| Standard | FIPS 140-3 |
|---|---|
| Overall level | 2 |
| Module type | Hardware |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 6/6/2029 |
| Caveat | The tamper evident seals installed as indicated in the Security Policy |
| Vendor | Palo Alto Networks, Inc. |
flowchart LR
%% Deterministic review-risk graph for Palo Alto Networks SD-WAN Instant-On Network (ION) Devices ION 1200 and ION 9000
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Update<br/>firmware load</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>status output<br/>Self-Test</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>linux<br/>kernel<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Palo Alto Networks SD-WAN Instant-On Network (ION) Devices ION 1200 and ION 9000
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Update<br/>firmware load</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>status output<br/>Self-Test</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>linux<br/>kernel<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;Palo Alto Networks SD-WAN Instant-On Network (ION) Devices ION 1200 and ION 9000 Firmware Version: 5.6.3 Palo Alto Networks, Inc. www.paloaltonetworks.com © 2024 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. Revision Date: May 31, 2024 Document Version: 1.3
| # | Section | Page |
|---|
General The table below provides the security levels of the various sections of FIPS 140-3 in relation to the Palo Alto Networks SD-WAN Instant-On Network (ION) Devices ION 1200 and ION 9000 with firmware version 5.6.3 (hereinafter referred to as the Module or ION module). The Palo Alto Networks SD-WAN Instant-On Network (ION) Devices ION 1200 and ION 9000 enable the integration of a diverse set of wide area network (WAN) connection types, improve application performance and visibility, enhance security and compliance, and reduce the overall cost and complexity of a WAN. Built with the intent to reduce remote infrastructure, Palo Alto Networks SD-WAN ION devices enable the cloud-delivered branch. ISO/IEC 24759 Section 6. FIPS 140-3 Section Title Security Level [Number Below]
1 General 2
2 Cryptographic Module Specification 2
3 Cryptographic Module Interfaces 2
4 Roles, Services, and Authentication 2
5 Software/Firmware Security 2
6 Operational Environment N/A
7 Physical Security 2
8 Non-invasive Security N/A
9 Sensitive Security Parameter Management 2
10 Self-tests 2
11 Life-Cycle Assurance 2
12 Mitigation of Other Attacks N/A
Table 1 - Security Levels The module is designed to meet an overall security level 2. Cryptographic Module Specification FIPS 140-3 conformance testing was performed at Security Level 2 with the following configurations noted in the table 2 below. Cryptographic Boundary The module is a hardware multiple-chip standalone cryptographic module. The cryptographic boundary is defined as the entire modules’ chassis unit encompassing the "top," "front," "left," "right," “rear” and "bottom" surfaces of the case, and shown in the Physical Security section. These modules are described in more detail in the Cryptographic Module Interfaces section. Figure 1 - ION 1200 Figure 2 - ION 9000 © 2024 Palo Alto Networks, Inc. Palo Alto Networks SD-WAN Instant-On Network (ION) Devices ION 1200 and ION 9000 3
Figure 3 - ION 1200 (Top), ION 1200-C-NA/ION 1200-C-ROW (Middle), and ION 1200-C-5G-WW (Bottom) Front Interfaces Figure 4 - ION 1200 (Top), ION 1200-C-NA/ION 1200-C-ROW (Middle), and ION 1200-C-5G-WW (Bottom) Rear Interfaces Figure 5 - ION 9000 Front Interfaces
4 Palo Alto Networks SD-WAN Instant-On Network © 2024 Palo Alto Networks, Inc.
(ION) Devices ION 1200 and ION 9000
Figure 6 - ION 9000 Rear Interfaces Model Hardware [Part Number and Version] Firmware Version Distinguishing Features ION ION 1200 5.6.3 See Cryptographic Module
1200 ION 1200-C-NA Interfaces section
ION 1200-C-ROW ION 1200-C-5G-WW ION ION 9000 5.6.3 9000 Table 2 - Cryptographic Module Tested Configuration Note: The part number for Tamper Evidence Label (TEL) can be found in section Physical security of this document. Modes of operation By default, the module is delivered with a non-Approved mode of operation but supports an Approved mode of operation. Once the module is configured to operate in the Approved mode of operation by following the steps in section "Secure Operation" of this document by the Crypto Officer, the module can only operate in the Approved mode. The module does not claim implementation of a degraded mode of operation. The tables below list all Approved or Vendor-affirmed security functions of the module, including specific key size(s) (in bits unless noted otherwise) employed for Approved services, and implemented modes of operation. There are some algorithm modes that were tested but not implemented by the module. Only the algorithms, modes, and key sizes that are implemented by the module are shown in these tables. CAVP Algorithm and Mode/Method Description/Key Size(s) / Key Use / Function Cert Standard Strength(s) A2385 AES: ECB 128, 192, and 256 bits Data
CAVP Algorithm and Mode/Method Description/Key Size(s) / Key Use / Function Cert Standard Strength(s) A2385 CVL (KDF-SNMP): SNMPv3 KDF N/A SP800-135rev1
6 Palo Alto Networks SD-WAN Instant-On Network © 2024 Palo Alto Networks, Inc.
(ION) Devices ION 1200 and ION 9000
CAVP Algorithm and Mode/Method Description/Key Size(s) / Key Use / Function Cert Standard Strength(s) Key establishment methodology provides between 128 and 256 bits of encryption strength A2385 KTS KTS (AES Cert. 128, 192, and 256 bits Key Transport using
CAVP Algorithm and Mode/Method Description/Key Size(s) Use / Function Cert Standard / Key Strength(s) A2386 AES: CBC 128 or 256 bits Data
encryption strength A2386 KTS KTS (AES Cert. #A2386 128 or 256 bits Key Transport using AES
8 Palo Alto Networks SD-WAN Instant-On Network © 2024 Palo Alto Networks, Inc.
(ION) Devices ION 1200 and ION 9000
CAVP Algorithm and Mode/Method Description/Key Size(s) Use / Function Cert Standard / Key Strength(s)
encryption strength A2386 RSA RSA SigVer Modulus: 2048 bits Digital Signature
A2387 SHS SHA2-512 N/A Hashing
10 Palo Alto Networks SD-WAN Instant-On Network © 2024 Palo Alto Networks, Inc.
(ION) Devices ION 1200 and ION 9000
3.3.1. The operations of one of the two parties involved in the TLS key establishment scheme were performed entirely within the cryptographic boundary of the module being validated. The counter portion of the IV is set by the module within its cryptographic boundary. When the IV exhausts the maximum number of possible values for a given session key, the first party, client or server, to encounter this condition will trigger a handshake to establish a new encryption key. In case the module’s power is lost and then restored, a new key for use with the AES GCM encryption/decryption shall be established.
Power 1 1 1 1 Table 9 - ION 1200 Interface Quantity Physical Port Logical Interface Data that passes over port/interface AUX, Controller, Data Input Data input into the module for all services defined in Tables Internet/LAN/WAN, SFP+ 12 and 13, including TLSv1.2, SSHv2, IPsec/IKEv2 and SNMPv3 service data. Status of the module via LEDs AUX, Controller, Data Output Data output from the module for all services defined in Internet/LAN/WAN, SFP+ Tables 12 and 13, including TLSv1.2, SSHv2, IPsec/IKEv2 and SNMPv3 service data. Status of the module via LEDs AUX, Controller, Control Input Control Data input into the module for all services defined Internet/LAN/WAN, SFP+ in Tables 12 and 13, including TLSv1.2, SSHv2, IPsec/IKEv2 and SNMPv3 service data LEDs, AUX, Controller, Status Output Status Information output from the module Internet/LAN/WAN, SFP+ and LEDs N/A Control Output N/A Power N/A Provides the power supply to the module Table 10 - Ports and Interface (ION 9000 Interface Descriptions) Note: USB ports on each ION 9000 module are functionally disabled Physical Port ION 9000 Qty LEDs 4 USB Ports 2 x Type-A (Functionally Disabled) AUX Port 1 x RJ-45 Controller Ports 2 x RJ-45 Internet/LAN/WAN Ports 8 SFP+ Ports 8 Power Port 1 Table 11 - ION 9000 Interface Quantity Roles, Services, and Authentication The modules all support role-based authentication, and provide a Crypto Officer and User role. The Crypto Officer role has the ability to perform all tasks and administrative actions while the User is read-only. Role Service Input Output Crypto Officer Self-Test Command to trigger Self-Test Status of the self-tests results Crypto Officer Zeroize Command to zeroize the Status of the SSPs zeroization module Crypto Officer CO Authentication CO role authentication Status of the CO role authentication request Crypto Officer Firmware Update Command to upload a new Status of the updated firmware installation validated firmware Crypto Officer Show Version Command to show version Module’s name/ID and versioning information Crypto Officer Show Status Command to show status Module’s status information Crypto Officer Configure SSHv2 Commands to configure Status of the completion of SSHv2 Function SSHv2 configuration Crypto Officer Configure TLSv1.2 Commands to configure Status of the completion of TLSv1.2 Function TLSv1.2 configuration
12 Palo Alto Networks SD-WAN Instant-On Network © 2024 Palo Alto Networks, Inc.
(ION) Devices ION 1200 and ION 9000
Role Service Input Output Crypto Officer Configure Network Commands to configure the Status of the completion of network and Create User module related configuration Account Crypto Officer Configure SNMPv3 Commands to configure Status of the completion of SNMPv3 Function SNMPv3 configuration Crypto Officer Configure Commands to configure Status of the completion of IPSec/IKEv2 IPsec/IKEv2 IPSec/IKEv2 configuration Function Table 12 - Roles, Service Commands, Input and Output (Crypto Officer) Role Service Input Output User User Authentication User role authentication Status of the User role authentication request User Show Status Command to show status Module’s status information User Run SSHv2 Function Initiate SSHv2 tunnel Status of SSHv2 tunnel establishment establishment request User Run TLSv1.2 Initiate TLSv1.2 tunnel Status of TLSv1.2 tunnel establishment Function establishment request User Run SNMPv3 Initiate SNMPv3 tunnel Status of SNMPv3 tunnel establishment Function establishment request User Run IPsec/IKEv2 Initiate IPsec/IKEv2 tunnel Status of IPSec/IKEv2 tunnel Function establishment request establishment Table 13 - Roles, Service Commands, Input and Output (User) Role Authentication Method Authentication Strength Crypto Officer, RSA The security modules support public-key based authentication using a User minimum of RSA 2048 bits. The minimum equivalent strength supported is 112 bits. The probability that a random attempt will succeed is 1/(2^112) which is less than 1/1,000,000. The probability of successfully authenticating to the module within a one minute period is 1,020,000/(2^112), which is less than 1/100,000. The module at its highest can support at most 17,000 new sessions per second to authenticate in a one-minute period. User ECDSA When configuring the smallest curve P-256, the probability that a random attempt will succeed, or a false acceptance will occur is 1/2^128, which is less than 1/1,000,000. 17,000 attempts are allowed in a one-minute period. Therefore, the probability of a random success in a one-minute period is 1,020,000/2^128, which is less than 1/100,000. User Password/Pre-shared Secret The minimum length is eight (8) characters (94 possible characters). The probability that a random attempt will succeed or a false acceptance will occur is 1/(94^8) which is less than 1/1,000,000. The probability of successfully authenticating to the module within one minute is 3/(94^8), which is less than 1/100,000. The configuration supports at most 3 failed attempts to authenticate in a one-minute period. This calculation is based on the assumption that the typical standard American QWERTY computer keyboard has 10 Integer digits, 52 alphabetic characters, and 32 special characters providing 94 characters to choose from in total. © 2024 Palo Alto Networks, Inc. Palo Alto Networks SD-WAN Instant-On Network (ION) Devices ION 1200 and ION 9000 13
Table 14 - Roles and Authentication Service Description Approved Keys and/or SSPs Roles Access rights Indicator Security to Keys Functions and/or SSPs Self-Test The module runs N/A Firmware Integrity Test Crypto N/A Global pre-operational Key (non-SSP) Officer indicator and self-tests and Self-test conditional completion algorithm Self-tests message (CASTs) Zeroize Zeroize service N/A All Crypto Z N/A destroys all SSPs in Officer the module Firmware Update The module’s RSA SigVer Firmware update test key Crypto E Global firmware is (non-SSP) Officer indicator and updated to a new Firmware version update completion message CO Authentication CO role RSA SigVer Crypto Officer Crypto G/R/W/E Global authentication Authentication RSA Public Officer indicator and Key CO role authentication status User Authentication User role N/A User Password User G/R/W/E N/A authentication Show Version Provides Module’s N/A N/A Crypto N/A N/A current name/ID Officer and versioning information Show Status Provides Module’s N/A N/A Crypto N/A N/A current status Officer, information User Configure SSHv2 Create a secure AES-CTR DRBG Entropy Input; Crypto G/R/W/E Global Function SSHv2 channel CKG DRBG Seed, Internal State Officer indicator and CTR_DRBG V value, and DRBG Key; SSH ECDSA KeyGen, SSH ECDHE Private Key; connection ECDSA KeyVer SSH ECDHE Public Key; success log ECDSA SigGen SSH ECDHE Shared message ECDSA SigVer Secret; HMAC-SHA-1 SSH Host Public Key; HMAC-SHA2-256 SSH Host Private Key; HMAC-SHA2-512 SSH Session Encryption KAS-SSC (ECC) Key; KAS (ECC) SSH Session SSH-KDF Authentication Key Configure TLSv1.2 Create a secure AES-CBC DRBG Entropy Input; Crypto G/R/W/E Global Function TLSv1.2 channel AES-GCM DRBG Seed, Internal State Officer indicator and CKG V value, and DRBG Key; TLS CTR_DRBG TLS RSA Private Key; connection HMAC_DRBG TLS RSA Public Key; success log HMAC-SHA2-256 TLS Pre-Master Secret; message HMAC-SHA2-384 TLS Master Secret; KAS-SSC (ECC) TLS ECDHE Private Key; KAS (ECC) TLS ECDHE Public key; RSA KeyGen TLS ECDHE Shared Secret; RSA SigGen TLS Session Encryption RSA SigVer Keys; TLS Session TLS-KDF Authentication Key Configure Network Configuration is RSA SigVer, Crypto Officer Crypto G/R/W/E Global and Create User sent/updated for SHA-1 Authentication RSA Public Officer indicator and Account the module SHA2-256 Key; Configuration User Password logs Configure SNMPv3 Create a secure AES-CFB SNMPv3 Authentication Crypto G/R/W/E Global Function SNMPv3 channel HMAC-SHA-1 Secret; SNMPv3 Session Officer indicator and SNMP-KDF Encryption Key; SNMP
14 Palo Alto Networks SD-WAN Instant-On Network © 2024 Palo Alto Networks, Inc.
(ION) Devices ION 1200 and ION 9000
Service Description Approved Keys and/or SSPs Roles Access rights Indicator Security to Keys Functions and/or SSPs SNMPv3 Session connection Authentication Key success log message Configure Create AES-CBC, DRBG Entropy Input; Crypto G/R/W/E Global IPsec/IKEv2 Function IPSec/IKEv2 tunnel AES-GCM, DRBG Seed, Internal State Officer indicator and CKG, V value, and DRBG Key; IPSec/IKE CTR_DRBG IPSec Pre-Shared Secret; connection HMAC-SHA-1 IPSec/IKE RSA Private success log HMAC-SHA2-256 Key; IPSec/IKE RSA Public message HMAC-SHA2-384 Key; HMAC-SHA2-512 IPSec/IKE ECDHE Private KAS-SSC (ECC), Key; IPSec/IKE ECDHE KAS (ECC), Public Key; IPSec/IKE RSA KeyGen, ECDHE Shared Secret; RSA SigGen, IPSec/IKE Session RSA SigVer, Encryption Key; IKE-KDF IPSec/IKE Session Authentication Key Run SSHv2 Function Negotiation and AES-CTR, DRBG Entropy Input; User G/R/W/E Global encrypted data CKG, DRBG Seed, Internal State indicator and transport via SSH CTR_DRBG, V value, and DRBG Key; SSHv2 ECDSA KeyGen, SSH ECDHE Private Key; Function ECDSA KeyVer SSH ECDHE Public Key; running status ECDSA SigGen SSH ECDHE Shared message ECDSA SigVer Secret; HMAC-SHA-1 SSH Host Public Key; HMAC-SHA2-256 SSH Host Private Key; HMAC-SHA2-512 SSH Session Encryption KAS-SSC (ECC) Key; KAS (ECC) SSH Session KTS; Authentication Key SSH-KDF Run TLSv1.2 Function Negotiation and AES-CBC, DRBG Entropy Input; User G/R/W/E Global encrypted data AES-GCM, DRBG Seed, Internal State indicator and transport via TLS CKG, V value, and DRBG Key; TLSv1.2 CTR_DRBG TLS RSA Private Key; Function HMAC_DRBG TLS RSA Public Key; running status HMAC-SHA2-256 TLS Pre-Master Secret; message HMAC-SHA2-384 TLS Master Secret; KAS-SSC (ECC), TLS ECDHE Private Key; KAS (ECC), TLS ECDHE Public key; KTS; TLS ECDHE Shared Secret; RSA KeyGen, TLS Session Encryption RSA SigGen, Keys; RSA SigVer, TLS Session Authentication TLS-KDF Key Run SNMPv3 Negotiation and AES-CFB SNMPv3 Authentication User G/R/W/E Global Function encrypted data HMAC-SHA-1 Secret; SNMPv3 Session indicator and transport via SNMP-KDF Encryption Key; SNMPv3 SNMPv3 SNMPv3 Session Function Authentication Key running status message Run IPSec/IKEv2 Negotiation and AES-CBC, DRBG Entropy Input; User G/R/W/E Global Function encrypted data AES-GCM, DRBG Seed, Internal State indicator and transport via IPSec CKG, V value, and DRBG Key; IPSec/IKEv2 CTR_DRBG IPSec Pre-Shared Secret; Function HMAC-SHA-1 IPSec/IKE RSA Private running status HMAC-SHA2-256 Key; message HMAC-SHA2-384 IPSec/IKE RSA Public Key; HMAC-SHA2-512 IPSec/IKE ECDHE Private KAS-SSC (ECC), Key; IPSec/IKE ECDHE KAS (ECC), Public Key; IPSec/IKE RSA KeyGen, ECDHE Shared Secret; RSA SigGen, IPSec/IKE Session RSA SigVer, Encryption Key; © 2024 Palo Alto Networks, Inc. Palo Alto Networks SD-WAN Instant-On Network (ION) Devices ION 1200 and ION 9000 15
Service Description Approved Keys and/or SSPs Roles Access rights Indicator Security to Keys Functions and/or SSPs IKE-KDF IPSec/IKE Session Authentication Key Table 15
16 Palo Alto Networks SD-WAN Instant-On Network © 2024 Palo Alto Networks, Inc.
(ION) Devices ION 1200 and ION 9000
Physical Security The module’s physical security includes tamper evident labels that are utilized to meet FIPS 140-3 Level 2 requirements. Details regarding the label placement are noted below: Physical Security Recommended Frequency Inspection/Test Guidance Details Mechanism of Inspection/Test Tamper Evident Labels 30 days Verify integrity of tamper-evident seals in the locations identified in the FIPS Kit Installation Guide. Label integrity to be verified within the module’s operating temperature range. TEL Quantity Required on each Module: Qty. 3 on ION 1200 Qty. 4 on ION 1200-C-NA, ION 1200-C-ROW, and ION 1200-C-5G-WW Qty. 6 on ION 9000 Table 16
Figure 7
18 Palo Alto Networks SD-WAN Instant-On Network © 2024 Palo Alto Networks, Inc.
(ION) Devices ION 1200 and ION 9000
Figure 12
Figure 15
20 Palo Alto Networks SD-WAN Instant-On Network © 2024 Palo Alto Networks, Inc.
(ION) Devices ION 1200 and ION 9000
Figure 18
Figure 22
22 Palo Alto Networks SD-WAN Instant-On Network © 2024 Palo Alto Networks, Inc.
(ION) Devices ION 1200 and ION 9000
Key/SSP Strength Security Generation Import/ Export Establish Storage Zeroization Use & Related Keys Name/Type Function and ment Cert. Number Diffie-Hellman key generation method, and the random value used in key generation is generated using SP80090Arev1 DRBG TLS ECDHE P-256, P- CKG Internally derived Import: No N/A DRAM Zeroized by SSP Used to derive TLS ECDHE Public key 384, P-521 DRBG internally per the EC (plaintext) (CSP/PSP) Shared Secret (PSP) KAS-ECC-SSC Diffie-Hellman key Export: to the TLS Zeroization Cert. #A2386 agreement Peer application Command (SP800-56Arev3) TLS ECDHE P-256, P- CKG Internally derived Import: No N/A DRAM Zeroized by SSP Used to derive TLS Session Shared Secret 384, P-521 DRBG using Export: No (plaintext) (CSP/PSP) Encryption Keys, TLS (CSP) KAS-ECC-SSC SP800-56A rev3 Zeroization Session Authentication KAS (ECC) EC Diffie-Hellman shared Command Keys. Cert. #A2386 secret computation TLS Session 128 or 256 AES-CBC; Internally derived via key Import: No N/A DRAM Zeroized by SSP Used to secure TLS session Encryption Key bits AES-GCM; derivation function Export: No (plaintext) (CSP/PSP) confidentiality (CSP) CVL (TLS KDF) defined in SP 800- Zeroization KTS; 135rev1 KDF (TLSv1.2) Command Cert. #A2385 AES-CBC; Cert. #A2387 TLS Session 256 -512 HMAC-SHA2- Internally derived via key Import: No N/A DRAM Zeroized by SSP Used to secure the TLS Authentication bits 256; derivation function Export: No (plaintext) (CSP/PSP) session integrity Key HMAC-SHA2- defined in SP800- Zeroization (CSP) 384; 135rev1 KDF (TLSv1.2) Command CVL (TLS KDF) KTS; Cert. #A2386 HMAC-SHA2256; HMAC-SHA2384; Cert. #A2387 IPSec/IKEv2 Protocol SSPs IPSec Pre- 2048 bits N/A N/A Import: Encrypted MD/EE HDD Zeroized by SSP Used for IPSec/IKE peer Shared Secret by using TLS/SSH (plaintext) (CSP/PSP) authentication (CSP) session key Zeroization Export: No Command IPSec/IKE RSA 2048, CKG; Internally generated Import: No N/A HDD Zeroized by SSP Used for IPSec/IKE peer Private Keys 3072 bits DRBG; conformant to SP800- Export: No (plaintext) (CSP/PSP) authentication (CSP) RSA SigGen 133rev2 (CKG) using FIPS Zeroization Cert# A2385 186-4 RSA key generation Command method, and the random value used in key generation is generated using SP800-90Arev1 DRBG IPSec/IKE RSA 2048, CKG; Internally derived per the Import: No N/A HDD Zeroized by SSP Used for IPSec/IKE peer Public Keys 3072 bits DRBG; FIPS 186-4 RSA key Export: to the IKE (plaintext) (CSP/PSP) authentication (PSP) RSA SigVer generation method Peer application Zeroization Cert# A2385 Command IPSec/IKE P-256 or CKG; Internally generated Import: No N/A DRAM Zeroized by SSP Used to derive IPSec/IKE ECDHE Private P-384 DRBG; conformant to SP800- Export: No (plaintext) (CSP/PSP) ECDHE Shared Secret Key KAS-ECC-SSC 133rev2 (CKG) using Zeroization (CSP) Cert. #A2385 SP800-56Arev3 EC Command Diffie-Hellman key generation method, and the random value used in key generation is generated using SP80090Arev1 DRBG IPSec/IKE P-256 or CKG; Internally derived Import: No N/A DRAM Zeroized by SSP Used to derive IPSec/IKE ECDHE Public P-38 DRBG; internally per the EC Export: to the IKE (plaintext) (CSP/PSP) ECDHE Shared Secret Key KAS-ECC-SSC Diffie-Hellman key Peer application Zeroization (PSP) Cert. #A2385 agreement Command (SP800-56Arev3) IPSec/IKE P-256 or CKG; Internally derived Import: No N/A DRAM Zeroized by SSP Used to derive IPSec/IKE ECDHE Shared P-384 DRBG; using Export: No (plaintext) (CSP/PSP) Session Encryption Keys, Secret KAS-ECC-SSC SP800-56A rev3 Zeroization IPSec/IKE Authentication (CSP) Cert. #A2385 EC Diffie-Hellman shared Command Keys secret computation IPSec/IKE 128, 192, AES-CBC; Internally derived via key Import: No N/A DRAM Zeroized by SSP Used to secure IPSec/IKEv2 Session or 256 bits CVL (IKEv2 KDF) derivation function Export: No (plaintext) (CSP/PSP) session confidentiality, Encryption Key Certs. #A2385 defined in SP800- Zeroization (CSP) and #A2385; 135rev1 KDF (IKEv2) Command AES-CBC; Cert. #A2388 IPSec/IKE 160 -512 HMAC-SHA-1; Internally derived via key Import: No N/A DRAM Zeroized by SSP Used to secure IPSec/IKEv2 Session bits HMAC-SHA2- derivation function Export: No (plaintext) (CSP/PSP) session integrity Authentication 256; defined in SP800- Zeroization Key 135rev1 KDF (IKEv2) Command © 2024 Palo Alto Networks, Inc. Palo Alto Networks SD-WAN Instant-On Network (ION) Devices ION 1200 and ION 9000 23
Key/SSP Strength Security Generation Import/ Export Establish Storage Zeroization Use & Related Keys Name/Type Function and ment Cert. Number (CSP) HMAC-SHA2384; HMAC-SHA2512; CVL (IKEv2 KDF) Cert. #A2385 HMAC-SHA-1; HMAC-SHA2256; HMAC-SHA2384; HMAC-SHA2Cert. #A2388 SNMPv3 Protocol SSPs SNMPv3 8 N/A N/A Import: Encrypted MD/EE HDD Zeroized by SSP Used for SNMPv3 User Authentication characters by using TLS/SSH (plaintext) (CSP/PSP) authentication Secret minimum session key Zeroization (CSP) Export: No Command SNMPv3 128 bits AES-CFB; Internally derived via key Import: No N/A HDD Zeroized by SSP Used to secure SNMPv3 Session CVL (SNMPv3 derivation function Export: No (plaintext) (CSP/PSP) session confidentiality Encryption Key KDF) defined in SP800- Zeroization (CSP) Cert. #A2385 135rev1 KDF (SNMPv3) Command SNMPv3 160 bits HMAC-SHA-1; Internally derived via key Import: No N/A HDD Zeroized by SSP Used to secure SNMPv3 Session CVL (SNMPv3 derivation function Export: No (plaintext) (CSP/PSP) session integrity Authentication KDF) defined in SP800- Zeroization Key Cert. #A2385 135rev1 KDF (SNMPv3) Command (CSP) SSHv2 Protocol SSPs SSH ECDHE P-256, P- CKG; Internally generated Import: No N/A DRAM Zeroized by SSP Used to derive the SSH Private Key 384, or P- DRBG; conformant to SP800- Export: No (plaintext) (CSP/PSP) ECDHE Shared Secret (CSP) 521 KAS-ECC-SSC 133rev2 (CKG) using Zeroization Cert. #A2385 SP800-56Arev3 EC Command Diffie-Hellman key generation method, and the random value used in key generation is generated using SP80090Arev1 DRBG SSH ECDHE P-256, P- CKG; Internally derived Import: No N/A DRAM Zeroized by SSP Used to derive the SSH Public Key 384, or P- DRBG; internally per the EC Export: to the SSH (plaintext) (CSP/PSP) ECDHE Shared Secret (PSP) 521 KAS-ECC-SSC Diffie-Hellman key Peer application Zeroization Cert. #A2385 agreement Command (SP800-56Arev3) SSH ECDHE P-256, P- CKG; Internally derived Import: No N/A DRAM Zeroized by SSP Used to derive SSH Session Shared Secret 384, or P- DRBG; using Export: No (plaintext) (CSP/PSP) Encryption Keys, SSH (CSP) 521 KAS-ECC-SSC SP800-56A rev3 Zeroization Session Authentication Keys Cert. #A2385 EC Diffie-Hellman shared Command secret computation SSH Host P-256, P- CKG; Internally generated Import: No N/A HDD Zeroized by SSP Used for SSH session Private Key 384, or P- DRBG; conformant to SP800- Export: No (plaintext) (CSP/PSP) authentication (CSP) 521 ECDSA KeyGen; 133rev2 (CKG) using FIPS Zeroization ECDSa KeyVer 186-4 ECDSA key Command ECDSA SigGen generation method, and Cert. #A2385 the random value used in key generation is generated using SP80090Arev1 DRBG SSH Host P-256, P- CKG; Internally derived per the Import: No N/A HDD Zeroized by SSP Used for SSH session Public Key 384, or P- DRBG; FIPS 186-4 ECDSA key Export: to the SSH (plaintext) (CSP/PSP) authentication (PSP) 521 ECDSA KeyGen; generation method Peer application Zeroization ECDSA KeyVer; Command ECDSA SigVer Cert. #A2385 SSH Session 128, 192, AES-CTR; Internally derived via key Import: No N/A DRAM Zeroized by SSP Used for SSH session Encryption Key or 256 bits KTS; derivation function Export: No (plaintext) (CSP/PSP) confidentiality protection (CSP) CVL (SSH KDF) defined in SP 800- Zeroization Cert. #A2385 135rev1 KDF (SSHv2) Command SSH Session 160 -512 HMAC-SHA-1; Internally derived via key Import: No N/A DRAM Zeroized by SSP Used for SSH session Authentication bits HMAC-SHA2- derivation function Export: No (plaintext) (CSP/PSP) integrity protection Key 256; defined in SP 800- Zeroization (CSP) HMAC-SHA2- 135rev1 KDF (SSHv2) Command 512; CVL (SSH KDF) KTS Cert. #A2385 Table 17 - SSPs Notes: 1. To initiate zeroization, see Section End of Life / Sanitization in this document for more details.
24 Palo Alto Networks SD-WAN Instant-On Network © 2024 Palo Alto Networks, Inc.
(ION) Devices ION 1200 and ION 9000
Algorithm Self-Test Details SHS KAT using SHA2-512 HMAC KAT using HMAC-SHA-1 HMAC KAT using HMAC-SHA2-224 HMAC KAT using HMAC-SHA2-256 HMAC KAT using HMAC-SHA2-384 HMAC KAT using HMAC-SHA2-512 RSA SigGen KAT using 2048 bits modulus with SHA2-256 (RSA Signature Generation) RSA SigVer KAT using 2048 bits modulus with SHA2-256 (RSA Signature Verification) KAS-ECC-SSC KAT for KAS-ECC-SSC (Shared Secret Computation) primitive Z value IKEv2 KDF KAT for IKEv2 KDF SSH KDF KAT for SSHv2 KDF TLS KDF KAT for TLSv1.2 KDF Table 20 –Crypto Library I CASTs Algorithm Self-Test Details SP800-90Arev1 DRBG KAT: HMAC_DRBG (SHA2-512) KAT: Instantiate KAT: Generate KAT: Reseed SHS KAT using SHA-1 HMAC KAT using SHA2-224 HMAC KAT using SHA2-256 HMAC KAT using SHA2-384 HMAC KAT using SHA2-512 AES AES-CBC 256 bits Encryption KAT AES AES-CBC 256 bits Decryption KAT AES-GCM AES-GCM 256 bits Encryption KAT AES-GCM AES-GCM 256 bits Encryption KAT ECDSA SigGen KAT using P-224 with SHA2-256 (ECDSA Signature Generation) ECDSA SigVer KAT using P-224 with SHA2-256 (ECDSA Signature Verification) HMAC_DRBG KAT: CTR_DRBG KAT: Instantiate KAT: Generate KAT: Reseed Note: DRBG Health Tests as specified in SP800-90Arev1 Section 11.3 are performed) RSA SigGen KAT using 2048 bits modulus with SHA2-256 (RSA Signature Generation) RSA SigVer KAT using 2048 bits modulus with SHA2-256 (RSA Signature Verification) KAS-ECC-SSC KAT for KAS-ECC-SSC (Shared Secret Computation) primitive Z value TLS KDF KAT for TLSv1.2 KDF Table 21 –Crypto Library II CASTs Algorithm Self-Test Details AES AES-CBC 128 bits Encryption KAT AES AES-CBC 128 bits Decryption KAT HMAC KAT using SHA2-256 HMAC KAT using SHA2-512 SHS KAT using SHA2-256 SHS KAT using SHA2-384 SHS KAT using SHA2-512
26 Palo Alto Networks SD-WAN Instant-On Network © 2024 Palo Alto Networks, Inc.
(ION) Devices ION 1200 and ION 9000
Table 22 –Crypto Library III and IV CASTs Algorithm Self-Test Details RSA KAT using 2048 bit key, SHA2-256 (RSA Signature Verification) SHS KAT using SHA2-256 Table 23
Table 28 - Error State Indicators Life-Cycle Assurance All ION devices are designed to handle the various stages of a module’s life-cycle. The sections below highlight the details for each stage. Secure Delivery Procedures The security of the module is maintained during the transfer of these products from production sites to the customer through the following mechanisms: ● Email from Palo Alto Networks, Inc. confirming the order and includes tracking number(s). When the package arrives at the customer site, the customer checks the tracking number on the package with the tracking number supplied by Palo Alto Networks, Inc. ● The customer also checks the integrity of the package by inspecting the integrity of the security tape and the seals of the package for tampering ● The hardware and applicable documentation are delivered in the same package Secure Operation The module meets all the Level 2 requirements for FIPS 140-3, and only includes an Approved mode of operation. Once the module has been received, the Crypto Officer shall follow the secure operations provided below to place the module in the Approved mode. The module runs firmware version 5.6.3. This is the only allowable firmware image for this current Approved mode of operation. The module is initiated into the Approved mode of operation via the following procedure:
28 Palo Alto Networks SD-WAN Instant-On Network © 2024 Palo Alto Networks, Inc.
(ION) Devices ION 1200 and ION 9000
Note: This process will cause the module to no longer function after it has wiped all configurations and keys.