| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Historical |
| Caveat | Interim Validation. When installed, initialized and configured as specified in section "Secure Operation" of the Security Policy and operated in approved mode |
| Vendor | Palo Alto Networks, Inc. |
| Algorithm | ACVP Cert |
|---|---|
| AES-CBC | A3564 |
| AES-CBC | A3566 |
| AES-CTR | A3563 |
| AES-ECB | A3563 |
| AES-GCM | A3563 |
| AES-GCM | A3564 |
| Counter DRBG | A3563 |
| ECDSA KeyGen (FIPS186-4) | A3563 |
| ECDSA KeyGen (FIPS186-4) | A3564 |
| ECDSA SigGen (FIPS186-4) | A3563 |
| ECDSA SigVer (FIPS186-4) | A3563 |
| HMAC DRBG | A3564 |
| HMAC-SHA-1 | A3563 |
| HMAC-SHA2-224 | A3563 |
| HMAC-SHA2-256 | A3564 |
| HMAC-SHA2-256 | A3566 |
| HMAC-SHA2-384 | A3563 |
| HMAC-SHA2-384 | A3564 |
| HMAC-SHA2-512 | A3563 |
| HMAC-SHA2-512 | A3564 |
| KAS-ECC-SSC Sp800-56Ar3 | A3563 |
| KAS-ECC-SSC Sp800-56Ar3 | A3564 |
| KDF IKEv2 | A3563 |
| KDF SNMP | A3563 |
| KDF SSH | A3563 |
| KDF TLS | A3563 |
| KDF TLS | A3564 |
| RSA KeyGen (FIPS186-4) | A3563 |
| RSA SigGen (FIPS186-4) | A3563 |
| RSA SigVer (FIPS186-4) | A3563 |
| RSA SigVer (FIPS186-4) | A3572 |
| SHA-1 | A3566 |
| SHA2-224 | A3563 |
| SHA2-224 | A3564 |
| SHA2-256 | A3563 |
| SHA2-256 | A3564 |
| SHA2-384 | A3563 |
| SHA2-384 | A3564 |
| SHA2-512 | A3563 |
| SHA2-512 | A3564 |
flowchart LR
%% Deterministic review-risk graph for Palo Alto Networks SD-WAN Virtual Instant-On Network (vION)
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Update</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Status Output<br/>Self-Test<br/>Show Status</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Palo Alto Networks SD-WAN Virtual Instant-On Network (vION)
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Update</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>Status Output<br/>Self-Test<br/>Show Status</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;Palo Alto Networks SD-WAN Virtual Instant-On Network (vION) Software Version: 6.1.2 Documentation Version: 1.4 Last Update: June 11, 2024 Palo Alto Networks, Inc. www.paloaltonetworks.com © 2024 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. Revision Date: June 11, 2024 Document Version: 1.4
| # | Section | Page |
|---|
1 General 1
2 Cryptographic module specification 1
3 Cryptographic module interfaces 1
4 Roles, services, and authentication 1
5 Software/Firmware security 1
6 Operational environment 1
7 Physical security N/A
8 Non-invasive security N/A
9 Sensitive security parameter management 1
10 Self-tests 1
11 Life-cycle assurance 1
12 Mitigation of other attacks N/A
Table 1 - Security Levels The module is designed to meet an overall security level 1. 2. Cryptographic Module Specification The module is a multi-chip standalone software module running on a general-purpose computing platform. FIPS 140-3 conformance testing was performed at Security Level 1 with the configurations noted in the table 2 below. # Operating System Hardware Platform Processor PAA/Acceleration
1 KVM on Ubuntu 20.04 Supermicro SYS-2049-TR Intel Xeon Gold 6230 with PAA
2 KVM on Ubuntu 20.04 Supermicro SYS-2049-TR Intel Xeon Gold 6230 without PAA
Table 2 - Tested Operational Environments # Operating System Hardware Platform
5 VMware ESXi Dependent on Provider/GPC
© 2024 Palo Alto Networks, Inc. Palo Alto Networks SD-WAN Virtual Instant-On Network (vION) 3
Table 3 - Vendor Affirmed Operational Environments Note: The vION comes in either ION 3108V or ION 7108V, which is the same functionality just with differences such as throughput. The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when ported to an operational environment which is not listed on the validation certificate. Modes of Operation The module has one approved mode of operation and is always in approved mode of operation after initial operations are performed (See Section 11). The module does not claim implementation of a degraded mode of operation. Section 4 provides details on the service indicator implemented by the module. The tables below list all Approved or Vendor-affirmed security functions of the module, including specific key size(s) (in bits unless noted otherwise) employed for Approved services, and implemented modes of operation. There are some algorithm modes that were tested but not implemented by the module. Only the algorithms, modes, and key sizes that are implemented by the module are shown in these tables. CAVP Algorithm and Mode/Method Description/Key Size(s) / Use / Function Cert Standard Key Strength(s) A3566 AES: ECB 128, 192, and 256 bits Data Encryption/Decryption
4 Palo Alto Networks SD-WAN Virtual Instant-On © 2024 Palo Alto Networks, Inc.
CAVP Algorithm and Mode/Method Description/Key Size(s) / Use / Function Cert Standard Key Strength(s) A3566 KAS KAS (ECC) KAS (ECC): Key Agreement Scheme per SP800
Table 4 - Approved Algorithms (Crypto Library - I) CAVP Algorithm and Mode/Method Description/Key Size(s) / Use / Function Cert Standard Key Strength(s) A3572 AES: CBC 128 or 256 bits Data Encryption/Decryption
6 Palo Alto Networks SD-WAN Virtual Instant-On © 2024 Palo Alto Networks, Inc.
CAVP Algorithm and Mode/Method Description/Key Size(s) / Use / Function Cert Standard Key Strength(s) Generation (CKG) for asymmetric keys as per section 5 in SP800133rev2 (vendor affirmed). A seed (i.e., the random value) used in asymmetric key generation is a direct output from SP800-90Arev1 DRBG (DRBG Cert. #A3572) Table 5 - Approved Algorithms (Crypto Library
52 Rev1, Section 3.3.1. The operations of one of the two parties involved in the TLS key establishment scheme
were performed entirely within the cryptographic boundary of the module being validated. The counter portion of the IV is set by the module within its cryptographic boundary. When the IV exhausts the maximum number of possible values for a given session key, the first party, client or server, to encounter this condition will trigger a handshake to establish a new encryption key. In case the module’s power is lost and then restored, a new key for use with the AES GCM encryption/decryption shall be established.
Figure 1 - Block Diagram
8 Palo Alto Networks SD-WAN Virtual Instant-On © 2024 Palo Alto Networks, Inc.
Crypto Officer Configure SSHv2 Commands to configure SSHv2 Status of the completion of SSHv2 Function configuration Crypto Officer Configure TLSv1.2 Commands to configure TLSv1.2 Status of the completion of TLSv1.2 Function configuration Crypto Officer Configure SNMPv3 Commands to configure SNMPv3 Status of the completion of SNMPv3 Function configuration Crypto Officer Configure IPsec/IKEv2 Commands to configure Status of the completion of IPSec/IKEv2 Function IPSec/IKEv2 configuration Crypto Officer Run SSHv2 Function Initiate SSHv2 tunnel establishment Status of SSHv2 tunnel establishment request Crypto Officer Run TLSv1.2 Function Initiate TLSv1.2 tunnel establishment Status of TLSv1.2 tunnel establishment request Crypto Officer Run SNMPv3 Function Initiate SNMPv3 tunnel Status of SNMPv3 tunnel establishment establishment request Crypto Officer Run IPSec/IKEv2 Initiate of IPSec/IKEv2 tunnel Status of IPSec/IKEv2 tunnel establishment Function establishment Table 8
Service Description Approved Security Keys and/or SSPs Roles Access rights Indicator Functions to Keys and / or SSPs SSH ECDSA Public Key (PSP); SSH Session Encryption Key (CSP); SSH Session Authentication Key (CSP); Configure Create a secure AES-CBC; DRBG Entropy Input (CSP); Crypto G/R/W/E Global TLSv1.2 Function TLSv1.2 channel AES-GCM; DRBG Seed (CSP); Officer indicator and CKG; DRBG Internal State V Value TLS success CTR_DRBG; (CSP); log message HMAC_DRBG; DRBG Key (CSP); HMAC-SHA2-256; TLS RSA Private Key (CSP); HMAC-SHA2-384; TLS RSA Public Key (PSP); KAS-SSC (ECC); TLS ECDHE Private Key KAS (ECC); (CSP); KTS; TLS ECDHE Public Key (PSP); RSA KeyGen; Peer TLS ECDHE Public Key RSA SigGen; (PSP); RSA SigVer; TLS ECDHE Shared Secret KDF TLS; (CSP); TLS Pre-Master Secret (CSP); TLS Master Secret (CSP); TLS Session Encryption Key (CSP); TLS Session Authentication Key (CSP); Configure Create a secure AES-CBC; SNMPv3 Authentication Crypto G/R/W/E Global SNMPv3 SNMPv3 channel HMAC-SHA-1; Secret (CSP); Officer indicator and Function KDF SNMP; SNMPv3 Session Encryption SNMPv3 Key (CSP); success log SNMPv3 Session message Authentication Key (CSP); Configure Create IPSec/IKEv2 AES-CBC; DRBG Entropy Input (CSP); Crypto G/R/W/E Global IPsec/IKEv2 tunnel CKG; DRBG Seed (CSP); Officer indicator and Function CTR_DRBG; DRBG Internal State V Value IPSec success HMAC-SHA-1; (CSP); log message HMAC-SHA2-256; DRBG Key (CSP); HMAC-SHA2-384; IPSec/IKE Pre-Shared Secret HMAC-SHA2-512; (CSP); KAS-SSC (ECC); IPSec/IKE RSA Private Key KAS (ECC); (CSP); RSA KeyGen; IPSec/IKE RSA Public Key RSA SigGen; (PSP); RSA SigVer; IPSec/IKE ECDHE Private KDF IKEV2 Key (CSP); IPSec/IKE ECDHE Public Key (PSP); IPSec/IKE ECDHE Shared Secret (CSP); IPSec/IKE Session Encryption Key (CSP); IPSec/IKE Session Authentication Key (CSP); Run SSHv2 Negotiation and AES-CTR; DRBG Entropy Input (CSP); Crypto G/R/W/E Global Function encrypted data CKG; DRBG Seed (CSP); Officer indicator and transport via SSH CTR_DRBG; DRBG Internal State V Value SSH ECDSA KeyGen; (CSP); connection log ECDSA SigGen; DRBG Key (CSP); message ECDSA SigVer; SSH ECDHE Private Key HMAC-SHA-1; (CSP); HMAC-SHA2-256; SSH ECDHE Public Key (PSP); HMAC-SHA2-512; Peer SSH ECDHE Public Key KAS-SSC (ECC); (PSP);
10 Palo Alto Networks SD-WAN Virtual Instant-On © 2024 Palo Alto Networks, Inc.
Service Description Approved Security Keys and/or SSPs Roles Access rights Indicator Functions to Keys and / or SSPs KAS (ECC); SSH ECDHE Shared Secret KDF SSH (CSP); SSH ECDSA Private Key (CSP); SSH ECDSA Public Key (PSP); SSH Session Encryption Key (CSP); SSH Session Authentication Key (CSP); Run TLSv1.2 Negotiation and AES-CBC; DRBG Entropy Input (CSP); Crypto G/R/W/E Global Function encrypted data AES-GCM; DRBG Seed (CSP); Officer indicator and transport via TLS CKG; DRBG Internal State V Value TLS success CTR_DRBG; (CSP); log message HMAC_DRBG; DRBG Key (CSP); HMAC-SHA2-256; TLS RSA Private Key (CSP); HMAC-SHA2-384; TLS RSA Public Key (PSP); KAS-SSC (ECC); TLS ECDHE Private Key KAS (ECC); (CSP); KTS; TLS ECDHE Public Key (PSP); RSA KeyGen; Peer TLS ECDHE Public Key RSA SigGen; (PSP); RSA SigVer; TLS ECDHE Shared Secret KDF TLS; (CSP); TLS Pre-Master Secret (CSP); TLS Master Secret (CSP); TLS Session Encryption Key (CSP); TLS Session Authentication Key (CSP); Run SNMPv3 Negotiation and AES-CBC; SNMPv3 Authentication Crypto G/R/W/E Global Function encrypted data HMAC-SHA-1; Secret (CSP); Officer indicator and transport via KDF SNMP; SNMPv3 Session Encryption SNMPv3 SNMPv3 Key (CSP); success log SNMPv3 Session message Authentication Key (CSP); Run IPSec/IKEv2 Negotiation and AES-CBC; DRBG Entropy Input (CSP); Crypto G/R/W/E Global Function encrypted data CKG; DRBG Seed (CSP); Officer indicator and transport via IPSec CTR_DRBG; DRBG Internal State V Value IPSec/IKEv2 HMAC-SHA-1; (CSP); success log HMAC-SHA2-256; DRBG Key (CSP); message HMAC-SHA2-384; IPSec/IKE Pre-Shared Secret HMAC-SHA2-512; (CSP); KAS-SSC (ECC); IPSec/IKE RSA Private Key KAS (ECC); (CSP); RSA KeyGen; IPSec/IKE RSA Public Key RSA SigGen; (PSP); RSA SigVer; IPSec/IKE ECDHE Private KDF IKEV2 Key (CSP); IPSec/IKE ECDHE Public Key (PSP); IPSec/IKE ECDHE Shared Secret (CSP); IPSec/IKE Session Encryption Key (CSP); IPSec/IKE Session Authentication Key (CSP); Table 9
W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroizes the SSP. Unauthenticated Services Unauthenticated Users can run the self-test service by power-cycling the module by removing the power and re-applying.
12 Palo Alto Networks SD-WAN Virtual Instant-On © 2024 Palo Alto Networks, Inc.
Key/SSP Strength Security Generation Import/Export Establish- Storage Zeroization Use & Related Name/Typ Function and ment Keys e Cert. Number TLS ECDHE 128
Pre-Shared Encrypted by SSP/CSP/PSP peer authentication Secret characters using TLS/SSH Note: The module does Zeroization (CSP) session key not provide persistent Command keys/ SSPs storage Export: No IPSec/IKE 112 or 128 CKG; Internally generated Import: No N/A HDD (plaintext) Zeroized by Used for IPSec/IKE RSA Private bits DRBG; conformant to SP800- SSP/CSP/PSP peer authentication Key RSA SigGen; 133r2 (CKG) using FIPS Export: No Note: The module does Zeroization (CSP) (Modulus: 186-4 RSA key generation not provide persistent Command 2048, 3072 Cert# A3566 method, and the random keys/ SSPs storage bits) value used in key generation is generated using SP800-90Arev1 DRBG IPSec/IKE 112 or 128 RSA SigVer; Internally derived per the Import: No N/A HDD (plaintext) Zeroized by Used for IPSec/IKE RSA Public bits FIPS 186-4 RSA key Export: to the SSP/CSP/PSP peer authentication Key Cert. #A3566 generation method IKE Peer Note: The module does Zeroization (PSP) (Modulus: application not provide persistent Command 2048, 3072 keys/ SSPs storage bits) IPSec/IKE 128 or 192 CKG; Internally generated Import: No N/A DRAM (plaintext) Zeroized when Used to derive ECDHE bits DRBG; conformant to SP800- the tested IPSec/IKE ECDHE Private Key KAS-ECC-SSC; 133r2 (CKG) using SP800- Export: No Note: The module does platform is Shared Secret (CSP) (Curves: P- 56Arev3 EC Diffie-Hellman not provide persistent powered down
256 or Cert. #A3566 key generation method, and keys/ SSPs storage
P-384) the random value used in key generation is generated using SP800-90Arev1 DRBG IPSec/IKE 128 or 192 KAS-ECC-SSC; Internally derived internally Import: No N/A DRAM (plaintext) Zeroized when Used to derive ECDHE bits per the EC Diffie-Hellman Export: to the the tested IPSec/IKE ECDHE Public Key Cert. #A3566 key agreement IKE Peer Note: The module does platform is Shared Secret (PSP) (Curves: P- (SP800-56Arev3) application not provide persistent powered down
256 or keys/ SSPs storage
P-384) IPSec/IKE 128 or 192 KAS-ECC-SSC; Internally derived Import: No N/A DRAM (plaintext) Zeroized when Used to derive ECDHE bits using the tested IPSec/IKE Session Shared Secret Cert. #A3566 SP800-56A rev3 Export: No Note: The module does platform is Encryption Keys, (CSP) (Curves: P- EC Diffie-Hellman shared not provide persistent powered down IPSec/IKE
256 or secret computation keys/ SSPs storage Authentication
14 Palo Alto Networks SD-WAN Virtual Instant-On © 2024 Palo Alto Networks, Inc.
Key/SSP Strength Security Generation Import/Export Establish- Storage Zeroization Use & Related Name/Typ Function and ment Keys e Cert. Number IPSec/IKE 128-256 AES-CBC; Internally derived via key Import: No N/A DRAM (plaintext) Zeroized when Used to secure Session bits KDF IKEv2; derivation function defined the tested IPSec/IKEv2 Encryption in SP800-135rev1 KDF Export: No Note: The module does platform is session Key Cert. #A3566 (IKEv2) not provide persistent powered down confidentiality (CSP) keys/ SSPs storage IPSec/IKE At least 112 HMAC-SHA-1; Internally derived via key Import: No N/A DRAM (plaintext) Zeroized when Used to secure Session bits HMAC-SHA2- derivation function defined the tested IPSec/IKEv2 Authenticatio 256; in SP800-135rev1 KDF Export: No Note: The module does platform is session integrity n Key HMAC-SHA2- (IKEv2) not provide persistent powered down (CSP) 384; keys/ SSPs storage HMAC-SHA2512; KDF IKEv2; Cert. #A3566 SNMPv3 8 characters N/A N/A Import: MD/EE HDD (plaintext) Zeroized by Used for SNMPv3 Authenticatio minimum Encrypted by SSP/CSP/PSP User authentication n Secret using TLS/SSH Note: The module does Zeroization (CSP) session key not provide persistent Command keys/ SSPs storage Export: No SNMPv3 128 bits AES-CFB; Internally derived via key Import: No N/A DRAM (plaintext) Zeroized when Used to secure Session KDF SNMP; derivation function defined the tested SNMPv3 session Encryption in SP800-135rev1 KDF Export: No Note: The module does platform is confidentiality Key Cert. #A3566 (SNMPv3) not provide persistent powered down (CSP) keys/ SSPs storage SNMPv3 At least 112 HMAC-SHA-1; Internally derived via key Import: No N/A DRAM (plaintext) Zeroized when Used to secure Session bits KDF SNMP; derivation function defined the tested SNMPv3 session Authenticatio in SP800-135rev1 KDF Export: No Note: The module does platform is integrity n Key Cert. #A3566 (SNMPv3) not provide persistent powered down (CSP) keys/ SSPs storage SSH ECDHE 128-256 CKG; Internally generated Import: No N/A DRAM (plaintext) Zeroized when Used to derive the Private Key bits DRBG; conformant to SP800- the tested SSH ECDHE Shared (CSP) KAS-ECC-SSC; 133r2 (CKG) using SP800- Export: No Note: The module does platform is Secret (Curves: P- 56Arev3 EC Diffie-Hellman not provide persistent powered down 256, Cert. #A3566 key generation method, and keys/ SSPs storage P-384, or P- the random value used in 521) key generation is generated using SP800-90Arev1 DRBG SSH ECDHE 128-256 KAS-ECC-SSC; Internally derived internally Import: No N/A DRAM (plaintext) Zeroized when Used to derive the Public Key bits per the EC Diffie-Hellman the tested SSH ECDHE Shared (PSP) Cert. #A3566 key agreement Export: Yes, to Note: The module does platform is Secret (Curves: P- (SP800-56Arev3) the SSH peer not provide persistent powered down 256, keys/ SSPs storage P-384, or P521) Peer SSH 128-256 KAS-ECC-SSC; N/A Import: Enter N/A DRAM (plaintext) Zeroized when Used to derive SSH ECDHE bits KAS-ECC; into the Module the tested ECDHE Shared Public Key via the Module’s Note: The module does platform is Secret (PSP) (Curves: P- Cert.#A3566 API not provide persistent powered down 256, keys/ SSPs storage P-384, or P- Export: No 521) SSH ECDHE 128-256 KAS-ECC-SSC; Internally derived Import: No N/A DRAM (plaintext) Zeroized when Used to derive SSH Shared Secret bits KAS-ECC; using the tested Session Encryption (CSP) SP800-56A rev3 Export: No Note: The module does platform is Keys, SSH Session (Curves: P- Cert. #A3566 EC Diffie-Hellman shared not provide persistent powered down Authentication 256, secret computation keys/ SSPs storage Keys P-384, or P521) SSH ECDSA 128-256 CKG; Internally generated Import: No SSP HDD (plaintext) Zeroized by SSP Used for SSH Private Key bits DRBG; conformant to SP800- generation (CSP/PSP) session (CSP) ECDSA KeyGen; 133r2 (CKG) using FIPS Export: No Note: The module does Zeroization authentication (Curves: P- ECDSA SigGen; 186-4 ECDSA Key not provide persistent Command 256, Generation method, and keys/ SSPs storage P-384, or P- the random value used in 521) Cert. #A3566 key generation is generated using SP800-90Arev1 DRBG SSH ECDSA 128-256 ECDSA KeyGen; Internally derived per the Import: No N/A HDD (plaintext) Zeroized by Used for SSH Public Key bits ECDSA SigVer; FIPS 186-4 ECDSA Keypair SSP/CSP/PSP session (PSP) generation method Export: Yes, to Note: The module does Zeroization authentication (Curves: P- Cert. #A3566 the SSH peer not provide persistent Command 256, keys/ SSPs storage P-384, or P521) SSH Session 128 - 256 AES-CTR; Internally derived via key Import: No Key DRAM (plaintext) Zeroized when Used for SSH Encryption bits KDF SSH; derivation function defined derivation the tested session Key KTS; in SP 800-135rev1 KDF Export: No Note: The module does platform is confidentiality (CSP) (SSHv2) not provide persistent powered down protection Cert. #A3566 keys/ SSPs storage © 2024 Palo Alto Networks, Inc. Palo Alto Networks SD-WAN Virtual Instant-On Network (vION) 15
Key/SSP Strength Security Generation Import/Export Establish- Storage Zeroization Use & Related Name/Typ Function and ment Keys e Cert. Number SSH Session At least 112 KDF SSH; Internally derived via key Import: No Key DRAM (plaintext) Zeroized when Used for SSH Authenticatio bits KTS; derivation function defined derivation the tested session integrity n Key HMAC-SHA-1; in SP 800-135rev1 KDF Export: No Note: The module does platform is protection (CSP) HMAC-SHA2- (SSHv2) not provide persistent powered down 256; keys/ SSPs storage HMAC-SHA2512; Cert. #A3566 Table 10 - SSPs Entropy Source(s) Minimum Number of Bits of Entropy Details Palo Alto Networks DRNG Entropy Source 0.6 bits entropy per sample with Please refer to ESV Cert. #E69 sample bit: 1 bit Table 11 - Non-Deterministic Random Number Generation Specification 10. Self-Tests The module performs the following self-tests, including the pre-operational self-tests and Conditional self-tests. Pre-Operational Self-Tests Algorithm Self-Test Details SHS KAT using SHA2-256 HMAC KAT using HMAC- SHA2-256 Software integrity Using HMAC-SHA2-256 Table 12 - Pre-Operational Self-Tests The module performs the following Cryptographic Algorithm Self-Tests (CASTs). These CASTs can be initiated by rebooting the module. All CASTs run without operator intervention automatically on reboot. Conditional Self-Tests Cryptographic Algorithm Self-Tests (CASTs) Algorithm Self-Test Details AES AES-ECB 256 bits Encryption KAT AES AES-ECB 256 bits Decryption KAT AES AES-CBC 256 bits Encryption KAT AES AES-CBC 256 bits Decryption KAT AES AES-GCM 256 bits Encryption KAT AES AES-GCM 256 bits Decryption KAT DRBG CTR_DRBG KAT: Instantiate KAT: Generate KAT: Reseed Note: DRBG Health Tests as specified in SP800-90Arev1 DRBG Section 11.3 are performed) ECDSA KAT using P-224 with SHA2-256 (ECDSA Signature Generation) ECDSA KAT using P-224 with SHA2-256 (ECDSA Signature Verification) HMAC KAT using HMAC-SHA-1
16 Palo Alto Networks SD-WAN Virtual Instant-On © 2024 Palo Alto Networks, Inc.
Algorithm Self-Test Details HMAC KAT using HMAC-SHA2-224 HMAC KAT using HMAC-SHA2-256 HMAC KAT using HMAC-SHA2-384 HMAC KAT using HMAC-SHA2-512 KAS-ECC-SSC KAT for KAS-ECC-SSC (Shared Secret Computation) primitive Z value KDF IKEv2 KAT for IKEv2 KDF KDF SNMP KAT for SNMPv3 KDF KDF SSH KAT for SSHv2 KDF KDF TLS KAT for TLSv1.2 KDF RSA KAT using 2048 bits modulus with SHA2-256 (RSA Signature Generation) RSA KAT using 2048 bits modulus with SHA2-256 (RSA Signature Verification) SHS KAT using SHA-1 Table 13
Table 16 - Conditional Pair-Wise Consistency Tests (Crypto Library I) Algorithm Self-Test Details RSA RSA Pairwise consistency test (PCT) ECDSA ECDSA PCT SP800-56Ar3 KAS-ECC-SSC SP800-56Ar3 KAS-ECC-SSC PCT Table 17 - Conditional Pair-Wise Consistency Tests (Crypto Library II) Conditional Software Load Test Conditional Self-Tests Algorithm Self-Test Details Software Load Test RSA 2048 with SHA2-256 Signature Verification Table 18 - Conditional Software Load Test Periodic/On-Demand Self-Test The module performs on-demand self-tests initiated by the operator, by power cycling or rebooting the tested platform. The full suite of self-tests is then executed. The same procedure may be employed by the operator to perform periodic self-tests. It is recommended that the Crypto Officer perform periodic testing of the module’s on-demand self-tests every 60 days to ensure all components are functioning correctly. Error Handling If any of the above-mentioned self-tests fail, the module reports the cause of the error and enters an error state (there is only one error state). In the Error State, no cryptographic services are provided, and data output is prohibited. The only method to recover from the error state is to reboot the module and perform the self-tests, including the pre-operational software integrity test and the conditional CASTs. The module will only enter into the operational state after successfully passing the pre-operational software integrity test and the conditional CASTs. The table below shows the different causes that lead to the Error State and the status indicators reported. Cause of Error Error State Indicator Failed Pre-Operational Software Integrity Test Integrity check failed at <location> Failed Conditional CAST <Crypto Library>: FIPS Self-test failed for <algorithm> Entering error state Failed Conditional PCT Key verification failed Failed Software Load Test Verification Failure SP 800-90B Entropy Source No random numbers are generated and key generation is Start-up/Continuous health tests halted Table 19 - Error State Indicators 11. Life-Cycle Assurance The module is designed to handle the various stages of a module’s life-cycle. The sections below highlight the details for each stage. Secure Delivery Procedures Software is available on Palo Alto Networks’ support site, which uses TLS 1.2 during the download process. The support site also provides a SHA2-256 checksum that Crypto Officers can use to verify the integrity of the module once it has been transferred/downloaded.
18 Palo Alto Networks SD-WAN Virtual Instant-On © 2024 Palo Alto Networks, Inc.
Secure Operation The module meets all the Level 1 requirements for FIPS 140-3. Follow the secure operations provided below to place the module in the Approved mode. The software version is 6.1.2, which is the only allowable software image for this current approved mode of operation. The module is initiated into the Approved mode of operation via the following procedure: