All modules
CMVP Validated Module · FIPS 140-3 Security Policy

PAN-OS 10.2 VM-Series

Certificate#4762StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusHistoricalVendorPalo Alto Networks, Inc.
Medium review priority  ·  no TCB surface named  ·  last validated 23 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusHistorical
CaveatInterim Validation. When installed, initialized and configured as specified in Section 11 of the Security Policy
VendorPalo Alto Networks, Inc.

Approved Algorithms (31)

AlgorithmACVP Cert
AES-CBCA2907
AES-CFB128A2907
AES-CTRA2907
AES-GCMA2907
Conditioning Component AES-CBC-MAC SP800-90BA1791
Counter DRBGA2907
ECDSA KeyGen (FIPS186-4)A2907
ECDSA KeyVer (FIPS186-4)A2907
ECDSA SigGen (FIPS186-4)A2907
ECDSA SigVer (FIPS186-4)A2907
HMAC-SHA-1A2907
HMAC-SHA2-224A2907
HMAC-SHA2-256A2907
HMAC-SHA2-384A2907
HMAC-SHA2-512A2907
KAS-ECC-SSC Sp800-56Ar3A2907
KAS-FFC-SSC Sp800-56Ar3A2907
KDF IKEv2A2907
KDF SNMPA2907
KDF SSHA2907
KDF TLSA2907
RSA KeyGen (FIPS186-4)A2907
RSA SigGen (FIPS186-4)A2907
RSA SigVer (FIPS186-4)A2907
Safe Primes Key GenerationA2907
Safe Primes Key VerificationA2907
SHA-1A2907
SHA2-224A2907
SHA2-256A2907
SHA2-384A2907
SHA2-512A2907

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for PAN-OS 10.2 VM-Series
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Update</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>status output<br/>self-test</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for PAN-OS 10.2 VM-Series
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Update</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>status output<br/>self-test</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

PAN-OS 10.2 VM-Series Version: 1.2 Revision Date: August 13, 2024 Palo Alto Networks, Inc. www.paloaltonetworks.com © 2024 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Page 2
Table of Contents
#SectionPage
Page 3
  1. General The PAN-OS 10.2.8-h4 VM-Series module is available in multiple capacity options. All models can be deployed as guest virtual machines on VMware ESXi, Hyper-V, and Linux server that is running the KVM (Kernel-based Virtual Machine) using a common base image distributed in a compatible hypervisor format. The PAN-OS VM-Series is the virtualized form factor of the Palo Alto Networks next-generation firewall. The VM-Series is used to protect applications/data from cyber threats using Palo Alto Networks’ next-generation firewall and advanced threat prevention features. The cryptographic module meets the overall requirements applicable to Level 1 security of FIPS 140-3. Table 1 - Security Levels ISO/IEC 24759 Section
  2. FIPS 140-3 Section Title Security Level

1 General 1

2 Cryptographic Module Specification 1

3 Cryptographic Module Interfaces 1

4 Roles, Services, and Authentication 3

5 Software/Firmware Security 1

6 Operational Environment 1

7 Physical Security N/A

8 Non-Invasive Security N/A

9 Sensitive Security Parameter Management 1

10 Self-Tests 1

11 Life-Cycle Assurance 3

12 Mitigation of Other Attacks N/A

Overall Level 1

  1. Cryptographic Module Specification The tested operational environments are highlighted in Table
  2. Table 2 - Tested Operational Environments Operating System Hardware Platform Processor PAA/Acceleration Hyper-V 2019 on Microsoft Dell PowerEdge R740 Intel Xeon Gold 6248 N/A Hyper-V Server 2019 KVM 4 on Ubuntu 20.04 Dell PowerEdge R740 Intel Xeon Gold 6248 N/A VMware ESXi v7.0 Dell PowerEdge R740 Intel Xeon Gold 6248 N/A © 2024 Palo Alto Networks, Inc. PAN-OS 10.2 VM-Series Security Policy 3
Page 4

Table 3 - Vendor Affirmed Operational Environments Operating System Hardware Platform Amazon Web Services (AWS) x86 Architecture Google Cloud Platform (GCP) (Note: Specific processor/hardware is dependent on Instance/Machine Type selected for operation system) Microsoft Azure Operator Porting Rules The CMVP allows user porting of a validated software module to an operational environment which was not included as part of the validation testing. An operator may install and run a VM-series firewall on any general purpose computer (GPC) or platform using the specified hypervisor and operating system on the validation certificate or other compatible operating and/or hypervisor system and affirm the modules continued FIPS 140-3 validation compliance. The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when ported and executed in an operational environment not listed on the validation certificate. Approved Mode of Operation The following procedure will put the module into the Approved mode of operation:

Page 5

Non-Compliant State Failure to follow the directions in the Approved Mode of Operation above or rules noted in Section 11 will result in the module operating in a non-compliant state, which is considered out of scope of this validation. Zeroization To perform the zeroization service, follow the procedure below:

128 and 256 bits

AES-GCM GCM** Encryption A2907 [SP 800-38D] Decryption Counter DRBG AES 256 bits with Derivation A2907 CTR DRBG Random Bit Generator [SP 800-90Arev1] Function Enabled ECDSA KeyGen Key Generation A2907 ECDSA KeyGen P-256, P-384, P-521 (FIPS 186-4) Public Key Validation A2907 ECDSA KeyVer (FIPS 186-4) ECDSA KeyVer P-256, P-384, P-521 P-256, P-384, P-521 with Signature Generation A2907 ECDSA SigGen (FIPS 186-4) ECDSA SigGen SHA2-224, SHA2-256, SHA2-384, and SHA2-512 P-256, P-384, P-521 with SHA-1, A2907 ECDSA SigVer (FIPS 186-4) ECDSA SigVer SHA2-224, SHA2-256, Signature Verification SHA2-384, and SHA2-512 A2907 HMAC-SHA-1 [FIPS 198-1] HMAC HMAC-SHA-1 with λ=96, 160 Authentication for protocols A2907 HMAC-SHA2-224 HMAC HMAC-SHA2-224 with λ=224 Authentication for protocols © 2024 Palo Alto Networks, Inc. PAN-OS 10.2 VM-Series Security Policy 5

Page 6

[FIPS 198-1] A2907 HMAC-SHA2-256 HMAC HMAC-SHA2-256 with λ=256 Authentication for protocols [FIPS 198-1] A2907 HMAC-SHA2-384 HMAC HMAC-SHA2-384 with λ=384 Authentication for protocols [FIPS 198-1] A2907 HMAC-SHA2-512 HMAC HMAC-SHA2-512 with λ=512 Authentication for protocols [FIPS 198-1] KAS P-256/P-384/P-521 A2907 KAS-ECC-SSC SP 800-56Ar3 Key Exchange A2907 KAS-FFC-SSC SP 800-56Ar3 KAS MODP-2048/3072/4096 Key Exchange KDF IKEv2 [SP 800-135rev1] SHA2-256, SHA2-384, A2907 IKEv2 KDF IKEv2 (CVL) SHA2-512 Engine ID: KDF SNMP [SP 800-135rev1] A2907 SNMPv3 KDF 80001F880430303030303439 SNMPv3 (CVL) 35323630 KDF SSH [SP 800-135rev1] A2907 SSHv2 KDF SHA-1, SHA2-256, SHA2-512 SSH (CVL) KDF TLS TLS1.2 KDF A2907 TLS v1.2 Hash Algorithm: TLS [SP 800-135rev1] (CVL) SHA2-256, SHA2-384 RSA KeyGen RSA KeyGen Key Pair Generation A2907 2048, 3072, and 4096 bits (FIPS 186-4) (FIPS 186-4) RSA SigGen RSA SigGen 2048, 3072, and 4096-bit with Signature Generation A2907 (FIPS 186-4) (FIPS 186-4) hashes SHA2-256/384/512 2048, 3072, 4096-bit (per IG C.F) with hashes SHA-1/SHA2-224+++/256/384/ RSA SigVer RSA SigVer A2907 512 (Signature Verification) Signature Verification (FIPS 186-4) (FIPS 186-4) +++ This Hash algorithm is not supported for ANSI X9.31 Digital Signature Generation/Verification SHA-1 A2907 SHA-1 [FIPS 180-4] SHA Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification A2907 SHA2-224 [FIPS 180-4] SHA2 SHA-224 Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification A2907 SHA2-256 [FIPS 180-4] SHA2 SHA-256 Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification A2907 SHA2-384 [FIPS 180-4] SHA2 SHA-384 Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature A2907 SHA2-512 [FIPS 180-4] SHA2 SHA-512 Generation/Verification © 2024 Palo Alto Networks, Inc. PAN-OS 10.2 VM-Series Security Policy 6

Page 7

Non-Digital Signature Applications (e.g. component of HMAC) Safe Primes Key Generation Safe Primes Key MODP-2048, MODP-3072, A2907 Safe Primes Key Generation [RFC 3526] Generation MODP-4096 Safe Primes Key Verification Safe Primes Key MODP-2048, MODP-3072, A2907 Safe Primes Key Verification [RFC 3526] Verification MODP-4096 SP 800-38A, FIPS 198-1, and SP AES Cert. A2907 128, 192, and 256-bit keys KTS 800-38F. KTS (key and HMAC Cert. providing 128, 192, or 256 bits Key Wrapping [SP 800-38F] wrapping and A2907 of encryption strength unwrapping) per IG D.G. SP 800-38D and SP 800-38F. KTS (key 128 and 256-bit keys providing AES-GCM Cert. KTS wrapping and 128 or 256 bits of encryption Key Wrapping A2907 [SP 800-38F] unwrapping) per IG strength D.G. Palo Alto Networks DRNG ESV Cert. #E69 SP 800-90B ESV Entropy Entropy Source KAS-ECC-SSC SP 800-56Arev3. P-256 and P-384 curves Cert. #A2907, KDF Key Exchange with protocol KAS [SP 800-56Arev3] KAS-ECC per IG D.F providing 128 or 192 bits of IKEv2 Cert. KDF Scenario 2 path (2). encryption strength #A2907 KAS-ECC-SSC SP 800-56Arev3. P-256, P-384, and P-521 curves Key Exchange with protocol Cert. #A2907, KDF KAS [SP 800-56Arev3] KAS-ECC per IG D.F providing 128, 192, or 256 bits KDF SSH Cert. #A2907 Scenario 2 path (2). of encryption strength KAS-ECC-SSC SP 800-56Arev3. P-256, P-384, and P-521 curves Key Exchange with protocol Cert. #A2907, KDF KAS [SP 800-56Arev3] KAS-ECC per IG D.F providing 128, 192, or 256 bits KDF TLS Cert. #A2907 Scenario 2 path (2). of encryption strength KAS-FFC-SSC SP 800-56Arev3. 2048, 3072, and 4096-bit keys Cert. #A2907, KDF Key Exchange with protocol KAS [SP 800-56Arev3] KAS-FFC per IG D.F providing 112, 128, or 150 bits IKEv2 Cert. KDF Scenario 2 path (2). of encryption strength #A2907 KAS-FFC-SSC SP 800-56Arev3. 2048-bit key providing 112 bits Key Exchange with protocol Cert. #A2907, KDF KAS [SP 800-56Arev3] KAS-FFC per IG D.F of encryption strength KDF SSH Cert. #A2907 Scenario 2 path (2). KAS-FFC-SSC SP 800-56Arev3. 2048-bit key providing 112 bits Key Exchange with protocol Cert. #A2907, KDF KAS [SP 800-56Arev3] KAS-FFC per IG D.F of encryption strength KDF TLS Cert. #A2907 Scenario 2 path (2). Key Generation Note: Symmetric keys and the Cryptographic Key Vendor CKG Section 5.1, Section seeds used for asymmetric key Generation; SP 800Affirmed (SP 800-133rev2) 5.2, Section 6.1 pair generation are produced

133 and IG D.H.

using the unmodified/direct output of the DRBG

Page 8

7296 (RFC 5282 is not applicable, as the module does not use GCM within IKEv2 itself), and ensures when the module

exhausts all possible values for a given session key that this triggers a rekey condition. During operational testing, the module was tested against an independent version of IPsec with IKEv2 and found to behave correctly.

Page 9

Figure 1 - Cryptographic Boundary 3. Cryptographic Module Interfaces The module is a software only module that operates on a general purpose computing (GPC) platform. The physical ports and logical interfaces are consistent with a GPC operating environment. The module supports the following FIPS 140-3 logical interfaces: Table 6 - Ports and Interfaces Physical Port Logical Interface Data that passes over port/interface Power Power In Power supplies Console, GPC I/O Status Output Self-test status output Ethernet Data input, control input, HTTPS, TLS, SNMP, IPsec, and SSH data output, status output traffic data. The module’s physical and electrical characteristics, manual controls, and physical indicators are provided by the host GPC; the hypervisors provide virtualized ports and interfaces which map to the GPCs’ physical ports and interfaces (i.e., network interfaces and GPC inputs/outputs). © 2024 Palo Alto Networks, Inc. PAN-OS 10.2 VM-Series Security Policy 9

Page 10

4. Roles, Services, and Authentication Roles and Services While in the Approved mode of operation, all CO and User services are accessed via SSH or TLS sessions. Approved and allowed algorithms, relevant CSPs and public keys related to these protocols are accessed to support the following services. CSP access by services is further described in the following tables. Table 7 - Roles, Service Commands, Input and Output Role Service Input Output Crypto Officer Show Version Query module for version Module provides version Crypto Officer, Security Configuration Configuring and managing Confirmation of service User Management cryptographic parameters and via Configuration Logs setting/modifying security policy, including creating User accounts and additional CO accounts via CLI or WebUI Crypto Officer Other Configuration Networking parameter Confirmation of service configuration, logging configuration, via Configuration Logs and other non-security relevant configuration via CLI or WebUI Crypto Officer, View Other Query module for current Confirmation of service User Configuration non-security relevant configuration via Configuration Logs via WebUI or CLI Crypto Officer, Show Status Query status of the module via Module status User, RA VPN, WebUI or CLI information via CLI or S-S VPN System Logs RA VPN, S-S VPN VPN Initialize VPN connection Confirmation of service via System Logs Crypto Officer Software Update Loading new image Message output noting version updated successfully Unauthenticated Zeroize Initiate zeroization command The device will overwrite all CSPs and provide status of completion Unauthenticated Power cycling the module Self-test status output via Self-Tests system logs Unauthenticated Show Status View status of the module via Module status via the (Hypervisor) hypervisor. hypervisor The zeroization procedure is invoked when the operator initiates the service. The operator must be in control of the module during the entire procedure to ensure that it has successfully completed. During the zeroization procedure, no other services are available. Note: Additional information on the configuration options the module provides can be found at https://docs.paloaltonetworks.com/ © 2024 Palo Alto Networks, Inc. PAN-OS 10.2 VM-Series Security Policy 10

Page 11

Assumption of Roles The modules support four distinct operator roles, User and Cryptographic Officer (CO), Remote Access VPN, and Site-to-site VPN. The cryptographic modules enforce the separation of roles using unique authentication credentials associated with operator accounts. The modules do not provide a maintenance role or bypass capability. The modules all support the use of a password (i.e. Memorized Secret as per SP 800-140E). Upon first boot, the module requires that the Cryptographic Officer change the password from the default one to a custom one. The module automatically enforces a minimum password length of at least 8 characters. In FIPS-CC mode, the module automatically enforces a maximum of 10 failed attempts. Passwords stored in the module are hashed using SHA-256, and any passwords that are transported into/out of the module are protected via TLS 1.2. Table 8

Page 12

sessions per second to authenticate in a one-minute period. Site-to-Site VPN (S-S VPN) IKE/IPSec Pre-shared keys - The pre-shared key authentication Identification with the IP Address and method has a minimum security authentication with the Pre-Shared strength of 2112. The probability of Key (Memorized Secret) or successfully authenticating to the Single-Factor Cryptographic Software module is 1/(2112), which is less than (certificate based authentication) 1/1,000,000. The number of authentication attempts is limited by the number of new connections per second supported (120,000) on the fastest platform of the Palo Alto Networks firewalls. The probability of successfully authenticating to the module within a one minute period is 7,200,000/(2112), which is less than 1/100,000. The security modules support public-key based authentication using RSA 2048 and certificate-based authentication using RSA 2048, RSA 3072, RSA 4096, ECDSA P-256, P-384, or P-521. The minimum equivalent strength supported is 112 bits. The probability that a random attempt will succeed is 1/(2112) which is less than 1/1,000,000. The probability of successfully authenticating to the module within a one minute period is 3,600,000/(2112), which is less than 1/100,000. The firewall supports at most 60,000 new sessions per second to authenticate in a one-minute period. © 2024 Palo Alto Networks, Inc. PAN-OS 10.2 VM-Series Security Policy 12

Page 13

Definition of CSPs Modes of Access The following table defines the relationship between access to CSPs and the different module services. The modes of access shown in the table are defined as: G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g. the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP. Table 9 - Approved Services Service Description Approved Security Keys and/or SSPs Roles Access rights to Indicator Functions Keys and/or SSPs Show Version Query the module to N/A N/A CO N/A Version displayed via System display the version Logs / CLI / UI Security Configuring and CKG RSA Private Keys CO G/W/E Configuration/System Logs Configuration managing RSA KeyGen (FIPS Management cryptographic 186-4) RSA SigGen (FIPS 186-4) parameters and setting/modifying CKG ECDSA Private Keys CO G/W/E Configuration/System Logs security policy, ECDSA KeyGen (FIPS 186-4) including creating ECDSA SigGen User accounts and (FIPS 186-4) additional CO KAS KDF TLS TLS Pre-Master Secret CO G/E/Z Configuration/System Logs accounts (CVL) KDF TLS TLS Master Secret CO G/E/Z Configuration/System Logs (CVL) CKG, TLS DHE/ECDHE G/E/Z ECDSA Private Components CO Configuration/System Logs KeyGen (FIPS TLS DHE/ECDHE Public G/E/R/W/Z 186-4), Components ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC , KAS-FFC-SSC , Safe Primes Key Generation, Safe Primes Key Verification KTS HMAC-SHA2- TLS HMAC Keys CO G/E/Z Configuration/System Logs HMAC-SHA2AES-CBC TLS Encryption Keys CO G/E/Z Configuration/System Logs KTS AES-GCM KTS HMAC-SHA-1 SSH Session CO G/E/Z Configuration/System Logs HMAC-SHA2- Authentication Keys HMAC-SHA2AES-CBC, SSH Session Encryption CO G/E/Z Configuration/System Logs AES-CTR Keys KTS AES-GCM © 2024 Palo Alto Networks, Inc. PAN-OS 10.2 VM-Series Security Policy 13

Page 14

KAS KDF SSH SSH DHE/ECDHE CO G/E/Z Configuration/System Logs Private Components KAS-ECC-SSC KAS-FFC-SSC SSH DHE/ECDHE Public G/E/R/W/Z Safe Primes Components Key Generation, Safe Primes Key Verification N/A CO, User, RA VPN CO G/E/W Configuration/System Logs Password Counter DRBG, ESV Entropy Input String CO G/E Configuration/System Logs DRBG Seed DRBG V DRBG Key KDF SNMP (CVL) SNMPv3 Authentication CO W/E Configuration/System Logs Secret KDF SNMP (CVL) SNMPv3 Privacy Secret CO W/E Configuration/System Logs HMAC-SHA-1 Authentication Key CO G/E/Z Configuration/System Logs HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 AES-CFB128 Session Key CO G/E/Z Configuration/System Logs N/A Protocol Secrets CO W/E Configuration/System Logs RSA SigVer (FIPS 186-4) CA Certificates CO G/R/E/W Configuration/System Logs ECDSA SigVer (FIPS 186-4) ECDSA SigVer ECDSA Public Keys CO G/R/E/W Configuration/System Logs (FIPS 186-4) RSA SigVer RSA Public Keys CO G/R/E/W Configuration/System Logs (FIPS 186-4) RSA SigVer (FIPS 186-4) SSH Host Public Key CO G/R/E/W Configuration/System Logs ECDSA SigVer (FIPS 186-4) RSA SigVer (FIPS 186-4) SSH Client Public Key CO W/E Configuration/System Logs RSA SigVer (FIPS 186-4) Public key for software CO W/E Configuration/System Logs load test Other Networking RSA SigGen RSA Private Keys CO G/W/E Configuration/System Logs Configuration parameter (FIPS 186-4) configuration, logging ECDSA SigGen ECDSA Private Keys CO G/W/E Configuration/System Logs configuration, and (FIPS 186-4) other non-security KAS KDF TLS TLS Pre-Master Secret CO G/E/Z Configuration/System Logs relevant configuration (CVL) KDF TLS TLS Master Secret CO G/E/Z Configuration/System Logs (CVL) CKG, TLS DHE/ECDHE CO G/E/Z Configuration/System Logs ECDSA Private Components KeyGen (FIPS TLS DHE/ECDHE Public G/E/R/W/Z 186-4), Components ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC , KAS-FFC-SSC , Safe Primes Key Generation, Safe Primes Key Verification HMAC-SHA2-256 TLS HMAC Keys CO G/E/Z Configuration/System Logs HMAC-SHA2-384 © 2024 Palo Alto Networks, Inc. PAN-OS 10.2 VM-Series Security Policy 14

Page 15

AES-CBC or AES-GCM TLS Encryption Keys CO G/E/Z Configuration/System Logs G/Z HMAC-SHA-1 SSH Session CO Configuration/System Logs HMAC-SHA2-256 Authentication Keys HMAC-SHA2-512 AES-CBC, AES-CTR, or SSH Session Encryption CO G/E/Z Configuration/System Logs AES-GCM Keys KAS KDF SSH SSH DHE/ECDHE CO G/E/Z Configuration/System Logs (CVL) Private Components CKG, ECDSA G/E/R/W/Z KeyGen (FIPS SSH DHE/ECDHE Public 186-4), Components ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC , KAS-FFC-SSC , Safe Primes Key Generation, Safe Primes Key Verification N/A CO, User, RA VPN CO G/E/W Configuration/System Logs Password RSA SigVer (FIPS 186-4) CA Certificates CO G/R/E/W Configuration/System Logs ECDSA SigVer (FIPS 186-4) ECDSA SigVer ECDSA Public Keys CO G/R/E/W Configuration/System Logs (FIPS 186-4) RSA SigVer RSA Public Keys CO G/R/E/W Configuration/System Logs (FIPS 186-4) RSA SigVer (FIPS 186-4) SSH Host Public Key CO G/R/E/W Configuration/System Logs ECDSA SigVer (FIPS 186-4) RSA SigVer (FIPS 186-4) SSH Client Public Key CO W/E Configuration/System Logs View Other Read-only of N/A CO, User, RA VPN CO, W/E Configuration/System Logs Configuration non-security relevant Password User configuration Note: includes all items in “Other Configuration” Show Status Provides status RSA SigGen (FIPS 186-4) RSA Private Keys CO, E Configuration/System Logs information of the User module ECDSA SigGen ECDSA Private Keys CO, E Configuration/System Logs (FIPS 186-4) User KAS KDF TLS TLS Pre-Master Secret CO, G/E/Z Configuration/System Logs User KDF TLS TLS Master Secret CO, G/E/Z Configuration/System Logs User CKG, TLS DHE/ECDHE CO, G/E/Z Configuration/System Logs ECDSA Private Components User KeyGen (FIPS TLS DHE/ECDHE Public G/E/R/W/Z 186-4), Components ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC , KAS-FFC-SSC , Safe Primes Key Generation, Safe Primes © 2024 Palo Alto Networks, Inc. PAN-OS 10.2 VM-Series Security Policy 15

Page 16

Key Verification HMAC-SHA2-256 TLS HMAC Keys CO, G/E/Z Configuration/System Logs HMAC-SHA2-384 User AES-CBC or AES-GCM TLS Encryption Keys CO, G/E/Z Configuration/System Logs User HMAC-SHA-1 SSH Session CO, G/E/Z Configuration/System Logs HMAC-SHA2-256 Authentication Keys User HMAC-SHA2-512 AES-CBC, AES-CTR, or SSH Session Encryption CO, G/E/Z Configuration/System Logs AES-GCM Keys User KAS KDF SSH SSH DHE Public/Private CO, G/E/Z Configuration/System Logs (CVL) Components User CKG, ECDSA SSH ECDHE G/E/R/W/Z KeyGen (FIPS Public/Private 186-4), Components ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC , KAS-FFC-SSC , Safe Primes Key Generation, Safe Primes Key Verification VPN Provide network HMAC-SHA-1 S-S VPN IPSec/IKE S-S VPN G/E/Z Configuration/System Logs access for remote KTS HMAC-SHA2- Authentication Keys users or site-to-site 256 HMAC-SHA2connection HMAC-SHA2AES-CBC S-S VPN IPSec/IKE S-S VPN G/E/Z Configuration/System Logs Session Keys KTS AES-GCM KAS KDF IKEv2 S-S VPN IPSec/IKE S-S VPN G/E/Z Configuration/System Logs (CVL) DHE/ECDHE Private Components CKG, ECDSA KeyGen (FIPS G/E/R/W/Z 186-4), ECDSA S-S VPN IPSec/IKE KeyVer (FIPS DHE/ECDHE Public 186-4), Components KAS-ECC-SSC , KAS-FFC-SSC , Safe Primes Key Generation, Safe Primes Key Verification N/A S-S VPN IPSec S-S VPN W/E Configuration/System Logs Pre-Shared Keys ECDSA SigVer ECDSA Public Keys S-S VPN W/E Configuration/System Logs (FIPS 186-4) RSA SigVer RSA Public Keys S-S VPN W/E Configuration/System Logs (FIPS 186-4) RSA SigGen RSA Private Keys RA VPN E Configuration/System Logs (FIPS 186-4) ECDSA SigGen ECDSA Private Keys RA VPN E Configuration/System Logs (FIPS 186-4) KAS KDF TLS TLS Pre-Master Secret RA VPN G/E/Z Configuration/System Logs (CVL) © 2024 Palo Alto Networks, Inc. PAN-OS 10.2 VM-Series Security Policy 16

Page 17

KDF TLS TLS Master Secret G/E/Z (CVL) CKG, TLS DHE/ECDHE Public RA VPN G/E/R/W/Z Configuration/System Logs ECDSA Components KeyGen (FIPS TLS DHE/ECDHE RA VPN G/E/Z Configuration/System Logs 186-4), Private Components ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC , KAS-FFC-SSC , Safe Primes Key Generation, Safe Primes Key Verification KTS HMAC-SHA2- TLS HMAC Keys RA VPN G/E/Z Configuration/System Logs HMAC-SHA2AES-CBC TLS Encryption Keys RA VPN G/E/Z Configuration/System Logs KTS AES-GCM CKG, RA VPN IPSec Session RA VPN G/E/Z Configuration/System Logs AES-CBC or AES-GCM Keys CKG, RA VPN IPSec RA VPN G/E/Z Configuration/System Logs HMAC-SHA-1 Authentication Counter DRBG, ESV Entropy Input String RA VPN G/E Configuration/System Logs DRBG Seed DRBG V DRBG Key RSA SigVer (FIPS 186-4)) CA Certificates RA VPN W/E Configuration/System Logs ECDSA SigVer (FIPS 186-4) ECDSA SigVer ECDSA Public Keys RA VPN W/E Configuration/System Logs (FIPS 186-4) RSA SigVer RSA Public Keys RA VPN W/E Configuration/System Logs (FIPS 186-4) RSA SigVer Public key for software CO E Configuration/System Logs (FIPS 186-4) content load test Note: Includes all keys from Other Configuration Zeroize Destroys all keys in N/A All keys and SSPs CO Z Zeroization indicator the module Self-Test Initiates self-tests and HMAC-SHA2-256, Software integrity CO E System Logs integrity test ECDSA SigVer verification key (FIPS 186-4) Show Status Provides status of the N/A N/A All R Hypervisor VM status (Hypervisor) module Note: Configuration/System Logs for Approved services above will indicate FIPS-CC mode is enabled, configuration requirements from Section 11 are followed, and that the service succeeded. 5. Software/Firmware SecurityS The module performs the Software Integrity test by using HMAC-SHA-256 and ECDSA P-256 Signature Verification (HMAC/ECDSA Cert. #A2907) with the Software integrity verification key during the Pre-Operational Self-Test. In addition, © 2024 Palo Alto Networks, Inc. PAN-OS 10.2 VM-Series Security Policy 17

Page 18

the module also conducts the software load test by using RSA 2048 with SHA-256 (Cert. #A2907) for the new validated software to be uploaded into the module. Any software loaded into this module that is not shown on the module certificate is out of scope of this validation, and requires a separate FIPS 140-3 validation.

  1. Operational Environment The module is a modifiable operational environment as per FIPS 140-3 Level 1 specifications. The hypervisor environment provides an isolated operating environment and is the single operator of the virtual machine. The tested operating environments isolate virtual systems into separate isolated process spaces. Each process space is logically separated from all other processes by the operating environments software and hardware. The module functions entirely within the process space of the isolated system as managed by the single operational environment. This implicitly meets the FIPS 140-3 requirement that only one (1) entity at a time can use the cryptographic module.
  2. Physical Security There are no applicable FIPS 140-3 physical security requirements.
  3. Non-Invasive Security No approved non-invasive attack mitigation test metrics are defined at this time.
  4. Sensitive Security Parameters The following table details all the sensitive security parameters utilized by the module. Table 10 - SSPs Key/SSP/Name/ Strength Security Function Generation Import/Expor Establishmen Storage Zeroization1 Use & Related Keys Type and Cert. Number t t ECDSA/RSA Public key - Used to trust a RSA SigVer (FIPS HDD – Zeroize root CA intermediate 186-4) TLS or SSH Service CA and leaf /end

112 bits ECDSA SigVer DRBG, FIPS HDD/RAM

CA Certificates Session Key N/A RAM - Zeroize at entity certificates minimum (FIPS 186-4) 186-4

112 bits DRBG, FIPS Encrypted or HDD/RAM

RSA Public Keys (FIPS 186-4) N/A Zeroize Service establishment of TLS, minimum 186-4 Plaintext

Page 19

RAM - Zeroize at authentication or key session establishment. termination (RSA 2048, 3072, or 4096-bit) ECDSA public keys managed as certificates for the TLS or SSH verification of Session Key ECDSA SigVer signatures, ECDSA Public 128 bits DRBG, FIPS Encrypted or HDD/RAM (FIPS 186-4) N/A Zeroize Service establishment of TLS, Keys minimum 186-4 Plaintext

256 bits RAM - TLS connections

TLS HMAC Keys HMAC-SHA2-384 KDF TLS N/A 800-56A Rev. session minimum plaintext (SHA2- 256/384) Cert. #A2907 3 termination (256, 384 bits) Diffie Hellman or EC SSH Diffie-Hellman KAS-ECC-SSC DRBG, SP Zeroize at DHE/ECDHE 112 bits RAM - private (DH Group KAS-FFC-SSC 800-56A N/A N/A session Private minimum plaintext 14, ECDH P-256, Cert. #A2907 Rev. 3 termination Components ECDH P-384, ECDH P-521) Diffie Hellman or EC SSH Plaintext SSH Diffie-Hellman public KAS-ECC-SSC DRBG, SP Zeroize at DHE/ECDHE 112 bits handshake RAM - component (DH KAS-FFC-SSC 800-56A N/A session Public minimum plaintext Group 14, ECDH Cert. #A2907 Rev. 3 termination Components P-256, ECDH P-384, ECDH P-521) RSA SigVer SSH Host Public Key (FIPS 186-4) (RSA 2048, RSA 3072, SSH Host Public 112 bits ECDSA SigVer DRBG, FIPS HDD/RAM N/A N/A Zeroize Service RSA 4096, ECDSA Key minimum (FIPS 186-4) 186-4

Page 20
4096 bits)

Used in all SSH connections to the security module’s AES-CBC, SSH, KAS SP Zeroize at command line SSH Session 128 bits AES-CTR, or RAM KDF SSH N/A 800-56A Rev. session interface. Encryption Keys minimum AES-GCM plaintext

3 termination (128, 192, or 256 bits:

Cert. #A2907 AES CBC or CTR) (128 or 256 bits: AES GCM) Authentication keys used in all SSH connections to the HMAC-SHA-1 security module’s SSH Session SSH, KAS SP Zeroize at

160 bits HMAC-SHA2-256 RAM - command line

Authentication KDF SSH N/A 800-56A Rev. session minimum HMAC-SHA2-512 plaintext interface Keys 3 termination Cert. #A2907 (HMAC-SHA-1, HMAC-SHA2-256, HMAC-SHA2-512) (160, 256, 512 bits) Diffie-Hellman or EC Diffie-Hellman S-S VPN private component IPSec/IKE DHE KAS-ECC-SSC DBRG, SP used in key

112 bits RAM -

or ECDHE KAS-FFC-SSC 800-56A N/A N/A Power cycle establishment minimum plaintext Private Cert. #A2907 Rev. 3 (DHE 2048, DHE Components 3072, DHE 4096, ECDHE P-256, P-384, P-521) Diffie-Hellman or EC Diffie-Hellman public S-S VPN component used in IPSec/IKE DHE KAS-ECC-SSC DRBG, SP

112 bits RAM - key agreement

or ECDHE KAS-FFC-SSC 800-56A N/A N/A Power cycle minimum plaintext (DHE 2048, DHE Public Cert. #A2907 Rev. 3 3072, DHE 4096, Components ECDHE P-256, P-384, P-521) Used to encrypt IKE/IPSec data. These IPSec/IKE, S-S VPN AES-CBC, Zeroize at are AES (128, 192, or

128 bits KAS SP RAM -

IPSec/IKE AES-GCM KDF IKEv2 N/A session 256 CBC) IKE keys minimum 800-56A Rev. plaintext Session Keys Cert. #A2907 termination and (128, 192 or 256 CBC, 128 or 256 GCM) IPSec keys (HMAC-SHA-1, HMAC-SHA-1 SHA-256, SHA-384 or S-S VPN IPSec/IKE, HMAC-SHA2-256 Zeroize at SHA-512) Used to IPSec/IKE 160 bits KAS SP RAM HMAC-SHA2-384 KDF IKEv2 N/A session authenticate the peer Authentication minimum 800-56A Rev. plaintext HMAC-SHA2-512 termination in an IKE/IPSec tunnel Keys 3 Cert. #A2907 connection. (160, 256, 384, 512 bits) PSK used in conjunction with HMAC listed above S-S VPN IPSec Encrypted via HDD/RAM for authentication. N/A N/A N/A N/A Zeroize Service Pre-Shared Keys SSH or TLS

160 bits N/A N/A session

Authentication Cert. #A2907 DRBG plaintext authentication of termination remote access IPSec data. © 2024 Palo Alto Networks, Inc. PAN-OS 10.2 VM-Series Security Policy 20

Page 21

Used to check the integrity of all HMAC-SHA2-256, Software software code ECDSA SigVer HDD integrity 128 bits N/A N/A N/A N/A (HMAC-SHA-256 and (FIPS 186-4) plaintext verification key ECDSA P-256) Cert. #A2907 (Note: This is not considered an SSP) Used to authenticate Public key for RSA SigVer software and content HDD software 112 bits (FIPS 186-4) N/A N/A N/A N/A to be installed on the plaintext content load test Cert. #A2907 firewall (RSA 2048 with SHA-256) HDD - a Authentication string CO, User, RA SHA2-256 Encrypted via password with a minimum N/A External N/A Zeroize Service VPN Password Cert. #A2907 SSH or TLS hash length of eight (8) (SHA2-256) characters. Secrets used by Encrypted via HDD/RAM RADIUS or TACACS+ Protocol Secrets N/A N/A N/A IPsec, SSH or N/A Zeroize Service

256 bits per N/A N/A Power cycle

String plaintext SP 800-90B Cert. #A2907 Input length = 384 bits CKG (vendor DRBG seed coming affirmed), Counter Entropy as from the entropy DRBG RAM DRBG Seed 256 bits per N/A N/A Power cycle source Plaintext SP 800-90B Cert. #A2907 Seed length = 384 bits CKG (vendor affirmed), Counter AES 256 CTR DRBG Entropy as DRBG RAM - state Key used in the DRBG Key 256 bits per N/A N/A Power cycle plaintext generation of a SP 800-90B Cert. #A2907 random values CKG (vendor affirmed), Counter AES 256 CTR DRBG Entropy as DRBG RAM - state V used in the DRBG V 128 bits per N/A N/A Power cycle plaintext generation of a SP 800-90B Cert. #A2907 random values SNMPv3 Used to support Authentication KDF SNMP Encrypted via HDD/RAM SNMPv3 services N/A N/A N/A Zeroize Service Secret Cert. #A2907 TLS/SSH

128 bits AES-CFB128 HDD/RAM -

Session Key KDF SNMP N/A N/A Zeroize Service encryption key minimum Cert. #A2907 Plaintext (AES 128 CFB) Note: SSPs are implicitly zeroized when power is lost, or explicitly zeroized by the zeroize service. In the case of implicit zeroization, the SSPs are implicitly overwritten with random values due to their ephemeral memory being reset upon power loss. For the zeroization service and zeroization at session termination, the SSP's memory location is overwritten with random values. © 2024 Palo Alto Networks, Inc. PAN-OS 10.2 VM-Series Security Policy 21

Page 22

Table 11 - Non-Deterministic Random Number Generation Specification Entropy Source Minimum number of bits of entropy Details ESV Cert. #E69 Palo Alto Networks DRNG Entropy 256 bits Source Entropy source provides full entropy, which is provided in the 384 bit seed. 10. Self-Tests The cryptographic module performs the following tests below. The operator can command the module to perform the pre-operational and cryptographic algorithm self-tests by cycling power of the module; these tests do not require any additional operator action. Pre-operational Self-Tests Pre-operational Software Integrity Test

Page 23
Page 24

Alternatively, the VM-Series version can be obtained by running the following commands via CLI (as an authorized administrator): 1. request system software check 2. request system software download version 10.2.8-h4 3. request system software install version 10.2.8-h4 4. request restart system Palo Alto Network provides an Administrator Guide for additional information noted in the “Reference Documents” section of this Security Policy. The module design corresponds to the module security rules noted in the section below. Module Enforced Security Rules When FIPS-CC mode is enabled, the module runs all the required items noted in Section 10 Self-tests. This section documents the security rules enforced by the cryptographic module to implement the security requirements of this FIPS 140-3 Level 1 module.

  1. The cryptographic module provides four distinct operator roles. These are the User role, Remote Access VPN role, Site-to-site VPN role, and the Cryptographic Officer role.
  2. The cryptographic module provides identity-based authentication.
  3. The cryptographic module clears previous authentications when a power cycle is performed.
  4. If the cryptographic module remains inactive in any valid role for the administrator specified time interval, the module will automatically log out the operator. The CO will configure the period of inactivity.
  5. When configured, the module enforces a timed access protection mechanism that supports at most ten authentication attempts per minute. After the administrator specified number of consecutive unsuccessful password validation attempts have occurred, the cryptographic module shall enforce a wait period of at least one (1) minute before any more login attempts can be attempted. This wait period shall be enforced even if the module power is momentarily removed.
  6. When the module has not been placed in a valid role, the operator does not have access to any cryptographic services.
  7. The module supports the generation of key material with the approved DRBG. The entropy provided must be equal to or greater than the security strength of the key being generated. The approved DRBG requests a minimum of 256 bits of entropy per every 384 bits of seed input.
  8. The operator can command the module to perform the power-up self-test by cycling power of the module.
  9. Power-up self-tests do not require any operator action.
  10. Data output is inhibited during power-up self-tests, zeroization, and error states.
  11. Status information does not contain CSPs or sensitive data that if misused could lead to a compromise of the module.
  12. There are no restrictions on which keys or CSPs are zeroized by the zeroization service.
  13. The module does not support a maintenance interface or role.
  14. The module does not have any external input/output devices used for entry/output of data.
  15. The module does not enter or output plaintext CSPs.
  16. The module does not output intermediate key generation values.
  17. Pre-shared keys used for IKE/IPsec must be at least 6 bytes in length, but no more than 255 bytes. © 2024 Palo Alto Networks, Inc. PAN-OS 10.2 VM-Series Security Policy 24
Page 25

Vendor Imposed Security Rules In FIPS-CC mode, the following rules shall apply:

  1. The operator should not enable TLSv1.0 or use RSA for key wrapping; it is disabled by default. a. Checked via CLI using “show shared” command
  2. The operator should not enable TLSv1.3, it is disabled by default. a. Checked via CLI using “show profiles” command
  3. If using RADIUS, it must be configured using TLS. a. Checked via CLI using “show shared” command
  4. If using TACACS+, configure the service route via an IPSec tunnel, and ensure the TACACS+ server is configured for a minimum password length of eight (8) characters or greater. a. Checked via CLI using “show deviceconfig” command Failure to follow these Security Rules will cause the module to operate in a non-compliant state. Key to Entity The cryptographic module associates all keys (secret, private, or public) stored within, entered into or output from the module with authenticated operators of the module. Keys stored within the module are only made available to authenticated operators via TLS or SSH. Keys are only input or output from the module by the authenticated operator via a SSH/TLS/IPsec protected communication. Any attempt to intervene in the key to entity relationship would require defeating the module TLS/SSH/IPsec encryption and authentication/integrity mechanism.
  5. Mitigation of Other Attacks The module is not designed to mitigate any specific attacks outside the scope of FIPS 140-3. These requirements are not applicable.
  6. References [FIPS 140-3] FIPS Publication 140-3 Security Requirements for Cryptographic Modules Palo Alto Networks Administrator’s Guide: https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/pan-os/10-2/pan-os-admin/pan-os-admin.pdf
  7. Definitions and Acronyms AES – Advanced Encryption Standard CA – Certificate Authority CLI – Command Line Interface CO – Crypto-Officer CSP – Critical Security Parameter © 2024 Palo Alto Networks, Inc. PAN-OS 10.2 VM-Series Security Policy 25
Page 26

CVL