SV-228835r557387_rule
V-228835
SRG-NET-000063-ALG-000012
PANW-AG-000020
CAT II
10
If the Palo Alto Networks security platform is used as a TLS gateway/decryption point or VPN concentrator, it must use NIST FIPS-validated cryptography.
Power off the device by unplugging it from the electrical outlet.
Connect a console cable from the console port to a computer serial port, and use a terminal program to connect to the Palo Alto Networks device.
The serial parameters are 9600 baud, 8 data bits, no parity, and 1 stop bit.
A USB to serial adapter will be necessary if the computer does not have a serial port.
During the boot sequence, this message will appear: "Autoboot to default partition in 5 seconds".
Enter "maint" to boot to "maint" partition.
Enter "maint" to enter maintenance mode.
Press "Enter", and the "Maintenance Recovery tool" menu will appear.
Select "Set FIPS Mode" (or "fips-cc" on more recent versions) from the menu; once the device has finished rebooting, it will be in FIPS mode.
Note: This will remove all installed licenses and disable the serial port.
If the Palo Alto Networks security platform is not used as a TLS gateway/decryption point or VPN concentrator, this is not applicable.
Use the command line interface to determine if the device is operating in FIPS mode. Enter the CLI command "show fips-mode" or, for more recent releases, "show fips-cc".