GlobalProtect Administrator's Guide
  • GlobalProtect Administrator's Guide
  • GlobalProtect Documentation
  • All Documentation
>
Enable and Verify FIPS-CC Mode on Windows Endpoints
Focus
Download PDF
Focus
  1. Home
  2. GlobalProtect
  3. GlobalProtect FIPS-CC Certification
  4. Enable and Verify FIPS-CC Mode
  5. Enable and Verify FIPS-CC Mode on Windows Endpoints
Download PDF
GlobalProtect

Enable and Verify FIPS-CC Mode on Windows Endpoints

Table of Contents

Enable and Verify FIPS-CC Mode on Windows Endpoints

Enable and verify FIPS-CC mode for GlobalProtect using the Windows Registry.
On Windows endpoints, use the following steps to enable and verify FIPS-CC mode for GlobalProtect™ using the Windows Registry:
  1. Enable FIPS mode for the Windows operating system.
    To enable FIPS-CC mode for GlobalProtect, you must first enable FIPS-CC mode for the Windows operating system.
    1. Launch the Command Prompt.
    2. Enter regedit to open the Windows Registry.
    3. In the Windows Registry, go to: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\.
    4. Right-click the Enabled registry value and Modify it.
    5. To enable FIPS mode, set the Value Data to 1. The default value of 0 indicates that FIPS mode is disabled.
    6. Click OK.
    7. Restart your endpoint.
  2. Enable FIPS-CC mode for GlobalProtect.
    You cannot disable FIPS-CC mode after you enable it. To run GlobalProtect in non-FIPS-CC mode, end users must uninstall and then reinstall the GlobalProtect app. This clears all FIPS-CC mode settings from the Windows Registry.
    1. Launch the Command Prompt.
    2. Enter regedit to open the Windows Registry.
    3. In the Windows Registry, go to: HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\.
    4. Click Edit and then select NewString Value.
    5. When prompted, specify the Name of the new registry value as enable-fips-cc-mode.
    6. Right-click the new registry value and Modify it.
    7. To enable FIPS-CC mode, set the Value Data to yes.
    8. Click OK.
  3. Restart GlobalProtect.
    To enable the GlobalProtect app to initialize in FIPS-CC mode, you must restart GlobalProtect using one of the following methods:
    • Reboot your endpoint.
    • Restart the GlobalProtect application and GlobalProtect service (PanGPS):
      1. Launch the Command Prompt.
      2. Enter services.msc to open the Windows Services manager.
      3. From the Services list, select PanGPS.
      4. Restart the service.
  4. Alternatively, you can enable FIPS-CC mode using the following msiexec syntax through the Microsoft Windows Installer (Msiexec): msiexec /i GlobalProtect64.msi ENABLEFIPSCCMODE=YES
  5. Verify that FIPS-CC mode is enabled on the GlobalProtect app.
    1. Launch the GlobalProtect app.
    2. From the status panel, open the settings dialog (
      ).
    3. Select About.
    4. Verify that FIPS-CC mode is enabled. If FIPS-CC mode is enabled, the About dialog displays the FIPS-CC Mode Enabled status.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.