>
    Enable and Verify FIPS-CC Mode on Windows Endpoints
    Focus
    Download PDF
    Focus
    1. Home
    2. GlobalProtect
    3. GlobalProtect FIPS-CC Certification
    4. Enable and Verify FIPS-CC Mode
    5. Enable and Verify FIPS-CC Mode on Windows Endpoints
    Download PDF
    GlobalProtect

    Enable and Verify FIPS-CC Mode on Windows Endpoints

    Table of Contents

    Enable and Verify FIPS-CC Mode on Windows Endpoints

    Enable and verify FIPS-CC mode for GlobalProtect using the Windows Registry.
    On Windows endpoints, use the following steps to enable and verify FIPS-CC mode for GlobalProtect™ using the Windows Registry:
    1. Enable FIPS mode for the Windows operating system.
      To enable FIPS-CC mode for GlobalProtect, you must first enable FIPS-CC mode for the Windows operating system.
      1. Launch the Command Prompt.
      2. Enter regedit to open the Windows Registry.
      3. In the Windows Registry, go to: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\.
      4. Right-click the Enabled registry value and Modify it.
      5. To enable FIPS mode, set the Value Data to 1. The default value of 0 indicates that FIPS mode is disabled.
      6. Click OK.
      7. Restart your endpoint.
    2. Enable FIPS-CC mode for GlobalProtect.
      You cannot disable FIPS-CC mode after you enable it. To run GlobalProtect in non-FIPS-CC mode, end users must uninstall and then reinstall the GlobalProtect app. This clears all FIPS-CC mode settings from the Windows Registry.
      1. Launch the Command Prompt.
      2. Enter regedit to open the Windows Registry.
      3. In the Windows Registry, go to: HKEY_LOCAL_MACHINE\SOFTWARE\Palo Alto Networks\GlobalProtect\Settings\.
      4. Click Edit and then select NewString Value.
      5. When prompted, specify the Name of the new registry value as enable-fips-cc-mode.
      6. Right-click the new registry value and Modify it.
      7. To enable FIPS-CC mode, set the Value Data to yes.
      8. Click OK.
    3. Restart GlobalProtect.
      To enable the GlobalProtect app to initialize in FIPS-CC mode, you must restart GlobalProtect using one of the following methods:
      • Reboot your endpoint.
      • Restart the GlobalProtect application and GlobalProtect service (PanGPS):
        1. Launch the Command Prompt.
        2. Enter services.msc to open the Windows Services manager.
        3. From the Services list, select PanGPS.
        4. Restart the service.
    4. Alternatively, you can enable FIPS-CC mode using the following msiexec syntax through the Microsoft Windows Installer (Msiexec): msiexec /i GlobalProtect64.msi ENABLEFIPSCCMODE=YES
    5. Verify that FIPS-CC mode is enabled on the GlobalProtect app.
      1. Launch the GlobalProtect app.
      2. From the status panel, open the settings dialog (
        ).
      3. Select About.
      4. Verify that FIPS-CC mode is enabled. If FIPS-CC mode is enabled, the About dialog displays the FIPS-CC Mode Enabled status.

    © 2024 Palo Alto Networks, Inc. All rights reserved.