All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Palo Alto Networks SD-WAN Instant-On Network (ION) Devices ION 1200, ION 1200-S, ION 3200, ION 5200, and ION 9200

Certificate#4719StandardFIPS 140-3Level2TypeHardwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorPalo Alto Networks, Inc.
Medium review priority  ·  no TCB surface named  ·  last validated 24 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level2
Module typeHardware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date7/10/2029
CaveatInterim Validation. The tamper evident seals installed as indicated in the Security Policy
VendorPalo Alto Networks, Inc.

Approved Algorithms (50)

AlgorithmACVP Cert
AES-CBCA3563
AES-CBCA3564
AES-CBCA3565
AES-CTRA3563
AES-ECBA3563
AES-GCMA3563
AES-GCMA3564
Counter DRBGA3563
ECDSA KeyGen (FIPS186-4)A3563
ECDSA KeyGen (FIPS186-4)A3564
ECDSA SigGen (FIPS186-4)A3563
ECDSA SigVer (FIPS186-4)A3563
HMAC DRBGA3564
HMAC-SHA-1A3563
HMAC-SHA2-224A3563
HMAC-SHA2-256A3563
HMAC-SHA2-256A3564
HMAC-SHA2-256A3565
HMAC-SHA2-384A3563
HMAC-SHA2-384A3564
HMAC-SHA2-384A3565
HMAC-SHA2-512A3563
HMAC-SHA2-512A3565
KAS-ECC-SSC Sp800-56Ar3A3563
KAS-ECC-SSC Sp800-56Ar3A3564
KDF IKEv2A3563
KDF SNMPA3563
KDF SSHA3563
KDF TLSA3563
KDF TLSA3564
RSA KeyGen (FIPS186-4)A3563
RSA SigGen (FIPS186-4)A3563
RSA SigVer (FIPS186-4)A3563
RSA SigVer (FIPS186-4)A3564
RSA SigVer (FIPS186-4)C170
SHA-1A3563
SHA-1C170
SHA2-224A3563
SHA2-224A3564
SHA2-256A3563
SHA2-256A3564
SHA2-256A3565
SHA2-256C170
SHA2-384A3563
SHA2-384A3564
SHA2-384A3565
SHA2-512A3563
SHA2-512A3564
SHA2-512A3564
SHA2-512A3565

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Palo Alto Networks SD-WAN Instant-On Network (ION) Devices ION 1200, ION 1200-S, ION 3200, ION 5200, and ION 9200
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Update</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>status output</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Palo Alto Networks SD-WAN Instant-On Network (ION) Devices ION 1200, ION 1200-S, ION 3200, ION 5200, and ION 9200
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Update</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>status output</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Palo Alto Networks SD-WAN Instant-On Network (ION) Devices ION 1200, ION 1200-S, ION 3200, ION 5200, and ION 9200 Firmware Version: 6.1.2 Documentation Version: 1.3 Last Update: June 17, 2024 Palo Alto Networks, Inc. www.paloaltonetworks.com © 2024 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. Revision Date: June 17, 2024 Document Version: 1.3

Page 2
Table of Contents
#SectionPage
Page 3
  1. General The table below provides the security levels of the various sections of FIPS 140-3 in relation to the Palo Alto Networks SD-WAN Instant-On Network (ION) Devices ION 1200, ION 1200-S, ION 3200, ION 5200, and ION 9200 (hereinafter referred to as the Module or ION module). The Palo Alto Networks SD-WAN Instant-On Network (ION) Devices enable the integration of a diverse set of wide area network (WAN) connection types, improve application performance and visibility, enhance security and compliance, and reduce the overall cost and complexity of a WAN. Built with the intent to reduce remote infrastructure, Palo Alto Networks SD-WAN ION devices enable the cloud-delivered branch. ISO/IEC 24759 Section
  2. FIPS 140-3 Section Title Security Level [Number Below]
1 General 2
2 Cryptographic Module Specification 2
3 Cryptographic Module Interfaces 2
4 Roles, Services, and Authentication 2
5 Software/Firmware Security 2

6 Operational Environment N/A

7 Physical Security 2

8 Non-invasive Security N/A

9 Sensitive Security Parameter Management 2
10 Self-tests 2
11 Life-Cycle Assurance 2

12 Mitigation of Other Attacks N/A

Table 1 - Security Levels The module is designed to meet an overall security level 2. 2. Cryptographic Module Specification The module is a hardware multiple-chip standalone cryptographic module. FIPS 140-3 conformance testing was performed at Security Level 2 with the configurations noted in the table 2 below. Model Hardware [Part Number and Firmware Distinguishing Features Version] Version ION 1200 ION 1200 6.1.2 See Cryptographic Module Interfaces section ION 1200 ION 1200-C-NA 6.1.2 ION 1200 ION 1200-C-ROW 6.1.2 ION 1200 ION 1200-C-5G-WW 6.1.2 ION 1200-S ION 1200-S 6.1.2 ION 1200-S ION 1200-S-C-NA 6.1.2 ION 1200-S ION 1200-S-C-ROW 6.1.2 ION 1200-S ION 1200-S-C-5G-WW 6.1.2 ION 3200 ION 3200 6.1.2 ION 5200 ION 5200 6.1.2 ION 9200 ION 9200 6.1.2 Table 2 - Tested Operational Environments © 2024 Palo Alto Networks, Inc. Palo Alto Networks SD-WAN Instant-On Network (ION) Devices ION 1200, ION 1200-S, ION 3200, ION 5200, and ION 9200 3

Page 4

Cryptographic Boundary The module’s cryptographic boundary is defined as the entire chassis unit’s physical perimeter encompassing the "top," "front," "left," "right," “rear” and "bottom" surfaces of the case, and shown in the figures below and in the Physical Security section. Figure 1 - ION 1200 Figure 2 - ION 1200 (Top), ION 1200-C-NA/ION 1200-C-ROW (Middle), and ION 1200-C-5G-WW (Bottom) front interfaces Figure 3 - ION 1200-S (Top), ION 1200-S-C-NA/ION 1200-S-C-ROW (Middle), and ION 1200-S-C-5G-WW (Bottom) front interfaces

4 Palo Alto Networks SD-WAN Instant-On Network (ION) Devices © 2024 Palo Alto Networks, Inc.

ION 1200, ION 1200-S, ION 3200, ION 5200, and ION 9200

Page 5

Figure 4 - ION 1200 (Top), ION 1200-C-NA/ION 1200-C-ROW (Middle), and ION 1200-C-5G-WW (Bottom) Rear Interfaces Figure 5 - ION 1200-S (Top), ION 1200-S-C-NA/ION 1200-S-C-ROW (Middle), and ION 1200-S-C-5G-WW (Bottom) Rear Interfaces Figure 6 - ION 3200 Front Interfaces Figure 7 - ION 3200 Rear Interfaces Figure 8 - ION 5200 Front Interfaces © 2024 Palo Alto Networks, Inc. Palo Alto Networks SD-WAN Instant-On Network (ION) Devices ION 1200, ION 1200-S, ION 3200, ION 5200, and ION 9200 5

Page 6

Figure 9 - ION 5200 Rear Interfaces Figure 10 - ION 9200 Front Interfaces Figure 11 - ION 9200 Rear Interfaces Modes of Operation The module has one approved mode of operation and is always in the approved mode of operation after initial operations are performed (See Section 11). The module does not claim implementation of a degraded mode of operation. Section 4 provides details on the service indicator implemented by the module. The tables 3-6 below list all Approved or Vendor-affirmed security functions of the module, including specific key size(s) (in bits unless noted otherwise) employed for Approved services, and implemented modes of operation. There are some algorithm modes that were tested but not implemented by the module. Only the algorithms, modes, and key sizes that are implemented by the module are shown in these tables. CAVP Cert Algorithm and Mode/Method Description/Key Size(s) / Use / Function Standard Key Strength(s) A3563 AES: ECB 128, 192, and 256 bits Data Encryption/Decryption

6 Palo Alto Networks SD-WAN Instant-On Network (ION) Devices © 2024 Palo Alto Networks, Inc.

ION 1200, ION 1200-S, ION 3200, ION 5200, and ION 9200

Page 7

CAVP Cert Algorithm and Mode/Method Description/Key Size(s) / Use / Function Standard Key Strength(s)

Page 8

CAVP Cert Algorithm and Mode/Method Description/Key Size(s) / Use / Function Standard Key Strength(s) between 128 and 256 bits of encryption strength A3563 RSA RSA KeyGen Modulus: 2048 and 3072 bits RSA Key Generation

8 Palo Alto Networks SD-WAN Instant-On Network (ION) Devices © 2024 Palo Alto Networks, Inc.

ION 1200, ION 1200-S, ION 3200, ION 5200, and ION 9200

Page 9

CAVP Algorithm and Standard Mode/Method Description/Key Size(s) / Use / Function Cert Key Strength(s) A3564 KAS KAS (ECC) KAS (ECC): Key Agreement Scheme

256 bits of encryption

strength A3564 KTS KTS (AES Cert. 128 or 256 bits Key Transport using AES and

256 bits of encryption

strength A3564 RSA RSA SigVer Modulus: 2048 bits Digital Signature Verification

Page 10

Table 4 - Approved Algorithms (Crypto Library

52 Rev1, Section 3.3.1. The operations of one of the two parties involved in the TLS key establishment scheme

were performed entirely within the cryptographic boundary of the module being validated. The counter portion of the IV is set by the module within its cryptographic boundary. When the IV exhausts the maximum number of possible values for a given session key, the first party, client or server, to encounter this condition will trigger a handshake to establish a new encryption key. In case the module’s power is lost and then restored, a new key for use with the AES GCM encryption/decryption shall be established.

10 Palo Alto Networks SD-WAN Instant-On Network (ION) Devices © 2024 Palo Alto Networks, Inc.

ION 1200, ION 1200-S, ION 3200, ION 5200, and ION 9200

Page 11
Page 12

Console 1 1 1 1 Micro USB 1 1 1 1 SFP/RJ-45 Combo Ports 1 and 2 (SFP/RJ- Ports 1 and 2 (SFP/RJ- Ports 1 and 2 (SFP/RJ- Ports 1 and 2 (SFP/RJ-45 port 45 Combo) 45 Combo) 45 Combo) Combo) ByPass Pair (Note: Ports 3 and 4 Ports 3 and 4 Ports 3 and 4 Ports 3 and 4 This is not for FIPS 140-3 Bypass Service) Ethernet Ports Ports 5 - 10 (Access Ports 1 - 10 (Access Ports 1 - 10 (Access Ports 1 - 10 (Access Ports) Ports) Ports) Ports) Ports 7 - 10 (PoE) Ports 7 - 10 (PoE) Ports 7 - 10 (PoE) Ports 7 - 10 (PoE) LEDs 3 4 4 4 Power 2 2 2 2 Uplink Connector N/A 3 3 4 Table 10 - ION 1200-S Interface Quantity Note: All USB and Micro USB ports on each ION 1200-S module are functionally disabled. Physical Port Logical Interface Data that passes over port/interface Ethernet, PoE, SFP/RJ-45 Combo port, Data Input Data input into the module for all the services defined in ByPass Pair, and Uplink Connector Approved Services Table, including TLSv1.2, SSHv2, IPsec/IKEv2 and SNMPv3 service data. Ethernet, PoE, SFP/RJ-45 Combo port, Data Output Data output from the module for all the services defined in ByPass Pair, and Uplink Connector Approved Services Table, including TLSv1.2, SSHv2, IPsec/IKEv2 and SNMPv3 service data. Ethernet, PoE, SFP/RJ-45, and Uplink Control Input Control Data input into the module for all the services Connector defined in Approved Services Table, including TLSv1.2, SSHv2, IPsec/IKEv2 and SNMPv3 service data. Console, Ethernet, PoE, ByPass Pair, Status Output Status Information output from the module. SFP/RJ-45 Combo port, Uplink Connector, and LEDs N/A Control Output N/A Power N/A Provide the Power Supply to the module. Table 11 - Ports and Interfaces (ION 1200-S) Physical Port ION 3200 Qty USB 2 x USB 3.0(Functionally Disabled) Console 1 x RJ-45 serial console port Micro USB 1 x USB Type B console connector SFP / RJ-45 Combo port Ports 1 and 2 (SFP/RJ-45) ByPass Pair Ports 3 and 4 (RJ-45) (Note: This is not for FIPS 140-3 Bypass Service) Ethernet or PoE Ports 5 - 10 (RJ-45) Ports 7 - 10 (PoE) LEDs 3 Power 2 Table 12 - ION 3200 Interface Quantity Note: All USB ports on ION 3200 module are functionally disabled.

12 Palo Alto Networks SD-WAN Instant-On Network (ION) Devices © 2024 Palo Alto Networks, Inc.

ION 1200, ION 1200-S, ION 3200, ION 5200, and ION 9200

Page 13

Physical Port Logical Interface Data that passes over port/interface Ethernet, PoE, ByPass Pair, Data Input Data input into the module for all the services defined in SFP/RJ-45 Combo port Approved Services Table, including TLSv1.2, SSHv2, IPsec/IKEv2 and SNMPv3 service data. Status of the module via LEDs. Ethernet, PoE, ByPass Pair, Data Output Data output from the module for all the services defined in SFP/RJ-45 Combo port Approved Services Table, including TLSv1.2, SSHv2, IPsec/IKEv2 and SNMPv3 service data. Status of the module via LEDs. Ethernet, PoE, SFP/RJ-45 Control Input Control Data input into the module for all the services defined in Combo port Approved Services Table, including TLSv1.2, SSHv2, IPsec/IKEv2 and SNMPv3 service data Console, ByPass Pair, Ethernet, Status Output Status Information output from the module. PoE, SFP/RJ-45 Combo port, and LEDs N/A Control Output N/A Power N/A Provides the power supply to the module. Table 13 - Ports and Interfaces (ION 3200) Physical Port ION 5200 Qty ByPass Pair Ports 1 - 4 (Note: This is not for FIPS 140-3 Bypass Service) PoE Ports 9 - 12 SFP+ Ports 13 - 16 Ethernet Ports 5 - 8, Ports 17-19 (RJ-45) Console 1 x RJ-45 serial console port USB 1 Micro USB 1 LEDs 9 Power 2 Table 14 - ION 5200 Interface Quantity Note: All USB and Micro USB ports on each ION 5200 module are functionally disabled. Physical Port Logical Interface Data that passes over port/interface Ethernet, PoE, ByPass Pair, Data Input Data input into the module for all the services defined in SFP+/RJ-45 Combo port Approved Services Table, including TLSv1.2, SSHv2, IPsec/IKEv2 and SNMPv3 service data. Status of the module via LEDs. Ethernet, PoE, ByPass Pair, Data Output Data output from the module for all the services defined in SFP+/RJ-45 Combo port Approved Services Table, including TLSv1.2, SSHv2, IPsec/IKEv2 and SNMPv3 service data. Status of the module via LEDs. Ethernet, PoE, SFP+/RJ-45 Control Input Control Data input into the module for all the services defined in Combo port Approved Services Table, including TLSv1.2, SSHv2, IPsec/IKEv2 and SNMPv3 service data. Console, ByPass Pair, Ethernet, Status Output Status Information output from the module. PoE, SFP+/RJ-45 Combo port, and LEDs N/A Control Output N/A Power N/A Provides the power supply to the module. Table 15 - Ports and Interfaces (ION 5200) Interface Descriptions © 2024 Palo Alto Networks, Inc. Palo Alto Networks SD-WAN Instant-On Network (ION) Devices ION 1200, ION 1200-S, ION 3200, ION 5200, and ION 9200 13

Page 14

Physical Port ION 9200 Qty ByPass Pair Ports 1 - 8 (Note: This is not for FIPS 140-3 Bypass Service) PoE Ports 9 - 12 SFP+ Ports 13 - 22 Ethernet Ports 23 - 25 (RJ-45) Console 1 x RJ-45 serial console port USB 1 Micro USB 1 LEDs 9 Power 2 Table 16 - ION 9200 Interface Quantity Note: All USB and Micro USB ports on each ION 9200 module are functionally disabled. Physical Port Logical Interface Data that passes over port/interface Ethernet, PoE, ByPass Pair, SFP+ Data Input Data input into the module for all the services defined in Approved Services Table, including TLSv1.2, SSHv2, IPsec/IKEv2 and SNMPv3 service data. Status of the module via LEDs. Ethernet, PoE, ByPass Pair, SFP+ Data Output Data output from the module for all the services defined in Approved Services Table, including TLSv1.2, SSHv2, IPsec/IKEv2 and SNMPv3 service data. Status of the module via LEDs. Ethernet, PoE, SFP+ Control Input Control Data input into the module for all the services defined in Approved Services Table, including TLSv1.2, SSHv2, IPsec/IKEv2 and SNMPv3 service data. Console, ByPass Pair, Ethernet, Status Output Status Information output from the module. PoE, SFP+ and LEDs N/A Control Output N/A Power N/A Provides the power supply to the module. Table 17 - Ports and Interfaces (ION 9200) Interface Descriptions Note: All USB ports on each ION 9200 module are functionally disabled. 4. Roles, Services, and Authentication The modules all support role-based authentication, and provide the Crypto Officer role and the User role. The Crypto Officer role has the ability to perform all tasks and administrative actions while the User is read-only. Role Service Input Output Crypto Officer Crypto Officer Role Crypto Officer role Status of Crypto Officer role authentication Authentication authentication request Crypto Officer Perform Self-Test Command to trigger Self-Test Status of the self-tests results Crypto Officer Perform Zeroization Command to initiate the SSPs Status of the SSPs zeroization zeroization Crypto Officer Firmware Update Command to upload a new Status of the updated firmware installation validated firmware Crypto Officer Show Version Command to show version Module’s name/ID and versions Crypto Officer Show Status Command to show status Module’s status information

14 Palo Alto Networks SD-WAN Instant-On Network (ION) Devices © 2024 Palo Alto Networks, Inc.

ION 1200, ION 1200-S, ION 3200, ION 5200, and ION 9200

Page 15

Crypto Officer Configure Network Commands to configure the Status of the completion of network related module configuration Crypto Officer Configure SSHv2 Commands to configure SSHv2 Status of the completion of SSHv2 Function configuration Crypto Officer Configure TLSv1.2 Commands to configure TLSv1.2 Status of the completion of TLSv1.2 Function configuration Crypto Officer Configure SNMPv3 Commands to configure SNMPv3 Status of the completion of SNMPv3 Function configuration Crypto Officer Configure IPSec/IKEv2 Commands to configure Status of the completion of IPSec/IKEv2 Function IPSec/IKEv2 configuration Table 18 - Roles, Services Commands, Input and Output (Crypto Officer) Role Service Input Output User User Role Authentication User role authentication request Status of User role authentication User Show Version Command to show version Module’s name/ID and versions User Show Status Initialize show status command Module’s status information User Run SSHv2 Function Initiate SSHv2 tunnel establishment Status of SSHv2 tunnel establishment request User Run TLSv1.2 Function Initiate TLSv1.2 tunnel Status of TLSv1.2 tunnel establishment establishment request User Run SNMPv3 Function Initiate SNMPv3 tunnel Status of SNMPv3 tunnel establishment establishment request User Run IPsec/IKEv2 Function Initiate IPsec/IKEv2 tunnel Status of IPSec/IKEv2 tunnel establishment establishment request Table 19 - Roles, Services Commands, Input and Output (User) Role Authentication Authentication Strength Method User Password/Pre- The modules support Password based authentication mechanism using the minimum shared Secret length is eight (8) characters password (94 possible characters from the keyboard). The probability that a random attempt will succeed or a false acceptance will occur is 1/(94^8) which is less than 1/1,000,000. For multiple attacks during a one-minute period, as the module supports at most 3 failed attempts to authenticate in a one-minute period, the probability of successfully authenticating to the module within one minute is 3/(94^8), which is less than 1/100,000. This calculation is based on the assumption that the typical standard American QWERTY computer keyboard has 10 Integer digits, 52 alphabetic characters, and 32 special characters providing 94 characters to choose from in total. Crypto Officer, RSA The modules support RSA public-key based authentication mechanism using a User minimum of RSA 2048 bits, which provides 112 bits of security strength. The probability that a random attempt will succeed is 1/(2^112) which is less than 1/1,000,000. For multiple attacks during a one-minute period, as the module at its highest can support at most 17,000 new sessions per second to authenticate in a one-minute period, the probability of successfully authenticating to the module within a one minute period is 17,000 * 60 = 1,020,000/(2^112), which is less than 1/100,000. User ECDSA The modules support ECDSA public-key based authentication mechanism using a minimum of curve P-256, which provides 128 bits of security strength. The probability that a random attempt will succeed is 1/(2^128) which is less than 1/1,000,000. For multiple attacks during a one-minute period, as the module at its highest can support at most 17,000 new sessions per second to authenticate in a one-minute period, the probability of successfully authenticating to the module within a one minute period is 17,000 * 60 = 1,020,000/(2^128), which is less than 1/100,000. Table 20 - Roles and Authentication © 2024 Palo Alto Networks, Inc. Palo Alto Networks SD-WAN Instant-On Network (ION) Devices ION 1200, ION 1200-S, ION 3200, ION 5200, and ION 9200 15

Page 16

Service Description Approved Keys and/or SSPs Roles Access Indicator Security rights to Functions Keys and / or SSPs Crypto Crypto Officer Role RSA SigVer Crypto Officer Crypto W/E/Z CO role Officer role Authentication Authentication RSA Public Officer successful Authenticatio Key (PSP) login status n Perform Self- Initiate and run the HMAC-SHA2- Firmware Integrity Test Key Crypto N/A None Test pre-operational 256 (Non-SSP) Officer self-tests pre-operational self-tests Perform Zeroize all N/A All Crypto Z None Zeroization unprotected SSPs Officer stored in the module Firmware The module’s RSA Signature Firmware Update Key (SSP) Crypto E Firmware Update firmware is updated Verification Officer update to a new version completion message Show Version Provides the N/A N/A Crypto N/A None module’s name/ID Officer/ and versions User Show Status Provides the N/A N/A Crypto N/A None module’s current Officer/ status and User information Configure Perform the N/A N/A Crypto G/R/W/E Global Network Module’s Network Officer indicator and Configuration Configuratio n logs Configure Create a secure AES-CTR; DRBG Entropy Input (CSP); Crypto G/R/W/E Global SSHv2 SSHv2 channel CKG; DRBG Seed (CSP); Officer indicator and Function CTR_DRBG; DRBG Internal State V Value SSH ECDSA (CSP); connection KeyGen; DRBG Key (CSP); log message ECDSA SSH ECDHE Private Key KeyVer; (CSP); ECDSA SigGen; SSH ECDHE Public Key ECDSA SigVer; (PSP); Peer SSH ECDHE HMAC-SHA-1; Public Key (PSP); HMAC-SHA2- SSH ECDHE Shared Secret 256; (CSP); HMAC-SHA2- SSH ECDSA Private Key 512; (CSP); KAS-SSC SSH ECDSA Public Key (ECC); (PSP); KAS (ECC); SSH Session Encryption Key KDF SSH (CSP); SSH Session Authentication Key (CSP) Configure Create a secure AES-CBC; DRBG Entropy Input (CSP); Crypto G/R/W/E Global TLSv1.2 TLSv1.2 channel AES-GCM; DRBG Seed (CSP); Officer indicator and Function CKG;

16 Palo Alto Networks SD-WAN Instant-On Network (ION) Devices © 2024 Palo Alto Networks, Inc.

ION 1200, ION 1200-S, ION 3200, ION 5200, and ION 9200

Page 17

Service Description Approved Keys and/or SSPs Roles Access Indicator Security rights to Functions Keys and / or SSPs CTR_DRBG; DRBG Internal State V Value TLS success HMAC_DRBG; (CSP); log message HMAC-SHA2- DRBG Key (CSP); 256; TLS RSA Private Key (CSP); HMAC-SHA2- TLS RSA Public Key (PSP); 384; TLS ECDHE Private Key KAS-SSC (CSP); (ECC); TLS ECDHE Public Key KAS (ECC); (PSP); KTS; Peer TLS ECDHE Public Key RSA KeyGen; (PSP); RSA SigGen; TLS ECDHE Shared Secret RSA SigVer; (CSP); KDF TLS TLS Pre-Master Secret (CSP); TLS Master Secret (CSP); TLS Session Encryption Key (CSP); TLS Session Authentication Key (CSP) Configure Create a secure AES-CBC; SNMPv3 Authentication Crypto G/R/W/E Global SNMPv3 SNMPv3 channel HMAC-SHA-1; Secret (CSP); Officer indicator and Function KDF SNMP SNMPv3 Session Encryption SNMPv3 Key (CSP); success log SNMPv3 Session message Authentication Key (CSP) Configure Create IPSec/IKEv2 AES-CBC; DRBG Entropy Input (CSP); Crypto G/R/W/E Global IPsec/IKEv2 tunnel CKG; DRBG Seed (CSP); Officer indicator and Function CTR_DRBG; DRBG Internal State V Value IPSec HMAC-SHA-1; (CSP); success log HMAC-SHA2- DRBG Key (CSP); message 256; IPSec/IKE Pre-Shared Secret HMAC-SHA2- (CSP); 384; IPSec/IKE RSA Private Key HMAC-SHA2- (CSP); 512; IPSec/IKE RSA Public Key KAS-SSC (PSP); (ECC); IPSec/IKE ECDHE Private KAS (ECC); Key (CSP); RSA KeyGen; IPSec/IKE ECDHE Public RSA SigGen; Key (PSP); RSA SigVer; IPSec/IKE ECDHE Shared KDF IKEv2 Secret (CSP); IPSec/IKE Session Encryption Key (CSP); IPSec/IKE Session Authentication Key (CSP); User role User Role N/A User Password (CSP) User W/E N/A Authenticatio Authentication n Run SSHv2 Negotiation and AES-CTR; DRBG Entropy Input (CSP); User G/R/W/E Global Function encrypted data CKG; DRBG Seed (CSP); indicator and transport via SSH CTR_DRBG; DRBG Internal State V Value SSHv2 (CSP); Function © 2024 Palo Alto Networks, Inc. Palo Alto Networks SD-WAN Instant-On Network (ION) Devices ION 1200, ION 1200-S, ION 3200, ION 5200, and ION 9200 17

Page 18

Service Description Approved Keys and/or SSPs Roles Access Indicator Security rights to Functions Keys and / or SSPs ECDSA DRBG Key (CSP); running KeyGen; SSH ECDHE Private Key status ECDSA (CSP); message KeyVer; SSH ECDHE Public Key ECDSA SigGen; (PSP); Peer SSH ECDHE ECDSA SigVer; Public Key (PSP); HMAC-SHA-1; SSH ECDHE Shared Secret HMAC-SHA2- (CSP); 256; SSH ECDSA Private Key HMAC-SHA2- (CSP); 512; SSH ECDSA Public Key KAS-SSC (PSP); SSH Session (ECC); Encryption Key (CSP); KAS (ECC); SSH Session Authentication KDF SSH Key (CSP); Run TLSv1.2 Negotiation and AES-CBC; DRBG Entropy Input (CSP); User G/R/W/E Global Function encrypted data AES-GCM; DRBG Seed (CSP); indicator and transport via TLS CKG; DRBG Internal State V Value TLSv1.2 CTR_DRBG; (CSP); Function HMAC_DRBG; DRBG Key (CSP); running HMAC-SHA2- TLS RSA Private Key (CSP); status 256; TLS RSA Public Key (PSP); message HMAC-SHA2- TLS ECDHE Private Key 384; (CSP); KAS-SSC TLS ECDHE Public Key (ECC); (PSP); KAS (ECC); Peer TLS ECDHE Public Key KTS; (PSP); RSA KeyGen; TLS ECDHE Shared Secret RSA SigGen; (CSP); RSA SigVer; TLS Pre-Master Secret (CSP); KDF TLS TLS Master Secret (CSP); TLS Session Encryption Key (CSP); TLS Session Authentication Key (CSP) Run SNMPv3 Negotiation and AES-CBC; SNMPv3 Authentication User G/R/W/E Global Function encrypted data HMAC-SHA-1; Secret (CSP); indicator and transport via KDF SNMP SNMPv3 Session Encryption SNMPv3 SNMPv3 Key (CSP); Function SNMPv3 Session running Authentication Key (CSP) status message Run Negotiation and AES-CBC; DRBG Entropy Input (CSP); User G/R/W/E Global IPSec/IKEv2 encrypted data CKG; DRBG Seed (CSP); indicator and Function transport via IPSec CTR_DRBG; DRBG Internal State V Value IPSec/IKEv2 HMAC-SHA-1; (CSP); Function HMAC-SHA2- DRBG Key (CSP); running 256; IPSec/IKE Pre-Shared Secret status HMAC-SHA2- (CSP); message 384; IPSec/IKE RSA Private Key (CSP);

18 Palo Alto Networks SD-WAN Instant-On Network (ION) Devices © 2024 Palo Alto Networks, Inc.

ION 1200, ION 1200-S, ION 3200, ION 5200, and ION 9200

Page 19

Service Description Approved Keys and/or SSPs Roles Access Indicator Security rights to Functions Keys and / or SSPs HMAC-SHA2- IPSec/IKE RSA Public Key 512; (PSP); KAS-SSC IPSec/IKE ECDHE Private (ECC); Key (CSP); KAS (ECC); IPSec/IKE ECDHE Public RSA KeyGen; Key (PSP); RSA SigGen; IPSec/IKE ECDHE Shared RSA SigVer; Secret (CSP); KDF IKEv2 IPSec/IKE Session Encryption Key (CSP); IPSec/IKE Session Authentication Key (CSP) Table 21 - Approved Services G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g. the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP. Unauthenticated Services Unauthenticated Users can run the self-test service by power-cycling the module by removing the power and re-applying. 5. Software/Firmware Security Integrity Techniques The module performs the Firmware Integrity test by using HMAC-SHA2-256 (HMAC Cert. #A3563) during the PreOperational Self-Test. A Firmware Integrity Test Key (non-SSP) was preloaded to the module’s binary at the factory and used for firmware integrity test only at the pre-operational self-test. At Module’s initialization, the integrity of the runtime executable is verified using an HMAC-SHA2-256 digest which is compared to a value computed at build time. If at the load time the MAC does not match the stored, known MAC value, the module would enter an Error state with all crypto functionality inhibited. The module also supports the firmware load test by using RSA 2048 bits with SHA2-256 (RSA Cert. #A3563) for the new validated firmware to be uploaded into the module. A Firmware Load Test Key was preloaded to the module’s binary at the factory and used for firmware load test. In order to load new firmware, the Crypto Officer must authenticate into the module before loading any firmware. This ensures that unauthorized access and use of the module is not performed. The module will load the new update upon reboot. The update attempt will be rejected if the verification fails. Integrity Test On-Demand Integrity test is performed as part of the Pre-Operational Self-Tests. It is automatically executed at power-on. The operator can power-cycle or reboot the module to initiate the firmware integrity test on-demand. This automatically performs the integrity test of all firmware components included within the boundary of the module. © 2024 Palo Alto Networks, Inc. Palo Alto Networks SD-WAN Instant-On Network (ION) Devices ION 1200, ION 1200-S, ION 3200, ION 5200, and ION 9200 19

Page 20
  1. Operational Environment The Operational Environment requirements are not applicable as the module does not contain modifiable operational environments. The operational environment is non-modifiable. New firmware versions within the scope of this validation must be validated through the FIPS 140-3 CMVP. Any other firmware loaded into these modules is out of the scope of this validation and requires a separate FIPS 140-3 validation.
  2. Physical Security The module’s physical security includes tamper evident labels that are utilized to meet FIPS 140-3 Level 2 requirements. Details regarding the label placement are noted below: Physical Recommended Inspection/Test Guidance Details Security Frequency of Mechanism Inspection/Test Tamper Evident 30 days Verify integrity of tamper-evident seals in the locations identified in the FIPS Kit Installation Guide. Labels Label integrity to be verified within the module’s operating temperature range. TEL Quantity Required on each Module: Qty. 3 - ION 1200; Qty 4 - ION 1200-C-NA, ION 1200-C-ROW, ION 1200-C-5G-WW; Qty. 3 - ION 1200-S, ION 1200-S-C-NA, ION 1200-S-C-ROW, ION 1200-S-C-5G-WW; Qty. 3 - ION 3200; Qty. 12 - ION 5200/9200 Opacity Shield 30 days Verify integrity of the front opacity shield such that it has not been tampered, scratched, or warped Table 22 - Physical Security Inspection Guidelines Kit Part Numbers The module requires the following for physical security requirements: ● [ION 1200, ION 1200-C-NA, ION 1200-C-ROW, ION 1200-C-5G-WW]: Kit P/N 920-000363 ● [ION 1200-S, ION 1200-S-C-NA, ION 1200-S-C-ROW, ION 1200-S-C-5G-WW]: Kit P/N 920-000363 ● ION 3200: Kit P/N 920-000363 ● ION 5200, ION 9200: Kit P/N 920-000333 If additional labels are needed, the CO will need to contact Palo Alto Networks. ION 1200 The following section demonstrates how to apply the tamper evident labels (TELs) to the ION 1200 modules. The enclosure of the modules is the same. The tamper evident labels shall be installed on the security devices containing the module prior to operating in Approved mode. TELs shall be applied as depicted in the figures below. Any unused TELs must be securely stored, accounted for, and maintained by the Crypto Officer (CO) in a protected location. Should the CO have to remove, change or replace TELs for any reason, the CO must examine the location from which the TEL was removed and ensure that no residual debris is still remaining on the chassis or card. If residual debris remains, the CO must remove the debris using a damp cloth.

20 Palo Alto Networks SD-WAN Instant-On Network (ION) Devices © 2024 Palo Alto Networks, Inc.

ION 1200, ION 1200-S, ION 3200, ION 5200, and ION 9200

Page 21

Any deviation of the TELs placement by unauthorized operators such as tearing, misconfiguration, removal, change, replacement or any other change in the TELs from its original configuration as depicted below shall mean the module is no longer in Approved mode of operation. Returning the system back to Approved mode of operation requires the replacement of the TELs as depicted below and any additional requirement per the site security policy which are out of scope of this Security Policy. The ION 1200 requires 3 tamper evident labels while the ION 1200-C-NA/ION 1200-C-ROW/ION 1200-C-5G-WW require 4 tamper evident labels. The figures below detail the location of the labels. Figure 12 - ION 1200 Front View Figure 13 - ION 1200-C-5G-WW Front View Figure 14 - ION 1200-C-NA and ION 1200-C-ROW Front View Figure 15 - ION 1200 Left View (same for all models) Figure 16 - ION 1200 Right View (same for all models) © 2024 Palo Alto Networks, Inc. Palo Alto Networks SD-WAN Instant-On Network (ION) Devices ION 1200, ION 1200-S, ION 3200, ION 5200, and ION 9200 21

Page 22

Figure 17 - ION 1200 Top View Figure 18 - ION 1200-C-5G-WW/ION 1200-C-NA/ION 1200-C-ROW Top View Figure 19 - ION 1200 Rear View Figure 20 - ION 1200 Bottom View

22 Palo Alto Networks SD-WAN Instant-On Network (ION) Devices © 2024 Palo Alto Networks, Inc.

ION 1200, ION 1200-S, ION 3200, ION 5200, and ION 9200

Page 23

Figure 21 - ION 1200-C-5G-WW/ION 1200-C-NA/ION 1200-C-ROW Bottom View Figure 21A - ION 1200-S Rear View Figure 21B - ION 1200-S-C-NA, ION 1200-S-C-ROW, ION 1200-S-C-5G-WW Rear View Figure 21C - ION 1200-S, ION 1200-S-C-NA, ION 1200-S-C-ROW, ION 1200-S-C-5G-WW Bottom View ION 3200 The ION 3200 requires 3 tamper labels, which are placed at the following locations. Figure 22 - ION 3200 Rear View © 2024 Palo Alto Networks, Inc. Palo Alto Networks SD-WAN Instant-On Network (ION) Devices ION 1200, ION 1200-S, ION 3200, ION 5200, and ION 9200 23

Page 24

Figure 23 - ION 3200 Bottom View Figure 24 - ION 3200 Left Side View Figure 25 - ION 3200 Right Side View ION 5200 / 9200 The ION 5200 and ION 9200 use the same FIPS kit and have the same installation. The figure below demonstrates the tamper label placement along with the front opacity shield. Figure 26 - ION 5200/9200 FIPS Kit Installation 8. Non-Invasive Security No approved non-invasive attack mitigation test metrics are defined at this time.

24 Palo Alto Networks SD-WAN Instant-On Network (ION) Devices © 2024 Palo Alto Networks, Inc.

ION 1200, ION 1200-S, ION 3200, ION 5200, and ION 9200

Page 25

9. Sensitive Security Parameters Key/SSP Strength Security Generation Import/Export Establish- Storage Zeroization Use & Related Keys Name/Type Function and ment Cert. Number DRBG Entropy 256 bits N/A Obtained from the Import to the N/A DRAM Zeroized by SSP Used to seed the DRBG Input Entropy Source located module via (plaintext) (CSP/PSP) (CSP) within module’s Module’s API Zeroization cryptographic boundary Command Export: No DRBG Seed 256 bits CTR_DRBG; Internally Derived from Import: No N/A DRAM Zeroized by SSP Random number (CSP) Cert. #A3563; entropy input string as (plaintext) (CSP/PSP) generation defined by SP800- Export: No Zeroization HMAC_DRBG; 90Arev1 DRBG Command Cert. #A3564 DRBG Internal 256 bits CTR_DRBG; Internally Derived from Import: No N/A DRAM Zeroized by SSP Random number State V Value Cert. #A3563; entropy input string as (plaintext) (CSP/PSP) generation defined by SP800- Export: No Zeroization HMAC_DRBG; 90Arev1 DRBG Command Cert. #A3564 DRBG Key 256 bits CTR_DRBG; Internally Derived from Import: No N/A DRAM Zeroized by SSP Random number (CSP) Cert. #A3563; entropy input string as (plaintext) (CSP/PSP) generation defined by SP800- Export: No Zeroization HMAC_DRBG; 90Arev1 DRBG Command Cert. #A3564 Crypto Officer 2048 bits SHA-1; Pre-loaded at the factory Import: No N/A Embedded in Zeroized by SSP Used for CO role Authentication SHA2-256; the module’s (CSP/PSP) authentication RSA Public Key RSA SigVer Export: No executable Zeroization (PSP) binary in HDD Command Cert. #C170 (plaintext) User Password 8 N/A N/A Import to the MD/EE HDD Zeroized by SSP Used for User role (CSP) characters Module (plaintext) (CSP/PSP) authentication minimum encrypted by Zeroization TLS/SSH session Command key Export: No Firmware Load 112 bits RSA SigVer Pre-loaded at the build Import: No N/A Embedded in N/A Used for Firmware Load Test Key time (in the module’s the module’s (Note: This key is Test (CSP) (Modulus: Cert. #A3563 binary) Export: No executable only used for

2048 bits) binary in HDD Firmware Load

(plaintext) Test and not subject to the zeroization requirement) TLS RSA 112 - 128 CKG; Internally generated Import: No N/A HDD Zeroized by SSP Used for TLS peer Private Key bits DRBG; conformant to SP800- (plaintext) (CSP/PSP) authentication (CSP) RSA KeyGen; 133r2 (CKG) using FIPS Export: No Zeroization (Modulus: RSA SigGen; 186-4 RSA key generation Command 2048, method, and the random

3072 bits) Certs. #A3563 and value used in key

#A3564 generation is generated using SP800-90Arev1 DRBG TLS RSA Public 112 - 128 RSA SigVer; Internally derived per the Import: No N/A HDD Zeroized by SSP Used for TLS peer Key bits FIPS 186-4 RSA key (plaintext) (CSP/PSP) authentication (PSP) Certs. #A3563 and generation method Export to the TLS Zeroization (Modulus: #A3564 peer via the Command 2048, Module’s data

3072 bits) output interface

TLS ECDHE 128

Page 26

Key/SSP Strength Security Generation Import/Export Establish- Storage Zeroization Use & Related Keys Name/Type Function and ment Cert. Number TLS ECDHE 128

2048 or method, and the random
3072 bits) Cert. #A3563 value used in key

generation is generated using SP800-90Arev1 DRBG IPSec/IKE RSA 112 or 128 RSA SigVer Internally derived per the Import: No N/A HDD Zeroized by SSP Used for IPSec/IKE peer Public Key bits FIPS 186-4 RSA key (plaintext) (CSP/PSP) authentication (PSP) Cert. #A3563 generation method Export to the Zeroization (Modulus: IPSec/IKE peer Command

2048 or via the Module’s
3072 bits) data output

interface IPSec/IKE 128 or 192 CKG; Internally generated Import: No N/A DRAM Zeroized by SSP Used to derive IPSec/IKE ECDHE Private bits DRBG; conformant to SP800- (plaintext) (CSP/PSP) ECDHE Shared Secret Key KAS-ECC-SSC; 133r2 (CKG) using Export: No Zeroization (CSP) (Curves: P- SP800-56Arev3 EC Command

256 or Cert. #A3563 Diffie-Hellman key

P-384) generation method, and the random value used in key generation is generated using SP80090Arev1 DRBG IPSec/IKE 128 or 192 KAS-ECC-SSC Internally derived per the Import: No N/A DRAM Zeroized by SSP Used to derive IPSec/IKE ECDHE Public bits EC Diffie-Hellman key (plaintext) (CSP/PSP) ECDHE Shared Secret Key Cert. #A3563 agreement Export to the Zeroization (PSP) (Curves: P- (SP800-56A rev3) IPSec/IKE peer Command

256 or

P-384) IPSec/IKE 128 or 192 KAS-ECC-SSC; Internally derived Import: No N/A DRAM Zeroized by SSP Used to derive IPSec/IKE ECDHE Shared bits KAS (ECC); using (plaintext) (CSP/PSP) Session Encryption Keys, Secret SP800-56A rev3 Export: No Zeroization IPSec/IKE Authentication (CSP) (Curves: P- Cert. #A3563 ECDH shared Command Keys

256 or secret

P-384) computation IPSec/IKE 128-256 AES-CBC; Internally derived via key Import: No N/A DRAM Zeroized by SSP Used to secure Session bits KDF IKEv2; derivation function (plaintext) (CSP/PSP) IPSec/IKEv2 session Encryption Key defined in SP800- Export: No Zeroization confidentiality (CSP) 135rev1 KDF (IKEv2) Command

26 Palo Alto Networks SD-WAN Instant-On Network (ION) Devices © 2024 Palo Alto Networks, Inc.

ION 1200, ION 1200-S, ION 3200, ION 5200, and ION 9200

Page 27

Key/SSP Strength Security Generation Import/Export Establish- Storage Zeroization Use & Related Keys Name/Type Function and ment Cert. Number Certs. #A3563 and #A3565 IPSec/IKE At least HMAC-SHA-1; Internally derived via key Import: No N/A DRAM Zeroized by SSP Used to secure Session 112 bits HMAC-SHA2-256; derivation function (plaintext) (CSP/PSP) IPSec/IKEv2 session Authentication HMAC-SHA2-384; defined in SP800- Export: No Zeroization integrity Key HMAC-SHA2-512; 135rev1 KDF (IKEv2) Command (CSP) KDF IKEv2; Certs. #A3563 and #A3565 SNMPv3 8 N/A N/A Import: MD/EE HDD Zeroized by SSP Used for SNMPv3 User Authentication characters Encrypted by (plaintext) (CSP/PSP) authentication Secret minimum using TLS/SSH Zeroization (CSP) session key Command Export: No SNMPv3 128 bits AES-CFB; Internally derived via key Import: No N/A DRAM Zeroized by SSP Used to secure SNMPv3 Session KDF SNMPv3; derivation function (plaintext) (CSP/PSP) session confidentiality Encryption Key defined in SP800- Export: No Zeroization (CSP) Cert. #A3563 135rev1 KDF (SNMPv3) Command SNMPv3 160 bits HMAC-SHA-1; Internally derived via key Import: No N/A DRAM Zeroized by SSP Used to secure SNMPv3 Session KDF SNMPv3; derivation function (plaintext) (CSP/PSP) session integrity Authentication defined in SP800- Export: No Zeroization Key Cert. #A3563 135rev1 KDF (SNMPv3) Command (CSP) SSH ECDHE 128-256 CKG; Internally generated Import: No N/A DRAM Zeroized by SSP Used to derive the SSH Private Key bits DRBG; conformant to SP800- (plaintext) (CSP/PSP) ECDHE Shared Secret (CSP) KAS-ECC-SSC; 133r2 (CKG) using Export: No Zeroization (Curves: P- SP800-56Arev3 EC Command 256, Cert. #A3563 Diffie-Hellman key P-384, or generation method, and P-521) the random value used in key generation is generated using SP80090Arev1 DRBG SSH ECDHE P-256, KAS-ECC-SSC; Internally derived Import: No N/A DRAM Zeroized by SSP Used to derive the SSH Public Key P-384, or internally per the EC (plaintext) (CSP/PSP) ECDHE Shared Secret (PSP) P-521 Cert. #A3563 Diffie-Hellman key Export to the Zeroization agreement SSH peer via the Command (SP800-56Arev3) Module’s data output interface SSH ECDHE 128-256 KAS-ECC-SSC; Internally derived Import: No N/A DRAM Zeroized by SSP Used to derive SSH Shared Secret bits KAS-ECC; using (plaintext) (CSP/PSP) Session Encryption Keys, (CSP) SP800-56A rev3 Export: No Zeroization SSH Session (Curves: P- Cert. #A3566 EC Diffie-Hellman shared Command Authentication Keys 256, secret computation P-384, or P-521) SSH ECDSA 128-256 CKG; Internally generated Import: No N/A HDD Zeroized by SSP Used for SSH session Private Key bits DRBG; conformant to SP800- (plaintext) (CSP/PSP) authentication (CSP) ECDSA KeyGen; 133r2 (CKG) using FIPS Export: No Zeroization (Curves: P- ECDSA SigGen; 186-4 ECDSA key Command 256, generation method, and P-384, or Cert. #A3563 the random value used in P-521) key generation is generated using SP80090Arev1 DRBG SSH ECDSA 128-256 ECDSA SigVer; Internally derived per the Import: No N/A HDD Zeroized by SSP Used for SSH session Public Key bits FIPS 186-4 RSA key (plaintext) (CSP/PSP) authentication (PSP) Cert. #A3563 generation method Export to the Zeroization (Curves: P- SSH peer via the Command 256, Module’s data P-384, or output interface P-521) SSH Session 128, 192, AES-CTR; Internally derived via key Import: No N/A DRAM Zeroized by SSP Used for SSH session Encryption Key or 256 bits KDF SSH; derivation function (plaintext) (CSP/PSP) confidentiality protection (CSP) KTS; defined in SP 800- Export: No Zeroization 135rev1 KDF (SSHv2) Command Cert. #A3563 SSH Session At least KDF SSH; Internally derived via key Import: No N/A DRAM Zeroized by SSP Used for SSH session Authentication 160 bits KTS; derivation function (plaintext) (CSP/PSP) integrity protection Key HMAC-SHA-1; defined in SP800-135 Export: No Zeroization (CSP) HMAC-SHA2-256; KDF (SSH) Command HMAC-SHA2-512; Cert. #A3563 © 2024 Palo Alto Networks, Inc. Palo Alto Networks SD-WAN Instant-On Network (ION) Devices ION 1200, ION 1200-S, ION 3200, ION 5200, and ION 9200 27

Page 28

Table 23 – SSPs Notes:

  1. To initiate zeroization, see Section End of Life / Sanitization in this document for more details.
  2. The zeroization operations shall be performed under the control of the CO role.
  3. The zeroized SSPs cannot be retrieved or reused. Once the command is initiated, the SSPs are overwritten with 0s. Entropy Source(s) Minimum Number of Bits of Entropy Details Palo Alto Networks DRNG Entropy Source 0.6 bits entropy per sample with sample Please refer to ESV Cert. #E68 bit: 1 bit Palo Alto Networks DRNG Entropy Source 0.6 bits entropy per sample with sample Please refer to ESV Cert. #E71 bit: 1 bit Table 24 - Non-Deterministic Random Number Generation Specification
  4. Self-Tests The modules perform the following self-tests, including the pre-operational self-tests and Conditional self-tests. Pre-Operational Self-Tests Algorithm Self-Test Details SHS KAT using SHA2-256 HMAC KAT using HMAC- SHA2-256 Firmware integrity Using HMAC-SHA2-256 Table 25 - Crypto Library I Pre-Operational Self-Tests The modules also perform the following Cryptographic Algorithm Self-Tests (CASTs), which can be initiated by rebooting the module. All self-tests run without operator intervention. Conditional Self-Tests Cryptographic Algorithm Self-Tests (CASTs) Algorithm Self-Test Details AES AES-ECB 256 bits Encryption KAT AES AES-ECB 256 bits Decryption KAT AES AES-CBC 256 bits Encryption KAT AES AES-CBC 256 bits Decryption KAT AES-GCM AES-GCM 256 bits Encryption KAT AES-GCM AES-GCM 256 bits Decryption KAT DRBG CTR_DRBG (AES-256) KAT: Instantiate; KAT: Generate; KAT: Reseed Note: DRBG Health Tests as specified in SP800-90Arev1 Section 11.3 are performed) ECDSA SigGen KAT using P-224 with SHA2-256 (ECDSA Signature Generation) ECDSA SigVer KAT using P-224 with SHA2-256 (ECDSA Signature Verification)

28 Palo Alto Networks SD-WAN Instant-On Network (ION) Devices © 2024 Palo Alto Networks, Inc.

ION 1200, ION 1200-S, ION 3200, ION 5200, and ION 9200

Page 29

Algorithm Self-Test Details HMAC KAT using HMAC-SHA-1 HMAC KAT using HMAC-SHA2-224 HMAC KAT using HMAC-SHA2-256 HMAC KAT using HMAC-SHA2-384 HMAC KAT using HMAC-SHA2-512 KAS-ECC-SSC KAT for KAS-ECC-SSC (Shared Secret Computation) primitive Z value KDF IKEv2 KAT for IKEv2 KDF KDF SNMP KAT for SNMPv3 KDF KDF SSH KAT for SSHv2 KDF KDF TLS KAT for TLSv1.2 KDF RSA SigGen KAT using 2048 bits modulus with SHA2-256 (RSA Signature Generation) RSA SigVer KAT using 2048 bits modulus with SHA2-256 (RSA Signature Verification) SHS KAT using SHA-1 Table 26

Page 30

SHS KAT using SHA2-256 Table 29 –CASTs (Crypto Library V) Algorithm Self-Test Details SP 800-90B Health Tests The module’s entropy source implements Start-up and Continuous health tests defined in SP800-90B, section 4.2. The entropy source utilizes Developer-Defined Alternatives to the Continuous Health Tests which is defined in SP 800-90B section 4.5. Table 30 - Entropy Source Health Tests Conditional Pair-Wise Consistency Tests Conditional Self-Tests Algorithm Self-Test Details RSA RSA Pairwise consistency test (PCT) ECDSA ECDSA PCT KAS-ECC-SSC SP800-56Ar3 KAS-ECC-SSC PCT Table 31 - Conditional Pair-Wise Consistency Tests (Crypto Library I) Algorithm Self-Test Details RSA RSA Pairwise consistency test (PCT) ECDSA ECDSA PCT KAS-ECC-SSC SP800-56Ar3 KAS-ECC-SSC PCT Table 32 - Conditional Pair-Wise Consistency Tests (Crypto Library II) Conditional Firmware Load Test Conditional Self-Tests Algorithm Self-Test Details Firmware Load Test RSA 2048 with SHA2-256 Signature Verification Table 33 - Conditional Firmware Load Test (Crypto Library I) Periodic/On-Demand Self-Test The module performs on-demand self-tests initiated by the operator, by power cycling the module. The full suite of selftests is then executed. The same procedure may be employed by the operator to perform periodic self-tests. It is recommended that the Crypto Officer perform periodic testing of the module’s on-demand self-tests every 60 days to ensure all components are functioning correctly. Error Handling If any of the above-mentioned self-tests fail, the module reports the cause of the error and enters an error state (there is only one error state). In the Error State, no cryptographic services are provided, and data output is prohibited. The only method to recover from the error state is to reboot the module and perform the self-tests, including the pre-operational firmware integrity test and the conditional CASTs. The module will only enter into the operational state after successfully passing the pre-operational firmware integrity test and the conditional CASTs. The table below shows the different causes that lead to the Error State and the status indicators reported.

30 Palo Alto Networks SD-WAN Instant-On Network (ION) Devices © 2024 Palo Alto Networks, Inc.

ION 1200, ION 1200-S, ION 3200, ION 5200, and ION 9200

Page 31

Cause of Error Error State Indicator Failed Pre-Operational Firmware Integrity Test Integrity check failed at <location> Failed Conditional CAST <Crypto Library>: FIPS Self-test failed for <algorithm> Entering error state Failed Conditional PCT Key verification failed Failed Firmware Load Test Verification Failure SP 800-90B Entropy Source No random numbers are generated and key generation is halted Start-up/Continuous health tests Table 35 - Error State Indicators

  1. Life-Cycle Assurance All ION devices are designed to handle the various stages of a module’s life-cycle. The sections below highlight the details for each stage. Secure Delivery Procedures The security of the module is maintained during the transfer of these products from production sites to the customer through the following mechanisms: ● Email from Palo Alto Networks, Inc. confirming the order and includes tracking number(s). When the package arrives at the customer site, the customer checks the tracking number on the package with the tracking number supplied by Palo Alto Networks, Inc. ● The customer also checks the integrity of the package by inspecting the integrity of the security tape and the seals of the package for tampering. Any damages to the security tape and the seals of the package would require the customer to contact Palo Alto. ● The hardware and applicable documentation are delivered in the same package. Secure Operation The module meets all the Level 2 requirements for FIPS 140-3. Follow the secure operations provided below to place the module in approved mode. Operating this module without maintaining the following settings will remove the module from the approved mode of operation. The module runs firmware version 6.1.2. This is the only allowable firmware image for this current approved mode of operation. The module is initiated into the Approved mode of operation via the following procedure:
  2. The Crypto Officer must apply tamper evidence labels as described in Section “Physical Security” of this document
  3. Power on the ION Module
  4. Using the Controller, navigate to the device that is to be initiated a. Note: The module authenticates the Crypto Officer using default authentication (Root CA), and then replaces the default information with a specific one from the Controller (CO role)
  5. Click the three bullets next to the device
  6. Select “FIPS” a. Click “proceed” to begin initialization procedure
  7. The module will begin initialization that includes the following: a. Zeroization of any sensitive information or data b. Power cycle of the device followed by running all self-tests
  8. Once initialization is complete, the module provides the following status output: © 2024 Palo Alto Networks, Inc. Palo Alto Networks SD-WAN Instant-On Network (ION) Devices ION 1200, ION 1200-S, ION 3200, ION 5200, and ION 9200 31
Page 32

a. Device Mode: “fips” b. Self-tests: “Power-up self test successful” Once the module has completed initialization into the Approved mode of operation, the module automatically enforces a login certificate change for the Crypto Officer. Any non-Approved configurations/algorithms are rejected automatically by the module and an error message is output. End of Life / Sanitization End of life dates for the modules are announced publicly via Palo Alto Networks’ services website. Crypto Officers should follow the procedure below for the secure destruction of their module: Note: This process will cause the module to no longer function after it has wiped all configurations and keys.

  1. Access the module via SSH with Crypto Officer
  2. Authenticate using proper credentials
  3. Execute command: “disable system” a. Confirm command
  4. Module will begin zeroization process and wipe all security parameters and configurations within the module’s boundary
  5. Mitigation of Other Attacks This module is not designed to mitigate against any other attacks outside of the FIPS 140-3 scope.

32 Palo Alto Networks SD-WAN Instant-On Network (ION) Devices © 2024 Palo Alto Networks, Inc.

ION 1200, ION 1200-S, ION 3200, ION 5200, and ION 9200