| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Historical |
| Caveat | Interim Validation. When installed, initialized and configured as specified in Section 11 of the Security Policy |
| Vendor | Palo Alto Networks, Inc. |
| Algorithm | ACVP Cert |
|---|---|
| AES-CBC | A2907 |
| AES-CFB128 | A2907 |
| AES-CTR | A2907 |
| AES-GCM | A2907 |
| Conditioning Component AES-CBC-MAC SP800-90B | A1791 |
| Counter DRBG | A2907 |
| ECDSA KeyGen (FIPS186-4) | A2907 |
| ECDSA KeyVer (FIPS186-4) | A2907 |
| ECDSA SigGen (FIPS186-4) | A2907 |
| ECDSA SigVer (FIPS186-4) | A2907 |
| HMAC-SHA-1 | A2907 |
| HMAC-SHA2-224 | A2907 |
| HMAC-SHA2-256 | A2907 |
| HMAC-SHA2-384 | A2907 |
| HMAC-SHA2-512 | A2907 |
| KAS-ECC-SSC Sp800-56Ar3 | A2907 |
| KAS-FFC-SSC Sp800-56Ar3 | A2907 |
| KDF IKEv2 | A2907 |
| KDF SNMP | A2907 |
| KDF SSH | A2907 |
| KDF TLS | A2907 |
| RSA KeyGen (FIPS186-4) | A2907 |
| RSA SigGen (FIPS186-4) | A2907 |
| RSA SigVer (FIPS186-4) | A2907 |
| Safe Primes Key Generation | A2907 |
| Safe Primes Key Verification | A2907 |
| SHA-1 | A2907 |
| SHA2-224 | A2907 |
| SHA2-256 | A2907 |
| SHA2-384 | A2907 |
| SHA2-512 | A2907 |
flowchart LR
%% Deterministic review-risk graph for PAN-OS 10.2 VM-Series
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Update</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>status output<br/>self-test</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for PAN-OS 10.2 VM-Series
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Update</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>status output<br/>self-test</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;PAN-OS 10.2 VM-Series Version: 1.2 Revision Date: August 13, 2024 Palo Alto Networks, Inc. www.paloaltonetworks.com © 2024 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
| # | Section | Page |
|---|
1 General 1
2 Cryptographic Module Specification 1
3 Cryptographic Module Interfaces 1
4 Roles, Services, and Authentication 3
5 Software/Firmware Security 1
6 Operational Environment 1
7 Physical Security N/A
8 Non-Invasive Security N/A
9 Sensitive Security Parameter Management 1
10 Self-Tests 1
11 Life-Cycle Assurance 3
12 Mitigation of Other Attacks N/A
Overall Level 1
Table 3 - Vendor Affirmed Operational Environments Operating System Hardware Platform Amazon Web Services (AWS) x86 Architecture Google Cloud Platform (GCP) (Note: Specific processor/hardware is dependent on Instance/Machine Type selected for operation system) Microsoft Azure Operator Porting Rules The CMVP allows user porting of a validated software module to an operational environment which was not included as part of the validation testing. An operator may install and run a VM-series firewall on any general purpose computer (GPC) or platform using the specified hypervisor and operating system on the validation certificate or other compatible operating and/or hypervisor system and affirm the modules continued FIPS 140-3 validation compliance. The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when ported and executed in an operational environment not listed on the validation certificate. Approved Mode of Operation The following procedure will put the module into the Approved mode of operation:
Non-Compliant State Failure to follow the directions in the Approved Mode of Operation above or rules noted in Section 11 will result in the module operating in a non-compliant state, which is considered out of scope of this validation. Zeroization To perform the zeroization service, follow the procedure below:
AES-GCM GCM** Encryption A2907 [SP 800-38D] Decryption Counter DRBG AES 256 bits with Derivation A2907 CTR DRBG Random Bit Generator [SP 800-90Arev1] Function Enabled ECDSA KeyGen Key Generation A2907 ECDSA KeyGen P-256, P-384, P-521 (FIPS 186-4) Public Key Validation A2907 ECDSA KeyVer (FIPS 186-4) ECDSA KeyVer P-256, P-384, P-521 P-256, P-384, P-521 with Signature Generation A2907 ECDSA SigGen (FIPS 186-4) ECDSA SigGen SHA2-224, SHA2-256, SHA2-384, and SHA2-512 P-256, P-384, P-521 with SHA-1, A2907 ECDSA SigVer (FIPS 186-4) ECDSA SigVer SHA2-224, SHA2-256, Signature Verification SHA2-384, and SHA2-512 A2907 HMAC-SHA-1 [FIPS 198-1] HMAC HMAC-SHA-1 with λ=96, 160 Authentication for protocols A2907 HMAC-SHA2-224 HMAC HMAC-SHA2-224 with λ=224 Authentication for protocols © 2024 Palo Alto Networks, Inc. PAN-OS 10.2 VM-Series Security Policy 5
[FIPS 198-1] A2907 HMAC-SHA2-256 HMAC HMAC-SHA2-256 with λ=256 Authentication for protocols [FIPS 198-1] A2907 HMAC-SHA2-384 HMAC HMAC-SHA2-384 with λ=384 Authentication for protocols [FIPS 198-1] A2907 HMAC-SHA2-512 HMAC HMAC-SHA2-512 with λ=512 Authentication for protocols [FIPS 198-1] KAS P-256/P-384/P-521 A2907 KAS-ECC-SSC SP 800-56Ar3 Key Exchange A2907 KAS-FFC-SSC SP 800-56Ar3 KAS MODP-2048/3072/4096 Key Exchange KDF IKEv2 [SP 800-135rev1] SHA2-256, SHA2-384, A2907 IKEv2 KDF IKEv2 (CVL) SHA2-512 Engine ID: KDF SNMP [SP 800-135rev1] A2907 SNMPv3 KDF 80001F880430303030303439 SNMPv3 (CVL) 35323630 KDF SSH [SP 800-135rev1] A2907 SSHv2 KDF SHA-1, SHA2-256, SHA2-512 SSH (CVL) KDF TLS TLS1.2 KDF A2907 TLS v1.2 Hash Algorithm: TLS [SP 800-135rev1] (CVL) SHA2-256, SHA2-384 RSA KeyGen RSA KeyGen Key Pair Generation A2907 2048, 3072, and 4096 bits (FIPS 186-4) (FIPS 186-4) RSA SigGen RSA SigGen 2048, 3072, and 4096-bit with Signature Generation A2907 (FIPS 186-4) (FIPS 186-4) hashes SHA2-256/384/512 2048, 3072, 4096-bit (per IG C.F) with hashes SHA-1/SHA2-224+++/256/384/ RSA SigVer RSA SigVer A2907 512 (Signature Verification) Signature Verification (FIPS 186-4) (FIPS 186-4) +++ This Hash algorithm is not supported for ANSI X9.31 Digital Signature Generation/Verification SHA-1 A2907 SHA-1 [FIPS 180-4] SHA Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification A2907 SHA2-224 [FIPS 180-4] SHA2 SHA-224 Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification A2907 SHA2-256 [FIPS 180-4] SHA2 SHA-256 Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification A2907 SHA2-384 [FIPS 180-4] SHA2 SHA-384 Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature A2907 SHA2-512 [FIPS 180-4] SHA2 SHA-512 Generation/Verification © 2024 Palo Alto Networks, Inc. PAN-OS 10.2 VM-Series Security Policy 6
Non-Digital Signature Applications (e.g. component of HMAC) Safe Primes Key Generation Safe Primes Key MODP-2048, MODP-3072, A2907 Safe Primes Key Generation [RFC 3526] Generation MODP-4096 Safe Primes Key Verification Safe Primes Key MODP-2048, MODP-3072, A2907 Safe Primes Key Verification [RFC 3526] Verification MODP-4096 SP 800-38A, FIPS 198-1, and SP AES Cert. A2907 128, 192, and 256-bit keys KTS 800-38F. KTS (key and HMAC Cert. providing 128, 192, or 256 bits Key Wrapping [SP 800-38F] wrapping and A2907 of encryption strength unwrapping) per IG D.G. SP 800-38D and SP 800-38F. KTS (key 128 and 256-bit keys providing AES-GCM Cert. KTS wrapping and 128 or 256 bits of encryption Key Wrapping A2907 [SP 800-38F] unwrapping) per IG strength D.G. Palo Alto Networks DRNG ESV Cert. #E69 SP 800-90B ESV Entropy Entropy Source KAS-ECC-SSC SP 800-56Arev3. P-256 and P-384 curves Cert. #A2907, KDF Key Exchange with protocol KAS [SP 800-56Arev3] KAS-ECC per IG D.F providing 128 or 192 bits of IKEv2 Cert. KDF Scenario 2 path (2). encryption strength #A2907 KAS-ECC-SSC SP 800-56Arev3. P-256, P-384, and P-521 curves Key Exchange with protocol Cert. #A2907, KDF KAS [SP 800-56Arev3] KAS-ECC per IG D.F providing 128, 192, or 256 bits KDF SSH Cert. #A2907 Scenario 2 path (2). of encryption strength KAS-ECC-SSC SP 800-56Arev3. P-256, P-384, and P-521 curves Key Exchange with protocol Cert. #A2907, KDF KAS [SP 800-56Arev3] KAS-ECC per IG D.F providing 128, 192, or 256 bits KDF TLS Cert. #A2907 Scenario 2 path (2). of encryption strength KAS-FFC-SSC SP 800-56Arev3. 2048, 3072, and 4096-bit keys Cert. #A2907, KDF Key Exchange with protocol KAS [SP 800-56Arev3] KAS-FFC per IG D.F providing 112, 128, or 150 bits IKEv2 Cert. KDF Scenario 2 path (2). of encryption strength #A2907 KAS-FFC-SSC SP 800-56Arev3. 2048-bit key providing 112 bits Key Exchange with protocol Cert. #A2907, KDF KAS [SP 800-56Arev3] KAS-FFC per IG D.F of encryption strength KDF SSH Cert. #A2907 Scenario 2 path (2). KAS-FFC-SSC SP 800-56Arev3. 2048-bit key providing 112 bits Key Exchange with protocol Cert. #A2907, KDF KAS [SP 800-56Arev3] KAS-FFC per IG D.F of encryption strength KDF TLS Cert. #A2907 Scenario 2 path (2). Key Generation Note: Symmetric keys and the Cryptographic Key Vendor CKG Section 5.1, Section seeds used for asymmetric key Generation; SP 800Affirmed (SP 800-133rev2) 5.2, Section 6.1 pair generation are produced
using the unmodified/direct output of the DRBG
7296 (RFC 5282 is not applicable, as the module does not use GCM within IKEv2 itself), and ensures when the module
exhausts all possible values for a given session key that this triggers a rekey condition. During operational testing, the module was tested against an independent version of IPsec with IKEv2 and found to behave correctly.
Figure 1 - Cryptographic Boundary 3. Cryptographic Module Interfaces The module is a software only module that operates on a general purpose computing (GPC) platform. The physical ports and logical interfaces are consistent with a GPC operating environment. The module supports the following FIPS 140-3 logical interfaces: Table 6 - Ports and Interfaces Physical Port Logical Interface Data that passes over port/interface Power Power In Power supplies Console, GPC I/O Status Output Self-test status output Ethernet Data input, control input, HTTPS, TLS, SNMP, IPsec, and SSH data output, status output traffic data. The module’s physical and electrical characteristics, manual controls, and physical indicators are provided by the host GPC; the hypervisors provide virtualized ports and interfaces which map to the GPCs’ physical ports and interfaces (i.e., network interfaces and GPC inputs/outputs). © 2024 Palo Alto Networks, Inc. PAN-OS 10.2 VM-Series Security Policy 9
4. Roles, Services, and Authentication Roles and Services While in the Approved mode of operation, all CO and User services are accessed via SSH or TLS sessions. Approved and allowed algorithms, relevant CSPs and public keys related to these protocols are accessed to support the following services. CSP access by services is further described in the following tables. Table 7 - Roles, Service Commands, Input and Output Role Service Input Output Crypto Officer Show Version Query module for version Module provides version Crypto Officer, Security Configuration Configuring and managing Confirmation of service User Management cryptographic parameters and via Configuration Logs setting/modifying security policy, including creating User accounts and additional CO accounts via CLI or WebUI Crypto Officer Other Configuration Networking parameter Confirmation of service configuration, logging configuration, via Configuration Logs and other non-security relevant configuration via CLI or WebUI Crypto Officer, View Other Query module for current Confirmation of service User Configuration non-security relevant configuration via Configuration Logs via WebUI or CLI Crypto Officer, Show Status Query status of the module via Module status User, RA VPN, WebUI or CLI information via CLI or S-S VPN System Logs RA VPN, S-S VPN VPN Initialize VPN connection Confirmation of service via System Logs Crypto Officer Software Update Loading new image Message output noting version updated successfully Unauthenticated Zeroize Initiate zeroization command The device will overwrite all CSPs and provide status of completion Unauthenticated Power cycling the module Self-test status output via Self-Tests system logs Unauthenticated Show Status View status of the module via Module status via the (Hypervisor) hypervisor. hypervisor The zeroization procedure is invoked when the operator initiates the service. The operator must be in control of the module during the entire procedure to ensure that it has successfully completed. During the zeroization procedure, no other services are available. Note: Additional information on the configuration options the module provides can be found at https://docs.paloaltonetworks.com/ © 2024 Palo Alto Networks, Inc. PAN-OS 10.2 VM-Series Security Policy 10
Assumption of Roles The modules support four distinct operator roles, User and Cryptographic Officer (CO), Remote Access VPN, and Site-to-site VPN. The cryptographic modules enforce the separation of roles using unique authentication credentials associated with operator accounts. The modules do not provide a maintenance role or bypass capability. The modules all support the use of a password (i.e. Memorized Secret as per SP 800-140E). Upon first boot, the module requires that the Cryptographic Officer change the password from the default one to a custom one. The module automatically enforces a minimum password length of at least 8 characters. In FIPS-CC mode, the module automatically enforces a maximum of 10 failed attempts. Passwords stored in the module are hashed using SHA-256, and any passwords that are transported into/out of the module are protected via TLS 1.2. Table 8
sessions per second to authenticate in a one-minute period. Site-to-Site VPN (S-S VPN) IKE/IPSec Pre-shared keys - The pre-shared key authentication Identification with the IP Address and method has a minimum security authentication with the Pre-Shared strength of 2112. The probability of Key (Memorized Secret) or successfully authenticating to the Single-Factor Cryptographic Software module is 1/(2112), which is less than (certificate based authentication) 1/1,000,000. The number of authentication attempts is limited by the number of new connections per second supported (120,000) on the fastest platform of the Palo Alto Networks firewalls. The probability of successfully authenticating to the module within a one minute period is 7,200,000/(2112), which is less than 1/100,000. The security modules support public-key based authentication using RSA 2048 and certificate-based authentication using RSA 2048, RSA 3072, RSA 4096, ECDSA P-256, P-384, or P-521. The minimum equivalent strength supported is 112 bits. The probability that a random attempt will succeed is 1/(2112) which is less than 1/1,000,000. The probability of successfully authenticating to the module within a one minute period is 3,600,000/(2112), which is less than 1/100,000. The firewall supports at most 60,000 new sessions per second to authenticate in a one-minute period. © 2024 Palo Alto Networks, Inc. PAN-OS 10.2 VM-Series Security Policy 12
Definition of CSPs Modes of Access The following table defines the relationship between access to CSPs and the different module services. The modes of access shown in the table are defined as: G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g. the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP. Table 9 - Approved Services Service Description Approved Security Keys and/or SSPs Roles Access rights to Indicator Functions Keys and/or SSPs Show Version Query the module to N/A N/A CO N/A Version displayed via System display the version Logs / CLI / UI Security Configuring and CKG RSA Private Keys CO G/W/E Configuration/System Logs Configuration managing RSA KeyGen (FIPS Management cryptographic 186-4) RSA SigGen (FIPS 186-4) parameters and setting/modifying CKG ECDSA Private Keys CO G/W/E Configuration/System Logs security policy, ECDSA KeyGen (FIPS 186-4) including creating ECDSA SigGen User accounts and (FIPS 186-4) additional CO KAS KDF TLS TLS Pre-Master Secret CO G/E/Z Configuration/System Logs accounts (CVL) KDF TLS TLS Master Secret CO G/E/Z Configuration/System Logs (CVL) CKG, TLS DHE/ECDHE G/E/Z ECDSA Private Components CO Configuration/System Logs KeyGen (FIPS TLS DHE/ECDHE Public G/E/R/W/Z 186-4), Components ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC , KAS-FFC-SSC , Safe Primes Key Generation, Safe Primes Key Verification KTS HMAC-SHA2- TLS HMAC Keys CO G/E/Z Configuration/System Logs HMAC-SHA2AES-CBC TLS Encryption Keys CO G/E/Z Configuration/System Logs KTS AES-GCM KTS HMAC-SHA-1 SSH Session CO G/E/Z Configuration/System Logs HMAC-SHA2- Authentication Keys HMAC-SHA2AES-CBC, SSH Session Encryption CO G/E/Z Configuration/System Logs AES-CTR Keys KTS AES-GCM © 2024 Palo Alto Networks, Inc. PAN-OS 10.2 VM-Series Security Policy 13
KAS KDF SSH SSH DHE/ECDHE CO G/E/Z Configuration/System Logs Private Components KAS-ECC-SSC KAS-FFC-SSC SSH DHE/ECDHE Public G/E/R/W/Z Safe Primes Components Key Generation, Safe Primes Key Verification N/A CO, User, RA VPN CO G/E/W Configuration/System Logs Password Counter DRBG, ESV Entropy Input String CO G/E Configuration/System Logs DRBG Seed DRBG V DRBG Key KDF SNMP (CVL) SNMPv3 Authentication CO W/E Configuration/System Logs Secret KDF SNMP (CVL) SNMPv3 Privacy Secret CO W/E Configuration/System Logs HMAC-SHA-1 Authentication Key CO G/E/Z Configuration/System Logs HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 AES-CFB128 Session Key CO G/E/Z Configuration/System Logs N/A Protocol Secrets CO W/E Configuration/System Logs RSA SigVer (FIPS 186-4) CA Certificates CO G/R/E/W Configuration/System Logs ECDSA SigVer (FIPS 186-4) ECDSA SigVer ECDSA Public Keys CO G/R/E/W Configuration/System Logs (FIPS 186-4) RSA SigVer RSA Public Keys CO G/R/E/W Configuration/System Logs (FIPS 186-4) RSA SigVer (FIPS 186-4) SSH Host Public Key CO G/R/E/W Configuration/System Logs ECDSA SigVer (FIPS 186-4) RSA SigVer (FIPS 186-4) SSH Client Public Key CO W/E Configuration/System Logs RSA SigVer (FIPS 186-4) Public key for software CO W/E Configuration/System Logs load test Other Networking RSA SigGen RSA Private Keys CO G/W/E Configuration/System Logs Configuration parameter (FIPS 186-4) configuration, logging ECDSA SigGen ECDSA Private Keys CO G/W/E Configuration/System Logs configuration, and (FIPS 186-4) other non-security KAS KDF TLS TLS Pre-Master Secret CO G/E/Z Configuration/System Logs relevant configuration (CVL) KDF TLS TLS Master Secret CO G/E/Z Configuration/System Logs (CVL) CKG, TLS DHE/ECDHE CO G/E/Z Configuration/System Logs ECDSA Private Components KeyGen (FIPS TLS DHE/ECDHE Public G/E/R/W/Z 186-4), Components ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC , KAS-FFC-SSC , Safe Primes Key Generation, Safe Primes Key Verification HMAC-SHA2-256 TLS HMAC Keys CO G/E/Z Configuration/System Logs HMAC-SHA2-384 © 2024 Palo Alto Networks, Inc. PAN-OS 10.2 VM-Series Security Policy 14
AES-CBC or AES-GCM TLS Encryption Keys CO G/E/Z Configuration/System Logs G/Z HMAC-SHA-1 SSH Session CO Configuration/System Logs HMAC-SHA2-256 Authentication Keys HMAC-SHA2-512 AES-CBC, AES-CTR, or SSH Session Encryption CO G/E/Z Configuration/System Logs AES-GCM Keys KAS KDF SSH SSH DHE/ECDHE CO G/E/Z Configuration/System Logs (CVL) Private Components CKG, ECDSA G/E/R/W/Z KeyGen (FIPS SSH DHE/ECDHE Public 186-4), Components ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC , KAS-FFC-SSC , Safe Primes Key Generation, Safe Primes Key Verification N/A CO, User, RA VPN CO G/E/W Configuration/System Logs Password RSA SigVer (FIPS 186-4) CA Certificates CO G/R/E/W Configuration/System Logs ECDSA SigVer (FIPS 186-4) ECDSA SigVer ECDSA Public Keys CO G/R/E/W Configuration/System Logs (FIPS 186-4) RSA SigVer RSA Public Keys CO G/R/E/W Configuration/System Logs (FIPS 186-4) RSA SigVer (FIPS 186-4) SSH Host Public Key CO G/R/E/W Configuration/System Logs ECDSA SigVer (FIPS 186-4) RSA SigVer (FIPS 186-4) SSH Client Public Key CO W/E Configuration/System Logs View Other Read-only of N/A CO, User, RA VPN CO, W/E Configuration/System Logs Configuration non-security relevant Password User configuration Note: includes all items in “Other Configuration” Show Status Provides status RSA SigGen (FIPS 186-4) RSA Private Keys CO, E Configuration/System Logs information of the User module ECDSA SigGen ECDSA Private Keys CO, E Configuration/System Logs (FIPS 186-4) User KAS KDF TLS TLS Pre-Master Secret CO, G/E/Z Configuration/System Logs User KDF TLS TLS Master Secret CO, G/E/Z Configuration/System Logs User CKG, TLS DHE/ECDHE CO, G/E/Z Configuration/System Logs ECDSA Private Components User KeyGen (FIPS TLS DHE/ECDHE Public G/E/R/W/Z 186-4), Components ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC , KAS-FFC-SSC , Safe Primes Key Generation, Safe Primes © 2024 Palo Alto Networks, Inc. PAN-OS 10.2 VM-Series Security Policy 15
Key Verification HMAC-SHA2-256 TLS HMAC Keys CO, G/E/Z Configuration/System Logs HMAC-SHA2-384 User AES-CBC or AES-GCM TLS Encryption Keys CO, G/E/Z Configuration/System Logs User HMAC-SHA-1 SSH Session CO, G/E/Z Configuration/System Logs HMAC-SHA2-256 Authentication Keys User HMAC-SHA2-512 AES-CBC, AES-CTR, or SSH Session Encryption CO, G/E/Z Configuration/System Logs AES-GCM Keys User KAS KDF SSH SSH DHE Public/Private CO, G/E/Z Configuration/System Logs (CVL) Components User CKG, ECDSA SSH ECDHE G/E/R/W/Z KeyGen (FIPS Public/Private 186-4), Components ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC , KAS-FFC-SSC , Safe Primes Key Generation, Safe Primes Key Verification VPN Provide network HMAC-SHA-1 S-S VPN IPSec/IKE S-S VPN G/E/Z Configuration/System Logs access for remote KTS HMAC-SHA2- Authentication Keys users or site-to-site 256 HMAC-SHA2connection HMAC-SHA2AES-CBC S-S VPN IPSec/IKE S-S VPN G/E/Z Configuration/System Logs Session Keys KTS AES-GCM KAS KDF IKEv2 S-S VPN IPSec/IKE S-S VPN G/E/Z Configuration/System Logs (CVL) DHE/ECDHE Private Components CKG, ECDSA KeyGen (FIPS G/E/R/W/Z 186-4), ECDSA S-S VPN IPSec/IKE KeyVer (FIPS DHE/ECDHE Public 186-4), Components KAS-ECC-SSC , KAS-FFC-SSC , Safe Primes Key Generation, Safe Primes Key Verification N/A S-S VPN IPSec S-S VPN W/E Configuration/System Logs Pre-Shared Keys ECDSA SigVer ECDSA Public Keys S-S VPN W/E Configuration/System Logs (FIPS 186-4) RSA SigVer RSA Public Keys S-S VPN W/E Configuration/System Logs (FIPS 186-4) RSA SigGen RSA Private Keys RA VPN E Configuration/System Logs (FIPS 186-4) ECDSA SigGen ECDSA Private Keys RA VPN E Configuration/System Logs (FIPS 186-4) KAS KDF TLS TLS Pre-Master Secret RA VPN G/E/Z Configuration/System Logs (CVL) © 2024 Palo Alto Networks, Inc. PAN-OS 10.2 VM-Series Security Policy 16
KDF TLS TLS Master Secret G/E/Z (CVL) CKG, TLS DHE/ECDHE Public RA VPN G/E/R/W/Z Configuration/System Logs ECDSA Components KeyGen (FIPS TLS DHE/ECDHE RA VPN G/E/Z Configuration/System Logs 186-4), Private Components ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC , KAS-FFC-SSC , Safe Primes Key Generation, Safe Primes Key Verification KTS HMAC-SHA2- TLS HMAC Keys RA VPN G/E/Z Configuration/System Logs HMAC-SHA2AES-CBC TLS Encryption Keys RA VPN G/E/Z Configuration/System Logs KTS AES-GCM CKG, RA VPN IPSec Session RA VPN G/E/Z Configuration/System Logs AES-CBC or AES-GCM Keys CKG, RA VPN IPSec RA VPN G/E/Z Configuration/System Logs HMAC-SHA-1 Authentication Counter DRBG, ESV Entropy Input String RA VPN G/E Configuration/System Logs DRBG Seed DRBG V DRBG Key RSA SigVer (FIPS 186-4)) CA Certificates RA VPN W/E Configuration/System Logs ECDSA SigVer (FIPS 186-4) ECDSA SigVer ECDSA Public Keys RA VPN W/E Configuration/System Logs (FIPS 186-4) RSA SigVer RSA Public Keys RA VPN W/E Configuration/System Logs (FIPS 186-4) RSA SigVer Public key for software CO E Configuration/System Logs (FIPS 186-4) content load test Note: Includes all keys from Other Configuration Zeroize Destroys all keys in N/A All keys and SSPs CO Z Zeroization indicator the module Self-Test Initiates self-tests and HMAC-SHA2-256, Software integrity CO E System Logs integrity test ECDSA SigVer verification key (FIPS 186-4) Show Status Provides status of the N/A N/A All R Hypervisor VM status (Hypervisor) module Note: Configuration/System Logs for Approved services above will indicate FIPS-CC mode is enabled, configuration requirements from Section 11 are followed, and that the service succeeded. 5. Software/Firmware SecurityS The module performs the Software Integrity test by using HMAC-SHA-256 and ECDSA P-256 Signature Verification (HMAC/ECDSA Cert. #A2907) with the Software integrity verification key during the Pre-Operational Self-Test. In addition, © 2024 Palo Alto Networks, Inc. PAN-OS 10.2 VM-Series Security Policy 17
the module also conducts the software load test by using RSA 2048 with SHA-256 (Cert. #A2907) for the new validated software to be uploaded into the module. Any software loaded into this module that is not shown on the module certificate is out of scope of this validation, and requires a separate FIPS 140-3 validation.
112 bits ECDSA SigVer DRBG, FIPS HDD/RAM
CA Certificates Session Key N/A RAM - Zeroize at entity certificates minimum (FIPS 186-4) 186-4
112 bits DRBG, FIPS Encrypted or HDD/RAM
RSA Public Keys (FIPS 186-4) N/A Zeroize Service establishment of TLS, minimum 186-4 Plaintext
RAM - Zeroize at authentication or key session establishment. termination (RSA 2048, 3072, or 4096-bit) ECDSA public keys managed as certificates for the TLS or SSH verification of Session Key ECDSA SigVer signatures, ECDSA Public 128 bits DRBG, FIPS Encrypted or HDD/RAM (FIPS 186-4) N/A Zeroize Service establishment of TLS, Keys minimum 186-4 Plaintext
256 bits RAM - TLS connections
TLS HMAC Keys HMAC-SHA2-384 KDF TLS N/A 800-56A Rev. session minimum plaintext (SHA2- 256/384) Cert. #A2907 3 termination (256, 384 bits) Diffie Hellman or EC SSH Diffie-Hellman KAS-ECC-SSC DRBG, SP Zeroize at DHE/ECDHE 112 bits RAM - private (DH Group KAS-FFC-SSC 800-56A N/A N/A session Private minimum plaintext 14, ECDH P-256, Cert. #A2907 Rev. 3 termination Components ECDH P-384, ECDH P-521) Diffie Hellman or EC SSH Plaintext SSH Diffie-Hellman public KAS-ECC-SSC DRBG, SP Zeroize at DHE/ECDHE 112 bits handshake RAM - component (DH KAS-FFC-SSC 800-56A N/A session Public minimum plaintext Group 14, ECDH Cert. #A2907 Rev. 3 termination Components P-256, ECDH P-384, ECDH P-521) RSA SigVer SSH Host Public Key (FIPS 186-4) (RSA 2048, RSA 3072, SSH Host Public 112 bits ECDSA SigVer DRBG, FIPS HDD/RAM N/A N/A Zeroize Service RSA 4096, ECDSA Key minimum (FIPS 186-4) 186-4
Used in all SSH connections to the security module’s AES-CBC, SSH, KAS SP Zeroize at command line SSH Session 128 bits AES-CTR, or RAM KDF SSH N/A 800-56A Rev. session interface. Encryption Keys minimum AES-GCM plaintext
Cert. #A2907 AES CBC or CTR) (128 or 256 bits: AES GCM) Authentication keys used in all SSH connections to the HMAC-SHA-1 security module’s SSH Session SSH, KAS SP Zeroize at
160 bits HMAC-SHA2-256 RAM - command line
Authentication KDF SSH N/A 800-56A Rev. session minimum HMAC-SHA2-512 plaintext interface Keys 3 termination Cert. #A2907 (HMAC-SHA-1, HMAC-SHA2-256, HMAC-SHA2-512) (160, 256, 512 bits) Diffie-Hellman or EC Diffie-Hellman S-S VPN private component IPSec/IKE DHE KAS-ECC-SSC DBRG, SP used in key
or ECDHE KAS-FFC-SSC 800-56A N/A N/A Power cycle establishment minimum plaintext Private Cert. #A2907 Rev. 3 (DHE 2048, DHE Components 3072, DHE 4096, ECDHE P-256, P-384, P-521) Diffie-Hellman or EC Diffie-Hellman public S-S VPN component used in IPSec/IKE DHE KAS-ECC-SSC DRBG, SP
112 bits RAM - key agreement
or ECDHE KAS-FFC-SSC 800-56A N/A N/A Power cycle minimum plaintext (DHE 2048, DHE Public Cert. #A2907 Rev. 3 3072, DHE 4096, Components ECDHE P-256, P-384, P-521) Used to encrypt IKE/IPSec data. These IPSec/IKE, S-S VPN AES-CBC, Zeroize at are AES (128, 192, or
IPSec/IKE AES-GCM KDF IKEv2 N/A session 256 CBC) IKE keys minimum 800-56A Rev. plaintext Session Keys Cert. #A2907 termination and (128, 192 or 256 CBC, 128 or 256 GCM) IPSec keys (HMAC-SHA-1, HMAC-SHA-1 SHA-256, SHA-384 or S-S VPN IPSec/IKE, HMAC-SHA2-256 Zeroize at SHA-512) Used to IPSec/IKE 160 bits KAS SP RAM HMAC-SHA2-384 KDF IKEv2 N/A session authenticate the peer Authentication minimum 800-56A Rev. plaintext HMAC-SHA2-512 termination in an IKE/IPSec tunnel Keys 3 Cert. #A2907 connection. (160, 256, 384, 512 bits) PSK used in conjunction with HMAC listed above S-S VPN IPSec Encrypted via HDD/RAM for authentication. N/A N/A N/A N/A Zeroize Service Pre-Shared Keys SSH or TLS
160 bits N/A N/A session
Authentication Cert. #A2907 DRBG plaintext authentication of termination remote access IPSec data. © 2024 Palo Alto Networks, Inc. PAN-OS 10.2 VM-Series Security Policy 20
Used to check the integrity of all HMAC-SHA2-256, Software software code ECDSA SigVer HDD integrity 128 bits N/A N/A N/A N/A (HMAC-SHA-256 and (FIPS 186-4) plaintext verification key ECDSA P-256) Cert. #A2907 (Note: This is not considered an SSP) Used to authenticate Public key for RSA SigVer software and content HDD software 112 bits (FIPS 186-4) N/A N/A N/A N/A to be installed on the plaintext content load test Cert. #A2907 firewall (RSA 2048 with SHA-256) HDD - a Authentication string CO, User, RA SHA2-256 Encrypted via password with a minimum N/A External N/A Zeroize Service VPN Password Cert. #A2907 SSH or TLS hash length of eight (8) (SHA2-256) characters. Secrets used by Encrypted via HDD/RAM RADIUS or TACACS+ Protocol Secrets N/A N/A N/A IPsec, SSH or N/A Zeroize Service
256 bits per N/A N/A Power cycle
String plaintext SP 800-90B Cert. #A2907 Input length = 384 bits CKG (vendor DRBG seed coming affirmed), Counter Entropy as from the entropy DRBG RAM DRBG Seed 256 bits per N/A N/A Power cycle source Plaintext SP 800-90B Cert. #A2907 Seed length = 384 bits CKG (vendor affirmed), Counter AES 256 CTR DRBG Entropy as DRBG RAM - state Key used in the DRBG Key 256 bits per N/A N/A Power cycle plaintext generation of a SP 800-90B Cert. #A2907 random values CKG (vendor affirmed), Counter AES 256 CTR DRBG Entropy as DRBG RAM - state V used in the DRBG V 128 bits per N/A N/A Power cycle plaintext generation of a SP 800-90B Cert. #A2907 random values SNMPv3 Used to support Authentication KDF SNMP Encrypted via HDD/RAM SNMPv3 services N/A N/A N/A Zeroize Service Secret Cert. #A2907 TLS/SSH
Session Key KDF SNMP N/A N/A Zeroize Service encryption key minimum Cert. #A2907 Plaintext (AES 128 CFB) Note: SSPs are implicitly zeroized when power is lost, or explicitly zeroized by the zeroize service. In the case of implicit zeroization, the SSPs are implicitly overwritten with random values due to their ephemeral memory being reset upon power loss. For the zeroization service and zeroization at session termination, the SSP's memory location is overwritten with random values. © 2024 Palo Alto Networks, Inc. PAN-OS 10.2 VM-Series Security Policy 21
Table 11 - Non-Deterministic Random Number Generation Specification Entropy Source Minimum number of bits of entropy Details ESV Cert. #E69 Palo Alto Networks DRNG Entropy 256 bits Source Entropy source provides full entropy, which is provided in the 384 bit seed. 10. Self-Tests The cryptographic module performs the following tests below. The operator can command the module to perform the pre-operational and cryptographic algorithm self-tests by cycling power of the module; these tests do not require any additional operator action. Pre-operational Self-Tests Pre-operational Software Integrity Test
Alternatively, the VM-Series version can be obtained by running the following commands via CLI (as an authorized administrator): 1. request system software check 2. request system software download version 10.2.8-h4 3. request system software install version 10.2.8-h4 4. request restart system Palo Alto Network provides an Administrator Guide for additional information noted in the “Reference Documents” section of this Security Policy. The module design corresponds to the module security rules noted in the section below. Module Enforced Security Rules When FIPS-CC mode is enabled, the module runs all the required items noted in Section 10 Self-tests. This section documents the security rules enforced by the cryptographic module to implement the security requirements of this FIPS 140-3 Level 1 module.
Vendor Imposed Security Rules In FIPS-CC mode, the following rules shall apply:
CVL