| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 6/6/2029 |
| Caveat | When installed, initialized and configured as specified in Section 11 of the Security Policy |
| Vendor | Palo Alto Networks, Inc. |
| Algorithm | ACVP Cert |
|---|---|
| AES-CBC | A2244 |
| AES-CCM | A2244 |
| AES-CFB128 | A2244 |
| AES-CTR | A2244 |
| AES-GCM | A2244 |
| Conditioning Component AES-CBC-MAC SP800-90B | A1791 |
| Counter DRBG | A2244 |
| ECDSA KeyGen (FIPS186-4) | A2244 |
| ECDSA KeyVer (FIPS186-4) | A2244 |
| ECDSA SigGen (FIPS186-4) | A2244 |
| ECDSA SigVer (FIPS186-4) | A2244 |
| HMAC-SHA-1 | A2244 |
| HMAC-SHA2-224 | A2244 |
| HMAC-SHA2-256 | A2244 |
| HMAC-SHA2-384 | A2244 |
| HMAC-SHA2-512 | A2244 |
| KAS-ECC-SSC Sp800-56Ar3 | A2244 |
| KAS-FFC-SSC Sp800-56Ar3 | A2244 |
| KDF IKEv2 | A2244 |
| KDF SNMP | A2244 |
| KDF SSH | A2244 |
| KDF TLS | A2244 |
| RSA KeyGen (FIPS186-4) | A2244 |
| RSA SigGen (FIPS186-4) | A2244 |
| RSA SigVer (FIPS186-4) | A2244 |
| Safe Primes Key Generation | A2244 |
| Safe Primes Key Verification | A2244 |
| SHA-1 | A2244 |
| SHA2-224 | A2244 |
| SHA2-256 | A2244 |
| SHA2-384 | A2244 |
| SHA2-512 | A2244 |
flowchart LR
%% Deterministic review-risk graph for PAN-OS 10.1 VM-Series
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Update</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>status output<br/>self-test</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for PAN-OS 10.1 VM-Series
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Update</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>status output<br/>self-test</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;PAN-OS 10.1 VM-Series Version: 1.2 Revision Date: April 18, 2024 Palo Alto Networks, Inc. www.paloaltonetworks.com © 2024 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
| # | Section | Page |
|---|
7 Physical Security N/A
8 Non-Invasive Security N/A
12 Mitigation of Other Attacks N/A
Overall Level 1 2. Cryptographic Module Specification Table 2 - Tested Operational Environments Operating System Hardware Platform Processor PAA/Acceleration Vmware ESXi v7.0 Dell PowerEdge R740 Intel Gold 6248 N/A KVM 4 on Ubuntu 20.04 Dell PowerEdge R740 Intel Gold 6248 N/A Hyper-v 2019 on Microsoft Dell PowerEdge R740 Intel Gold 6248 N/A Hyper-V Server 2019 © 2024 Palo Alto Networks, Inc. PAN-OS 10.1 VM-Series Security Policy 3
Table 3 - Vendor Affirmed Operational Environments Operating System Hardware Platform Amazon Web Services (AWS)* x86 Architecture Microsoft Azure* (Note: Specific processor/hardware is dependent on Google Cloud Platform (GCP)* Instance/Machine Type selected for operation system) *Note: These operational environments are Vendor Affirmed. Operator Porting Rules The CMVP allows user porting of a validated software module to an operational environment which was not included as part of the validation testing. An operator may install and run a VM-series firewall on any general purpose computer (GPC) or platform using the specified hypervisor and operating system on the validation certificate or other compatible operating and/or hypervisor system and affirm the modules continued FIPS 140-3 validation compliance. The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when ported and executed in an operational environment not listed on the validation certificate. `Approved Mode of Operation The following procedure will put the module into the Approved mode of operation:
Non-Compliant State Failure to follow the directions in the Approved Mode of Operation above or rules noted in Section 11 will result in the module operating in a non-compliant state, which is considered out of scope of this validation. Zeroization To perform the zeroization service, follow the procedure below:
AES-GCM GCM** Encryption A2244 [SP 800-38D] Decryption AES 256 bits with Counter DRBG A2244 CTR DRBG Derivation Function Random Bit Generator [SP 800-90Arev1] Enabled ECDSA KeyGen Key Generation A2244 ECDSA KeyGen P-256, P-384, P-521 (FIPS 186-4) ECDSA KeyVer (FIPS Public Key Validation A2244 ECDSA KeyVer P-256, P-384, P-521 186-4) P-256, P-384, P-521 with ECDSA SigGen (FIPS Signature Generation A2244 ECDSA SigGen SHA2-224, SHA2-256, 186-4) SHA2-384, and SHA2-512 P-256, P-384, P-521 with SHA-1, SHA2-224, A2244 ECDSA SigVer (FIPS 186-4) ECDSA SigVer Signature Verification SHA2-256, SHA2-384, and SHA2-512 © 2024 Palo Alto Networks, Inc. PAN-OS 10.1 VM-Series Security Policy 5
A2244 HMAC-SHA-1 with λ=96, Authentication for HMAC-SHA-1 [FIPS 198-1] HMAC
A2244 HMAC-SHA2-224 with HMAC-SHA2-224 Authentication for HMAC λ=224 [FIPS 198-1] protocols A2244 HMAC-SHA2-256 HMAC-SHA2-256 with Authentication for HMAC [FIPS 198-1] λ=256 protocols A2244 HMAC-SHA2-384 HMAC-SHA2-384 with Authentication for HMAC [FIPS 198-1] λ=384 protocols A2244 HMAC-SHA2-512 HMAC-SHA2-512 with Authentication for HMAC [FIPS 198-1] λ=512 protocols KAS-ECC-SSC KAS P-256/P-384/P-521 A2244 Key Exchange Sp800-56Ar3 KAS-FFC-SSC SP A2244 KAS MODP-2048 Key Exchange 800-56Ar3 KDF IKEv2 [SP SHA2-256, SHA2-384, A2244 IKEv2 KDF IKEv2 800-135rev1] (CVL) SHA2-512 Engine ID: KDF SNMP [SP A2244 SNMPv3 KDF 80001F88043030303030 SNMPv3 800-135rev1] (CVL) 343935323630 KDF SSH [SP 800-135rev1] SHA-1, SHA2-256, A2244 SSHv2 KDF SSH (CVL) SHA2-512 TLS 1.0/1.1 KDF, TLS1.2 TLS v1.0/1.1 KDF TLS A2244 KDF TLS v1.2 Hash Algorithm: TLS [SP 800-135rev1] (CVL) SHA2-256, SHA2-384 RSA KeyGen RSA KeyGen Key Pair Generation A2244 2048, 3072, and 4096 bits (FIPS 186-4) (FIPS 186-4) 2048, 3072, and 4096-bit RSA SigGen RSA SigGen Signature Generation A2244 with hashes (FIPS 186-4) (FIPS 186-4) SHA2-256/384/512 2048, 3072, 4096-bit (per IG C.F) with hashes SHA-1/SHA2-224+++/256 /384/512 (Signature RSA SigVer RSA SigVer A2244 Verification) Signature Verification (FIPS 186-4) (FIPS 186-4) +++ This Hash algorithm is not supported for ANSI X9.31 Digital Signature Generation/Verification SHA-1 A2244 SHA-1 [FIPS 180-4] SHA Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification A2244 SHA2-224 [FIPS 180-4] SHA2 SHA-224 Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification A2244 SHA2-256 [FIPS 180-4] SHA2 SHA-256 Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature A2244 SHA2-384 [FIPS 180-4] SHA2 SHA-384 Generation/Verification © 2024 Palo Alto Networks, Inc. PAN-OS 10.1 VM-Series Security Policy 6
Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification A2244 SHA2-512 [FIPS 180-4] SHA2 SHA-512 Non-Digital Signature Applications (e.g. component of HMAC) Safe Primes Key Safe Primes Key Safe Primes Key A2244 MODP-2048 Generation [RFC 3526] Generation Generation Safe Primes Key Safe Primes Key Safe Primes Key A2244 MODP-2048 Verification [RFC 3526] Verification Verification AES-CBC or AES-CTR plus SP 800-38A, FIPS 198-1, HMAC AES Cert. A2244 and KTS and SP 800-38F. KTS (key 128, 192, and 256-bit keys Key Wrapping HMAC Cert. A2244 [SP 800-38F] wrapping and unwrapping) providing 128, 192, or 256 per IG D.G. bits of encryption strength SP 800-38C and SP AES-CCM KTS 800-38F. KTS (key AES-CCM Cert. A2244 128-bit keys providing 128 Key Wrapping [SP 800-38F] wrapping and unwrapping) bits of encryption strength per IG D.G. SP 800-38D and SP AES-GCM KTS 800-38F. KTS (key 128 and 256-bit keys AES-GCM Cert. A2244 Key Wrapping [SP 800-38F] wrapping and unwrapping) providing 128 or 256 bits per IG D.G. of encryption strength KAS-ECC-SSC Cert. SP 800-56Arev3. KAS-FFC P-256 and P-384 curves Key Exchange with #A2244, KDF IKEv2 Cert. KAS [SP 800-56Arev3] per IG D.F Scenario 2 path providing 128 or 192 bits protocol KDF #A2244 (2). of encryption strength KAS-ECC-SSC Cert. P-256, P-384, and P-521 SP 800-56Arev3. KAS-FFC #A2244, KDF SSH Cert. curves providing 128, 192, Key Exchange with KAS [SP 800-56Arev3] per IG D.F Scenario 2 path #A2244 or 256 bits of encryption protocol KDF (2). strength KAS-ECC-SSC Cert. P-256, P-384, and P-521 SP 800-56Arev3. KAS-FFC #A2244, KDF TLS Cert. curves providing 128, 192, Key Exchange with KAS [SP 800-56Arev3] per IG D.F Scenario 2 path #A2244 or 256 bits of encryption protocol KDF (2). strength KAS-FFC-SSC Cert. SP 800-56Arev3. KAS-ECC MODP-2048 Key Exchange with #A2244, KDF IKEv2 Cert. KAS [SP 800-56Arev3] per IG D.F Scenario 2 path 2048-bit key providing 112 protocol KDF #A2244 (2). bits of encryption strength KAS-FFC-SSC Cert. SP 800-56Arev3. KAS-ECC MODP-2048 Key Exchange with #A2244, KDF SSH Cert. KAS [SP 800-56Arev3] per IG D.F Scenario 2 path 2048-bit key providing 112 protocol KDF #A2244 (2). bits of encryption strength KAS-FFC-SSC Cert. SP 800-56Arev3. KAS-ECC MODP-2048 Key Exchange with #A2244, KDF TLS Cert. KAS [SP 800-56Arev3] per IG D.F Scenario 2 path 2048-bit key providing 112 protocol KDF #A2244 (2). bits of encryption strength N/A ENT (P) (SP 800-90B) ENT ENT (P) Entropy Key Generation Note:The seeds used for Cryptographic Key Vendor CKG asymmetric key pair Section 5.1, Section 5.2 Generation; SP 800Affirmed (SP 800-133rev2) generation are produced
using the unmodified/direct output of the DRBG © 2024 Palo Alto Networks, Inc. PAN-OS 10.1 VM-Series Security Policy 7
Cryptographic Boundary The PAN-OS 10.1.5 VM-Series is a software cryptographic module and requires an underlying general purpose computer (GPC) environment. The module consists of a GPC (multi-chip standalone embodiment) with the cryptographic boundary defined below. The cryptographic boundary (CB) includes all of the software components of the module, which is included in the file noted in Section 11 (PanOS_vm-10.1.5) and also the configuration file that resides on the virtual machine’s virtual disk. The physical perimeter (PP) is defined by the enclosure around the host GPC on which it runs. Figure 1 depicts the boundary and illustrates the hardware components of a GPC. Figure 1 - Cryptographic Boundary 3. Cryptographic Module Interfaces The module is a software only module that operates on a general purpose computing (GPC) platform. The physical ports and logical interfaces are consistent with a GPC operating environment. The module supports the following FIPS 140-3 logical interfaces: Table 7 - Ports and Interfaces Physical Port Logical Interface Data that passes over port/interface Power Power In Power supplies Console, GPC I/O Status Output Self-test status output N/A Control Output N/A Ethernet Data input, control input, HTTPS, TLS, SNMP, IPsec, and SSH traffic data. data output, status output © 2024 Palo Alto Networks, Inc. PAN-OS 10.1 VM-Series Security Policy 9
The module’s physical and electrical characteristics, manual controls, and physical indicators are provided by the host GPC; the hypervisors provide virtualized ports and interfaces which map to the GPCs’ physical ports and interfaces (i.e., network interfaces and GPC inputs/outputs). 4. Roles, Services, and Authentication Roles and Services While in the Approved mode of operation, all CO and User services are accessed via SSH or TLS sessions. Approved and allowed algorithms, relevant CSPs and public keys related to these protocols are accessed to support the following services. CSP access by services is further described in the following tables. Table 8 - Roles, Service Commands, Input and Output Role Service Input Output Crypto Officer Show Version Query module for version Module provides version Crypto Officer, Security Configuration Configuring and managing Confirmation of service User Management cryptographic parameters and via Configuration Logs setting/modifying security policy, including creating User accounts and additional CO accounts via CLI or WebUI Crypto Officer Other Configuration Networking parameter Confirmation of service configuration, logging configuration, via Configuration Logs and other non-security relevant configuration via CLI or WebUI Crypto Officer, View Other Query module for current Confirmation of service User Configuration non-security relevant configuration via Configuration Logs via WebUI or CLI Crypto Officer, Show Status Query status and version of the Module status information User, RA VPN, module via WebUI or CLI via CLI or System Logs S-S VPN RA VPN, S-S VPN VPN Initialize VPN connection Confirmation of service via System Logs Crypto Officer Software Update Loading new image Message output noting version updated successfully Unauthenticated Zeroize Initiate zeroization command The device will overwrite all CSPs and provide status of completion Unauthenticated Power cycling the module Self-test status output via Self-Tests system logs Unauthenticated Show Status View status of the module via Module status via the (Hypervisor) hypervisor. hypervisor © 2024 Palo Alto Networks, Inc. PAN-OS 10.1 VM-Series Security Policy 10
The zeroization procedure is invoked when the operator initiates the service. The operator must be in control of the module during the entire procedure to ensure that it has successfully completed. During the zeroization procedure, no other services are available. Note: Additional information on the configuration options the module provides can be found at https://docs.paloaltonetworks.com/ Assumption of Roles The modules support four distinct operator roles, User and Cryptographic Officer (CO), Remote Access VPN, and Site-to-site VPN. The cryptographic modules enforce the separation of roles using unique authentication credentials associated with operator accounts. The modules do not provide a maintenance role or bypass capability. The modules all support the use of a password (i.e. Memorized Secret as per SP 800-140E). Upon first boot, the module requires that the Cryptographic Officer change the password from the default one to a custom one. The module automatically enforces a minimum password length of at least 8 characters. In FIPS-CC mode, the module automatically enforces a maximum of 10 failed attempts. Passwords stored in the module are hashed using SHA-256, and any passwords that are transported into/out of the module are protected via TLS 1.2. Table 9
successfully authenticating to the module within a one minute period is 3,600,000/(2112), which is less than 1/100,000. The firewall supports at most 60,000 new sessions per second to authenticate in a one-minute period. Site-to-Site VPN (S-S VPN) IKE/IPSec Pre-shared keys - The pre-shared key authentication method Identification with the IP Address and has a minimum security strength2 of 956. The authentication with the Pre-Shared probability of successfully authenticating to Key or certificate based the module is 1/(956), which is less than authentication 1/1,000,000. The number of authentication attempts is limited by the number of new connections per second supported (120,000) on the fastest platform of the Palo Alto Networks firewalls. The probability of successfully authenticating to the module within a one minute period is 7,200,000/(295), which is less than 1/100,000. The security modules support public-key based authentication using RSA 2048 and certificate-based authentication using RSA 2048, RSA 3072, RSA 4096, ECDSA P-256, P-384, or P-521. The minimum equivalent strength supported is 112 bits. The probability that a random attempt will succeed is 1/(2112) which is less than 1/1,000,000. The probability of successfully authenticating to the module within a one minute period is 3,600,000/(2112), which is less than 1/100,000. The firewall supports at most 60,000 new sessions per second to authenticate in a one-minute period. Definition of CSPs Modes of Access The following table defines the relationship between access to CSPs and the different module services. The modes of access shown in the table are defined as: Note: The security strength (956) is based on the use of ASCII characters that are utilized, which surpasses the 6 character random number password allowance that sets a baseline minimum acceptable strength of 106 established by SP 800-63B. © 2024 Palo Alto Networks, Inc. PAN-OS 10.1 VM-Series Security Policy 12
G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g. the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP. Table 10 - Approved Services Service Description Approved Security Keys and/or SSPs Roles Access rights to Indicator Functions Keys and/or SSPs Show Version Query the module to N/A N/A CO N/A Version displayed via System display the version Logs / CLI / UI Security Configuring and CKG RSA Private Keys CO G/W/E Configuration/System Logs Configuration managing RSA KeyGen (FIPS 186-4) Management cryptographic RSA SigGen (FIPS 186-4) parameters and CKG ECDSA Private Keys CO G/W/E Configuration/System Logs ECDSA KeyGen (FIPS setting/modifying 186-4) security policy, ECDSA SigGen (FIPS including creating 186-4) User accounts and KAS KDF TLS, TLS Pre-Master Secret CO G/E/Z Configuration/System Logs additional CO MD5 accounts KDF TLS, TLS Master Secret CO G/E/Z Configuration/System Logs MD5 CKG, TLS DHE/ECDHE Private G/E/Z ECDSA Components CO Configuration/System Logs KeyGen (FIPS TLS DHE/ECDHE Public G/E/R/W/Z 186-4), Components ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC, KAS-FFC-SSC, Safe Primes Key Generation, Safe Primes Key Verification KTS HMAC-SHA-1 TLS HMAC Keys CO G/E/Z Configuration/System Logs HMAC-SHA2HMAC-SHA2AES-CBC TLS Encryption Keys CO G/E/Z Configuration/System Logs KTS AES-GCM KTS HMAC-SHA-1 SSH Session CO G/E/Z Configuration/System Logs HMAC-SHA2- Authentication Keys HMAC-SHA2AES-CBC, SSH Session Encryption CO G/E/Z Configuration/System Logs AES-CTR Keys KTS AES-GCM KAS KDF SSH SSH DHE/ECDHE CO G/E/Z Configuration/System Logs Private Components KAS-ECC-SSC KAS-FFC-SSC SSH DHE/ECDHE Public G/E/R/W/Z Safe Primes Components Key Generation, Safe Primes Key Verification N/A CO, User, RA VPN CO G/E/W Configuration/System Logs Password © 2024 Palo Alto Networks, Inc. PAN-OS 10.1 VM-Series Security Policy 13
Counter DRBG, Entropy Input String CO G/E Configuration/System Logs ENT (P) DRBG Seed CO G/E Configuration/System Logs DRBG V CO G/E Configuration/System Logs DRBG Key CO G/E Configuration/System Logs KDF SNMP SNMPv3 Authentication CO W/E Configuration/System Logs Secret KDF SNMP SNMPv3 Privacy Secret CO W/E Configuration/System Logs HMAC-SHA-1 Authentication Key CO G/E/Z Configuration/System Logs HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 AES-CFB Session Key CO G/E/Z Configuration/System Logs N/A Protocol Secrets CO W/E Configuration/System Logs RSA SigVer (FIPS 186-4) CA Certificates CO G/R/E/W Configuration/System Logs ECDSA SigVer (FIPS 186-4) ECDSA SigVer (FIPS ECDSA Public Keys CO G/R/E/W Configuration/System Logs 186-4) RSA SigVer (FIPS 186-4) RSA Public Keys CO G/R/E/W Configuration/System Logs RSA SigVer (FIPS 186-4) SSH Host Public Key CO G/R/E/W Configuration/System Logs ECDSA SigVer (FIPS 186-4) RSA SigVer (FIPS 186-4) SSH Client Public Key CO W/E Configuration/System Logs RSA SigVer (FIPS 186-4) Public key for software CO W/E Configuration/System Logs load test Other Networking RSA SigGen (FIPS 186-4) RSA Private Keys CO G/W/E Configuration/System Logs Configuration parameter ECDSA SigGen (FIPS ECDSA Private Keys CO G/W/E Configuration/System Logs configuration, logging 186-4) configuration, and KAS KDF TLS, TLS Pre-Master Secret CO G/E/Z Configuration/System Logs MD5 other non-security KDF TLS, TLS Master Secret CO G/E/Z Configuration/System Logs relevant configuration MD5 CKG, TLS DHE/ECDHE Private CO G/E/Z Configuration/System Logs ECDSA Components KeyGen (FIPS TLS DHE/ECDHE Public G/E/R/W/Z 186-4), Components ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC, KAS-FFC-SSC, Safe Primes Key Generation, Safe Primes Key Verification HMAC-SHA-1 TLS HMAC Keys CO G/E/Z Configuration/System Logs HMAC-SHA2-256 HMAC-SHA2-384 AES-CBC or AES-GCM TLS Encryption Keys CO G/E/Z Configuration/System Logs HMAC-SHA-1 SSH Session CO G/Z Configuration/System Logs HMAC-SHA2-256 Authentication Keys HMAC-SHA2-512 AES-CBC, AES-CTR, or SSH Session Encryption CO G/E/Z Configuration/System Logs AES-GCM Keys KAS KDF SSH SSH DHE/ECDHE CO G/E/Z Configuration/System Logs Private Components CKG, ECDSA G/E/R/W/Z KeyGen (FIPS SSH DHE/ECDHE Public 186-4), Components ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC, KAS-FFC-SSC, Safe Primes Key Generation, Safe Primes © 2024 Palo Alto Networks, Inc. PAN-OS 10.1 VM-Series Security Policy 14
Key Verification N/A CO, User, RA VPN CO G/E/W Configuration/System Logs Password RSA SigVer (FIPS 186-4) CA Certificates CO G/R/E/W Configuration/System Logs ECDSA SigVer (FIPS 186-4) ECDSA SigVer (FIPS ECDSA Public Keys CO G/R/E/W Configuration/System Logs 186-4) RSA SigVer (FIPS 186-4) RSA Public Keys CO G/R/E/W Configuration/System Logs RSA SigVer (FIPS 186-4) SSH Host Public Key CO G/R/E/W Configuration/System Logs ECDSA SigVer (FIPS 186-4) RSA SigVer (FIPS 186-4) SSH Client Public Key CO W/E Configuration/System Logs View Other Read-only of N/A CO, User, RA VPN CO, User W/E Configuration/System Logs Configuration non-security relevant Password configuration Note: includes all items in “Other Configuration” Show Status Provides status RSA SigGen (FIPS 186-4) RSA Private Keys CO, User E Configuration/System Logs information of the module ECDSA SigGen (FIPS ECDSA Private Keys CO, User E Configuration/System Logs 186-4) KAS KDF TLS, TLS Pre-Master Secret CO, User G/E/Z Configuration/System Logs MD5 KDF TLS, TLS Master Secret CO, User G/E/Z Configuration/System Logs MD5 CKG, TLS DHE/ECDHE Private CO, User G/E/Z Configuration/System Logs ECDSA Components KeyGen (FIPS TLS DHE/ECDHE Public G/E/R/W/Z 186-4), Components ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC, KAS-FFC-SSC, Safe Primes Key Generation, Safe Primes Key Verification HMAC-SHA-1 TLS HMAC Keys CO, User G/E/Z Configuration/System Logs HMAC-SHA2-256 HMAC-SHA2-384 AES-CBC or AES-GCM TLS Encryption Keys CO, User G/E/Z Configuration/System Logs HMAC-SHA-1 SSH Session CO, User G/E/Z Configuration/System Logs HMAC-SHA2-256 Authentication Keys HMAC-SHA2-512 AES-CBC, AES-CTR, or SSH Session Encryption CO, User G/E/Z Configuration/System Logs AES-GCM Keys KAS KDF SSH SSH DHE Public/Private CO, User G/E/Z Configuration/System Logs CKG, Components ECDSA SSH ECDHE G/E/R/W/Z KeyGen (FIPS Public/Private 186-4), Components ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC, KAS-FFC-SSC, Safe Primes Key Generation, Safe Primes Key Verification © 2024 Palo Alto Networks, Inc. PAN-OS 10.1 VM-Series Security Policy 15
VPN Provide network HMAC-SHA-1 S-S VPN IPSec/IKE S-S VPN G/E/Z Configuration/System Logs access for remote KTS HMAC-SHA2- Authentication Keys users or site-to-site 256 HMAC-SHA2connection HMAC-SHA2AES-CBC S-S VPN IPSec/IKE S-S VPN G/E/Z Configuration/System Logs KTS AES-CCM Session Keys KTS AES-GCM KAS KDF IKEv2 S-S VPN IPSec/IKE S-S VPN G/E/Z Configuration/System Logs DHE/ECDHE Private CKG, Components ECDSA KeyGen (FIPS G/E/R/W/Z 186-4), ECDSA S-S VPN IPSec/IKE KeyVer (FIPS DHE/ECDHE Public 186-4), Components KAS-ECC-SSC, KAS-FFC-SSC, Safe Primes Key Generation, Safe Primes Key Verification N/A S-S VPN IPSec S-S VPN W/E Configuration/System Logs Pre-Shared Keys ECDSA SigVer (FIPS ECDSA Public Keys S-S VPN W/E Configuration/System Logs 186-4) RSA SigVer (FIPS 186-4) RSA Public Keys S-S VPN W/E Configuration/System Logs RSA SigGen (FIPS 186-4) RSA Private Keys RA VPN E Configuration/System Logs ECDSA SigGen (FIPS ECDSA Private Keys RA VPN E Configuration/System Logs 186-4) KAS KDF TLS, TLS Pre-Master Secret RA VPN G/E/Z Configuration/System Logs MD5 KDF TLS, TLS Master Secret G/E/Z MD5 CKG, TLS DHE/ECDHE Public RA VPN G/E/R/W/Z Configuration/System Logs ECDSA Components KeyGen (FIPS TLS DHE/ECDHE Private RA VPN G/E/Z Configuration/System Logs 186-4), Components ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC, KAS-FFC-SSC, Safe Primes Key Generation, Safe Primes Key Verification KTS HMAC-SHA-1 TLS HMAC Keys RA VPN G/E/Z Configuration/System Logs HMAC-SHA2HMAC-SHA2AES-CBC TLS Encryption Keys RA VPN G/E/Z Configuration/System Logs KTS AES-GCM CKG, RA VPN IPSec Session RA VPN G/E/Z Configuration/System Logs AES-CBC or AES-GCM Keys CKG, RA VPN IPSec RA VPN G/E/Z Configuration/System Logs HMAC-SHA-1 Authentication Counter DRBG, Entropy Input String RA VPN G/E Configuration/System Logs ENT (P) DRBG Seed RA VPN G/E Configuration/System Logs DRBG V RA VPN G/E Configuration/System Logs DRBG Key RA VPN G/E Configuration/System Logs RSA SigVer (FIPS 186-4)) CA Certificates RA VPN W/E Configuration/System Logs ECDSA SigVer (FIPS 186-4) © 2024 Palo Alto Networks, Inc. PAN-OS 10.1 VM-Series Security Policy 16
ECDSA SigVer (FIPS ECDSA Public Keys RA VPN W/E Configuration/System Logs 186-4) RSA SigVer (FIPS 186-4) RSA Public Keys RA VPN W/E Configuration/System Logs Software Provides a method to RSA SigVer (FIPS 186-4) Public key for firmware CO E Configuration/System Logs Update update the software of content load test the module Note: Includes all keys from Other Configuration Zeroize Destroys all keys in N/A All keys and SSPs CO Z Zeroization indicator the module Self-Test Initiates self-tests and HMAC-SHA2-256, Software integrity CO E System Logs integrity test ECDSA SigVer (FIPS verification key 186-4) Show Status Provides status of the N/A N/A All R LEDs (Hypervisor) module Note: Configuration/System Logs for Approved services above will indicate FIPS-CC mode is enabled, configuration requirements from Section 11 are followed, and that the service succeeded.
9. Sensitive Security Parameters The following table details all the sensitive security parameters utilized by the module. Table 11 - SSPs Key/SSP/Name/Ty Strength Security Function Generation Import/Expo Establishment Storage Zeroization1 Use & Related Keys pe and Cert. Number rt ECDSA/RSA Public key - Used to trust a RSA SigVer (FIPS HDD
112 bits ECDSA SigVer DRBG, FIPS HDD/RAM –
CA Certificates Session Key N/A RAM - Zeroize at certificates minimum (FIPS 186-4) 186-4 plaintext Encrypted session (RSA 2048, 3072, and termination 4096 bits) Cert. #A2244 (ECDSA P-256, P-384, and P-521) RSA public keys managed as certificates for the TLS or SSH verification of Session Key RSA SigVer signatures,
112 bits DRBG, FIPS Encrypted or HDD/RAM –
RSA Public Keys (FIPS 186-4) N/A Zeroize Service establishment of TLS, minimum 186-4 Plaintext plaintext Cert. #A2244 operator TLS authentication and handshake peer authentication. (RSA 2048, 3072, or 4096-bit) RSA Private keys for HDD
112 bits DRBG, FIPS HDD/RAM –
RSA Private Keys (FIPS 186-4) Session Key N/A RAM - Zeroize at authentication or key minimum 186-4 plaintext Cert. #A2244 Encrypted session establishment. termination (RSA 2048, 3072, or 4096-bit) ECDSA public keys managed as certificates for the TLS or SSH verification of Session Key ECDSA SigVer signatures, ECDSA Public 128 bits DRBG, FIPS Encrypted or HDD/RAM
112 bits RAM - FFC or EC component
Private KAS-FFC-SSC 800-56A N/A N/A session minimum plaintext used in TLS Components Cert. #A2244 Rev. 3 termination (DHE 2048, ECDHE P-256, P-384, P-521) Diffie_Hellman or EC Diffie-Hellman TLS DHE/ECDHE KAS-ECC-SSC, DRBG, SP Plaintext - Zeroize at
112 bits Ephemeral values used
Public KAS-FFC-SSC 800-56A TLS N/A N/A session minimum in key agreement Components Cert. #A2244 Rev. 3 handshake termination (DHE 2048, ECDHE P-256, P-384, P-521) Secret value used to KDF TLS, KAS SP Zeroize at derive the TLS Master TLS Pre-Master RAM
KDF TLS, Zeroize at Secret value used to RAM
160 bits HMAC-SHA2-256, TLS, KAS SP RAM - TLS connections
TLS HMAC Keys KDF TLS N/A session minimum HMAC-SHA2-384 800-56A Rev. 3 plaintext (SHA-1, 256, 384) termination Cert. #A2244 (160, 256, 384 bits) Diffie Hellman or EC SSH DHE/ECDHE KAS-ECC-SSC, DRBG, SP Zeroize at Diffie-Hellman private
Private KAS-FFC-SSC 800-56A N/A N/A session (DH Group 14, ECDH minimum plaintext Components Cert. #A2244 Rev. 3 termination P-256, ECDH P-384, ECDH P-521) Diffie Hellman or EC Plaintext Diffie-Hellman public SSH DHE/ECDHE KAS-ECC-SSC, DRBG, SP Zeroize at
112 bits SSH RAM - component (DH Group
Public KAS-FFC-SSC 800-56A N/A session minimum handshake plaintext 14, ECDH P-256, Components Cert. #A2244 Rev. 3 termination ECDH P-384, ECDH P-521) RSA SigVer SSH Host Public Key (FIPS 186-4), (RSA 2048, RSA 3072, SSH Host Public 112 bits ECDSA SigVer DRBG, FIPS HDD/RAM
Used in all SSH connections to the security module’s AES-CBC, Zeroize at command line SSH Session 128 bits AES-CTR, SSH, KAS SP RAM KDF SSH N/A session interface. Encryption Keys minimum AES-GCM 800-56A Rev. 3 plaintext termination (128, 192, or 256 bits: Cert. #A2244 AES CBC or CTR) (128 or 256 bits: AES GCM) Authentication keys used in all SSH connections to the HMAC-SHA-1, security module’s SSH Session Zeroize at
160 bits HMAC-SHA2-256, SSH, KAS SP RAM - command line
Authentication KDF SSH N/A session minimum HMAC-SHA2-512 800-56A Rev. 3 plaintext interface Keys termination Cert. #A2244 (HMAC-SHA-1, HMAC-SHA2-256, HMAC-SHA2-512) (160, 256, 512 bits) Diffie-Hellman or EC S-S VPN IPSec/IKE Diffie-Hellman private KAS-ECC-SSC, DBRG, SP DHE or ECDHE 112 bits RAM - component used in key KAS-FFC-SSC 800-56A N/A N/A Power cycle Private minimum plaintext establishment Cert. #A2244 Rev. 3 Components (DHE 2048, ECDHE P-256, P-384) Diffie-Hellman or EC S-S VPN IPSec/IKE Diffie-Hellman public KAS-ECC-SSC, DRBG, SP DHE or ECDHE 112 bits RAM - component used in key KAS-FFC-SSC 800-56A N/A N/A Power cycle Public minimum plaintext agreement Cert. #A2244 Rev. 3 Components (DHE 2048, ECDHE P-256, P-384) Used to encrypt IKE/IPSec data. These AES-CBC, IPSec/IKE, KAS Zeroize at are AES (128, 192, or S-S VPN IPSec/IKE 128 bits AES-CCM, RAM KDF IKEv2 N/A SP 800-56A session 256 CBC) IKE keys Session Keys minimum AES-GCM plaintext Rev. 3 termination and (128, 192 or 256 Cert. #A2244 CBC, 128 CCM, 128 or
HMAC-SHA-1, (HMAC-SHA-1, S-S VPN IPSec/IKE IPSec/IKE, KAS Zeroize at
160 bits HMAC-SHA2-256, RAM - SHA-256, SHA-384 or
Authentication KDF IKEv2 N/A SP 800-56A session minimum HMAC-SHA2-384, plaintext SHA-512) Used to Keys Rev. 3 termination HMAC-SHA2-512 authenticate the peer © 2024 Palo Alto Networks, Inc. PAN-OS 10.1 VM-Series Security Policy 19
Cert. #A2244 in an IKE/IPSec tunnel connection. (160, 256, 384, 512 bits) PSK used in conjunction with HMAC listed above for Encrypted S-S VPN IPSec HDD/RAM
128 bits N/A N/A N/A N/A software code
verification key (FIPS 186-4) plaintext (HMAC-SHA-256 and Cert. #A2244 ECDSA P-256) Used to authenticate software/firmware Public key for RSA SigVer HDD - and content to be software content 112 bits (FIPS 186-4) N/A N/A N/A N/A plaintext installed on the load test Cert. #A2244 firewall (RSA 2048 with SHA-256) HDD - a Encrypted Authentication string CO, User, RA VPN SHA2-256 password N/A External via SSH or N/A Zeroize Service with a minimum length Password Cert. #A2244 hash TLS of eight (8) characters. (SHA2-256) Secrets used by Encrypted HDD/RAM
256 bits DRBG Cert. per N/A N/A Power cycle
String plaintext #A2244, SP 800-90B Input length = 384 ENT (P) bits CKG (vendor DRBG seed coming affirmed), Counter Entropy as from the entropy DRBG Cert. RAM DRBG Seed 256 bits per N/A N/A Power cycle source #A2244, Plaintext SP 800-90B ENT (P) Seed length = 384 bits CKG (vendor affirmed), Counter AES 256 CTR DRBG Entropy as DRBG Cert. RAM - State (V) used in the DRBG V 128 bits per N/A N/A Power cycle #A2244, plaintext generation of random SP 800-90B ENT (P) values CKG (vendor affirmed), Counter AES 256 CTR DRBG Entropy as DRBG Cert. RAM - State (Key) used in the DRBG Key 256 bits per N/A N/A Power cycle #A2244, plaintext generation of random SP 800-90B ENT (P) values SNMPv3 Used to support Authentication KDF SNMP Encrypted HDD/RAM
HMAC-SHA-1, HMAC-SHA2-224, HMAC–SHA-1/224/2 Authentication 160 bits HMAC-SHA2-256, HDD/RAM - 56/384/512 KDF SNMP N/A N/A Zeroize Service Key minimum HMAC-SHA2-384, Plaintext Authentication HMAC-SHA2-512 protocol key (160 bits) Cert. #A2244 Privacy protocol
128 bits AES-CFB HDD/RAM - encryption key
Session Key KDF SNMP N/A N/A Zeroize Service minimum Cert. #A2244 Plaintext (AES 128/192/256 CFB) Note: SSPs are implicitly zeroized when power is lost, or explicitly zeroized by the zeroize service. In the case of implicit zeroization, the SSPs are implicitly overwritten with random values due to their ephemeral memory being reset upon power loss. For the zeroization service and zeroization at session termination, the SSP's memory location is overwritten with random values. Table 12 - Non-Deterministic Random Number Generation Specification Entropy Source Minimum number of bits of Details entropy Entropy provided by Intel’s CPU with RDSEED as the noise source where the noise samples have a ENT (P) Intel CPU with RDSEED 256 bits min-entropy rate of 0.6138 bits of entropy per bit Hardware entropy source of output. Due to the number of samples collected and the conditioning applied, the DRBG is seeded with >256 bits of entropy. 10. Self-Tests The cryptographic module performs the following tests below. The operator can command the module to perform the power-up self-test by cycling power of the module; these tests do not require any operator action. Pre-operational Self-Tests Pre-operational Software Integrity Test
operation, see “Approved Mode of Operation''. For details regarding secure installation, initialization, startup, and operation of the module, see below. Installation Instructions The module can be retrieved by downloading PanOS_vm-10.1.5 from the support site (https://support.paloaltonetworks.com/Support/Index), and a checksum (SHA-256) is available to ensure the module is correct: o 10.1.5: 018fd6b322d1d65023751496ac3f9a7c4890fdd523f9d5a9145c752447b492cb Alternatively, the VM-Series version can be obtained by running the following commands via CLI (as an authorized administrator): 1. request system software check 2. request system software download version 10.1.5 3. request system software install version 10.1.5 4. request restart system Palo Alto Network provides an Administrator Guide for additional information noted in the “Reference Documents” section of this Security Policy. The module design corresponds to the module security rules noted in the section below. Module Enforced Security Rules When FIPS-CC mode is enabled, the module runs all the required items noted in Section 10 Self-tests. This section documents the security rules enforced by the cryptographic module to implement the security requirements of this FIPS 140-3 Level 1 module.
14. Definitions and Acronyms AES