| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Historical |
| Caveat | Interim Validation. When installed, initialized and configured as specified in Section 11 of the Security Policy |
| Vendor | Palo Alto Networks, Inc. |
| Algorithm | ACVP Cert |
|---|---|
| AES-CBC | A2907 |
| AES-CFB128 | A2907 |
| AES-CTR | A2907 |
| AES-GCM | A2907 |
| Conditioning Component AES-CBC-MAC SP800-90B | A1791 |
| Counter DRBG | A2907 |
| ECDSA KeyGen (FIPS186-4) | A2907 |
| ECDSA KeyVer (FIPS186-4) | A2907 |
| ECDSA SigGen (FIPS186-4) | A2907 |
| ECDSA SigVer (FIPS186-4) | A2907 |
| HMAC-SHA-1 | A2907 |
| HMAC-SHA2-224 | A2907 |
| HMAC-SHA2-256 | A2907 |
| HMAC-SHA2-384 | A2907 |
| HMAC-SHA2-512 | A2907 |
| KAS-ECC-SSC Sp800-56Ar3 | A2907 |
| KAS-FFC-SSC Sp800-56Ar3 | A2907 |
| KDF SNMP | A2907 |
| KDF SSH | A2907 |
| KDF TLS | A2907 |
| RSA KeyGen (FIPS186-4) | A2907 |
| RSA SigGen (FIPS186-4) | A2907 |
| RSA SigVer (FIPS186-4) | A2907 |
| Safe Primes Key Generation | A2907 |
| Safe Primes Key Verification | A2907 |
| SHA-1 | A2907 |
| SHA2-224 | A2907 |
| SHA2-256 | A2907 |
| SHA2-384 | A2907 |
| SHA2-512 | A2907 |
flowchart LR
%% Deterministic review-risk graph for Panorama Virtual Appliance 10.2
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Update</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>status output<br/>self-test</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Panorama Virtual Appliance 10.2
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Update</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>status output<br/>self-test</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;Panorama Virtual Appliance 10.2 Version: 1.2 Revision Date: August 28, 2024 Palo Alto Networks, Inc. www.paloaltonetworks.com © 2024 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
| # | Section | Page |
|---|
Overall Level 1
Table 3
Non-Compliant State Failure to follow the directions in the Approved Mode of Operation above and Section 11 will result in the module operating in a non-compliant state. Selecting Panorama, Management-Only, and Log Collector System Modes The Panorama VM supports multiple configurations that provide varying services. The Cryptographic Officer can initialize the module into different System Mode. The module supports the following System Modes:
Approved and Allowed Algorithms The cryptographic modules support the following Approved algorithms. Only the algorithms, modes, and key sizes specified in this table are used by the module. The CAVP certificate may contain more tested options than listed in this table. Table 4
AES-GCM GCM** Encryption A2907 [SP 800-38D] Decryption Counter DRBG A2907 Counter DRBG AES 256 bits with Derivation Function Enabled Random Bit Generator [SP 800-90Arev1] ECDSA KeyGen ECDSA KeyGen Key Generation A2907 P-256, P-384, P-521 (FIPS 186-4) (FIPS 186-4) ECDSA KeyVer ECDSA KeyVer Public Key Validation A2907 P-256, P-384, P-521 (FIPS 186-4) (FIPS 186-4) ECDSA SigGen ECDSA SigGen P-256, P-384, P-521 with SHA2-224, SHA2-256, Signature Generation A2907 (FIPS 186-4) (FIPS 186-4) SHA2-384, and SHA2-512 ECDSA SigVer ECDSA SigVer P-256, P-384, P-521 with SHA-1, SHA2-224, A2907 Signature Verification (FIPS 186-4) (FIPS 186-4) SHA2-256, SHA2-384, and SHA2-512 A2907 HMAC-SHA-1 HMAC HMAC-SHA-1 with λ=160 Authentication for protocols [FIPS 198-1] A2907 HMAC-SHA2-224 HMAC-SHA2-224 with λ=224 HMAC Authentication for protocols [FIPS 198-1] A2907 HMAC-SHA2-256 HMAC HMAC-SHA2-256 with λ=256 Authentication for protocols [FIPS 198-1] A2907 HMAC-SHA2-384 HMAC HMAC-SHA2-384 with λ=384 Authentication for protocols [FIPS 198-1] A2907 HMAC-SHA2-512 HMAC HMAC-SHA2-512 with λ=512 Authentication for protocols [FIPS 198-1] KAS-ECC-SSC KAS Ephemeral Unified Model: P-256/P-384/P-521 A2907 Key Exchange Sp800-56Ar3 KAS-FFC-SSC SP A2907 KAS dhEphem: MODP-2048 Key Exchange 800-56Ar3 KDF SNMP [SP Engine ID: A2907 800-135rev1] SNMPv3 KDF 80001F88043030303030 SNMPv3 (CVL) 343935323630 © 2024 Palo Alto Networks, Inc. Panorama VM 10.2 Security Policy 6
KDF SSH [SP SHA-1, SHA2-256, A2907 800-135rev1] SSHv2 KDF SSH SHA2-512 (CVL) KDF TLS [SP TLS1.2 KDF A2907 800-135rev1] TLS v1.2 Hash Algorithm: SHA2-256, SHA2-384 TLS (CVL) RSA KeyGen RSA KeyGen (FIPS Key Pair Generation A2907 2048, 3072, and 4096 bits (FIPS 186-4) 186-4) (ANSI X9.31, RSASSA-PKCS1_v1-5, RSA SigGen RSA SigGen (FIPS Signature Generation A2907 RSASSA-PSS): 2048, 3072, and 4096-bit with (FIPS 186-4) 186-4) hashes SHA2-256/384/512 (ANSI X9.31, RSASSA-PKCS1_v1-5, RSASSA-PSS): 2048, 3072, 4096-bit (per IG C.F) with hashes SHA-1 and RSA SigVer (FIPS RSA SigVer (FIPS SHA2-224+++/256/384/512 (Signature A2907 Signature Verification 186-4) 186-4) Verification) +++ This Hash algorithm is not supported for ANSI X9.31 Digital Signature Generation/Verification SHA-1 [FIPS SHA-1 A2907 SHA 180-4] Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification SHA2-224 [FIPS A2907 SHA2 SHA-224 180-4] Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification SHA2-256 [FIPS A2907 SHA2 SHA-256 180-4] Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification SHA2-384 [FIPS A2907 SHA2 SHA-384 180-4] Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification SHA2-512 [FIPS A2907 SHA2 SHA-512 180-4] Non-Digital Signature Applications (e.g. component of HMAC) Safe Primes Key Safe Primes Key A2907 Generation [RFC MODP-2048 Safe Primes Key Generation Generation 3526] Safe Primes Key Safe Primes Key A2907 Verification [RFC MODP-2048 Safe Primes Key Verification Verification 3526] SP 800-38A, FIPS AES Cert. 198-1, and SP #A2907 KTS [SP 800-38F. KTS (key 128, 192, and 256-bit keys providing 128, 192, or and HMAC Key Wrapping 800-38F] wrapping and 256 bits of encryption strength Cert unwrapping) per IG #A2907 D.G. AES-GCM SP 800-38D and SP KTS [SP 128 and 256-bit keys providing 128 or 256 bits Cert. 800-38F. KTS (key Key Wrapping 800-38F] of encryption strength #A2907 wrapping and © 2024 Palo Alto Networks, Inc. Panorama VM 10.2 Security Policy 7
unwrapping) per IG D.G. ESV Cert. SP 800-90B ESV Palo Alto Networks DRNG Entropy Source Entropy #E69 KAS-ECC-S SC Cert. SP 800-56Arev3. #A2907, KAS [SP P-256, P-384, and P-521 curves providing 128, KAS-ECC per IG D.F Key Exchange with protocol KDF KDF SSH 800-56Arev3] 192, or 256 bits of encryption strength Scenario 2 path (2). Cert. #A2907 KAS-ECC-S SC Cert. SP 800-56Arev3. #A2907, KAS [SP P-256, P-384, and P-521 curves providing 128, KAS-ECC per IG D.F Key Exchange with protocol KDF KDF 800-56Arev3] 192, or 256 bits of encryption strength Scenario 2 path (2). TLSCert. #A2907 KAS-FFC-S SC Cert. SP 800-56Arev3. #A2907, KAS [SP 2048-bit key providing 112 bits of encryption KAS-FFC per IG D.F Key Exchange with protocol KDF KDF SSH 800-56Arev3] strength Scenario 2 path (2). Cert. #A2907 KAS-FFC-S SC Cert. SP 800-56Arev3. #A2907, KAS [SP 2048-bit key providing 112 bits of encryption KAS-FFC per IG D.F Key Exchange with protocol KDF KDF TLS 800-56Arev3] strength Scenario 2 path (2). Cert. #A2907 Key Generation Note: The seeds used for asymmetric Vendor CKG (SP Section 5.1, Section Cryptographic Key Generation; SP 800-133 and key pair generation are produced using Affirmed 800-133rev2) 5.2 IG D.H (asymmetric seeds). the unmodified/direct output of the DRBG ** The module is compliant to IG C.H: GCM is used in the context of TLS and SSH:
In all the above cases, the nonce explicit is always generated deterministically. Also, AES GCM keys are zeroized when the module is power-cycled. For each new TLS or SSH session, a new AES GCM key is established. The module is compliant to IG C.F.: The module utilizes approved modulus sizes 2048, 3072, and 4096 bits for RSA signatures. This functionality has been CAVP tested as noted above. The minimum number of Miller Rabin tests for each modulus size is implemented according to Table C.2 of FIPS 186-4. For modulus size 4096 the module implements the largest number of Miller-Rabin tests shown in Table C.2. RSA SigVer is CAVP tested for all three supported modulus sizes as noted above. The module does not perform FIPS 186-2 SigVer. All supported modulus sizes are CAVP testable and tested as noted above. The module does not implement RSA key transport in the approved mode. The module does not have any algorithms that fall under: - Non-Approved Algorithms Allowed in the Approved Mode of Operation - Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed - Non-Approved Algorithms Not Allowed in the Approved Mode of Operation Table 5 - Supported Protocols in the Approved Mode Supported Protocols* TLS 1.2 SSHv2 SNMPv3 *Note: These protocols have not been tested or reviewed by the CMVP or the CAVP. Cryptographic Boundary The Panorama Virtual Appliance is a software cryptographic module and requires an underlying general purpose computer (GPC) environment. The module consists of a GPC (multi-chip standalone embodiment) with the cryptographic boundary defined below. The cryptographic boundary (CB) includes all of the software components of the module, which is included in the file name in Section 11 (Panorama_pc-10.2.3-h1) and also the configuration file that resides on the virtual machine’s virtual disk. The physical perimeter (PP) is defined by the enclosure around the host GPC on which it runs. Figure 1 depicts the boundary and illustrates the hardware components of a GPC. © 2024 Palo Alto Networks, Inc. Panorama VM 10.2 Security Policy 9
Figure 1
4. Roles, Services, and Authentication Roles and Services While in the Approved mode of operation, all CO and User services are accessed via SSH or TLS sessions. Approved and allowed algorithms, relevant CSPs and public keys related to these protocols are accessed to support the following services. CSP access by services is further described in the following tables. Table 7
CO, User, Self-Test Run self-test via CLI or WebUI Output results via System Logs Unauthenticated Show Status Show status via CLI or WebUI FIPS-CC Mode Indicator CO, User System Audit View system audit records via CLI or Audit records via System Logs CO, User WebUI Monitor System Status and View system status records via CLI or System status via System Logs CO, User Logs WebUI Panorama Log Collector Setup Configuring and managing Log Confirmation of service via CO Collectors configurations via CLI or Configuration Logs. WebUI Assumption of Roles The module supports distinct operator roles. The cryptographic module in Panorama or Management-Only mode enforces the separation of roles using unique authentication credentials associated with operator accounts. The Log Collector mode only supports one role, the Crypto-Officer (CO) role. The module does not provide a maintenance role or bypass capability. Table 8 - Roles and Authentication Role Authentication Method Authentication Strength CO Password-based Minimum length is eight1 (8) characters (95 possible characters). The probability that a random attempt will succeed or a false acceptance Memorized Secret (Unique will occur is 1/(958) which is less than 1/1,000,000. The probability of Username/password) and/or successfully authenticating to the module within one minute is Single-Factor Cryptographic 10/(958), which is less than 1/100,000. The module’s configuration Software (certificate common supports at most ten failed attempts to authenticate in a one-minute name / public key-based period. authentication) Certificate/Public key-based The security modules support public-key based authentication using RSA 2048 and certificate-based authentication using RSA 2048, RSA 3072, RSA 4096, ECDSA P-256, P-384, or P-521. Memorized Secret (Unique Username/password) and/or The minimum equivalent strength supported is 112 bits. The Single-Factor Cryptographic probability that a random attempt will succeed is 1/(2112) which is less User than 1/1,000,000. The probability of successfully authenticating to Software (certificate common name / public key-based the module within a one minute period is 10/(2112), which is less than authentication) 1/100,000. The module supports at most 10 failed attempts and locks out afterwards. Definition of CSPs Modes of Access The following table defines the relationship between access to CSPs and the different module services. The modes of access shown in the table are defined as: In FIPS-CC Mode, the module checks and enforces the minimum password length of eight (8) as specified in SP 800-63B. Passwords are securely stored hashed with salt value, with very restricted access control, and rate limiting mechanism for authentication attempts. © 2024 Palo Alto Networks, Inc. Panorama VM 10.2 Security Policy 12
G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g. the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP. Note: Unless otherwise specified, all services are available in all system modes. If there is a service that is specific to a certain system mode, it is noted in the Description column. Table 9
Perform panorama licensing, diagnostics, debug functions, manage Panorama support information and switch System System and between Panorama N/A N/A CO N/A Provisioning Configuration logs Management-only, and Logger modes. (Panorama or Management-Only Mode) Panorama Download and install Public Key for System and Software RSA SigVer (FIPS 186-4) CO W/E software updates Software Load Test Configuration logs Update CKG RSA Private Keys G/W/E RSA KeyGen (FIPS 186-4) RSA SigGen (FIPS 186-4) CKG ECDSA Private Keys G/W/E ECDSA KeyGen ( FIPS 186-4) ECDSA SigGen (FIPS 186-4) RSA SigVer (FIPS 186-4) RSA Public Keys G/R/E/W ECDSA SigVer (FIPS 186-4) ECDSA Public Keys G/R/E/W SNMPv3 Authentication W/E KDF SNMP (CVL) Secret SNMPv3 Privacy Secret W/E HMAC-SHA-1 Authentication Key G/E/Z HMAC-SHA2-224 HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 AES-CFB128 Session Key G/E/Z RSA SigVer (FIPS 186-4) ECDSA SigVer CA Certificates G/R/E/W Presents configuration (FIPS 186-4) options for management interfaces and TLS Pre-Master Secret G/E/Z communication for peer KDF TLS TLS Master Secret G/E/Z services (e.g., SNMP, RADIUS). CKG, TLS DHE/ECDHE Private Panorama KAS G/E/Z System and Import, Export, Save, Load, ECDSA KeyGen (FIPS 186-4), Components CO Manager Setup Configuration logs revert and validate ECDSA KeyVer (FIPS 186-4), TLS DHE/ECDHE Public Panorama configurations KAS-ECC-SSC, KAS-FFC-SSC, Components and state role Safe Primes Key Generation, G/E/R/W/Z Safe Primes Key Verification (Panorama or HMAC-SHA2-256 TLS HMAC Keys Management-Only Mode) G/E/Z KTS HMAC-SHA2-384 AES-CBC TLS Encryption Keys G/E/Z KTS AES-GCM TLS Encryption Keys G/E/Z KTS HMAC-SHA-1 SSH Session G/E/Z HMAC-SHA2-256 Authentication Keys HMAC-SHA2-512 AES-CBC, AES-CTR SSH Session Encryption G/E/Z Keys KTS AES-GCM KAS KDF SSH SSH DHE/ECDHE Private G/E/Z Components KAS-ECC-SSC KAS-FFC-SSC Safe Primes Key Generation, SSH DHE/ECDHE Public G/E/R/W/Z Safe Primes Key Verification Components DRBG Seed Counter DRBG, ESV DRBG Key G/E © 2024 Palo Alto Networks, Inc. Panorama VM 10.2 Security Policy 14
DRBG V Entropy Input String Define access control N/A CO, User Password G/E/W methods via admin profiles, configure administrators RSA SigVer (FIPS 186-4) SSH Client Public Key W/E Manage and password profiles Panorama System and Configure local user CO Administrative Configuration logs database, authentication RSA SigVer (FIPS 186-4) Access SSH Host Public Key G/R/E/W profiles, sequence of ECDSA SigVer (FIPS 186-4) methods and access domains Configure High Availability RSA SigVer (FIPS 186-4) RSA Public Key G/R/E/W communication settings Configure High CO Configuration Logs Availability ECDSA SigVer (FIPS 186-4) ECDSA Public Key G/R/E/W (Panorama or Management-Only Mode) ECDSA SigGen (FIPS 186-4) RSA Private Keys G/R/W/E Configuration Logs RSA SigGen ECDSA Private Keys (FIPS 186-4) Manage RSA/ECDSA ECDSA SigVer Panorama certificates and private (FIPS 186-4) RSA Public Keys G/R/W/E Configuration Logs Certificate keys, certificate profiles, RSA SigVer ECDSA Public Keys CO Management revocation status, and (FIPS 186-4) usage; show status. DRBG Seed DRBG Key Counter DRBG, ESV G/E System Logs DRBG V Entropy Input String Configure log forwarding Panorama Log N/A N/A CO N/A Configuration Logs Setting (Panorama or Management-Only Mode) SNMPv3 Authentication W/E KDF SNMP (CVL) Secret Configure communication SNMPv3 Privacy Secret W/E parameters and information for peer HMAC-SHA-1 Authentication Key G/E/Z Panorama servers HMAC-SHA2-224 CO System Logs Server Profiles HMAC-SHA2-256 (Panorama or HMAC-SHA2-384 Management-Only Mode) HMAC-SHA2-512 AES-CFB128 Session Key G/E/Z Set-up and define managed devices, device groups for firewalls Configure device deployment applications and licenses Setup Managed View current deployment Devices and information on the N/A N/A CO N/A Configuration Logs Deployment managed firewalls. It also allows you to manage software/firmware versions and schedule updates on the managed firewalls and managed log collectors. (Panorama or Management-Only Mode) Setup and manage other Log Collector management, Configure communication and storage System and Managed Log settings N/A CO, User Password CO G/E/W Configuration logs Collectors View current deployment information on the managed Log Collectors. It © 2024 Palo Alto Networks, Inc. Panorama VM 10.2 Security Policy 15
also allows you to manage software/firmware versions and schedule updates on managed log collectors. (Panorama or Management-Only Mode) Zeroize Overwrite all CSPs N/A All keys and SSPs CO Z Zeroization Indicator Run power up self-tests on Software Integrity CO, Self-Test demand by power cycling N/A E System Logs Verification Key User the module. CO, FIPS-CC Mode Show Status View status of the module N/A N/A N/A User Indicator Allows review of limited configuration and system status via SNMPv3, logs, dashboard, show status, and configuration screens. CO, System Audit N/A N/A N/A System Logs CO Only: Provides User configuration commit capability. (Panorama or Management-Only Mode) Review system status via the panorama system CLI, Monitor dashboard and logs; show CO, System Status status. N/A N/A N/A System Logs User and Logs (Panorama or Management-Only Mode) CKG RSA Private Keys G/W/E RSA KeyGen (FIPS 186-4) RSA SigGen (FIPS 186-4) CKG ECDSA Private Keys G/W/E ECDSA KeyGen ( FIPS 186-4) ECDSA SigGen (FIPS 186-4) RSA SigVer (FIPS 186-4) RSA Public Keys G/R/E/W ECDSA SigVer (FIPS 186-4) ECDSA Public Keys G/R/E/W TLS Pre-Master Secret G/E/Z KDF TLS TLS Master Secret G/E/Z Presents configuration options for management CKG, TLS DHE/ECDHE Private KAS G/E/Z interfaces and ECDSA KeyGen (FIPS 186-4), Components communication for peer ECDSA KeyVer (FIPS 186-4), TLS DHE/ECDHE Public services KAS-ECC-SSC, KAS-FFC-SSC, Components System and Panorama Log Safe Primes Key Generation, CO G/E/R/W/Z Import, Export, Save, Load, Configuration logs Collector Setup Safe Primes Key Verification revert and validate Panorama configurations HMAC-SHA2-256 TLS HMAC Keys G/E/Z and state KTS HMAC-SHA2-384 AES-CBC TLS Encryption Keys G/E/Z (Log Collector mode) KTS AES-GCM TLS Encryption Keys G/E/Z HMAC-SHA-1 SSH Session G/E/Z HMAC-SHA2-256 Authentication Keys KTS HMAC-SHA2-512 AES-CBC, AES-CTR SSH Session Encryption G/E/Z Keys KTS AES-GCM KDF SSH (CVL) SSH DHE/ECDHE Private G/E/Z Components KAS KAS-ECC-SSC KAS-FFC-SSC © 2024 Palo Alto Networks, Inc. Panorama VM 10.2 Security Policy 16
Safe Primes Key Generation, Safe Primes Key Verification DRBG Seed DRBG V Counter DRBG, ESV G/E DRBG Key Entropy Input String Note: Configuration/System Logs for Approved services above will indicate FIPS-CC mode is enabled and that the service succeeded.
Table 10
112 - 256 ECDSA SigVer DRBG, FIPS HDD/RAM
CA Certificates Session Key N/A certificates bits (FIPS 186-4) 186-4 plaintext RAM - Zeroize Encrypted (RSA 2048, 3072, and at session
Cert. #A2907 termination (ECDSA P-256, P-384, and P-521) RSA public keys managed as certificates for the verification of TLS or SSH signatures, RSA SigVer Session Key
112 - 150 DRBG, FIPS HDD/RAM
RSA Public Keys (FIPS 186-4) Encrypted or N/A bits 186-4 plaintext Service operator authentication Cert. #A2907 Plaintext and peer TLS handshake authentication. (RSA 2048, 3072, or 4096-bit) RSA Private keys for HDD
112 - 150 DRBG, FIPS HDD/RAM
RSA Private Keys (FIPS 186-4) Session Key N/A authentication or key bits 186-4 plaintext RAM - Zeroize Cert. #A2907 Encrypted establishment. at session (RSA 2048, 3072, or termination 4096-bit) ECDSA public keys managed as certificates for the verification of TLS or SSH signatures, ECDSA SigVer Session Key
128 - 256 DRBG, FIPS HDD/RAM
ECDSA Public Keys (FIPS 186-4) Encrypted or N/A bits 186-4 plaintext Service operator authentication Cert. #A2907 Plaintext and peer TLS handshake authentication. (ECDSA P-256, P-384, or P-521) HDD
128 - 256 DRBG, FIPS HDD/RAM
ECDSA Private Keys (FIPS 186-4) Session Key N/A and authentication bits 186-4 plaintext RAM - Zeroize Cert. #A2907 Encrypted (P-256, P-384, or at session P-521) termination KAS-FFC or KAS-ECC Ephemeral values used KAS-ECC-SSC DRBG, SP Zeroize at TLS DHE/ECDHE 112 - 256 in key agreement KAS-FFC-SSC 800-56A Rev. N/A N/A RAM - plaintext session Private Components bits (KAS-FFC MODP-2048, Cert. #A2907 3 termination KAS-ECC P-256, P-384, P-521) KAS-FFC or KAS-ECC Ephemeral values used KAS-ECC-SSC DRBG, SP Zeroize at TLS DHE/ECDHE Public 112 - 256 Plaintext - TLS in key agreement KAS-FFC-SSC 800-56A Rev. N/A RAM - plaintext session Components bits handshake (KAS-FFC MODP-2048, Cert. #A2907 3 termination KAS-ECC P-256, P-384, P-521) Secret value used to KAS SP Zeroize at derive the TLS Master KDF TLS TLS Pre-Master Secret N/A 800-56A Rev. N/A N/A RAM
3 termination and server random
nonces Zeroize at Secret value used to KDF TLS TLS Master Secret N/A KDF TLS N/A N/A RAM
AES (128 or 256 bit) AES-CBC or Zeroize at
128 or 256 TLS, KAS SP keys used in TLS
TLS Encryption Keys AES-GCM KDF TLS N/A RAM - plaintext session bits 800-56A Rev. 3 connections (GCM; Cert. #A2907 termination CBC) HMAC-SHA2-256 Zeroize at HMAC keys used in TLS TLS, KAS SP TLS HMAC Keys 256 bits HMAC-SHA2-384 KDF TLS N/A RAM - plaintext session connections ( 256, 384) 800-56A Rev. 3 Cert. #A2907 termination (256, 384 bits) KAS-FFC or KAS-ECC public component KAS-ECC-SSC DRBG, SP Zeroize at SSH DHE/ECDHE 112 - 256 (KAS-FFC MODP-2048, KAS-FFC-SSC 800-56A Rev. N/A N/A RAM - plaintext session Private Components bits KAS-ECC P-256, Cert. #A2907 3 termination KAS-ECC P-384, KAS-ECC P-521) KAS-FFC or KAS-ECC Plaintext SSH public component KAS-ECC-SSC DRBG, SP handshake Zeroize at SSH DHE/ECDHE Public 112 - 256 (KAS-FFC Group 14, KAS-FFC-SSC 800-56A Rev. N/A RAM - plaintext session Components bits KAS-ECC P-256, Cert. #A2907 3 termination KAS-ECC P-384, KAS-ECC P-521) RSA SigVer (FIPS 186-4) SSH Host Public Key
112 - 256 ECDSA SigVer DRBG, FIPS HDD/RAM
SSH Host Public Key N/A N/A bits (FIPS 186-4) 186-4 plaintext Service RSA 4096, ECDSA P-256, P-384, or P-521) Cert. #A2907 Public RSA key used to RSA SigVer
112 - 150 Encrypted via HDD/RAM
SSH Client Public Key (FIPS 186-4) N/A N/A bits SSH or TLS plaintext Service (RSA 2048, 3072, and Cert. #A2907
Used in all SSH connections to the AES-CBC, Zeroize at security module’s SSH Session Encryption 128 - 256 AES-CTR, or SSH, KAS SP KDF SSH N/A RAM - plaintext session command line interface. Keys bits AES-GCM 800-56A Rev. 3 termination (128, 192, or 256 bits: Cert. #A2907 CBC or CTR) (128 or 256 bits: GCM) Authentication keys used in all SSH connections to the HMAC-SHA-1 Zeroize at security module’s SSH Session 160 - 256 HMAC-SHA2-256 SSH, KAS SP KDF SSH N/A RAM - plaintext session command line interface Authentication Keys bits HMAC-SHA2-512 800-56A Rev. 3 termination (HMAC-SHA-1, Cert. #A2907 HMAC-SHA2-256, HMAC-SHA2-512) (160, 256, 512 bits) Used to check the Software integrity HMAC-SHA2-256, integrity of verification key ECDSA SigVer
128 bits N/A N/A N/A HDD - plaintext N/A crypto-related code.
(Note: This is not considered (FIPS 186-4) (HMAC-SHA-256 and an SSP) Cert. #A2907 ECDSA P-256) Used to authenticate RSA SigVer software/firmware and Public key for software
112 bits (FIPS 186-4) N/A N/A N/A HDD - plaintext N/A content to be installed
content load test Cert. #A2907 on the module (RSA
Authentication string SHA2-256 Encrypted via HDD - a password CO, User Password N/A External N/A Zeroize Service with a minimum length Cert. #A2907 SSH or TLS hash (SHA2-256) of eight (8) characters. Encrypted via HDD/RAM
Seed length = 384 bits Cert. #A2907 CKG (vendor affirmed), Counter AES 256 CTR DRBG Entropy as DRBG state Key used in the DRBG Key 256 bits per N/A N/A RAM - plaintext Power cycle generation of a random SP 800-90B Cert. #A2907 values CKG (vendor affirmed), Counter AES 256 CTR DRBG Entropy as DRBG state V used in the DRBG V 128 bits per N/A N/A RAM - plaintext Power cycle generation of a random SP 800-90B Cert. #A2907 values SNMPv3 Authentication Used to support SNMPv3 KDF SNMP Encrypted via HDD/RAM
128 - 256 AES-CFB128 HDD/RAM - Zeroize
SNMPv3 Session Key KDF SNMP N/A N/A encryption key bits Cert. #A2907 Plaintext Service (AES-CFB 128) Note: SSPs are implicitly zeroized when power is lost, or explicitly zeroized by the zeroize service. In the case of implicit zeroization, the SSPs are implicitly overwritten with random values due to their ephemeral memory being reset upon power loss. For the zeroization service and zeroization at session termination, the SSP's memory location is overwritten with random values. The module utilizes the following entropy source, which is internal to the physical perimeter of the host GPC. Table 11 - Non-Deterministic Random Number Generation Specification Entropy Source Minimum number of bits of entropy Details ESV Cert. #E69 Palo Alto Networks DRNG Entropy 256 bits Source Entropy source provides full entropy, which is provided in the 384 bit seed. 10. Self-Tests The cryptographic module performs the following tests below. The operator can command the module to perform the pre-operational and cryptographic algorithm self-tests by cycling power of the module. The pre-operational and conditional self-tests are performed automatically and do not require any additional operator action. Pre-operational Self-Tests Pre-operational Software Integrity Test
Note: the ECDSA and HMAC-SHA-256 KATs are performed prior to the Software integrity test Conditional self-tests Cryptographic algorithm self-tests
Table 12 - Errors and Indicators Cause of Error Error State Indicator Conditional Cryptographic Algorithm Self-Test or Software FIPS-CC mode failure. <Algorithm test> failed. Integrity Test Failure Conditional Pairwise Consistency or Critical Functions Test System log prints an error message. Failure Conditional Software Load Test Failure System prints Invalid image message.
Vendor Imposed Security Rules In FIPS-CC mode, the following rules shall apply:
RNG –Random number generator RSA