| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 8/20/2026 |
| Caveat | Interim validation. When installed, initialized and configured as specified in Section 11 of the Security Policy |
| Vendor | Palo Alto Networks, Inc. |
| Algorithm | ACVP Cert |
|---|---|
| AES-CBC | A3454 |
| AES-CFB128 | A3454 |
| AES-CTR | A3454 |
| AES-GCM | A3454 |
| Conditioning Component AES-CBC-MAC SP800-90B | A1791 |
| Counter DRBG | A3454 |
| ECDSA KeyGen (FIPS186-4) | A3454 |
| ECDSA KeyVer (FIPS186-4) | A3454 |
| ECDSA SigGen (FIPS186-4) | A3454 |
| ECDSA SigVer (FIPS186-4) | A3454 |
| HMAC-SHA-1 | A3454 |
| HMAC-SHA2-224 | A3454 |
| HMAC-SHA2-256 | A3454 |
| HMAC-SHA2-384 | A3454 |
| HMAC-SHA2-512 | A3454 |
| KAS-ECC-SSC Sp800-56Ar3 | A3454 |
| KAS-FFC-SSC Sp800-56Ar3 | A3454 |
| KDF IKEv2 | A3454 |
| KDF SNMP | A3454 |
| KDF SSH | A3454 |
| RSA KeyGen (FIPS186-4) | A3454 |
| RSA SigGen (FIPS186-4) | A3454 |
| RSA SigVer (FIPS186-4) | A3454 |
| Safe Primes Key Generation | A3454 |
| Safe Primes Key Verification | A3454 |
| SHA-1 | A3454 |
| SHA2-224 | A3454 |
| SHA2-256 | A3454 |
| SHA2-384 | A3454 |
| SHA2-512 | A3454 |
| TLS v1.2 KDF RFC7627 | A3454 |
flowchart LR
%% Deterministic review-risk graph for PAN-OS 11.0 VM-Series
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Update</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>status output<br/>self-test</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for PAN-OS 11.0 VM-Series
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Update</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>status output<br/>self-test</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;PAN-OS 11.0 VM-Series Version: 1.1 Revision Date: June 13, 2024 Palo Alto Networks, Inc. www.paloaltonetworks.com © 2024 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
| # | Section | Page |
|---|
7 Physical Security N/A
8 Non-Invasive Security N/A
12 Mitigation of Other Attacks N/A
Overall Level 1
Table 3 - Vendor Affirmed Operational Environments Operating System Hardware Platform Amazon Web Services (AWS) x86 Architecture Microsoft Azure (Note: Specific processor/hardware is dependent on Google Cloud Platform (GCP) Instance/Machine Type selected for operation system) Operator Porting Rules The CMVP allows user porting of a validated software module to an operational environment which was not included as part of the validation testing. An operator may install and run a VM-series firewall on any general purpose computer (GPC) or platform using the specified hypervisor and operating system on the validation certificate or other compatible operating and/or hypervisor system and affirm the modules continued FIPS 140-3 validation compliance. The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when ported and executed in an operational environment not listed on the validation certificate. Approved Mode of Operation The following procedure will put the module into the Approved mode of operation:
Note: Disabling “FIPS-CC” mode causes a complete factory reset, which is described in the Zeroization section below. Non-Compliant State Failure to follow the directions in the Approved Mode of Operation above or rules noted in Section 11 will result in the module operating in a non-compliant state, which is considered out of scope of this validation. Zeroization To perform the zeroization service, follow the procedure below:
AES-GCM GCM** Encryption A3454 [SP 800-38D] Decryption AES 256 bits with Counter DRBG A3454 CTR DRBG Derivation Function Random Bit Generator [SP 800-90Arev1] Enabled ECDSA KeyGen Key Generation A3454 ECDSA KeyGen P-256, P-384, P-521 (FIPS 186-4) ECDSA KeyVer (FIPS Public Key Validation A3454 ECDSA KeyVer P-256, P-384, P-521 186-4) P-256, P-384, P-521 with ECDSA SigGen (FIPS Signature Generation A3454 ECDSA SigGen SHA2-224, SHA2-256, 186-4) SHA2-384, and SHA2-512 P-256, P-384, P-521 with A3454 ECDSA SigVer (FIPS 186-4) ECDSA SigVer Signature Verification SHA-1, SHA2-224, © 2024 Palo Alto Networks, Inc. PAN-OS 11.0 VM-Series Security Policy 5
SHA2-256, SHA2-384, and SHA2-512 A3454 HMAC-SHA-1 with λ=96, Authentication for HMAC-SHA-1 [FIPS 198-1] HMAC
A3454 HMAC-SHA2-224 with HMAC-SHA2-224 Authentication for HMAC λ=224 [FIPS 198-1] protocols A3454 HMAC-SHA2-256 HMAC-SHA2-256 with Authentication for HMAC [FIPS 198-1] λ=256 protocols A3454 HMAC-SHA2-384 HMAC-SHA2-384 with Authentication for HMAC [FIPS 198-1] λ=384 protocols A3454 HMAC-SHA2-512 HMAC-SHA2-512 with Authentication for HMAC [FIPS 198-1] λ=512 protocols KAS-ECC-SSC KAS P-256/P-384/P-521 A3454 Key Exchange Sp800-56Ar3 KAS-FFC-SSC SP A3454 KAS MODP-2048/3072/4096 Key Exchange 800-56Ar3 KDF IKEv2 [SP SHA2-256, SHA2-384, A3454 IKEv2 KDF IKEv2 800-135rev1] (CVL) SHA2-512 Engine ID: KDF SNMP [SP A3454 SNMPv3 KDF 80001F88043030303030 SNMPv3 800-135rev1] (CVL) 343935323630 KDF SSH [SP 800-135rev1] SHA-1, SHA2-256, A3454 SSHv2 KDF SSH (CVL) SHA2-512 TLS v1.2 KDF RFC7627 TLS1.2 KDF TLS v1.2 Hash Algorithm: A3454 TLS (CVL) SHA2-256, SHA2-384 RSA KeyGen RSA KeyGen Key Pair Generation A3454 2048, 3072, and 4096 bits (FIPS 186-4) (FIPS 186-4) RSA SigGen RSA SigGen 2048, 3072, and 4096-bit Signature Generation A3454 (FIPS 186-4) (FIPS 186-4) with hashes 256/384/512 2048, 3072, 4096-bit (per IG C.F) with hashes SHA-1/224+++/256/384/5 RSA SigVer RSA SigVer 12 (Signature Verification) A3454 Signature Verification (FIPS 186-4) (FIPS 186-4) +++ This Hash algorithm is not supported for ANSI X9.31 Digital Signature Generation/Verification SHA-1 A3454 SHA-1 [FIPS 180-4] SHA Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification A3454 SHA2-224 [FIPS 180-4] SHA2 SHA-224 Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification A3454 SHA2-256 [FIPS 180-4] SHA2 SHA-256 Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature A3454 SHA2-384 [FIPS 180-4] SHA2 SHA-384 Generation/Verification © 2024 Palo Alto Networks, Inc. PAN-OS 11.0 VM-Series Security Policy 6
Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification A3454 SHA2-512 [FIPS 180-4] SHA2 SHA-512 Non-Digital Signature Applications (e.g. component of HMAC) Safe Primes Key Safe Primes Key MODP-2048, Safe Primes Key A3454 Generation [RFC 3526] Generation MODP-3072, MODP-4096 Generation Safe Primes Key Safe Primes Key MODP-2048, Safe Primes Key A3454 Verification [RFC 3526] Verification MODP-3072, MODP-4096 Verification AES-CBC or AES-CTR plus SP 800-38A and FIPS HMAC AES Cert. #A3454 and KTS 198-1. KTS (key wrapping 128, 192, and 256-bit keys Key Wrapping HMAC Cert. #A3454 [SP 800-38F] and unwrapping) per IG providing 128, 192, or 256 D.G. bits of encryption strength SP 800-38D and SP AES-GCM KTS 800-38F. KTS (key 128 and 256-bit keys AES-GCM Cert. A3454 Key Wrapping [SP 800-38F] wrapping and unwrapping) providing 128 or 256 bits per IG D.G. of encryption strength Palo Alto Networks DRNG ESV Cert. #E69 SP 800-90B ESV Entropy Entropy Source KAS-ECC-SSC Cert. SP 800-56Arev3. KAS-ECC P-256 and P-384 curves Key Exchange with #A3454, KDF IKEv2 Cert. KAS [SP 800-56Arev3] per IG D.F Scenario 2 path providing 128 or 192 bits protocol KDF #A3454 (2). of encryption strength KAS-ECC-SSC Cert. P-256, P-384, and P-521 SP 800-56Arev3. KAS-ECC #A3454, KDF SSH Cert. curves providing 128, 192, Key Exchange with KAS [SP 800-56Arev3] per IG D.F Scenario 2 path #A3454 or 256 bits of encryption protocol KDF (2). strength KAS-ECC-SSC Cert. P-256, P-384, and P-521 SP 800-56Arev3. KAS-ECC #A3454, TLS v1.2 KDF curves providing 128, 192, Key Exchange with KAS [SP 800-56Arev3] per IG D.F Scenario 2 path RFC7627 Cert. #A3454 or 256 bits of encryption protocol KDF (2). strength KAS-FFC-SSC Cert. 2048, 3072, and 4096-bit SP 800-56Arev3. KAS-FFC #A3454, KDF IKEv2 Cert. keys providing 112, 128, or Key Exchange with KAS [SP 800-56Arev3] per IG D.F Scenario 2 path #A3454 150 bits of encryption protocol KDF (2). strength KAS-FFC-SSC Cert. SP 800-56Arev3. KAS-FFC 2048-bit key providing 112 Key Exchange with #A3454, KDF SSH Cert. KAS [SP 800-56Arev3] per IG D.F Scenario 2 path bits of encryption strength protocol KDF #A3454 (2). KAS-FFC-SSC Cert. SP 800-56Arev3. KAS-FFC 2048-bit key providing 112 Key Exchange with #A3454, TLS v1.2 KDF KAS [SP 800-56Arev3] per IG D.F Scenario 2 path bits of encryption strength protocol KDF RFC7627 Cert. #A3454 (2). Key Generation Note: Symmetric keys and Cryptographic Key the seeds used for Vendor CKG Section 5.1, Section 5.2 Generation; SP 800- asymmetric key pair Affirmed (SP 800-133rev2)
using the unmodified/direct output of the DRBG
part of the IV exhausts all possible values for a given session key, that a new TLS handshake is initiated per sections 7.4.1.1 and 7.4.1.2 of RFC 5246. During operational testing, the module was tested against an independent version of TLS and found to behave correctly.
Cryptographic Boundary The PAN-OS 11.0 VM-Series is a software cryptographic module and requires an underlying general purpose computer (GPC) environment. The module consists of a GPC (multi-chip standalone embodiment) with the cryptographic boundary defined below. The cryptographic boundary (CB) includes all of the software components of the module, which is included in the file name in Section 11 (PanOS_vm-11.0.3-h12) and also the configuration file that resides on the virtual machine’s virtual disk. The physical perimeter (PP) is defined by the enclosure around the host GPC on which it runs. Figure 1 depicts the boundary and illustrates the hardware components of a GPC. Figure 1 - Cryptographic Boundary 3. Cryptographic Module Interfaces The module is a software only module that operates on a general purpose computing (GPC) platform. The physical ports and logical interfaces are consistent with a GPC operating environment. The module supports the following FIPS 140-3 logical interfaces: Table 6 - Ports and Interfaces Physical Port Logical Interface Data that passes over port/interface Power Power In Power supplies Console, GPC I/O Status Output Self-test status output Ethernet Data input, control input, HTTPS, TLS, SNMP, IPsec, and SSH traffic data. data output, status output The module does not support a Control Output interface. © 2024 Palo Alto Networks, Inc. PAN-OS 11.0 VM-Series Security Policy 9
The module’s physical and electrical characteristics, manual controls, and physical indicators are provided by the host GPC; the hypervisors provide virtualized ports and interfaces which map to the GPCs’ physical ports and interfaces (i.e., network interfaces and GPC inputs/outputs). 4. Roles, Services, and Authentication Roles and Services While in the Approved mode of operation, all CO and User services are accessed via SSH or TLS sessions. Approved and allowed algorithms, relevant CSPs and public keys related to these protocols are accessed to support the following services. CSP access by services is further described in the following tables. Table 7 - Roles, Service Commands, Input and Output Role Service Input Output Crypto Officer Show Version Query module for version Module provides version Crypto Officer, Security Configuration Configuring and managing Confirmation of service User Management cryptographic parameters and via Configuration Logs setting/modifying security policy, including creating User accounts and additional CO accounts via CLI or WebUI Crypto Officer Other Configuration Networking parameter Confirmation of service configuration, logging configuration, via Configuration Logs and other non-security relevant configuration via CLI or WebUI Crypto Officer, View Other Query module for current Confirmation of service User Configuration non-security relevant configuration via Configuration Logs via WebUI or CLI Crypto Officer, Show Status Query status and version of the Module status information User, RA VPN, module via WebUI or CLI via CLI or System Logs S-S VPN RA VPN, S-S VPN VPN Initialize VPN connection Confirmation of service via System Logs Crypto Officer Software Update Loading new image Message output noting version updated successfully Unauthenticated Zeroize Initiate zeroization command The device will overwrite all CSPs and provide status of completion Unauthenticated Power cycling the module Self-test status output via Self-Tests system logs Unauthenticated Show Status View status of the module via Module status via the (Hypervisor) hypervisor. hypervisor © 2024 Palo Alto Networks, Inc. PAN-OS 11.0 VM-Series Security Policy 10
The zeroization procedure is invoked when the operator initiates the service. The operator must be in control of the module during the entire procedure to ensure that it has successfully completed. During the zeroization procedure, no other services are available. Note: Additional information on the configuration options the module provides can be found at https://docs.paloaltonetworks.com/ Assumption of Roles The modules support four distinct operator roles, User and Cryptographic Officer (CO), Remote Access VPN, and Site-to-site VPN. The cryptographic modules enforce the separation of roles using unique authentication credentials associated with operator accounts. The modules do not provide a maintenance role or bypass capability. The modules all support the use of a password (i.e. Memorized Secret as per SP 800-140E). Upon first boot, the module requires that the Cryptographic Officer change the password from the default one to a custom one. The module automatically enforces a minimum password length of at least 8 characters. In “FIPS-CC” mode, the module automatically enforces a maximum of 10 failed attempts. Passwords stored in the module are hashed using SHA-256, and any passwords that are transported into/out of the module are protected via TLS 1.2. Table 8
successfully authenticating to the module within a one minute period is 60,000,000/(2112), which is less than 1/100,000. The firewall supports at most 60,000,000 new sessions per second to authenticate in a one-minute period. Site-to-Site VPN (S-S VPN) IKE/IPSec Pre-shared keys - The pre-shared key authentication method Identification with the IP Address and has a minimum security strength2 of 956. The authentication with the Pre-Shared probability of successfully authenticating to Key or certificate based the module is 1/(956), which is less than authentication 1/1,000,000. The number of authentication attempts is limited by the number of new connections per second supported (120,000) on the fastest platform of the Palo Alto Networks firewalls. The probability of successfully authenticating to the module within a one minute period is 7,200,000/(956), which is less than 1/100,000. The security modules support public-key based authentication using RSA 2048 and certificate-based authentication using RSA 2048, RSA 3072, RSA 4096, ECDSA P-256, P-384, or P-521. The minimum equivalent strength supported is 112 bits. The probability that a random attempt will succeed is 1/(2112) which is less than 1/1,000,000. The probability of successfully authenticating to the module within a one minute period is 60,000,000/(2112), which is less than 1/100,000. The firewall supports at most 60,000,000 new sessions per second to authenticate in a one-minute period. Definition of CSPs Modes of Access The following table defines the relationship between access to CSPs and the different module services. The modes of access shown in the table are defined as: Note: The security strength (956) is based on the use of ASCII characters that are utilized, which surpasses the 6 character random number password allowance that sets a baseline minimum acceptable strength of 106. © 2024 Palo Alto Networks, Inc. PAN-OS 11.0 VM-Series Security Policy 12
G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g. the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP. Table 9 - Approved Services Service Description Approved Security Keys and/or SSPs Roles Access rights to Indicator Functions Keys and/or SSPs Show Version Query the module to N/A N/A CO N/A Version displayed via System display the version Logs / CLI / UI Security Configuring and CKG RSA Private Keys CO G/W/E Configuration/System Logs Configuration managing RSA KeyGen (FIPS 186-4) Management cryptographic RSA SigGen (FIPS 186-4) parameters and CKG ECDSA Private Keys CO G/W/E Configuration/System Logs ECDSA KeyGen setting/modifying (FIPS 186-4) security policy, ECDSA SigGen including creating (FIPS 186-4) User accounts and KAS TLS v1.2 KDF TLS Pre-Master Secret CO G/E/Z Configuration/System Logs additional CO RFC7627 accounts TLS v1.2 KDF TLS Master Secret CO G/E/Z Configuration/System Logs RFC7627 CKG, TLS DHE/ECDHE Private G/E/Z ECDSA Components CO Configuration/System Logs KeyGen (FIPS TLS DHE/ECDHE Public G/E/R/W/Z 186-4), Components ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC, KAS-FFC-SSC, Safe Primes Key Generation, Safe Primes Key Verification KTS HMAC-SHA2- TLS HMAC Keys CO G/E/Z Configuration/System Logs HMAC-SHA2AES-CBC TLS Encryption Keys CO G/E/Z Configuration/System Logs KTS AES-GCM KTS HMAC-SHA-1 SSH Session CO G/E/Z Configuration/System Logs HMAC-SHA2- Authentication Keys HMAC-SHA2AES-CBC, SSH Session Encryption CO G/E/Z Configuration/System Logs AES-CTR Keys KTS AES-GCM KAS KDF SSH SSH DHE/ECDHE CO G/E/Z Configuration/System Logs Private Components KAS-ECC-SSC KAS-FFC-SSC SSH DHE/ECDHE Public G/E/R/W/Z Safe Primes Components Key Generation, Safe Primes Key Verification N/A CO, User, RA VPN CO G/E/W Configuration/System Logs Password Counter DRBG, ESV Entropy Input String CO G/E Configuration/System Logs DRBG Seed DRBG V © 2024 Palo Alto Networks, Inc. PAN-OS 11.0 VM-Series Security Policy 13
DRBG Key KDF SNMP SNMPv3 Authentication CO W/E Configuration/System Logs Secret KDF SNMP SNMPv3 Privacy Secret CO W/E Configuration/System Logs HMAC-SHA-1 Authentication Key CO G/E/Z Configuration/System Logs HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 AES-CFB128 Session Key CO G/E/Z Configuration/System Logs N/A Protocol Secrets CO W/E Configuration/System Logs RSA SigVer (FIPS 186-4) CA Certificates CO G/R/E/W Configuration/System Logs ECDSA SigVer (FIPS 186-4) ECDSA SigVer ECDSA Public Keys CO G/R/E/W Configuration/System Logs (FIPS 186-4) RSA SigVer RSA Public Keys CO G/R/E/W Configuration/System Logs (FIPS 186-4) RSA SigVer (FIPS 186-4) SSH Host Public Key CO G/R/E/W Configuration/System Logs ECDSA SigVer (FIPS 186-4) RSA SigVer (FIPS 186-4) SSH Client Public Key CO W/E Configuration/System Logs RSA SigVer (FIPS 186-4) Public key for software CO W/E Configuration/System Logs load test Other Networking RSA SigGen RSA Private Keys CO G/W/E Configuration/System Logs Configuration parameter (FIPS 186-4) configuration, logging ECDSA SigGen ECDSA Private Keys CO G/W/E Configuration/System Logs configuration, and (FIPS 186-4) KAS TLS v1.2 KDF TLS Pre-Master Secret CO G/E/Z Configuration/System Logs other non-security RFC7627 relevant configuration TLS v1.2 KDF TLS Master Secret CO G/E/Z Configuration/System Logs RFC7627 CKG, TLS DHE/ECDHE Private CO G/E/Z Configuration/System Logs ECDSA Components KeyGen (FIPS TLS DHE/ECDHE Public G/E/R/W/Z 186-4), Components ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC, KAS-FFC-SSC, Safe Primes Key Generation, Safe Primes Key Verification HMAC-SHA2-256 TLS HMAC Keys CO G/E/Z Configuration/System Logs HMAC-SHA2-384 AES-CBC or AES-GCM TLS Encryption Keys CO G/E/Z Configuration/System Logs HMAC-SHA-1 SSH Session CO G/Z Configuration/System Logs HMAC-SHA2-256 Authentication Keys HMAC-SHA2-512 AES-CBC, AES-CTR, or SSH Session Encryption CO G/E/Z Configuration/System Logs AES-GCM Keys KAS KDF SSH SSH DHE/ECDHE CO G/E/Z Configuration/System Logs Private Components CKG, ECDSA G/E/R/W/Z KeyGen (FIPS SSH DHE/ECDHE Public 186-4), Components ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC, KAS-FFC-SSC, Safe Primes Key Generation, Safe Primes Key Verification © 2024 Palo Alto Networks, Inc. PAN-OS 11.0 VM-Series Security Policy 14
N/A CO, User, RA VPN CO G/E/W Configuration/System Logs Password RSA SigVer (FIPS 186-4) CA Certificates CO G/R/E/W Configuration/System Logs ECDSA SigVer (FIPS 186-4) ECDSA SigVer ECDSA Public Keys CO G/R/E/W Configuration/System Logs (FIPS 186-4) RSA SigVer RSA Public Keys CO G/R/E/W Configuration/System Logs (FIPS 186-4) RSA SigVer (FIPS 186-4) SSH Host Public Key CO G/R/E/W Configuration/System Logs ECDSA SigVer (FIPS 186-4) RSA SigVer (FIPS 186-4) SSH Client Public Key CO W/E Configuration/System Logs Counter DRBG, ESV DRBG Seed CO G/E Configuration/System Logs DRBG V DRBG Key Entropy Input String View Other Read-only of N/A CO, User, RA VPN CO, User W/E Configuration/System Logs Configuration non-security relevant Password configuration Note: includes all items in “Other Configuration” Show Status Provides status RSA SigGen (FIPS 186-4) RSA Private Keys CO, User E Configuration/System Logs information of the module ECDSA SigGen ECDSA Private Keys CO, User E Configuration/System Logs (FIPS 186-4) KAS TLS v1.2 KDF TLS Pre-Master Secret CO, User G/E/Z Configuration/System Logs RFC7627 TLS v1.2 KDF TLS Master Secret CO, User G/E/Z Configuration/System Logs RFC7627 CKG, TLS DHE/ECDHE Private CO, User G/E/Z Configuration/System Logs ECDSA Components KeyGen (FIPS TLS DHE/ECDHE Public G/E/R/W/Z 186-4), Components ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC, KAS-FFC-SSC, Safe Primes Key Generation, Safe Primes Key Verification HMAC-SHA2-256 TLS HMAC Keys CO, User G/E/Z Configuration/System Logs HMAC-SHA2-384 AES-CBC or AES-GCM TLS Encryption Keys CO, User G/E/Z Configuration/System Logs HMAC-SHA-1 SSH Session CO, User G/E/Z Configuration/System Logs HMAC-SHA2-256 Authentication Keys HMAC-SHA2-512 AES-CBC, AES-CTR, or SSH Session Encryption CO, User G/E/Z Configuration/System Logs AES-GCM Keys KAS KDF SSH SSH DHE Public/Private CO, User G/E/Z Configuration/System Logs CKG, Components ECDSA SSH ECDHE G/E/R/W/Z KeyGen (FIPS Public/Private 186-4), Components ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC, KAS-FFC-SSC, Safe Primes Key Generation, Safe Primes Key Verification © 2024 Palo Alto Networks, Inc. PAN-OS 11.0 VM-Series Security Policy 15
Counter DRBG, ESV DRBG Seed CO G/E Configuration/System Logs DRBG V DRBG Key Entropy Input String VPN Provide network HMAC-SHA-1 S-S VPN IPSec/IKE S-S VPN G/E/Z Configuration/System Logs access for remote KTS HMAC-SHA2- Authentication Keys users or site-to-site 256 HMAC-SHA2connection HMAC-SHA2AES-CBC S-S VPN IPSec/IKE S-S VPN G/E/Z Configuration/System Logs KTS AES-GCM Session Keys KAS KDF IKEv2 S-S VPN IPSec/IKE S-S VPN G/E/Z Configuration/System Logs DHE/ECDHE Private CKG, Components ECDSA KeyGen (FIPS G/E/R/W/Z 186-4), ECDSA S-S VPN IPSec/IKE KeyVer (FIPS DHE/ECDHE Public 186-4), Components KAS-ECC-SSC, KAS-FFC-SSC, Safe Primes Key Generation, Safe Primes Key Verification N/A S-S VPN IPSec S-S VPN W/E Configuration/System Logs Pre-Shared Keys ECDSA SigVer ECDSA Public Keys S-S VPN W/E Configuration/System Logs (FIPS 186-4) RSA SigVer RSA Public Keys S-S VPN W/E Configuration/System Logs (FIPS 186-4) Counter DRBG, ESV DRBG Seed CO G/E Configuration/System Logs DRBG V DRBG Key Entropy Input String VPN Provide network RSA SigGen RSA Private Keys RA VPN E Configuration/System Logs access for remote (FIPS 186-4) users or site-to-site ECDSA SigGen ECDSA Private Keys RA VPN E Configuration/System Logs connection (FIPS 186-4) KAS TLS v1.2 KDF TLS Pre-Master Secret RA VPN G/E/Z Configuration/System Logs RFC7627 TLS v1.2 KDF TLS Master Secret G/E/Z RFC7627 CKG, TLS DHE/ECDHE Public RA VPN G/E/R/W/Z Configuration/System Logs ECDSA Components KeyGen (FIPS TLS DHE/ECDHE Private RA VPN G/E/Z Configuration/System Logs 186-4), Components ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC, KAS-FFC-SSC, Safe Primes Key Generation, Safe Primes Key Verification KTS HMAC-SHA2- TLS HMAC Keys RA VPN G/E/Z Configuration/System Logs HMAC-SHA2AES-CBC TLS Encryption Keys RA VPN G/E/Z Configuration/System Logs KTS AES-GCM CKG, RA VPN IPSec Session RA VPN G/E/Z Configuration/System Logs AES-CBC or AES-GCM Keys CKG, RA VPN IPSec RA VPN G/E/Z Configuration/System Logs HMAC-SHA-1 Authentication © 2024 Palo Alto Networks, Inc. PAN-OS 11.0 VM-Series Security Policy 16
Counter DRBG, ESV Entropy Input String RA VPN G/E Configuration/System Logs DRBG Seed DRBG V DRBG Key RSA SigVer (FIPS 186-4)) CA Certificates RA VPN W/E Configuration/System Logs ECDSA SigVer (FIPS 186-4) ECDSA SigVer ECDSA Public Keys RA VPN W/E Configuration/System Logs (FIPS 186-4) RSA SigVer RSA Public Keys RA VPN W/E Configuration/System Logs (FIPS 186-4) Software Provides a method to RSA SigVer Public key for software CO E Configuration/System Logs Update update the software of (FIPS 186-4) content load test the module Note: Includes all keys from Other Configuration Zeroize Destroys all keys in N/A All keys and SSPs CO Z Zeroization indicator the module Self-Test Initiates self-tests and HMAC-SHA2-256, Software integrity CO E System Logs integrity test ECDSA SigVer verification key (FIPS 186-4) Show Status Provides status of the N/A N/A All R LEDs (Hypervisor) module Note: Configuration/System Logs for Approved services above will indicate FIPS-CC mode is enabled, configuration requirements from Section 11 are followed, and that the service succeeded.
112 bits ECDSA SigVer DRBG, FIPS HDD/RAM –
CA Certificates Session Key N/A RAM - Zeroize at certificates minimum (FIPS 186-4) 186-4 plaintext Encrypted session (RSA 2048, 3072, and termination 4096 bits) Cert. #A3454 (ECDSA P-256, P-384, and P-521) RSA public keys managed as certificates for the TLS or SSH verification of Session Key RSA SigVer signatures,
112 bits DRBG, FIPS Encrypted or HDD/RAM –
RSA Public Keys (FIPS 186-4) N/A Zeroize Service establishment of TLS, minimum 186-4 Plaintext plaintext Cert. #A3454 operator TLS authentication and handshake peer authentication. (RSA 2048, 3072, or 4096-bit) RSA Private keys for HDD
112 bits DRBG, FIPS HDD/RAM –
RSA Private Keys (FIPS 186-4) Session Key N/A RAM - Zeroize at authentication or key minimum 186-4 plaintext Cert. #A3454 Encrypted session establishment. termination (RSA 2048, 3072, or 4096-bit) ECDSA public keys managed as certificates for the TLS or SSH verification of Session Key ECDSA SigVer signatures, ECDSA Public 128 bits DRBG, FIPS Encrypted or HDD/RAM
112 bits RAM - FFC or EC component
Private KAS-FFC-SSC 800-56A N/A N/A session minimum plaintext used in TLS Components Cert. #A3454 Rev. 3 termination (DHE 2048, ECDHE P-256, P-384, P-521) Diffie_Hellman or EC TLS DHE/ECDHE KAS-ECC-SSC DRBG, SP Plaintext - Zeroize at
112 bits Diffie-Hellman
Public KAS-FFC-SSC 800-56A TLS N/A N/A session minimum Ephemeral values used Components Cert. #A3454 Rev. 3 handshake termination in key agreement © 2024 Palo Alto Networks, Inc. PAN-OS 11.0 VM-Series Security Policy 18
(DHE 2048, ECDHE P-256, P-384, P-521) Secret value used to TLS v1.2 KDF KAS SP Zeroize at derive the TLS Master TLS Pre-Master RAM
256 bits RAM - TLS connections
TLS HMAC Keys HMAC-SHA2-384 KDF N/A 800-56A Rev. session minimum plaintext (SHA2- 256/384) Cert. #A3454 RFC7627 3 termination (256, 384 bits) Diffie Hellman or EC SSH DHE/ECDHE KAS-ECC-SSC DRBG, SP Zeroize at Diffie-Hellman private
Private KAS-FFC-SSC 800-56A N/A N/A session (DH Group 14, ECDH minimum plaintext Components Cert. #A3454 Rev. 3 termination P-256, ECDH P-384, ECDH P-521) Diffie Hellman or EC Plaintext Diffie-Hellman public SSH DHE/ECDHE KAS-ECC-SSC DRBG, SP Zeroize at
112 bits SSH RAM - component (DH Group
Public KAS-FFC-SSC 800-56A N/A session minimum handshake plaintext 14, ECDH P-256, Components Cert. #A3454 Rev. 3 termination ECDH P-384, ECDH P-521) RSA SigVer SSH Host Public Key (FIPS 186-4) (RSA 2048, RSA 3072, SSH Host Public 112 bits ECDSA SigVer DRBG, FIPS HDD/RAM
Used in all SSH connections to the security module’s AES-CBC, SSH, KAS SP Zeroize at command line SSH Session 128 bits AES-CTR, or RAM KDF SSH N/A 800-56A Rev. session interface. Encryption Keys minimum AES-GCM plaintext
Cert. #A3454 AES CBC or CTR) (128 or 256 bits: AES GCM) Authentication keys used in all SSH connections to the HMAC-SHA-1 security module’s SSH Session SSH, KAS SP Zeroize at
160 bits HMAC-SHA2-256 RAM - command line
Authentication KDF SSH N/A 800-56A Rev. session minimum HMAC-SHA2-512 plaintext interface Keys 3 termination Cert. #A3454 (HMAC-SHA-1, HMAC-SHA2-256, HMAC-SHA2-512) (160, 256, 512 bits) Diffie-Hellman or EC Diffie-Hellman private S-S VPN IPSec/IKE component used in key KAS-ECC-SSC DBRG, SP DHE or ECDHE 112 bits RAM - establishment KAS-FFC-SSC 800-56A N/A N/A Power cycle Private minimum plaintext (DHE 2048, DHE Cert. #A3454 Rev. 3 Components 3072, DHE 4096, ECDHE P-256, P-384, P-521) Diffie-Hellman or EC Diffie-Hellman public S-S VPN IPSec/IKE component used in key KAS-ECC-SSC DRBG, SP DHE or ECDHE 112 bits RAM - agreement KAS-FFC-SSC 800-56A N/A N/A Power cycle Public minimum plaintext (DHE 2048, DHE Cert. #A3454 Rev. 3 Components 3072, DHE 4096, ECDHE P-256, P-384, P-521) © 2024 Palo Alto Networks, Inc. PAN-OS 11.0 VM-Series Security Policy 19
Used to encrypt IKE/IPSec data. These IPSec/IKE, AES-CBC, Zeroize at are AES (128, 192, or S-S VPN IPSec/IKE 128 bits KAS SP RAM AES-GCM KDF IKEv2 N/A session 256 CBC) IKE keys Session Keys minimum 800-56A Rev. plaintext Cert. #A3454 termination and (128, 192 or 256 CBC, 128 or 256 GCM) IPSec keys (HMAC-SHA-1, HMAC-SHA-1 SHA-256, SHA-384 or IPSec/IKE, S-S VPN IPSec/IKE HMAC-SHA2-256 Zeroize at SHA-512) Used to
Authentication HMAC-SHA2-384 KDF IKEv2 N/A session authenticate the peer minimum 800-56A Rev. plaintext Keys HMAC-SHA2-512 termination in an IKE/IPSec tunnel Cert. #A3454 connection. (160, 256, 384, 512 bits) PSK used in conjunction with HMAC listed above for Encrypted S-S VPN IPSec HDD/RAM
160 bits N/A N/A session Used in authentication
Authentication Cert. #A3454 DRBG plaintext termination of remote access IPSec data. Used to check the integrity of all HMAC-SHA2-256, software code Software integrity ECDSA SigVer HDD -
128 bits N/A N/A N/A N/A (HMAC-SHA-256 and
verification key (FIPS 186-4) plaintext ECDSA P-256) Cert. #A3454 (Note: This is not considered an SSP) Used to authenticate software/firmware Public key for RSA SigVer HDD - and content to be software content 112 bits (FIPS 186-4) N/A N/A N/A N/A plaintext installed on the load test Cert. #A3454 firewall (RSA 2048 with SHA-256) Encrypted HDD - a Authentication string CO, User, RA VPN SHA2-256 N/A External via SSH or N/A password hash Zeroize Service with a minimum length Password Cert. #A3454 TLS (SHA2-256) of eight (8) characters. Secrets used by Encrypted HDD/RAM
256 bits per N/A N/A Power cycle
String plaintext SP 800-90B Cert. #A3454 Input length = 384 bits CKG (vendor DRBG seed coming affirmed), Counter Entropy as from the entropy DRBG RAM DRBG Seed 256 bits per N/A N/A Power cycle source Plaintext SP 800-90B Cert. #A3454 Seed length = 384 bits CKG (vendor affirmed), Counter AES 256 CTR DRBG Entropy as DRBG RAM - state Key used in the DRBG Key 256 bits per N/A N/A Power cycle plaintext generation of a SP 800-90B Cert. #A3454 random values CKG (vendor Entropy as affirmed), Counter RAM - AES 256 CTR DRBG DRBG V 128 bits per N/A N/A Power cycle DRBG plaintext state V used in the SP 800-90B © 2024 Palo Alto Networks, Inc. PAN-OS 11.0 VM-Series Security Policy 20
Cert. #A3454 generation of a random values SNMPv3 Used to support Authentication KDF SNMP Encrypted HDD/RAM
128 bits AES-CFB HDD/RAM - encryption key
Session Key KDF SNMP N/A N/A Zeroize Service minimum Cert. #A3454 Plaintext (AES 128/192/256 CFB) Note: SSPs are implicitly zeroized when power is lost, or explicitly zeroized by the zeroize service. In the case of implicit zeroization, the SSPs are implicitly overwritten with random values due to their ephemeral memory being reset upon power loss. For the zeroization service and zeroization at session termination, the SSP's memory location is overwritten with random values. Table 11 - Non-Deterministic Random Number Generation Specification Entropy Source Minimum number of bits of Details entropy ESV Cert. #E69 Palo Alto Networks DRNG Entropy 256 bits Source Entropy source provides full entropy, which is provided in the 384 bit seed. 10. Self-Tests The cryptographic module performs the following tests below. The operator can command the module to perform the pre-operational and cryptographic algorithm self-tests by cycling power of the module; these tests do not require any additional operator action. Pre-operational Self-Tests Pre-operational Software Integrity Test
CO