All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Palo Alto Networks SD-WAN Virtual Instant-On Network (vION)

Certificate#4768StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusHistoricalVendorPalo Alto Networks, Inc.
High review priority  ·  no TCB surface named  ·  last validated 23 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusHistorical
CaveatInterim Validation. When installed, initialized and configured as specified in section "Secure Operation" of the Security Policy and operated in approved mode
VendorPalo Alto Networks, Inc.

Approved Algorithms (40)

AlgorithmACVP Cert
AES-CBCA3564
AES-CBCA3566
AES-CTRA3563
AES-ECBA3563
AES-GCMA3563
AES-GCMA3564
Counter DRBGA3563
ECDSA KeyGen (FIPS186-4)A3563
ECDSA KeyGen (FIPS186-4)A3564
ECDSA SigGen (FIPS186-4)A3563
ECDSA SigVer (FIPS186-4)A3563
HMAC DRBGA3564
HMAC-SHA-1A3563
HMAC-SHA2-224A3563
HMAC-SHA2-256A3564
HMAC-SHA2-256A3566
HMAC-SHA2-384A3563
HMAC-SHA2-384A3564
HMAC-SHA2-512A3563
HMAC-SHA2-512A3564
KAS-ECC-SSC Sp800-56Ar3A3563
KAS-ECC-SSC Sp800-56Ar3A3564
KDF IKEv2A3563
KDF SNMPA3563
KDF SSHA3563
KDF TLSA3563
KDF TLSA3564
RSA KeyGen (FIPS186-4)A3563
RSA SigGen (FIPS186-4)A3563
RSA SigVer (FIPS186-4)A3563
RSA SigVer (FIPS186-4)A3572
SHA-1A3566
SHA2-224A3563
SHA2-224A3564
SHA2-256A3563
SHA2-256A3564
SHA2-384A3563
SHA2-384A3564
SHA2-512A3563
SHA2-512A3564

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Palo Alto Networks SD-WAN Virtual Instant-On Network (vION)
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Update</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Status Output<br/>Self-Test<br/>Show Status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Palo Alto Networks SD-WAN Virtual Instant-On Network (vION)
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Update</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Status Output<br/>Self-Test<br/>Show Status</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Palo Alto Networks SD-WAN Virtual Instant-On Network (vION) Software Version: 6.1.2 Documentation Version: 1.4 Last Update: June 11, 2024 Palo Alto Networks, Inc. www.paloaltonetworks.com © 2024 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. Revision Date: June 11, 2024 Document Version: 1.4

Page 2
Table of Contents
#SectionPage
Page 3
  1. General The table below provides the security levels of the various sections of FIPS 140-3 in relation to the Palo Alto Networks SD-WAN Virtual Instant-On Network (vION), hereinafter referred to as the Module or vION module. The Palo Alto Networks SD-WAN Virtual Instant-On Network (vION) enables the integration of a diverse set of wide area network (WAN) connection types, improves application performance and visibility, enhances security and compliance, and reduces the overall cost and complexity of a WAN. Built with the intent to reduce remote infrastructure, Palo Alto Networks SD-WAN vION enables the cloud-delivered branch. The vION module software version is 6.1.2. ISO/IEC 24759 Section
  2. FIPS 140-3 Section Title Security Level [Number Below]

1 General 1

2 Cryptographic module specification 1

3 Cryptographic module interfaces 1

4 Roles, services, and authentication 1

5 Software/Firmware security 1

6 Operational environment 1

7 Physical security N/A

8 Non-invasive security N/A

9 Sensitive security parameter management 1

10 Self-tests 1

11 Life-cycle assurance 1

12 Mitigation of other attacks N/A

Table 1 - Security Levels The module is designed to meet an overall security level 1. 2. Cryptographic Module Specification The module is a multi-chip standalone software module running on a general-purpose computing platform. FIPS 140-3 conformance testing was performed at Security Level 1 with the configurations noted in the table 2 below. # Operating System Hardware Platform Processor PAA/Acceleration

1 KVM on Ubuntu 20.04 Supermicro SYS-2049-TR Intel Xeon Gold 6230 with PAA

2 KVM on Ubuntu 20.04 Supermicro SYS-2049-TR Intel Xeon Gold 6230 without PAA

Table 2 - Tested Operational Environments # Operating System Hardware Platform

1 AWS Dependent on Provider
2 Azure Dependent on Provider
3 Google Cloud Dependent on Provider
4 OCI using KVM Dependent on Provider

5 VMware ESXi Dependent on Provider/GPC

6 ION 7108V GPC
7 ION 3108V GPC

© 2024 Palo Alto Networks, Inc. Palo Alto Networks SD-WAN Virtual Instant-On Network (vION) 3

Page 4

Table 3 - Vendor Affirmed Operational Environments Note: The vION comes in either ION 3108V or ION 7108V, which is the same functionality just with differences such as throughput. The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when ported to an operational environment which is not listed on the validation certificate. Modes of Operation The module has one approved mode of operation and is always in approved mode of operation after initial operations are performed (See Section 11). The module does not claim implementation of a degraded mode of operation. Section 4 provides details on the service indicator implemented by the module. The tables below list all Approved or Vendor-affirmed security functions of the module, including specific key size(s) (in bits unless noted otherwise) employed for Approved services, and implemented modes of operation. There are some algorithm modes that were tested but not implemented by the module. Only the algorithms, modes, and key sizes that are implemented by the module are shown in these tables. CAVP Algorithm and Mode/Method Description/Key Size(s) / Use / Function Cert Standard Key Strength(s) A3566 AES: ECB 128, 192, and 256 bits Data Encryption/Decryption

4 Palo Alto Networks SD-WAN Virtual Instant-On © 2024 Palo Alto Networks, Inc.

Page 5

CAVP Algorithm and Mode/Method Description/Key Size(s) / Use / Function Cert Standard Key Strength(s) A3566 KAS KAS (ECC) KAS (ECC): Key Agreement Scheme per SP800

Page 6

Table 4 - Approved Algorithms (Crypto Library - I) CAVP Algorithm and Mode/Method Description/Key Size(s) / Use / Function Cert Standard Key Strength(s) A3572 AES: CBC 128 or 256 bits Data Encryption/Decryption

6 Palo Alto Networks SD-WAN Virtual Instant-On © 2024 Palo Alto Networks, Inc.

Page 7

CAVP Algorithm and Mode/Method Description/Key Size(s) / Use / Function Cert Standard Key Strength(s) Generation (CKG) for asymmetric keys as per section 5 in SP800133rev2 (vendor affirmed). A seed (i.e., the random value) used in asymmetric key generation is a direct output from SP800-90Arev1 DRBG (DRBG Cert. #A3572) Table 5 - Approved Algorithms (Crypto Library

52 Rev1, Section 3.3.1. The operations of one of the two parties involved in the TLS key establishment scheme

were performed entirely within the cryptographic boundary of the module being validated. The counter portion of the IV is set by the module within its cryptographic boundary. When the IV exhausts the maximum number of possible values for a given session key, the first party, client or server, to encounter this condition will trigger a handshake to establish a new encryption key. In case the module’s power is lost and then restored, a new key for use with the AES GCM encryption/decryption shall be established.

Page 8

Figure 1 - Block Diagram

  1. Cryptographic Module Interfaces The module is a software only module that operates on a general purpose computing (GPC) platform. The physical ports and logical interfaces are consistent with a GPC operating environment. The module supports the following FIPS 140-3 logical interfaces. Physical Port Logical Interface Data that passes over port/interface N/A Data Input Interface API input parameters for data N/A Data Output Interface API output parameters for data N/A Control Input Interface API function calls N/A Control Output Interface N/A N/A Status Output Interface Return values, and or log messages Table 7 - Ports and Interfaces
  2. Roles, Services, and Authentication The module supports role-based authentication, and provides a Crypto Officer role. The Crypto Officer role has the ability to perform all tasks and administrative actions. Role Service Input Output Crypto Officer Self-Test Command to trigger Self-Test Status of the self-tests results Crypto Officer Zeroize Command to initiate the SSPs Status of the SSPs zeroization zeroization Crypto Officer Show Version Command to show version Module’s name/ID and versions Crypto Officer Show Status Command to show status Module’s status information Crypto Officer Software Update Command to upload a new validated Status of the updated software installation software Crypto Officer Configure Network Commands to configure the module Status of the completion of network related configuration

8 Palo Alto Networks SD-WAN Virtual Instant-On © 2024 Palo Alto Networks, Inc.

Page 9

Crypto Officer Configure SSHv2 Commands to configure SSHv2 Status of the completion of SSHv2 Function configuration Crypto Officer Configure TLSv1.2 Commands to configure TLSv1.2 Status of the completion of TLSv1.2 Function configuration Crypto Officer Configure SNMPv3 Commands to configure SNMPv3 Status of the completion of SNMPv3 Function configuration Crypto Officer Configure IPsec/IKEv2 Commands to configure Status of the completion of IPSec/IKEv2 Function IPSec/IKEv2 configuration Crypto Officer Run SSHv2 Function Initiate SSHv2 tunnel establishment Status of SSHv2 tunnel establishment request Crypto Officer Run TLSv1.2 Function Initiate TLSv1.2 tunnel establishment Status of TLSv1.2 tunnel establishment request Crypto Officer Run SNMPv3 Function Initiate SNMPv3 tunnel Status of SNMPv3 tunnel establishment establishment request Crypto Officer Run IPSec/IKEv2 Initiate of IPSec/IKEv2 tunnel Status of IPSec/IKEv2 tunnel establishment Function establishment Table 8

Page 10

Service Description Approved Security Keys and/or SSPs Roles Access rights Indicator Functions to Keys and / or SSPs SSH ECDSA Public Key (PSP); SSH Session Encryption Key (CSP); SSH Session Authentication Key (CSP); Configure Create a secure AES-CBC; DRBG Entropy Input (CSP); Crypto G/R/W/E Global TLSv1.2 Function TLSv1.2 channel AES-GCM; DRBG Seed (CSP); Officer indicator and CKG; DRBG Internal State V Value TLS success CTR_DRBG; (CSP); log message HMAC_DRBG; DRBG Key (CSP); HMAC-SHA2-256; TLS RSA Private Key (CSP); HMAC-SHA2-384; TLS RSA Public Key (PSP); KAS-SSC (ECC); TLS ECDHE Private Key KAS (ECC); (CSP); KTS; TLS ECDHE Public Key (PSP); RSA KeyGen; Peer TLS ECDHE Public Key RSA SigGen; (PSP); RSA SigVer; TLS ECDHE Shared Secret KDF TLS; (CSP); TLS Pre-Master Secret (CSP); TLS Master Secret (CSP); TLS Session Encryption Key (CSP); TLS Session Authentication Key (CSP); Configure Create a secure AES-CBC; SNMPv3 Authentication Crypto G/R/W/E Global SNMPv3 SNMPv3 channel HMAC-SHA-1; Secret (CSP); Officer indicator and Function KDF SNMP; SNMPv3 Session Encryption SNMPv3 Key (CSP); success log SNMPv3 Session message Authentication Key (CSP); Configure Create IPSec/IKEv2 AES-CBC; DRBG Entropy Input (CSP); Crypto G/R/W/E Global IPsec/IKEv2 tunnel CKG; DRBG Seed (CSP); Officer indicator and Function CTR_DRBG; DRBG Internal State V Value IPSec success HMAC-SHA-1; (CSP); log message HMAC-SHA2-256; DRBG Key (CSP); HMAC-SHA2-384; IPSec/IKE Pre-Shared Secret HMAC-SHA2-512; (CSP); KAS-SSC (ECC); IPSec/IKE RSA Private Key KAS (ECC); (CSP); RSA KeyGen; IPSec/IKE RSA Public Key RSA SigGen; (PSP); RSA SigVer; IPSec/IKE ECDHE Private KDF IKEV2 Key (CSP); IPSec/IKE ECDHE Public Key (PSP); IPSec/IKE ECDHE Shared Secret (CSP); IPSec/IKE Session Encryption Key (CSP); IPSec/IKE Session Authentication Key (CSP); Run SSHv2 Negotiation and AES-CTR; DRBG Entropy Input (CSP); Crypto G/R/W/E Global Function encrypted data CKG; DRBG Seed (CSP); Officer indicator and transport via SSH CTR_DRBG; DRBG Internal State V Value SSH ECDSA KeyGen; (CSP); connection log ECDSA SigGen; DRBG Key (CSP); message ECDSA SigVer; SSH ECDHE Private Key HMAC-SHA-1; (CSP); HMAC-SHA2-256; SSH ECDHE Public Key (PSP); HMAC-SHA2-512; Peer SSH ECDHE Public Key KAS-SSC (ECC); (PSP);

10 Palo Alto Networks SD-WAN Virtual Instant-On © 2024 Palo Alto Networks, Inc.

Page 11

Service Description Approved Security Keys and/or SSPs Roles Access rights Indicator Functions to Keys and / or SSPs KAS (ECC); SSH ECDHE Shared Secret KDF SSH (CSP); SSH ECDSA Private Key (CSP); SSH ECDSA Public Key (PSP); SSH Session Encryption Key (CSP); SSH Session Authentication Key (CSP); Run TLSv1.2 Negotiation and AES-CBC; DRBG Entropy Input (CSP); Crypto G/R/W/E Global Function encrypted data AES-GCM; DRBG Seed (CSP); Officer indicator and transport via TLS CKG; DRBG Internal State V Value TLS success CTR_DRBG; (CSP); log message HMAC_DRBG; DRBG Key (CSP); HMAC-SHA2-256; TLS RSA Private Key (CSP); HMAC-SHA2-384; TLS RSA Public Key (PSP); KAS-SSC (ECC); TLS ECDHE Private Key KAS (ECC); (CSP); KTS; TLS ECDHE Public Key (PSP); RSA KeyGen; Peer TLS ECDHE Public Key RSA SigGen; (PSP); RSA SigVer; TLS ECDHE Shared Secret KDF TLS; (CSP); TLS Pre-Master Secret (CSP); TLS Master Secret (CSP); TLS Session Encryption Key (CSP); TLS Session Authentication Key (CSP); Run SNMPv3 Negotiation and AES-CBC; SNMPv3 Authentication Crypto G/R/W/E Global Function encrypted data HMAC-SHA-1; Secret (CSP); Officer indicator and transport via KDF SNMP; SNMPv3 Session Encryption SNMPv3 SNMPv3 Key (CSP); success log SNMPv3 Session message Authentication Key (CSP); Run IPSec/IKEv2 Negotiation and AES-CBC; DRBG Entropy Input (CSP); Crypto G/R/W/E Global Function encrypted data CKG; DRBG Seed (CSP); Officer indicator and transport via IPSec CTR_DRBG; DRBG Internal State V Value IPSec/IKEv2 HMAC-SHA-1; (CSP); success log HMAC-SHA2-256; DRBG Key (CSP); message HMAC-SHA2-384; IPSec/IKE Pre-Shared Secret HMAC-SHA2-512; (CSP); KAS-SSC (ECC); IPSec/IKE RSA Private Key KAS (ECC); (CSP); RSA KeyGen; IPSec/IKE RSA Public Key RSA SigGen; (PSP); RSA SigVer; IPSec/IKE ECDHE Private KDF IKEV2 Key (CSP); IPSec/IKE ECDHE Public Key (PSP); IPSec/IKE ECDHE Shared Secret (CSP); IPSec/IKE Session Encryption Key (CSP); IPSec/IKE Session Authentication Key (CSP); Table 9

Page 12

W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroizes the SSP. Unauthenticated Services Unauthenticated Users can run the self-test service by power-cycling the module by removing the power and re-applying.

  1. Software/Firmware Security Integrity Techniques The module performs the Software Integrity test by using HMAC-SHA2-256 (HMAC Cert. #A3566) during the PreOperational Self-Test. A Software Integrity Test Key (non-SSP) was preloaded to the module’s binary at the factory and used for software integrity test only at the pre-operational self-test. At Module’s initialization, the integrity of the runtime executable is verified using an HMAC-SHA2-256 digest which is compared to a value computed at build time. If at the load time the MAC does not match the stored, known MAC value, the module would enter an Error state with all crypto functionality inhibited. The module also supports the software load test by using RSA 2048 bits with SHA2-256 (RSA Cert. #A3566) for the new validated software to be uploaded into the module. A Software Load Test Key was preloaded to the module’s binary at the factory and used for software load test. In order to load new software, the Crypto Officer must authenticate into the module before loading any software. This ensures that unauthorized access and use of the module is not performed. The module will load the new update upon reboot. The update attempt will be rejected if the verification fails Integrity Test On-Demand Integrity test is performed as part of the Pre-Operational Self-Tests. It is automatically executed at power-on. The operator can power-cycle or reboot the module to initiate the software integrity test on-demand. This automatically performs the integrity test of all software components included within the boundary of the module.
  2. Operational Environment The module is a modifiable operational environment as per FIPS 140-3 Level 1 specifications. The operating system is restricted to a single operator mode of operation. The application that makes calls to the module is the single user of the modules even when the application is serving multiple clients. See Table 2 for details regarding what platforms the module was tested on. The software module provides a Software Update service. The module’s validation to FIPS 140-3 is no longer valid once a non-validated software is loaded.
  3. Physical Security As the module is a software only module, the physical security requirements are not applicable.

12 Palo Alto Networks SD-WAN Virtual Instant-On © 2024 Palo Alto Networks, Inc.

Page 13
  1. Non-Invasive Security No approved non-invasive attack mitigation test metrics are defined at this time.
  2. Sensitive Security Parameters Key/SSP Strength Security Generation Import/Export Establish- Storage Zeroization Use & Related Name/Typ Function and ment Keys e Cert. Number DRBG 256 bits N/A Obtained from the Entropy Import to the N/A DRAM (plaintext) Zeroized when Used to seed the Entropy Input Source within TOEPP (GPS module via the tested DRBG (CSP) INT Pathways) Module’s API Note: The module does platform is not provide persistent powered down Export: No keys/ SSPs storage DRBG Seed 256 bits N/A Internally Derived from Import: No N/A DRAM (plaintext) Zeroized when Random number (CSP) entropy input string as the tested generation defined by SP800-90Arev1 Export: No Note: The module does platform is DRBG not provide persistent powered down keys/ SSPs storage DRBG 256 bits N/A Internally Derived from Import: No N/A DRAM (plaintext) Zeroized when Random number Internal State entropy input string as the tested generation V value defined by SP800-90Arev1 Export: No Note: The module does platform is (CSP) DRBG not provide persistent powered down keys/ SSPs storage DRBG Key 256 bits N/A Internally Derived from Import: No N/A DRAM (plaintext) Zeroized when Random number (CSP) entropy input string as the tested generation defined by SP800-90Arev1 Export: No Note: The module does platform is DRBG not provide persistent powered down keys/ SSPs storage Software 112 bits RSA Sig Ver Pre-loaded at the build time Import: No N/A HDD (plaintext) N/A Used for Software Load Test (in the module’s binary) (Note: This key is Load Test Key (Modulus: Cert. #A3566 Export: No Embedded in the only used for (PSP) 2048 bits) module’s executable Software Load binary. Test and not subject to the Note: The module does zeroization not provide persistent requirement) keys/ SSPs storage TLS RSA 112-128 CKG; Internally generated Import: No N/A HDD (plaintext) Zeroized by Used for TLS peer Private Key bits DRBG; conformant to SP800- SSP/CSP/PSP authentication (CSP) RSA KeyGen; 133r2 (CKG) using FIPS Export: No Note: The module does Zeroization (Modulus: RSA SigGen; 186-4 RSA key generation not provide persistent Command 2048, 3072 method, and the random keys/ SSPs storage bits) Certs. #A3566 value used in key and #A3572 generation is generated using SP800-90Arev1 DRBG TLS RSA 112-128 RSA KeyGen; Internally derived per the Import: No N/A HDD (plaintext) Zeroized by Used for TLS peer Public Key bits RSA SigVer; FIPS 186-4 RSA key SSP/CSP/PSP authentication (PSP) generation method Export: Yes, to Note: The module does Zeroization (Modulus: Certs. #A3566 the TLS peer not provide persistent Command 2048, 3072 and #A3572 keys/ SSPs storage bits) TLS ECDHE 128 – 256 CKG; Internally generated Import: No DRAM (plaintext) Zeroized when Used to derive TLS Private Key bits DRBG; conformant to SP800- N/A the tested ECDHE Shared (CSP) KAS-ECC-SSC; 133r2 (CKG) using SP800- Export: No Note: The module does platform is Secret (Curves: P- 56Arev3 EC Diffie-Hellman not provide persistent powered down 256, Certs. #A3566 key generation method, and keys/ SSPs storage P-384, and #A3572 the random value used in P-521) key generation is generated using SP800-90Arev1 DRBG TLS ECDHE 128 – 256 KAS-ECC-SSC; Internally derived internally Import: No N/A DRAM (plaintext) Zeroized when Used to derive TLS Public Key bits per the EC Diffie-Hellman the tested ECDHE Shared (PSP) Certs. #A3566 key agreement Export: Yes, to Note: The module does platform is Secret (Curves: P- and #A3572 (SP800-56Arev3) the TLS peer not provide persistent powered down 256, keys/ SSPs storage P-384, P-521) Peer TLS Curves: P- N/A N/A Import: Enter N/A DRAM (plaintext) Zeroized when Used to derive TLS ECDHE 256, into the Module the tested ECDHE Shared Public Key P-384, via Module’s API Note: The module does platform is Secret (PSP) P-521 not provide persistent powered down Export: No keys/ SSPs storage © 2024 Palo Alto Networks, Inc. Palo Alto Networks SD-WAN Virtual Instant-On Network (vION) 13
Page 14

Key/SSP Strength Security Generation Import/Export Establish- Storage Zeroization Use & Related Name/Typ Function and ment Keys e Cert. Number TLS ECDHE 128

2048 bits

Pre-Shared Encrypted by SSP/CSP/PSP peer authentication Secret characters using TLS/SSH Note: The module does Zeroization (CSP) session key not provide persistent Command keys/ SSPs storage Export: No IPSec/IKE 112 or 128 CKG; Internally generated Import: No N/A HDD (plaintext) Zeroized by Used for IPSec/IKE RSA Private bits DRBG; conformant to SP800- SSP/CSP/PSP peer authentication Key RSA SigGen; 133r2 (CKG) using FIPS Export: No Note: The module does Zeroization (CSP) (Modulus: 186-4 RSA key generation not provide persistent Command 2048, 3072 Cert# A3566 method, and the random keys/ SSPs storage bits) value used in key generation is generated using SP800-90Arev1 DRBG IPSec/IKE 112 or 128 RSA SigVer; Internally derived per the Import: No N/A HDD (plaintext) Zeroized by Used for IPSec/IKE RSA Public bits FIPS 186-4 RSA key Export: to the SSP/CSP/PSP peer authentication Key Cert. #A3566 generation method IKE Peer Note: The module does Zeroization (PSP) (Modulus: application not provide persistent Command 2048, 3072 keys/ SSPs storage bits) IPSec/IKE 128 or 192 CKG; Internally generated Import: No N/A DRAM (plaintext) Zeroized when Used to derive ECDHE bits DRBG; conformant to SP800- the tested IPSec/IKE ECDHE Private Key KAS-ECC-SSC; 133r2 (CKG) using SP800- Export: No Note: The module does platform is Shared Secret (CSP) (Curves: P- 56Arev3 EC Diffie-Hellman not provide persistent powered down

256 or Cert. #A3566 key generation method, and keys/ SSPs storage

P-384) the random value used in key generation is generated using SP800-90Arev1 DRBG IPSec/IKE 128 or 192 KAS-ECC-SSC; Internally derived internally Import: No N/A DRAM (plaintext) Zeroized when Used to derive ECDHE bits per the EC Diffie-Hellman Export: to the the tested IPSec/IKE ECDHE Public Key Cert. #A3566 key agreement IKE Peer Note: The module does platform is Shared Secret (PSP) (Curves: P- (SP800-56Arev3) application not provide persistent powered down

256 or keys/ SSPs storage

P-384) IPSec/IKE 128 or 192 KAS-ECC-SSC; Internally derived Import: No N/A DRAM (plaintext) Zeroized when Used to derive ECDHE bits using the tested IPSec/IKE Session Shared Secret Cert. #A3566 SP800-56A rev3 Export: No Note: The module does platform is Encryption Keys, (CSP) (Curves: P- EC Diffie-Hellman shared not provide persistent powered down IPSec/IKE

256 or secret computation keys/ SSPs storage Authentication

14 Palo Alto Networks SD-WAN Virtual Instant-On © 2024 Palo Alto Networks, Inc.

Page 15

Key/SSP Strength Security Generation Import/Export Establish- Storage Zeroization Use & Related Name/Typ Function and ment Keys e Cert. Number IPSec/IKE 128-256 AES-CBC; Internally derived via key Import: No N/A DRAM (plaintext) Zeroized when Used to secure Session bits KDF IKEv2; derivation function defined the tested IPSec/IKEv2 Encryption in SP800-135rev1 KDF Export: No Note: The module does platform is session Key Cert. #A3566 (IKEv2) not provide persistent powered down confidentiality (CSP) keys/ SSPs storage IPSec/IKE At least 112 HMAC-SHA-1; Internally derived via key Import: No N/A DRAM (plaintext) Zeroized when Used to secure Session bits HMAC-SHA2- derivation function defined the tested IPSec/IKEv2 Authenticatio 256; in SP800-135rev1 KDF Export: No Note: The module does platform is session integrity n Key HMAC-SHA2- (IKEv2) not provide persistent powered down (CSP) 384; keys/ SSPs storage HMAC-SHA2512; KDF IKEv2; Cert. #A3566 SNMPv3 8 characters N/A N/A Import: MD/EE HDD (plaintext) Zeroized by Used for SNMPv3 Authenticatio minimum Encrypted by SSP/CSP/PSP User authentication n Secret using TLS/SSH Note: The module does Zeroization (CSP) session key not provide persistent Command keys/ SSPs storage Export: No SNMPv3 128 bits AES-CFB; Internally derived via key Import: No N/A DRAM (plaintext) Zeroized when Used to secure Session KDF SNMP; derivation function defined the tested SNMPv3 session Encryption in SP800-135rev1 KDF Export: No Note: The module does platform is confidentiality Key Cert. #A3566 (SNMPv3) not provide persistent powered down (CSP) keys/ SSPs storage SNMPv3 At least 112 HMAC-SHA-1; Internally derived via key Import: No N/A DRAM (plaintext) Zeroized when Used to secure Session bits KDF SNMP; derivation function defined the tested SNMPv3 session Authenticatio in SP800-135rev1 KDF Export: No Note: The module does platform is integrity n Key Cert. #A3566 (SNMPv3) not provide persistent powered down (CSP) keys/ SSPs storage SSH ECDHE 128-256 CKG; Internally generated Import: No N/A DRAM (plaintext) Zeroized when Used to derive the Private Key bits DRBG; conformant to SP800- the tested SSH ECDHE Shared (CSP) KAS-ECC-SSC; 133r2 (CKG) using SP800- Export: No Note: The module does platform is Secret (Curves: P- 56Arev3 EC Diffie-Hellman not provide persistent powered down 256, Cert. #A3566 key generation method, and keys/ SSPs storage P-384, or P- the random value used in 521) key generation is generated using SP800-90Arev1 DRBG SSH ECDHE 128-256 KAS-ECC-SSC; Internally derived internally Import: No N/A DRAM (plaintext) Zeroized when Used to derive the Public Key bits per the EC Diffie-Hellman the tested SSH ECDHE Shared (PSP) Cert. #A3566 key agreement Export: Yes, to Note: The module does platform is Secret (Curves: P- (SP800-56Arev3) the SSH peer not provide persistent powered down 256, keys/ SSPs storage P-384, or P521) Peer SSH 128-256 KAS-ECC-SSC; N/A Import: Enter N/A DRAM (plaintext) Zeroized when Used to derive SSH ECDHE bits KAS-ECC; into the Module the tested ECDHE Shared Public Key via the Module’s Note: The module does platform is Secret (PSP) (Curves: P- Cert.#A3566 API not provide persistent powered down 256, keys/ SSPs storage P-384, or P- Export: No 521) SSH ECDHE 128-256 KAS-ECC-SSC; Internally derived Import: No N/A DRAM (plaintext) Zeroized when Used to derive SSH Shared Secret bits KAS-ECC; using the tested Session Encryption (CSP) SP800-56A rev3 Export: No Note: The module does platform is Keys, SSH Session (Curves: P- Cert. #A3566 EC Diffie-Hellman shared not provide persistent powered down Authentication 256, secret computation keys/ SSPs storage Keys P-384, or P521) SSH ECDSA 128-256 CKG; Internally generated Import: No SSP HDD (plaintext) Zeroized by SSP Used for SSH Private Key bits DRBG; conformant to SP800- generation (CSP/PSP) session (CSP) ECDSA KeyGen; 133r2 (CKG) using FIPS Export: No Note: The module does Zeroization authentication (Curves: P- ECDSA SigGen; 186-4 ECDSA Key not provide persistent Command 256, Generation method, and keys/ SSPs storage P-384, or P- the random value used in 521) Cert. #A3566 key generation is generated using SP800-90Arev1 DRBG SSH ECDSA 128-256 ECDSA KeyGen; Internally derived per the Import: No N/A HDD (plaintext) Zeroized by Used for SSH Public Key bits ECDSA SigVer; FIPS 186-4 ECDSA Keypair SSP/CSP/PSP session (PSP) generation method Export: Yes, to Note: The module does Zeroization authentication (Curves: P- Cert. #A3566 the SSH peer not provide persistent Command 256, keys/ SSPs storage P-384, or P521) SSH Session 128 - 256 AES-CTR; Internally derived via key Import: No Key DRAM (plaintext) Zeroized when Used for SSH Encryption bits KDF SSH; derivation function defined derivation the tested session Key KTS; in SP 800-135rev1 KDF Export: No Note: The module does platform is confidentiality (CSP) (SSHv2) not provide persistent powered down protection Cert. #A3566 keys/ SSPs storage © 2024 Palo Alto Networks, Inc. Palo Alto Networks SD-WAN Virtual Instant-On Network (vION) 15

Page 16

Key/SSP Strength Security Generation Import/Export Establish- Storage Zeroization Use & Related Name/Typ Function and ment Keys e Cert. Number SSH Session At least 112 KDF SSH; Internally derived via key Import: No Key DRAM (plaintext) Zeroized when Used for SSH Authenticatio bits KTS; derivation function defined derivation the tested session integrity n Key HMAC-SHA-1; in SP 800-135rev1 KDF Export: No Note: The module does platform is protection (CSP) HMAC-SHA2- (SSHv2) not provide persistent powered down 256; keys/ SSPs storage HMAC-SHA2512; Cert. #A3566 Table 10 - SSPs Entropy Source(s) Minimum Number of Bits of Entropy Details Palo Alto Networks DRNG Entropy Source 0.6 bits entropy per sample with Please refer to ESV Cert. #E69 sample bit: 1 bit Table 11 - Non-Deterministic Random Number Generation Specification 10. Self-Tests The module performs the following self-tests, including the pre-operational self-tests and Conditional self-tests. Pre-Operational Self-Tests Algorithm Self-Test Details SHS KAT using SHA2-256 HMAC KAT using HMAC- SHA2-256 Software integrity Using HMAC-SHA2-256 Table 12 - Pre-Operational Self-Tests The module performs the following Cryptographic Algorithm Self-Tests (CASTs). These CASTs can be initiated by rebooting the module. All CASTs run without operator intervention automatically on reboot. Conditional Self-Tests Cryptographic Algorithm Self-Tests (CASTs) Algorithm Self-Test Details AES AES-ECB 256 bits Encryption KAT AES AES-ECB 256 bits Decryption KAT AES AES-CBC 256 bits Encryption KAT AES AES-CBC 256 bits Decryption KAT AES AES-GCM 256 bits Encryption KAT AES AES-GCM 256 bits Decryption KAT DRBG CTR_DRBG KAT: Instantiate KAT: Generate KAT: Reseed Note: DRBG Health Tests as specified in SP800-90Arev1 DRBG Section 11.3 are performed) ECDSA KAT using P-224 with SHA2-256 (ECDSA Signature Generation) ECDSA KAT using P-224 with SHA2-256 (ECDSA Signature Verification) HMAC KAT using HMAC-SHA-1

16 Palo Alto Networks SD-WAN Virtual Instant-On © 2024 Palo Alto Networks, Inc.

Page 17

Algorithm Self-Test Details HMAC KAT using HMAC-SHA2-224 HMAC KAT using HMAC-SHA2-256 HMAC KAT using HMAC-SHA2-384 HMAC KAT using HMAC-SHA2-512 KAS-ECC-SSC KAT for KAS-ECC-SSC (Shared Secret Computation) primitive Z value KDF IKEv2 KAT for IKEv2 KDF KDF SNMP KAT for SNMPv3 KDF KDF SSH KAT for SSHv2 KDF KDF TLS KAT for TLSv1.2 KDF RSA KAT using 2048 bits modulus with SHA2-256 (RSA Signature Generation) RSA KAT using 2048 bits modulus with SHA2-256 (RSA Signature Verification) SHS KAT using SHA-1 Table 13

Page 18

Table 16 - Conditional Pair-Wise Consistency Tests (Crypto Library I) Algorithm Self-Test Details RSA RSA Pairwise consistency test (PCT) ECDSA ECDSA PCT SP800-56Ar3 KAS-ECC-SSC SP800-56Ar3 KAS-ECC-SSC PCT Table 17 - Conditional Pair-Wise Consistency Tests (Crypto Library II) Conditional Software Load Test Conditional Self-Tests Algorithm Self-Test Details Software Load Test RSA 2048 with SHA2-256 Signature Verification Table 18 - Conditional Software Load Test Periodic/On-Demand Self-Test The module performs on-demand self-tests initiated by the operator, by power cycling or rebooting the tested platform. The full suite of self-tests is then executed. The same procedure may be employed by the operator to perform periodic self-tests. It is recommended that the Crypto Officer perform periodic testing of the module’s on-demand self-tests every 60 days to ensure all components are functioning correctly. Error Handling If any of the above-mentioned self-tests fail, the module reports the cause of the error and enters an error state (there is only one error state). In the Error State, no cryptographic services are provided, and data output is prohibited. The only method to recover from the error state is to reboot the module and perform the self-tests, including the pre-operational software integrity test and the conditional CASTs. The module will only enter into the operational state after successfully passing the pre-operational software integrity test and the conditional CASTs. The table below shows the different causes that lead to the Error State and the status indicators reported. Cause of Error Error State Indicator Failed Pre-Operational Software Integrity Test Integrity check failed at <location> Failed Conditional CAST <Crypto Library>: FIPS Self-test failed for <algorithm> Entering error state Failed Conditional PCT Key verification failed Failed Software Load Test Verification Failure SP 800-90B Entropy Source No random numbers are generated and key generation is Start-up/Continuous health tests halted Table 19 - Error State Indicators 11. Life-Cycle Assurance The module is designed to handle the various stages of a module’s life-cycle. The sections below highlight the details for each stage. Secure Delivery Procedures Software is available on Palo Alto Networks’ support site, which uses TLS 1.2 during the download process. The support site also provides a SHA2-256 checksum that Crypto Officers can use to verify the integrity of the module once it has been transferred/downloaded.

18 Palo Alto Networks SD-WAN Virtual Instant-On © 2024 Palo Alto Networks, Inc.

Page 19

Secure Operation The module meets all the Level 1 requirements for FIPS 140-3. Follow the secure operations provided below to place the module in the Approved mode. The software version is 6.1.2, which is the only allowable software image for this current approved mode of operation. The module is initiated into the Approved mode of operation via the following procedure:

  1. Install the vION on the platform
  2. Using the Controller, navigate to the device that is to be initiated
  3. Select “FIPS” a. Click “proceed” to begin initialization procedure
  4. The module will begin initialization that includes the following: a. Zeroization of any sensitive information or data b. Power cycle of the device followed by running all self-tests
  5. Once initialization is complete, the module provides the following status output: a. Device Mode: “fips” b. Self-tests: “Power-up self test successful” Once the module has completed initialization into the Approved mode of operation, any non-Approved configurations/algorithms are rejected automatically by the module and an error message is output. End of Life / Sanitization End of life dates for software and hardware modules are announced publicly via Palo Alto Networks’ services website. Crypto Officers should follow the procedure below for the secure destruction of their module: Note: This process will cause the module to no longer function after it has wiped all configurations and keys.
  6. Access the module as Crypto Officer
  7. Execute command: “disable system” a. Confirm command
  8. Module will begin zeroization process and wipe all security parameters and configurations
  9. Mitigation of Other Attacks This module is not designed to mitigate against any other attacks outside of the FIPS 140-3 scope. © 2024 Palo Alto Networks, Inc. Palo Alto Networks SD-WAN Virtual Instant-On Network (vION) 19