My change is dependent on having SSH access to 192.168.1.1 after enabling FIPS and the firewall is wiped. I needed confirmation before attempting it.

Cyber Elite

Re: ssh access to mgmt interface after enabling fips mode

Confirming that @reaper is correct.

SSH will still be enabled/accessible.

Here are all the changes when going into FIPS mode:

  • To log into the Palo Alto Networks firewall, the browser must be TLS 1.0 compatible.
  • All passwords on the firewall must be at least six characters.
  • Accounts are locked after the number of failed attempts that is configured on the Device > Setup > Management page. If the firewall is not in FIPS mode, it can be configured so that it never locks out. However, in FIPS mode, the lockout time is required.
  • The firewall automatically determines the appropriate level of self-testing and enforces the appropriate level of strength in encryption algorithms and cipher suites.
  • Non-FIPS approved algorithms are not decrypted and are thus ignored during decryption.
  • When configuring IPSec, a subset of the normally available cipher suites is available.
  • Self-generated and imported certificates must contain public keys that are 2048 bits (or more).
  • The exporting of CSRs (Certificate Signing Request) is not supported while in FIPS mode. The following error will appear:
    Error: download -> certificate -> format 'pkcs10' is not an allowed keyword' be generated
  • SSH key-based authentication must use RSA public keys that are 2048 bits or higher.
  • The serial port is disabled.
  • Management port IP address cannot be changed via maintenance mode console.
  • Telnet, TFTP, and HTTP management connections are unavailable.
  • Surf control is not supported.
  • High availability (HA) encryption is required.
  • PAP authentication is disabled.
  • Kerberos support is disabled.
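Since the change above depends on SSH still working after the reboot, and the list says key-based SSH authentication must then use RSA public keys of 2048 bits or more, it is worth auditing the authorized keys before enabling FIPS mode. The following is an added example, not code from the thread or from Palo Alto Networks: it parses OpenSSH public-key lines (the `ssh-rsa` wire format from RFC 4253, base64-encoded), reads the RSA modulus, and flags keys that would not meet the requirement. The sample `authorized_keys` content and the RSA moduli in it are constructed for illustration and are not real keys.

```python
import base64
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH mpint (RFC 4251): big-endian, with a leading 0x00 if the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_pubkey_line(modulus: int, exponent: int = 65537, comment: str = "constructed") -> str:
    """Build an OpenSSH 'ssh-rsa' public-key line from a (synthetic) modulus."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(exponent) + _ssh_mpint(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def build_ed25519_pubkey_line(pubkey: bytes, comment: str = "constructed") -> str:
    """Build an OpenSSH 'ssh-ed25519' public-key line (32-byte key, synthetic here)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(pubkey)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed sample authorized_keys content: the moduli are synthetic numbers
# chosen only for their bit length, so these are NOT usable keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not real keys",
    build_rsa_pubkey_line((1 << 2047) | 1, comment="admin-2048"),
    build_rsa_pubkey_line((1 << 1023) | 1, comment="legacy-1024"),
    build_ed25519_pubkey_line(b"\x01" * 32, comment="ops-ed25519"),
    "",
])


def _read_ssh_string(blob: bytes, offset: int):
    """Read one length-prefixed string from the blob; return (bytes, new_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    offset += 4
    if offset + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset:offset + length], offset + length


def parse_pubkey_line(line: str):
    """Return (key_type, rsa_modulus_bits) for one line; bits is None for non-RSA keys.

    Leading authorized_keys options (e.g. from="...") are skipped by locating the
    first token that looks like a key type.
    """
    parts = line.split()
    idx = next((i for i, p in enumerate(parts) if p.startswith(KEY_TYPE_PREFIXES)), None)
    if idx is None or idx + 1 >= len(parts):
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(parts[idx + 1], validate=True)
    key_type, offset = _read_ssh_string(blob, 0)
    if key_type.decode("ascii", "replace") != parts[idx]:
        raise ValueError("key type prefix does not match encoded blob")
    bits = None
    if key_type == b"ssh-rsa":
        _exponent, offset = _read_ssh_string(blob, offset)
        modulus, offset = _read_ssh_string(blob, offset)
        bits = int.from_bytes(modulus, "big").bit_length()
    return key_type.decode("ascii"), bits


def check_fips_ssh_key(line: str, min_bits: int = 2048):
    """Apply the FIPS-mode rule from the thread: RSA only, modulus >= min_bits."""
    key_type, bits = parse_pubkey_line(line)
    if key_type != "ssh-rsa":
        return False, f"{key_type}: not an RSA key"
    if bits < min_bits:
        return False, f"ssh-rsa {bits} bits: below the {min_bits}-bit minimum"
    return True, f"ssh-rsa {bits} bits"


def audit_authorized_keys(text: str, min_bits: int = 2048):
    """Check every key line (blank lines and comments skipped); returns [(line_no, ok, reason)]."""
    results = []
    for line_no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        try:
            ok, reason = check_fips_ssh_key(stripped, min_bits)
        except ValueError as exc:
            ok, reason = False, f"unparseable: {exc}"
        results.append((line_no, ok, reason))
    return results


if __name__ == "__main__":
    for line_no, ok, reason in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {line_no}: {'OK  ' if ok else 'FAIL'} {reason}")
```

Run it against the contents of the admin account's authorized keys before switching to FIPS mode; any line reported as FAIL is a key that, per the list above, would stop working for SSH login after the reboot.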
