All modules
CMVP Validated Module · FIPS 140-3 Security Policy

PAN-OS 11.0 VM-Series

Certificate#4773StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorPalo Alto Networks, Inc.
Medium review priority  ·  no TCB surface named  ·  last validated 23 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date8/20/2026
CaveatInterim validation. When installed, initialized and configured as specified in Section 11 of the Security Policy
VendorPalo Alto Networks, Inc.

Approved Algorithms (31)

AlgorithmACVP Cert
AES-CBCA3454
AES-CFB128A3454
AES-CTRA3454
AES-GCMA3454
Conditioning Component AES-CBC-MAC SP800-90BA1791
Counter DRBGA3454
ECDSA KeyGen (FIPS186-4)A3454
ECDSA KeyVer (FIPS186-4)A3454
ECDSA SigGen (FIPS186-4)A3454
ECDSA SigVer (FIPS186-4)A3454
HMAC-SHA-1A3454
HMAC-SHA2-224A3454
HMAC-SHA2-256A3454
HMAC-SHA2-384A3454
HMAC-SHA2-512A3454
KAS-ECC-SSC Sp800-56Ar3A3454
KAS-FFC-SSC Sp800-56Ar3A3454
KDF IKEv2A3454
KDF SNMPA3454
KDF SSHA3454
RSA KeyGen (FIPS186-4)A3454
RSA SigGen (FIPS186-4)A3454
RSA SigVer (FIPS186-4)A3454
Safe Primes Key GenerationA3454
Safe Primes Key VerificationA3454
SHA-1A3454
SHA2-224A3454
SHA2-256A3454
SHA2-384A3454
SHA2-512A3454
TLS v1.2 KDF RFC7627A3454

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for PAN-OS 11.0 VM-Series
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Update</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>status output<br/>self-test</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for PAN-OS 11.0 VM-Series
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Update</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>status output<br/>self-test</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

PAN-OS 11.0 VM-Series Version: 1.1 Revision Date: June 13, 2024 Palo Alto Networks, Inc. www.paloaltonetworks.com © 2024 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Page 2
Table of Contents
#SectionPage
Page 3
  1. General The PAN-OS 11.0 VM-Series module is available in multiple capacity options. All models can be deployed as guest virtual machines on VMware ESXi, Hyper-V, and Linux server that is running the KVM (Kernel-based Virtual Machine) using a common base image distributed in a compatible hypervisor format. The PAN-OS VM-Series is the virtualized form factor of the Palo Alto Networks next-generation firewall. The VM-Series is used to protect applications/data from cyber threats using Palo Alto Networks’ next-generation firewall and advanced threat prevention features. For purposes of this validation, the exact software version of the module tested was 11.0.3-h12. The cryptographic module meets the overall requirements applicable to Level 1 security of FIPS 140-3. Table 1 - Security Levels ISO/IEC 24759 Section
  2. FIPS 140-3 Section Title Security Level
1 General 1
2 Cryptographic Module Specification 1
3 Cryptographic Module Interfaces 1
4 Roles, Services, and Authentication 3
5 Software/Firmware Security 1
6 Operational Environment 1

7 Physical Security N/A

8 Non-Invasive Security N/A

9 Sensitive Security Parameter Management 1
10 Self-Tests 1
11 Life-Cycle Assurance 3

12 Mitigation of Other Attacks N/A

Overall Level 1

  1. Cryptographic Module Specification The tested operational environments are highlighted in Table
  2. Table 2 - Tested Operational Environments Operating System Hardware Platform Processor PAA/Acceleration VMware ESXi v7.0 Dell PowerEdge R740 Intel Xeon Gold 6248 N/A KVM 4 on Ubuntu 20.04 Dell PowerEdge R740 Intel Xeon Gold 6248 N/A Hyper-V 2019 on Microsoft Dell PowerEdge R740 Intel Xeon Gold 6248 N/A Hyper-V Server 2019 © 2024 Palo Alto Networks, Inc. PAN-OS 11.0 VM-Series Security Policy 3
Page 4

Table 3 - Vendor Affirmed Operational Environments Operating System Hardware Platform Amazon Web Services (AWS) x86 Architecture Microsoft Azure (Note: Specific processor/hardware is dependent on Google Cloud Platform (GCP) Instance/Machine Type selected for operation system) Operator Porting Rules The CMVP allows user porting of a validated software module to an operational environment which was not included as part of the validation testing. An operator may install and run a VM-series firewall on any general purpose computer (GPC) or platform using the specified hypervisor and operating system on the validation certificate or other compatible operating and/or hypervisor system and affirm the modules continued FIPS 140-3 validation compliance. The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when ported and executed in an operational environment not listed on the validation certificate. Approved Mode of Operation The following procedure will put the module into the Approved mode of operation:

Page 5

Note: Disabling “FIPS-CC” mode causes a complete factory reset, which is described in the Zeroization section below. Non-Compliant State Failure to follow the directions in the Approved Mode of Operation above or rules noted in Section 11 will result in the module operating in a non-compliant state, which is considered out of scope of this validation. Zeroization To perform the zeroization service, follow the procedure below:

128 and 256 bits

AES-GCM GCM** Encryption A3454 [SP 800-38D] Decryption AES 256 bits with Counter DRBG A3454 CTR DRBG Derivation Function Random Bit Generator [SP 800-90Arev1] Enabled ECDSA KeyGen Key Generation A3454 ECDSA KeyGen P-256, P-384, P-521 (FIPS 186-4) ECDSA KeyVer (FIPS Public Key Validation A3454 ECDSA KeyVer P-256, P-384, P-521 186-4) P-256, P-384, P-521 with ECDSA SigGen (FIPS Signature Generation A3454 ECDSA SigGen SHA2-224, SHA2-256, 186-4) SHA2-384, and SHA2-512 P-256, P-384, P-521 with A3454 ECDSA SigVer (FIPS 186-4) ECDSA SigVer Signature Verification SHA-1, SHA2-224, © 2024 Palo Alto Networks, Inc. PAN-OS 11.0 VM-Series Security Policy 5

Page 6

SHA2-256, SHA2-384, and SHA2-512 A3454 HMAC-SHA-1 with λ=96, Authentication for HMAC-SHA-1 [FIPS 198-1] HMAC

160 protocols

A3454 HMAC-SHA2-224 with HMAC-SHA2-224 Authentication for HMAC λ=224 [FIPS 198-1] protocols A3454 HMAC-SHA2-256 HMAC-SHA2-256 with Authentication for HMAC [FIPS 198-1] λ=256 protocols A3454 HMAC-SHA2-384 HMAC-SHA2-384 with Authentication for HMAC [FIPS 198-1] λ=384 protocols A3454 HMAC-SHA2-512 HMAC-SHA2-512 with Authentication for HMAC [FIPS 198-1] λ=512 protocols KAS-ECC-SSC KAS P-256/P-384/P-521 A3454 Key Exchange Sp800-56Ar3 KAS-FFC-SSC SP A3454 KAS MODP-2048/3072/4096 Key Exchange 800-56Ar3 KDF IKEv2 [SP SHA2-256, SHA2-384, A3454 IKEv2 KDF IKEv2 800-135rev1] (CVL) SHA2-512 Engine ID: KDF SNMP [SP A3454 SNMPv3 KDF 80001F88043030303030 SNMPv3 800-135rev1] (CVL) 343935323630 KDF SSH [SP 800-135rev1] SHA-1, SHA2-256, A3454 SSHv2 KDF SSH (CVL) SHA2-512 TLS v1.2 KDF RFC7627 TLS1.2 KDF TLS v1.2 Hash Algorithm: A3454 TLS (CVL) SHA2-256, SHA2-384 RSA KeyGen RSA KeyGen Key Pair Generation A3454 2048, 3072, and 4096 bits (FIPS 186-4) (FIPS 186-4) RSA SigGen RSA SigGen 2048, 3072, and 4096-bit Signature Generation A3454 (FIPS 186-4) (FIPS 186-4) with hashes 256/384/512 2048, 3072, 4096-bit (per IG C.F) with hashes SHA-1/224+++/256/384/5 RSA SigVer RSA SigVer 12 (Signature Verification) A3454 Signature Verification (FIPS 186-4) (FIPS 186-4) +++ This Hash algorithm is not supported for ANSI X9.31 Digital Signature Generation/Verification SHA-1 A3454 SHA-1 [FIPS 180-4] SHA Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification A3454 SHA2-224 [FIPS 180-4] SHA2 SHA-224 Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification A3454 SHA2-256 [FIPS 180-4] SHA2 SHA-256 Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature A3454 SHA2-384 [FIPS 180-4] SHA2 SHA-384 Generation/Verification © 2024 Palo Alto Networks, Inc. PAN-OS 11.0 VM-Series Security Policy 6

Page 7

Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification A3454 SHA2-512 [FIPS 180-4] SHA2 SHA-512 Non-Digital Signature Applications (e.g. component of HMAC) Safe Primes Key Safe Primes Key MODP-2048, Safe Primes Key A3454 Generation [RFC 3526] Generation MODP-3072, MODP-4096 Generation Safe Primes Key Safe Primes Key MODP-2048, Safe Primes Key A3454 Verification [RFC 3526] Verification MODP-3072, MODP-4096 Verification AES-CBC or AES-CTR plus SP 800-38A and FIPS HMAC AES Cert. #A3454 and KTS 198-1. KTS (key wrapping 128, 192, and 256-bit keys Key Wrapping HMAC Cert. #A3454 [SP 800-38F] and unwrapping) per IG providing 128, 192, or 256 D.G. bits of encryption strength SP 800-38D and SP AES-GCM KTS 800-38F. KTS (key 128 and 256-bit keys AES-GCM Cert. A3454 Key Wrapping [SP 800-38F] wrapping and unwrapping) providing 128 or 256 bits per IG D.G. of encryption strength Palo Alto Networks DRNG ESV Cert. #E69 SP 800-90B ESV Entropy Entropy Source KAS-ECC-SSC Cert. SP 800-56Arev3. KAS-ECC P-256 and P-384 curves Key Exchange with #A3454, KDF IKEv2 Cert. KAS [SP 800-56Arev3] per IG D.F Scenario 2 path providing 128 or 192 bits protocol KDF #A3454 (2). of encryption strength KAS-ECC-SSC Cert. P-256, P-384, and P-521 SP 800-56Arev3. KAS-ECC #A3454, KDF SSH Cert. curves providing 128, 192, Key Exchange with KAS [SP 800-56Arev3] per IG D.F Scenario 2 path #A3454 or 256 bits of encryption protocol KDF (2). strength KAS-ECC-SSC Cert. P-256, P-384, and P-521 SP 800-56Arev3. KAS-ECC #A3454, TLS v1.2 KDF curves providing 128, 192, Key Exchange with KAS [SP 800-56Arev3] per IG D.F Scenario 2 path RFC7627 Cert. #A3454 or 256 bits of encryption protocol KDF (2). strength KAS-FFC-SSC Cert. 2048, 3072, and 4096-bit SP 800-56Arev3. KAS-FFC #A3454, KDF IKEv2 Cert. keys providing 112, 128, or Key Exchange with KAS [SP 800-56Arev3] per IG D.F Scenario 2 path #A3454 150 bits of encryption protocol KDF (2). strength KAS-FFC-SSC Cert. SP 800-56Arev3. KAS-FFC 2048-bit key providing 112 Key Exchange with #A3454, KDF SSH Cert. KAS [SP 800-56Arev3] per IG D.F Scenario 2 path bits of encryption strength protocol KDF #A3454 (2). KAS-FFC-SSC Cert. SP 800-56Arev3. KAS-FFC 2048-bit key providing 112 Key Exchange with #A3454, TLS v1.2 KDF KAS [SP 800-56Arev3] per IG D.F Scenario 2 path bits of encryption strength protocol KDF RFC7627 Cert. #A3454 (2). Key Generation Note: Symmetric keys and Cryptographic Key the seeds used for Vendor CKG Section 5.1, Section 5.2 Generation; SP 800- asymmetric key pair Affirmed (SP 800-133rev2)

133 and IG D.H. generation are produced

using the unmodified/direct output of the DRBG

Page 8

part of the IV exhausts all possible values for a given session key, that a new TLS handshake is initiated per sections 7.4.1.1 and 7.4.1.2 of RFC 5246. During operational testing, the module was tested against an independent version of TLS and found to behave correctly.

Page 9

Cryptographic Boundary The PAN-OS 11.0 VM-Series is a software cryptographic module and requires an underlying general purpose computer (GPC) environment. The module consists of a GPC (multi-chip standalone embodiment) with the cryptographic boundary defined below. The cryptographic boundary (CB) includes all of the software components of the module, which is included in the file name in Section 11 (PanOS_vm-11.0.3-h12) and also the configuration file that resides on the virtual machine’s virtual disk. The physical perimeter (PP) is defined by the enclosure around the host GPC on which it runs. Figure 1 depicts the boundary and illustrates the hardware components of a GPC. Figure 1 - Cryptographic Boundary 3. Cryptographic Module Interfaces The module is a software only module that operates on a general purpose computing (GPC) platform. The physical ports and logical interfaces are consistent with a GPC operating environment. The module supports the following FIPS 140-3 logical interfaces: Table 6 - Ports and Interfaces Physical Port Logical Interface Data that passes over port/interface Power Power In Power supplies Console, GPC I/O Status Output Self-test status output Ethernet Data input, control input, HTTPS, TLS, SNMP, IPsec, and SSH traffic data. data output, status output The module does not support a Control Output interface. © 2024 Palo Alto Networks, Inc. PAN-OS 11.0 VM-Series Security Policy 9

Page 10

The module’s physical and electrical characteristics, manual controls, and physical indicators are provided by the host GPC; the hypervisors provide virtualized ports and interfaces which map to the GPCs’ physical ports and interfaces (i.e., network interfaces and GPC inputs/outputs). 4. Roles, Services, and Authentication Roles and Services While in the Approved mode of operation, all CO and User services are accessed via SSH or TLS sessions. Approved and allowed algorithms, relevant CSPs and public keys related to these protocols are accessed to support the following services. CSP access by services is further described in the following tables. Table 7 - Roles, Service Commands, Input and Output Role Service Input Output Crypto Officer Show Version Query module for version Module provides version Crypto Officer, Security Configuration Configuring and managing Confirmation of service User Management cryptographic parameters and via Configuration Logs setting/modifying security policy, including creating User accounts and additional CO accounts via CLI or WebUI Crypto Officer Other Configuration Networking parameter Confirmation of service configuration, logging configuration, via Configuration Logs and other non-security relevant configuration via CLI or WebUI Crypto Officer, View Other Query module for current Confirmation of service User Configuration non-security relevant configuration via Configuration Logs via WebUI or CLI Crypto Officer, Show Status Query status and version of the Module status information User, RA VPN, module via WebUI or CLI via CLI or System Logs S-S VPN RA VPN, S-S VPN VPN Initialize VPN connection Confirmation of service via System Logs Crypto Officer Software Update Loading new image Message output noting version updated successfully Unauthenticated Zeroize Initiate zeroization command The device will overwrite all CSPs and provide status of completion Unauthenticated Power cycling the module Self-test status output via Self-Tests system logs Unauthenticated Show Status View status of the module via Module status via the (Hypervisor) hypervisor. hypervisor © 2024 Palo Alto Networks, Inc. PAN-OS 11.0 VM-Series Security Policy 10

Page 11

The zeroization procedure is invoked when the operator initiates the service. The operator must be in control of the module during the entire procedure to ensure that it has successfully completed. During the zeroization procedure, no other services are available. Note: Additional information on the configuration options the module provides can be found at https://docs.paloaltonetworks.com/ Assumption of Roles The modules support four distinct operator roles, User and Cryptographic Officer (CO), Remote Access VPN, and Site-to-site VPN. The cryptographic modules enforce the separation of roles using unique authentication credentials associated with operator accounts. The modules do not provide a maintenance role or bypass capability. The modules all support the use of a password (i.e. Memorized Secret as per SP 800-140E). Upon first boot, the module requires that the Cryptographic Officer change the password from the default one to a custom one. The module automatically enforces a minimum password length of at least 8 characters. In “FIPS-CC” mode, the module automatically enforces a maximum of 10 failed attempts. Passwords stored in the module are hashed using SHA-256, and any passwords that are transported into/out of the module are protected via TLS 1.2. Table 8

Page 12

successfully authenticating to the module within a one minute period is 60,000,000/(2112), which is less than 1/100,000. The firewall supports at most 60,000,000 new sessions per second to authenticate in a one-minute period. Site-to-Site VPN (S-S VPN) IKE/IPSec Pre-shared keys - The pre-shared key authentication method Identification with the IP Address and has a minimum security strength2 of 956. The authentication with the Pre-Shared probability of successfully authenticating to Key or certificate based the module is 1/(956), which is less than authentication 1/1,000,000. The number of authentication attempts is limited by the number of new connections per second supported (120,000) on the fastest platform of the Palo Alto Networks firewalls. The probability of successfully authenticating to the module within a one minute period is 7,200,000/(956), which is less than 1/100,000. The security modules support public-key based authentication using RSA 2048 and certificate-based authentication using RSA 2048, RSA 3072, RSA 4096, ECDSA P-256, P-384, or P-521. The minimum equivalent strength supported is 112 bits. The probability that a random attempt will succeed is 1/(2112) which is less than 1/1,000,000. The probability of successfully authenticating to the module within a one minute period is 60,000,000/(2112), which is less than 1/100,000. The firewall supports at most 60,000,000 new sessions per second to authenticate in a one-minute period. Definition of CSPs Modes of Access The following table defines the relationship between access to CSPs and the different module services. The modes of access shown in the table are defined as: Note: The security strength (956) is based on the use of ASCII characters that are utilized, which surpasses the 6 character random number password allowance that sets a baseline minimum acceptable strength of 106. © 2024 Palo Alto Networks, Inc. PAN-OS 11.0 VM-Series Security Policy 12

Page 13

G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g. the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP. Table 9 - Approved Services Service Description Approved Security Keys and/or SSPs Roles Access rights to Indicator Functions Keys and/or SSPs Show Version Query the module to N/A N/A CO N/A Version displayed via System display the version Logs / CLI / UI Security Configuring and CKG RSA Private Keys CO G/W/E Configuration/System Logs Configuration managing RSA KeyGen (FIPS 186-4) Management cryptographic RSA SigGen (FIPS 186-4) parameters and CKG ECDSA Private Keys CO G/W/E Configuration/System Logs ECDSA KeyGen setting/modifying (FIPS 186-4) security policy, ECDSA SigGen including creating (FIPS 186-4) User accounts and KAS TLS v1.2 KDF TLS Pre-Master Secret CO G/E/Z Configuration/System Logs additional CO RFC7627 accounts TLS v1.2 KDF TLS Master Secret CO G/E/Z Configuration/System Logs RFC7627 CKG, TLS DHE/ECDHE Private G/E/Z ECDSA Components CO Configuration/System Logs KeyGen (FIPS TLS DHE/ECDHE Public G/E/R/W/Z 186-4), Components ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC, KAS-FFC-SSC, Safe Primes Key Generation, Safe Primes Key Verification KTS HMAC-SHA2- TLS HMAC Keys CO G/E/Z Configuration/System Logs HMAC-SHA2AES-CBC TLS Encryption Keys CO G/E/Z Configuration/System Logs KTS AES-GCM KTS HMAC-SHA-1 SSH Session CO G/E/Z Configuration/System Logs HMAC-SHA2- Authentication Keys HMAC-SHA2AES-CBC, SSH Session Encryption CO G/E/Z Configuration/System Logs AES-CTR Keys KTS AES-GCM KAS KDF SSH SSH DHE/ECDHE CO G/E/Z Configuration/System Logs Private Components KAS-ECC-SSC KAS-FFC-SSC SSH DHE/ECDHE Public G/E/R/W/Z Safe Primes Components Key Generation, Safe Primes Key Verification N/A CO, User, RA VPN CO G/E/W Configuration/System Logs Password Counter DRBG, ESV Entropy Input String CO G/E Configuration/System Logs DRBG Seed DRBG V © 2024 Palo Alto Networks, Inc. PAN-OS 11.0 VM-Series Security Policy 13

Page 14

DRBG Key KDF SNMP SNMPv3 Authentication CO W/E Configuration/System Logs Secret KDF SNMP SNMPv3 Privacy Secret CO W/E Configuration/System Logs HMAC-SHA-1 Authentication Key CO G/E/Z Configuration/System Logs HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 AES-CFB128 Session Key CO G/E/Z Configuration/System Logs N/A Protocol Secrets CO W/E Configuration/System Logs RSA SigVer (FIPS 186-4) CA Certificates CO G/R/E/W Configuration/System Logs ECDSA SigVer (FIPS 186-4) ECDSA SigVer ECDSA Public Keys CO G/R/E/W Configuration/System Logs (FIPS 186-4) RSA SigVer RSA Public Keys CO G/R/E/W Configuration/System Logs (FIPS 186-4) RSA SigVer (FIPS 186-4) SSH Host Public Key CO G/R/E/W Configuration/System Logs ECDSA SigVer (FIPS 186-4) RSA SigVer (FIPS 186-4) SSH Client Public Key CO W/E Configuration/System Logs RSA SigVer (FIPS 186-4) Public key for software CO W/E Configuration/System Logs load test Other Networking RSA SigGen RSA Private Keys CO G/W/E Configuration/System Logs Configuration parameter (FIPS 186-4) configuration, logging ECDSA SigGen ECDSA Private Keys CO G/W/E Configuration/System Logs configuration, and (FIPS 186-4) KAS TLS v1.2 KDF TLS Pre-Master Secret CO G/E/Z Configuration/System Logs other non-security RFC7627 relevant configuration TLS v1.2 KDF TLS Master Secret CO G/E/Z Configuration/System Logs RFC7627 CKG, TLS DHE/ECDHE Private CO G/E/Z Configuration/System Logs ECDSA Components KeyGen (FIPS TLS DHE/ECDHE Public G/E/R/W/Z 186-4), Components ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC, KAS-FFC-SSC, Safe Primes Key Generation, Safe Primes Key Verification HMAC-SHA2-256 TLS HMAC Keys CO G/E/Z Configuration/System Logs HMAC-SHA2-384 AES-CBC or AES-GCM TLS Encryption Keys CO G/E/Z Configuration/System Logs HMAC-SHA-1 SSH Session CO G/Z Configuration/System Logs HMAC-SHA2-256 Authentication Keys HMAC-SHA2-512 AES-CBC, AES-CTR, or SSH Session Encryption CO G/E/Z Configuration/System Logs AES-GCM Keys KAS KDF SSH SSH DHE/ECDHE CO G/E/Z Configuration/System Logs Private Components CKG, ECDSA G/E/R/W/Z KeyGen (FIPS SSH DHE/ECDHE Public 186-4), Components ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC, KAS-FFC-SSC, Safe Primes Key Generation, Safe Primes Key Verification © 2024 Palo Alto Networks, Inc. PAN-OS 11.0 VM-Series Security Policy 14

Page 15

N/A CO, User, RA VPN CO G/E/W Configuration/System Logs Password RSA SigVer (FIPS 186-4) CA Certificates CO G/R/E/W Configuration/System Logs ECDSA SigVer (FIPS 186-4) ECDSA SigVer ECDSA Public Keys CO G/R/E/W Configuration/System Logs (FIPS 186-4) RSA SigVer RSA Public Keys CO G/R/E/W Configuration/System Logs (FIPS 186-4) RSA SigVer (FIPS 186-4) SSH Host Public Key CO G/R/E/W Configuration/System Logs ECDSA SigVer (FIPS 186-4) RSA SigVer (FIPS 186-4) SSH Client Public Key CO W/E Configuration/System Logs Counter DRBG, ESV DRBG Seed CO G/E Configuration/System Logs DRBG V DRBG Key Entropy Input String View Other Read-only of N/A CO, User, RA VPN CO, User W/E Configuration/System Logs Configuration non-security relevant Password configuration Note: includes all items in “Other Configuration” Show Status Provides status RSA SigGen (FIPS 186-4) RSA Private Keys CO, User E Configuration/System Logs information of the module ECDSA SigGen ECDSA Private Keys CO, User E Configuration/System Logs (FIPS 186-4) KAS TLS v1.2 KDF TLS Pre-Master Secret CO, User G/E/Z Configuration/System Logs RFC7627 TLS v1.2 KDF TLS Master Secret CO, User G/E/Z Configuration/System Logs RFC7627 CKG, TLS DHE/ECDHE Private CO, User G/E/Z Configuration/System Logs ECDSA Components KeyGen (FIPS TLS DHE/ECDHE Public G/E/R/W/Z 186-4), Components ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC, KAS-FFC-SSC, Safe Primes Key Generation, Safe Primes Key Verification HMAC-SHA2-256 TLS HMAC Keys CO, User G/E/Z Configuration/System Logs HMAC-SHA2-384 AES-CBC or AES-GCM TLS Encryption Keys CO, User G/E/Z Configuration/System Logs HMAC-SHA-1 SSH Session CO, User G/E/Z Configuration/System Logs HMAC-SHA2-256 Authentication Keys HMAC-SHA2-512 AES-CBC, AES-CTR, or SSH Session Encryption CO, User G/E/Z Configuration/System Logs AES-GCM Keys KAS KDF SSH SSH DHE Public/Private CO, User G/E/Z Configuration/System Logs CKG, Components ECDSA SSH ECDHE G/E/R/W/Z KeyGen (FIPS Public/Private 186-4), Components ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC, KAS-FFC-SSC, Safe Primes Key Generation, Safe Primes Key Verification © 2024 Palo Alto Networks, Inc. PAN-OS 11.0 VM-Series Security Policy 15

Page 16

Counter DRBG, ESV DRBG Seed CO G/E Configuration/System Logs DRBG V DRBG Key Entropy Input String VPN Provide network HMAC-SHA-1 S-S VPN IPSec/IKE S-S VPN G/E/Z Configuration/System Logs access for remote KTS HMAC-SHA2- Authentication Keys users or site-to-site 256 HMAC-SHA2connection HMAC-SHA2AES-CBC S-S VPN IPSec/IKE S-S VPN G/E/Z Configuration/System Logs KTS AES-GCM Session Keys KAS KDF IKEv2 S-S VPN IPSec/IKE S-S VPN G/E/Z Configuration/System Logs DHE/ECDHE Private CKG, Components ECDSA KeyGen (FIPS G/E/R/W/Z 186-4), ECDSA S-S VPN IPSec/IKE KeyVer (FIPS DHE/ECDHE Public 186-4), Components KAS-ECC-SSC, KAS-FFC-SSC, Safe Primes Key Generation, Safe Primes Key Verification N/A S-S VPN IPSec S-S VPN W/E Configuration/System Logs Pre-Shared Keys ECDSA SigVer ECDSA Public Keys S-S VPN W/E Configuration/System Logs (FIPS 186-4) RSA SigVer RSA Public Keys S-S VPN W/E Configuration/System Logs (FIPS 186-4) Counter DRBG, ESV DRBG Seed CO G/E Configuration/System Logs DRBG V DRBG Key Entropy Input String VPN Provide network RSA SigGen RSA Private Keys RA VPN E Configuration/System Logs access for remote (FIPS 186-4) users or site-to-site ECDSA SigGen ECDSA Private Keys RA VPN E Configuration/System Logs connection (FIPS 186-4) KAS TLS v1.2 KDF TLS Pre-Master Secret RA VPN G/E/Z Configuration/System Logs RFC7627 TLS v1.2 KDF TLS Master Secret G/E/Z RFC7627 CKG, TLS DHE/ECDHE Public RA VPN G/E/R/W/Z Configuration/System Logs ECDSA Components KeyGen (FIPS TLS DHE/ECDHE Private RA VPN G/E/Z Configuration/System Logs 186-4), Components ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC, KAS-FFC-SSC, Safe Primes Key Generation, Safe Primes Key Verification KTS HMAC-SHA2- TLS HMAC Keys RA VPN G/E/Z Configuration/System Logs HMAC-SHA2AES-CBC TLS Encryption Keys RA VPN G/E/Z Configuration/System Logs KTS AES-GCM CKG, RA VPN IPSec Session RA VPN G/E/Z Configuration/System Logs AES-CBC or AES-GCM Keys CKG, RA VPN IPSec RA VPN G/E/Z Configuration/System Logs HMAC-SHA-1 Authentication © 2024 Palo Alto Networks, Inc. PAN-OS 11.0 VM-Series Security Policy 16

Page 17

Counter DRBG, ESV Entropy Input String RA VPN G/E Configuration/System Logs DRBG Seed DRBG V DRBG Key RSA SigVer (FIPS 186-4)) CA Certificates RA VPN W/E Configuration/System Logs ECDSA SigVer (FIPS 186-4) ECDSA SigVer ECDSA Public Keys RA VPN W/E Configuration/System Logs (FIPS 186-4) RSA SigVer RSA Public Keys RA VPN W/E Configuration/System Logs (FIPS 186-4) Software Provides a method to RSA SigVer Public key for software CO E Configuration/System Logs Update update the software of (FIPS 186-4) content load test the module Note: Includes all keys from Other Configuration Zeroize Destroys all keys in N/A All keys and SSPs CO Z Zeroization indicator the module Self-Test Initiates self-tests and HMAC-SHA2-256, Software integrity CO E System Logs integrity test ECDSA SigVer verification key (FIPS 186-4) Show Status Provides status of the N/A N/A All R LEDs (Hypervisor) module Note: Configuration/System Logs for Approved services above will indicate FIPS-CC mode is enabled, configuration requirements from Section 11 are followed, and that the service succeeded.

  1. Software/Firmware Security The module performs the Software Integrity test by using HMAC-SHA-256 (HMAC Cert. #A3454) during the Pre-Operational Self-Test. In addition, the module also conducts a software load test by using the Public Verification Key (RSA 2048 with SHA-256, Cert. #A3454) for the new validated software to be uploaded into the module. Any software loaded into this module that is not shown on the module certificate is out of scope of this validation, and requires a separate FIPS 140-3 validation.
  2. Operational Environment The module is a modifiable operational environment as per FIPS 140-3 Level 1 specifications. The hypervisor environment provides an isolated operating environment and is the single operator of the virtual machine. The tested operating environments isolate virtual systems into separate isolated process spaces. Each process space is logically separated from all other processes by the operating environments software and hardware. The module functions entirely within the process space of the isolated system as managed by the single operational environment. This implicitly meets the FIPS 140-3 requirement that only one (1) entity at a time can use the cryptographic module.
  3. Physical Security There are no applicable FIPS 140-3 physical security requirements. © 2024 Palo Alto Networks, Inc. PAN-OS 11.0 VM-Series Security Policy 17
Page 18
  1. Non-Invasive Security No Approved non-invasive attack mitigation test metrics are defined at this time.
  2. Sensitive Security Parameters The following table details all the sensitive security parameters utilized by the module. Table 10 - SSPs Key/SSP/Name/Ty Strength Security Function Generation Import/Expo Establishment Storage Zeroization1 Use & Related Keys pe and Cert. Number rt ECDSA/RSA Public key - Used to trust a RSA SigVer (FIPS HDD – Zeroize root CA intermediate 186-4) TLS or SSH Service CA and leaf /end entity

112 bits ECDSA SigVer DRBG, FIPS HDD/RAM –

CA Certificates Session Key N/A RAM - Zeroize at certificates minimum (FIPS 186-4) 186-4 plaintext Encrypted session (RSA 2048, 3072, and termination 4096 bits) Cert. #A3454 (ECDSA P-256, P-384, and P-521) RSA public keys managed as certificates for the TLS or SSH verification of Session Key RSA SigVer signatures,

112 bits DRBG, FIPS Encrypted or HDD/RAM –

RSA Public Keys (FIPS 186-4) N/A Zeroize Service establishment of TLS, minimum 186-4 Plaintext plaintext Cert. #A3454 operator TLS authentication and handshake peer authentication. (RSA 2048, 3072, or 4096-bit) RSA Private keys for HDD

112 bits DRBG, FIPS HDD/RAM –

RSA Private Keys (FIPS 186-4) Session Key N/A RAM - Zeroize at authentication or key minimum 186-4 plaintext Cert. #A3454 Encrypted session establishment. termination (RSA 2048, 3072, or 4096-bit) ECDSA public keys managed as certificates for the TLS or SSH verification of Session Key ECDSA SigVer signatures, ECDSA Public 128 bits DRBG, FIPS Encrypted or HDD/RAM

112 bits RAM - FFC or EC component

Private KAS-FFC-SSC 800-56A N/A N/A session minimum plaintext used in TLS Components Cert. #A3454 Rev. 3 termination (DHE 2048, ECDHE P-256, P-384, P-521) Diffie_Hellman or EC TLS DHE/ECDHE KAS-ECC-SSC DRBG, SP Plaintext - Zeroize at

112 bits Diffie-Hellman

Public KAS-FFC-SSC 800-56A TLS N/A N/A session minimum Ephemeral values used Components Cert. #A3454 Rev. 3 handshake termination in key agreement © 2024 Palo Alto Networks, Inc. PAN-OS 11.0 VM-Series Security Policy 18

Page 19

(DHE 2048, ECDHE P-256, P-384, P-521) Secret value used to TLS v1.2 KDF KAS SP Zeroize at derive the TLS Master TLS Pre-Master RAM

256 bits RAM - TLS connections

TLS HMAC Keys HMAC-SHA2-384 KDF N/A 800-56A Rev. session minimum plaintext (SHA2- 256/384) Cert. #A3454 RFC7627 3 termination (256, 384 bits) Diffie Hellman or EC SSH DHE/ECDHE KAS-ECC-SSC DRBG, SP Zeroize at Diffie-Hellman private

112 bits RAM -

Private KAS-FFC-SSC 800-56A N/A N/A session (DH Group 14, ECDH minimum plaintext Components Cert. #A3454 Rev. 3 termination P-256, ECDH P-384, ECDH P-521) Diffie Hellman or EC Plaintext Diffie-Hellman public SSH DHE/ECDHE KAS-ECC-SSC DRBG, SP Zeroize at

112 bits SSH RAM - component (DH Group

Public KAS-FFC-SSC 800-56A N/A session minimum handshake plaintext 14, ECDH P-256, Components Cert. #A3454 Rev. 3 termination ECDH P-384, ECDH P-521) RSA SigVer SSH Host Public Key (FIPS 186-4) (RSA 2048, RSA 3072, SSH Host Public 112 bits ECDSA SigVer DRBG, FIPS HDD/RAM

4096 bits)

Used in all SSH connections to the security module’s AES-CBC, SSH, KAS SP Zeroize at command line SSH Session 128 bits AES-CTR, or RAM KDF SSH N/A 800-56A Rev. session interface. Encryption Keys minimum AES-GCM plaintext

3 termination (128, 192, or 256 bits:

Cert. #A3454 AES CBC or CTR) (128 or 256 bits: AES GCM) Authentication keys used in all SSH connections to the HMAC-SHA-1 security module’s SSH Session SSH, KAS SP Zeroize at

160 bits HMAC-SHA2-256 RAM - command line

Authentication KDF SSH N/A 800-56A Rev. session minimum HMAC-SHA2-512 plaintext interface Keys 3 termination Cert. #A3454 (HMAC-SHA-1, HMAC-SHA2-256, HMAC-SHA2-512) (160, 256, 512 bits) Diffie-Hellman or EC Diffie-Hellman private S-S VPN IPSec/IKE component used in key KAS-ECC-SSC DBRG, SP DHE or ECDHE 112 bits RAM - establishment KAS-FFC-SSC 800-56A N/A N/A Power cycle Private minimum plaintext (DHE 2048, DHE Cert. #A3454 Rev. 3 Components 3072, DHE 4096, ECDHE P-256, P-384, P-521) Diffie-Hellman or EC Diffie-Hellman public S-S VPN IPSec/IKE component used in key KAS-ECC-SSC DRBG, SP DHE or ECDHE 112 bits RAM - agreement KAS-FFC-SSC 800-56A N/A N/A Power cycle Public minimum plaintext (DHE 2048, DHE Cert. #A3454 Rev. 3 Components 3072, DHE 4096, ECDHE P-256, P-384, P-521) © 2024 Palo Alto Networks, Inc. PAN-OS 11.0 VM-Series Security Policy 19

Page 20

Used to encrypt IKE/IPSec data. These IPSec/IKE, AES-CBC, Zeroize at are AES (128, 192, or S-S VPN IPSec/IKE 128 bits KAS SP RAM AES-GCM KDF IKEv2 N/A session 256 CBC) IKE keys Session Keys minimum 800-56A Rev. plaintext Cert. #A3454 termination and (128, 192 or 256 CBC, 128 or 256 GCM) IPSec keys (HMAC-SHA-1, HMAC-SHA-1 SHA-256, SHA-384 or IPSec/IKE, S-S VPN IPSec/IKE HMAC-SHA2-256 Zeroize at SHA-512) Used to

160 bits KAS SP RAM -

Authentication HMAC-SHA2-384 KDF IKEv2 N/A session authenticate the peer minimum 800-56A Rev. plaintext Keys HMAC-SHA2-512 termination in an IKE/IPSec tunnel Cert. #A3454 connection. (160, 256, 384, 512 bits) PSK used in conjunction with HMAC listed above for Encrypted S-S VPN IPSec HDD/RAM

160 bits N/A N/A session Used in authentication

Authentication Cert. #A3454 DRBG plaintext termination of remote access IPSec data. Used to check the integrity of all HMAC-SHA2-256, software code Software integrity ECDSA SigVer HDD -

128 bits N/A N/A N/A N/A (HMAC-SHA-256 and

verification key (FIPS 186-4) plaintext ECDSA P-256) Cert. #A3454 (Note: This is not considered an SSP) Used to authenticate software/firmware Public key for RSA SigVer HDD - and content to be software content 112 bits (FIPS 186-4) N/A N/A N/A N/A plaintext installed on the load test Cert. #A3454 firewall (RSA 2048 with SHA-256) Encrypted HDD - a Authentication string CO, User, RA VPN SHA2-256 N/A External via SSH or N/A password hash Zeroize Service with a minimum length Password Cert. #A3454 TLS (SHA2-256) of eight (8) characters. Secrets used by Encrypted HDD/RAM

256 bits per N/A N/A Power cycle

String plaintext SP 800-90B Cert. #A3454 Input length = 384 bits CKG (vendor DRBG seed coming affirmed), Counter Entropy as from the entropy DRBG RAM DRBG Seed 256 bits per N/A N/A Power cycle source Plaintext SP 800-90B Cert. #A3454 Seed length = 384 bits CKG (vendor affirmed), Counter AES 256 CTR DRBG Entropy as DRBG RAM - state Key used in the DRBG Key 256 bits per N/A N/A Power cycle plaintext generation of a SP 800-90B Cert. #A3454 random values CKG (vendor Entropy as affirmed), Counter RAM - AES 256 CTR DRBG DRBG V 128 bits per N/A N/A Power cycle DRBG plaintext state V used in the SP 800-90B © 2024 Palo Alto Networks, Inc. PAN-OS 11.0 VM-Series Security Policy 20

Page 21

Cert. #A3454 generation of a random values SNMPv3 Used to support Authentication KDF SNMP Encrypted HDD/RAM

128 bits AES-CFB HDD/RAM - encryption key

Session Key KDF SNMP N/A N/A Zeroize Service minimum Cert. #A3454 Plaintext (AES 128/192/256 CFB) Note: SSPs are implicitly zeroized when power is lost, or explicitly zeroized by the zeroize service. In the case of implicit zeroization, the SSPs are implicitly overwritten with random values due to their ephemeral memory being reset upon power loss. For the zeroization service and zeroization at session termination, the SSP's memory location is overwritten with random values. Table 11 - Non-Deterministic Random Number Generation Specification Entropy Source Minimum number of bits of Details entropy ESV Cert. #E69 Palo Alto Networks DRNG Entropy 256 bits Source Entropy source provides full entropy, which is provided in the 384 bit seed. 10. Self-Tests The cryptographic module performs the following tests below. The operator can command the module to perform the pre-operational and cryptographic algorithm self-tests by cycling power of the module; these tests do not require any additional operator action. Pre-operational Self-Tests Pre-operational Software Integrity Test

Page 22
Page 23
  1. Life-Cycle Assurance The vendor provided life-cycle assurance documentation describes configuration management, design, finite state model, development, testing, delivery & operation, end of life procedures, and guidance. For details regarding the approved mode of operation, see “Approved Mode of Operation''. For details regarding secure installation, initialization, startup, and operation of the module, see below. Installation Instructions The module can be retrieved by downloading PanOS_vm-11.0.3-h12 from the support site: https://support.paloaltonetworks.com/Support/Index, and a checksum (SHA-256) is available to ensure the module is correct: PanOS_vm-11.0.3-h12: 6c3522db244bdd200075038d4eb5fff580c1d49610fab75e7e9f28f65b451017 Alternatively, the VM-Series version can be obtained by running the following commands via CLI (as an authorized administrator): 1. request system software check 2. request system software download version 11.0.3-h12 3. request system software install version 11.0.3-h12 4. request restart system Palo Alto Network provides an Administrator Guide for additional information noted in the “Reference Documents” section of this Security Policy. The module design corresponds to the module security rules noted in the section below. Module Enforced Security Rules This section documents the security rules enforced by the cryptographic module to implement the security requirements of this FIPS 140-3 Level 1 module.
  2. The cryptographic module provides four distinct operator roles. These are the User role, Remote Access VPN role, Site-to-site VPN role, and the Cryptographic Officer role.
  3. The cryptographic module provides identity-based authentication.
  4. The cryptographic module clears previous authentications when a power cycle is performed.
  5. If the cryptographic module remains inactive in any valid role for the administrator specified time interval, the module will automatically log out the operator. The CO will configure the period of inactivity.
  6. When the module has not been placed in a valid role, the operator does not have access to any cryptographic services.
  7. The operator can command the module to perform the power-up self-test by cycling power of the module.
  8. Power-up self-tests do not require any operator action.
  9. Data output is inhibited during power-up self-tests, zeroization, and error states.
  10. Status information does not contain CSPs or sensitive data that if misused could lead to a compromise of the module.
  11. There are no restrictions on which keys or CSPs are zeroized by the zeroization service.
  12. The module does not support a maintenance interface or role.
  13. The module does not have any external input/output devices used for entry/output of data.
  14. The module does not enter or output plaintext CSPs. © 2024 Palo Alto Networks, Inc. PAN-OS 11.0 VM-Series Security Policy 23
Page 24
  1. The module does not output intermediate key generation values.
  2. Pre-shared keys used for IKE/IPsec must be at least 6 bytes in length, but no more than 255 bytes. Vendor Imposed Security Rules In FIPS-CC mode, the following rules shall apply:
  3. The operator should not enable TLSv1.0 or use RSA for key wrapping; it is disabled by default. a. Checked via CLI using “show shared” command
  4. The operator should not enable TLSv1.3, it is disabled by default. a. Checked via CLI using “show profiles” command
  5. If using RADIUS, it must be configured using TLS. a. Checked via CLI using “show shared” command
  6. If using TACACS+, configure the service route via an IPSec tunnel, and ensure the TACACS+ server is configured for a minimum password length of eight (8) characters or greater. a. Checked via CLI using “show deviceconfig” command Failure to follow these Security Rules will cause the module to operate in a non-compliant state. Key to Entity The cryptographic module associates all keys (secret, private, or public) stored within, entered into or output from the module with authenticated operators of the module. Keys stored within the module are only made available to authenticated operators via TLS or SSH. Keys are only input or output from the module by the authenticated operator via a SSH/TLS/IPsec protected communication. Any attempt to intervene in the key to entity relationship would require defeating the module TLS/SSH/IPsec encryption and authentication/integrity mechanism.
  7. Mitigation of Other Attacks The module is not designed to mitigate any specific attacks outside the scope of FIPS 140-3. These requirements are not applicable.
  8. References [FIPS 140-3] FIPS Publication 140-3 Security Requirements for Cryptographic Modules Palo Alto Networks Administrator’s Guide: https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/pan-os/11-0/pan-os-admin/pan-os-admin.pdf
  9. Definitions and Acronyms AES – Advanced Encryption Standard CA – Certificate Authority CLI – Command Line Interface © 2024 Palo Alto Networks, Inc. PAN-OS 11.0 VM-Series Security Policy 24
Page 25

CO