| Standard | FIPS 140-3 |
|---|---|
| Overall level | 2 |
| Module type | Hardware |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 9/22/2029 |
| Caveat | When installed, initialized and configured as specified in Section 11 of the Security Policy. The tamper evident seals and Physical Kit installed as indicated in the Security Policy. The module generates SSPs (e.g., keys) whose strengths are modified by available entropy |
| Vendor | Palo Alto Networks, Inc. |
| Algorithm | ACVP Cert |
|---|---|
| AES-CBC | A2137 |
| AES-CFB128 | A2137 |
| AES-CTR | A2137 |
| AES-GCM | A2137 |
| Counter DRBG | A2137 |
| ECDSA KeyGen (FIPS186-4) | A2137 |
| ECDSA KeyVer (FIPS186-4) | A2137 |
| ECDSA SigGen (FIPS186-4) | A2137 |
| ECDSA SigVer (FIPS186-4) | A2137 |
| HMAC-SHA-1 | A2137 |
| HMAC-SHA2-224 | A2137 |
| HMAC-SHA2-256 | A2137 |
| HMAC-SHA2-384 | A2137 |
| HMAC-SHA2-512 | A2137 |
| KAS-ECC-SSC Sp800-56Ar3 | A2137 |
| KAS-FFC-SSC Sp800-56Ar3 | A2137 |
| KDF IKEv2 | A2137 |
| KDF SNMP | A2137 |
| KDF SSH | A2137 |
| KDF TLS | A2137 |
| RSA KeyGen (FIPS186-4) | A2137 |
| RSA SigGen (FIPS186-4) | A2137 |
| RSA SigVer (FIPS186-4) | A2137 |
| Safe Primes Key Generation | A2137 |
| Safe Primes Key Verification | A2137 |
| SHA-1 | A2137 |
| SHA2-224 | A2137 |
| SHA2-256 | A2137 |
| SHA2-384 | A2137 |
| SHA2-512 | A2137 |
flowchart LR
%% Deterministic review-risk graph for WildFire 10.1 WF-500
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update<br/>firmware load</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>status output</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for WildFire 10.1 WF-500
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update<br/>firmware load</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>status output</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;WildFire 10.1 WF-500 Version: 0.8 Revision Date: February 13, 2025 Palo Alto Networks, Inc. www.paloaltonetworks.com © 2025 Palo Alto Networks, Inc. Palo Alto Networks, Inc. is a registered trademark of Palo Alto Networks, Inc. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
| # | Section | Page |
|---|
1. General The Wildfire 10.1 WF-500 from Palo Alto Networks Inc., hereafter referred to as “WildFire” or the “cryptographic module” is a multi-chip standalone hardware cryptographic module designed to fulfill FIPS 140-3 level 2 requirements. The WildFire
10.1 WF-500 module identifies unknown malware, zero-day exploits, and Advanced Persistent Threats (APTs) through
dynamic analysis, and automatically disseminates protection in near real-time to help security teams meet the challenge of advanced cyber-attacks. Unknown files are analyzed by WildFire (WF) in a scalable sandbox environment where new threats are identified, and protections are automatically developed and delivered in the form of an update. The result is a unique, closed loop approach to controlling cyber threats that begins with positive security controls to reduce the attack surface, inspection of all traffic, ports, and protocols to block all known threats, and rapid detection of unknown threats by observing their actual behavior. The cryptographic module meets the overall requirements applicable to Level 2 security of FIPS 140-3. Table 1
© 2025 Palo Alto Networks, Inc. WildFire 10.1 WF-500 Security Policy 3
Note: Disabling “FIPS-CC” mode causes a complete factory reset, which is described in the Zeroization section below. The module does not support a degraded mode of operation. Non-Compliant State Failure to follow the directions in the Approved Mode of Operation above or rules noted in Section 11 will result in the module operating in a non-compliant state, which is considered out of scope of this validation. Zeroization To initiate the zeroization service, perform the following steps:
GCM* Encryption, A2137 AES-GCM [SP 800-38D] Decryption AES 256 bits with Counter DRBG A2137 CTR DRBG Derivation Function Random Bit Generator [SP 800-90Arev1] Enabled ECDSA KeyGen Key Generation A2137 ECDSA KeyGen P-256, P-384, P-521 (FIPS 186-4) ECDSA KeyVer Public Key Validation A2137 ECDSA KeyVer P-256, P-384, P-521 (FIPS 186-4) Only the algorithms, modes, and key sizes specified in this table are used by the module. The CAVP certificate may contain more tested options than listed in this table. © 2025 Palo Alto Networks, Inc. WildFire 10.1 WF-500 Security Policy 5
CAVP Cert Algorithm and Mode/Method Description / Key Use / Function Standard Size(s) / Key Strength(s) P-256, P-384, P-521 with ECDSA SigGen Signature Generation A2137 ECDSA SigGen SHA2-224, SHA2-256, (FIPS 186-4) SHA2-384, and SHA2-512 P-256, P-384, P-521 with ECDSA SigVer (FIPS 186- SHA-1, SHA2-224, SHA2A2137 ECDSA SigVer Signature Verification 4) 256, SHA2-384, and SHA2-512 HMAC-SHA-1 [FIPS 198A2137 HMAC HMAC-SHA-1 with λ=160 For Protocols 1] HMAC-SHA2-224 HMAC-SHA2-224 with A2137 HMAC For Protocols [FIPS 198-1] λ=224 HMAC-SHA2-256 HMAC-SHA2-256 with A2137 HMAC For Protocols [FIPS 198-1] λ=256 HMAC-SHA2-384 HMAC-SHA2-384 with A2137 HMAC For Protocols [FIPS 198-1] λ=384 HMAC-SHA2-512 HMAC-SHA2-512 with A2137 HMAC For Protocols [FIPS 198-1] λ=512 Ephemeral Unified Model: KAS-ECC-SSC SP800- KAS Key Agreement, Shared A2137 P-256/P-384/P-521 56Ar3 Secret Computation KAS-FFC-SSC SP 800- Key Agreement, Shared A2137 KAS dhEphem: MODP-2048 56Ar3 Secret Computation KDF IKEv2 SHA2-256, SHA2-384, A2137 IKEv2 KDF IKEv2 [SP 800-135rev1] (CVL) SHA2-512 Engine ID: KDF SNMP A2137 SNMPv3 KDF 80001F88043030303030 SNMPv3 [SP 800-135rev1] (CVL) 343935323630 KDF SSH [SP 800- SHA-1, SHA2-256, SHA2A2137 SSHv2 KDF SSH 135rev1] (CVL) 512 TLS 1.0/1.1 KDF, TLS1.2 TLS v1.0/1.1 KDF TLS [SP 800-135rev1] A2137 KDF TLS v1.2 Hash Algorithm: TLS (CVL) SHA2-256, SHA2-384 RSA KeyGen RSA KeyGen Key Pair Generation A2137 2048, 3072, and 4096 bits (FIPS 186-4) (FIPS 186-4) (ANSI X9.31, RSASSAPKCS1_v1-5, RSASSARSA SigGen RSA SigGen Signature Generation A2137 PSS): 2048, 3072, and (FIPS 186-4) (FIPS 186-4) 4096-bit with hashes SHA2-256/384/512 (ANSI X9.31, RSASSAPKCS1_v1-5, RSASSAPSS): 2048, 3072, 4096-bit (per IG C.F) with hashes SHA-1 and SHA2RSA SigVer RSA SigVer A2137 224+++/256/384/512 Signature Verification (FIPS 186-4) (FIPS 186-4) (Signature Verification) +++ This Hash algorithm is not supported for ANSI X9.31 Digital Signature Generation/Verification SHA-1 A2137 SHA-1 [FIPS 180-4] SHA Non-Digital Signature Applications (e.g. component of HMAC) © 2025 Palo Alto Networks, Inc. WildFire 10.1 WF-500 Security Policy 6
CAVP Cert Algorithm and Mode/Method Description / Key Use / Function Standard Size(s) / Key Strength(s) Digital Signature Generation/Verification A2137 SHA2-224 [FIPS 180-4] SHA2 SHA-224 Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification A2137 SHA2-256 [FIPS 180-4] SHA2 SHA-256 Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification A2137 SHA2-384 [FIPS 180-4] SHA2 SHA-384 Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification A2137 SHA2-512 [FIPS 180-4] SHA2 SHA-512 Non-Digital Signature Applications (e.g. component of HMAC) Safe Primes Key Safe Primes Key Safe Primes Key A2137 MODP-2048 Generation [RFC 3526] Generation Generation Safe Primes Key Safe Primes Key Safe Primes Key A2137 MODP-2048 Verification [RFC 3526] Verification Verification Key Wrapping. AES-CBC SP 800-38A, FIPS 198-1, 128, 192, and 256-bit keys or AES-CTR with HMACAES Cert. #A2137 and KTS and SP 800-38F. KTS (key providing 128, 192, or 256 SHA-1, HMAC-SHA2-256, HMAC Cert. #A2137 [SP 800-38F] wrapping and unwrapping) bits of encryption strength HMAC-SHA2-384, or per IG D.G. HMAC-SHA2-512 SP 800-38D and SP 800-
KTS 38F. KTS (key wrapping AES-GCM Cert. #A2137 providing 128 or 256 bits Key Wrapping. AES-GCM. [SP 800-38F] and unwrapping) per IG of encryption strength D.G. ESV Cert. #E130 Palo Alto Networks RTC SP 800-90B ESV Entropy Entropy Source KAS-ECC-SSC Cert. SP 800-56Arev3. KAS-ECC P-256, P-384 curves Key Exchange with #A2137, KDF IKEv2 Cert. KAS [SP 800-56Arev3] per IG D.F Scenario 2 path providing 128 or 192 bits protocol KDF #A2137 (2). of encryption strength KAS-ECC-SSC Cert. P-256, P-384, and P-521 SP 800-56Arev3. KAS-ECC #A2137, KDF SSH Cert. curves providing 128, 192, Key Exchange with KAS [SP 800-56Arev3] per IG D.F Scenario 2 path #A2137 or 256 bits of encryption protocol KDF (2). strength KAS-ECC-SSC Cert. P-256, P-384, and P-521 SP 800-56Arev3. KAS-ECC #A2137, KDF TLS Cert. curves providing 128, 192, Key Exchange with KAS [SP 800-56Arev3] per IG D.F Scenario 2 path #A2137 or 256 bits of encryption protocol KDF (2). strength KAS-FFC-SSC Cert. SP 800-56Arev3. KAS-FFC 2048-bit key providing 112 Key Exchange with #A2137, KDF IKEv2 Cert. KAS [SP 800-56Arev3] per IG D.F Scenario 2 path bits of encryption strength protocol KDF #A2137 (2). KAS-FFC-SSC Cert. SP 800-56Arev3. KAS-FFC 2048-bit key providing 112 Key Exchange with #A2137, KDF SSH Cert. KAS [SP 800-56Arev3] per IG D.F Scenario 2 path bits of encryption strength protocol KDF #A2137 (2). © 2025 Palo Alto Networks, Inc. WildFire 10.1 WF-500 Security Policy 7
CAVP Cert Algorithm and Mode/Method Description / Key Use / Function Standard Size(s) / Key Strength(s) KAS-FFC-SSC Cert. SP 800-56Arev3. KAS-FFC 2048-bit key providing 112 Key Exchange with #A2137, KDF TLS Cert. KAS [SP 800-56Arev3] per IG D.F Scenario 2 path bits of encryption strength protocol KDF #A2137 (2). Key Generation Note: The seeds used for Cryptographic Key Vendor CKG asymmetric key pair Section 5.1, Section 5.2 Generation; SP 800Affirmed [ SP 800-133rev2] generation are produced
using the unmodified/direct output of the DRBG *The module is compliant to IG C.H: GCM is used in the context of TLS, IPsec/IKEv2, and SSH:
The cryptographic module supports the following non-Approved algorithms that are allowed for use in the Approved mode of operation: Table 4 - Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed Algorithm Caveat Use / Function MD5 Only allowed as the PRF in TLSv1.1 per IG Message digest used in TLSv1.0 2.4.AOnly allowed as the PRF in TLSv1.0 and v1.1 /v1.1 KDF only per IG 2.4.A The cryptographic module supports the following non-approved algorithms not allowed for use in the approved mode of operation. Table 5 - Supported Protocols in the Approved Mode Supported Protocols* TLS v1.1, 1.2 SSHv2 SNMPv3 IPsec and IKEv2 (*): These protocols have not been tested or reviewed by the CMVP or the CAVP. (**): See vendor imposed security rule in Security Rules section The module does not have any algorithms that fall under:
Figure 1 - Front view of WF-500 Figure 2 - Front view of WF-500 with opacity shield Figure 3 - Rear view of WF-500 with opacity shield Figure 4 - Right side of WF-500 with opacity shields Figure 5 - Left side of WF-500 with opacity shields © 2025 Palo Alto Networks, Inc. WildFire 10.1 WF-500 Security Policy 10
3. Cryptographic Module Interfaces The WF-500 provides the following ports and interfaces: Figure 6 - Front Ports and Interfaces Figure 7 - Rear Ports and Interfaces © 2025 Palo Alto Networks, Inc. WildFire 10.1 WF-500 Security Policy 11
Table 6 - Ports and Interfaces Physical Port Logical Interface Data that passes over port/interface
2 Front LED Panel Status output LED information for
3 Drive LEDs Status output LED information
5 DB9 Data input, Control input, Console access (Note: In the
Data output, Status output, Approved mode, the Console Control output port is only available as Status output)
6 USB Disabled except for power None -- disabled except for
7 RJ45 Data input, Control input, Used for TLS and SSH
Data output, Status output, Control output Data input, Data Output Used for TLS and SSH Data input, Control input, SSH and or IKE/IPsec Data output, Status output Data input, Control input, SSH and or IKE/IPsec Data output, Status output
8 UID Button with LED Control input, Status output LED information to help
identify device NOTE: Port number 8 (VGA) is omitted intentionally because it is disabled and so N/A. © 2025 Palo Alto Networks, Inc. WildFire 10.1 WF-500 Security Policy 12
4. Roles, Services, and Authentication Services When initialized into the Approved mode of operation, all authenticated services are accessed via SSH or TLS sessions. Approved and allowed algorithms, relevant CSPs and public keys related to these protocols are accessed to support the following services. CSP access by services is further described in the following tables. The Crypto-Officer (CO) may access all services and has the ability to define multiple Crypto-Officer roles. The User role provides read-only access to the system via the System Audit service. The Peer-to-Peer VPN role consists in managing the establishment of VPN connections between several WildFire WF-500 modules. Table 7
CO Configuration Management Configuring and managing Confirmation of service cryptographic parameters via Configuration/System and setting/modifying Logs communication Assumption of Roles The module supports distinct operator roles. The cryptographic module enforces the separation of roles using unique authentication credentials associated with operator accounts. The module supports concurrent operators with identity-based authentication. The module does not provide a maintenance role or bypass capability. Table 8
attempt will succeed is 1/(2112) which is less than 1/1,000,000. The probability of successfully authenticating to the module within a one minute period is 3,600,000/(2112), which is less than 1/100,000. The module supports at most 60,000 new sessions per second to authenticate in a one-minute period. Certificate/Public key-based Username/password and/or The security modules support public-key based Peer-to-peer VPN certificate-based authentication using RSA 2048 and certificateauthentication based authentication using RSA 2048, RSA In FIPS-CC Mode, the module checks and enforces the minimum password length of eight (8) as specified in SP 800-63B. Passwords are securely stored hashed with salt value, with very restricted access control, and rate limiting mechanism for authentication attempts. © 2025 Palo Alto Networks, Inc. WildFire 10.1 WF-500 Security Policy 14
3072, RSA 4096, ECDSA P-256, P-384, or P521. The minimum equivalent strength supported is
attempt will succeed is 1/(2112) which is less than 1/1,000,000. The probability of successfully authenticating to the module within a one minute period is 3,600,000/(2112), which is less than 1/100,000. The module supports at most 60,000 new sessions per second to authenticate in a one-minute period. CSP Access Rights The following table defines the access to CSPs and the different module services. While in the Approved mode, all authenticated services and CSPs are accessed via authenticated TLS or SSH sessions. Approved and allowed algorithms, relevant CSPs, and public keys related to these protocols are used to access the services as listed in Table 15. The modes of access shown in the table are defined as: G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g. the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP. Table 9
Primes Key Verification HMAC-SHA2- TLS HMAC Keys G/E/Z HMAC-SHA2KTS 384 TLS Encryption G/E/Z AES-CBC Keys KTS AES-GCM SSH G/E/Z DHE/ECDHE KDF SSH (CVL) Private Components KAS KAS-ECC-SSC SSH G/E/R/W/Z KAS-FFC-SSC DHE/ECDHE Safe Primes Key Public Generation, Safe Components Primes Key Verification HMAC-SHA-1 SSH Session G/E/Z HMAC-SHA2- Authentication
HMAC-SHA2KTS AES-CBC, SSH Session G/E/Z AES-CTR Encryption Keys KTS AES-GCM CO, User G/E/W N/A Password Entropy Input G/E String DRBG Seed Counter DRBG, ESV DRBG V DRBG Key IPSec/IKE G/E/Z DHE/ECDHE KDF IKEv2 (CVL) Public Components CKG, IPSec/IKE G/E/Z ECDSA KeyGen DHE/ECDHE (FIPS 186-4), Private KAS ECDSA KeyVer Components (FIPS 186-4), KAS-ECC-SSC, KAS-FFC-SSC, Safe Primes Key Generation, Safe Primes Key Verification HMAC-SHA2- IPSec/IKE G/E/Z
HMAC-SHA2- Keys KTS HMAC-SHA2IPSec/IKE Session AES-CBC Keys IPSec/IKE Session G/E/Z KTS AES-GCM Keys N/A Protocol Secrets W/E © 2025 Palo Alto Networks, Inc. WildFire 10.1 WF-500 Security Policy 16
RSA Public Keys G/R/E/W RSA SigVer (FIPS 186-4) ECDSA Public G/R/E/W ECDSA SigVer (FIPS 186-4) Keys RSA SigVer (FIPS 186-4) SSH Client Public W/E Key RSA SigVer (FIPS 186-4) SSH Host Public G/R/E/W ECDSA SigVer (FIPS 186-4) Key HMAC-SHA2-256, Firmware E ECDSA SigVer Integrity Check (FIPS 186-4) Key Public key for W/E firmware load RSA SigVer (FIPS 186-4) test CKG RSA Private Keys CO G/W/E System Logs RSA KeyGen (FIPS 186-4) RSA SigGen (FIPS 186-4) CKG ECDSA Private G/W/E ECDSA KeyGen Keys (FIPS 186-4) ECDSA SigGen (FIPS 186-4) KDF TLS (CVL) TLS Pre-Master G/E/Z Secret KDF TLS (CVL) TLS Master G/E/Z Secret Presents CKG, TLS DHE/ECDHE G/E/Z configuration ECDSA KeyGen Private options for KAS (FIPS 186-4), Components management ECDSA KeyVer TLS DHE/ECDHE G/E/R/W/Z interfaces and (FIPS 186-4), Public communication KAS-ECC-SSC, Components for peer services. KAS-FFC-SSC, Safe Primes Key Import, Export, Generation, Safe Save, Load, revert Primes Key and validate Verification configurations SSH G/E/Z System and state. DHE/ECDHE Configuration KDF SSH (CVL) Private Management Define access Components control methods via admin role KAS KAS-ECC-SSC SSH G/E/R/W/Z profiles, configure KAS-FFC-SSC DHE/ECDHE administrators/us Safe Primes Key Public ers, and password Generation, Safe Components profiles. Primes Key Verification Configure HMAC-SHA-1 SSH Session G/E/Z operators and HMAC-SHA2- Authentication authentication 256 Keys profiles. HMAC-SHA2KTS AES-CBC, SSH Session G/E/Z AES-CTR Encryption Keys KTS AES-GCM CO, User G/E/W N/A Password Entropy Input G/E String Counter DRBG, ESV DRBG Seed DRBG V © 2025 Palo Alto Networks, Inc. WildFire 10.1 WF-500 Security Policy 17
DRBG Key KDF SNMP (CVL) SNMPv3 W/E Authentication Secret KDF SNMP (CVL) SNMPv3 Privacy W/E Secret HMAC-SHA-1 Authentication G/E/Z HMAC-SHA2-224 Key HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 AES-CFB128 Session Key G/E/Z IPSec/IKE G/E/Z DHE/ECDHE KDF IKEv2 (CVL) Public Components CKG, IPSec/IKE G/E/Z ECDSA KeyGen DHE/ECDHE (FIPS 186-4), Private KAS ECDSA KeyVer Components (FIPS 186-4), KAS-ECC-SSC, KAS-FFC-SSC, Safe Primes Key Generation, Safe Primes Key Verification HMAC-SHA2- IPSec/IKE G/E/Z
HMAC-SHA2- Keys KTS HMAC-SHA2IPSec/IKE Session AES-CBC Keys IPSec/IKE Session G/E/Z KTS AES-GCM Keys N/A Protocol Secrets W/E RSA SigVer (FIPS 186-4) SSH Host Public G/R/E/W ECDSA SigVer (FIPS 186-4) Key HMAC-SHA2-256, Firmware E ECDSA SigVer Integrity Check (FIPS 186-4) Key CKG RSA Private Keys CO G/W/E System Logs RSA KeyGen (FIPS 186-4) RSA SigGen (FIPS 186-4) CKG ECDSA Private G/W/E ECDSA KeyGen Keys (FIPS 186-4) ECDSA SigGen (FIPS 186-4) KDF TLS (CVL) TLS Pre-Master G/E/Z Configure data Secret submission, Data Analysis analysis and Management KDF TLS (CVL) TLS Master G/E/Z reporting Secret functions. CKG, TLS DHE/ECDHE G/E/Z KAS ECDSA KeyGen Private (FIPS 186-4), Components ECDSA KeyVer TLS DHE/ECDHE G/E/R/W/Z (FIPS 186-4), Public KAS-ECC-SSC, Components KAS-FFC-SSC, Safe Primes Key Generation, Safe © 2025 Palo Alto Networks, Inc. WildFire 10.1 WF-500 Security Policy 18
Primes Key Verification HMAC-SHA2- TLS HMAC Keys G/E/Z HMAC-SHA2KTS 384 TLS Encryption G/E/Z AES-CBC Keys KTS AES-GCM SSH G/E/Z DHE/ECDHE KDF SSH (CVL) Private Components KAS KAS-ECC-SSC SSH G/E/R/W/Z KAS-FFC-SSC DHE/ECDHE Safe Primes Key Public Generation, Safe Components Primes Key Verification HMAC-SHA-1 SSH Session G/E/Z HMAC-SHA2- Authentication
HMAC-SHA2KTS AES-CBC, SSH Session G/E/Z AES-CTR Encryption Keys KTS AES-GCM CO, User G/E/W N/A Password DRBG Seed G/E DRBG V Counter DRBG, ESV DRBG Key Entropy Input String CKG RSA Private Keys CO G/W/E System Logs RSA KeyGen (FIPS 186-4) RSA SigGen (FIPS 186-4) CKG ECDSA Private G/W/E ECDSA KeyGen Keys (FIPS 186-4) ECDSA SigGen (FIPS 186-4) SSH G/E/Z DHE/ECDHE KDF SSH (CVL) Private Components Review system, KAS KAS-ECC-SSC SSH G/E/R/W/Z configuration, KAS-FFC-SSC DHE/ECDHE Check Status debug logs, and Safe Primes Key Public show Generation, Safe Components configurations. Primes Key Verification HMAC-SHA-1 SSH Session G/E/Z HMAC-SHA2- Authentication
HMAC-SHA2KTS AES-CBC, SSH Session G/E/Z AES-CTR Encryption Keys KTS AES-GCM © 2025 Palo Alto Networks, Inc. WildFire 10.1 WF-500 Security Policy 19
CO, User G/E/W N/A Password DRBG Seed G/E DRBG V Counter DRBG, ESV DRBG Key Entropy Input String KDF SNMP (CVL) SNMPv3 W/E Authentication Secret KDF SNMP (CVL) SNMPv3 Privacy W/E Secret HMAC-SHA-1 Authentication G/E/Z HMAC-SHA2-224 Key HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 AES-CFB128 Session Key G/E/Z CKG RSA Private Keys CO G/W/E System Logs RSA KeyGen (FIPS 186-4) RSA SigGen (FIPS 186-4) CKG ECDSA Private G/W/E ECDSA KeyGen Keys (FIPS 186-4) ECDSA SigGen (FIPS 186-4) SSH G/E/Z DHE/ECDHE KDF SSH (CVL) Private Components KAS KAS-ECC-SSC SSH G/E/R/W/Z KAS-FFC-SSC DHE/ECDHE Safe Primes Key Public Allows review of Generation, Safe Components limited Primes Key configuration and Verification system status via System Audit logs, dashboard HMAC-SHA-1 SSH Session G/E/Z and configuration HMAC-SHA2- Authentication screens. Provides 256 Keys no configuration HMAC-SHA2KTS commit capability. 512 AES-CBC, SSH Session G/E/Z AES-CTR Encryption Keys KTS AES-GCM CO, User G/E/W N/A Password Entropy Input G/E String DRBG Seed Counter DRBG, ESV DRBG V DRBG Key CKG RSA Private Keys Peer-to-Peer G/W/E System Logs RSA KeyGen (FIPS 186-4) VPN RSA SigGen (FIPS 186-4) Configures CKG ECDSA Private G/W/E IKE/IPsec IKE/IPsec setup ECDSA KeyGen Keys Configuration for peer to peer (FIPS 186-4) VPN. ECDSA SigGen (FIPS 186-4) Entropy Input G/E Counter DRBG String © 2025 Palo Alto Networks, Inc. WildFire 10.1 WF-500 Security Policy 20
DRBG Seed DRBG V DRBG Key IPSec/IKE G/E/Z DHE/ECDHE KDF IKEv2 (CVL) Public Components CKG, IPSec/IKE G/E/Z ECDSA KeyGen DHE/ECDHE (FIPS 186-4), Private KAS ECDSA KeyVer Components (FIPS 186-4), KAS-ECC-SSC, KAS-FFC-SSC, Safe Primes Key Generation, Safe Primes Key Verification HMAC-SHA2- IPSec/IKE G/E/Z
HMAC-SHA2- Keys KTS HMAC-SHA2IPSec/IKE Session AES-CBC Keys IPSec/IKE Session G/E/Z KTS AES-GCM Keys RSA Public Keys G/R/E/W RSA SigVer (FIPS 186-4) CA Certificates ECDSA Public G/R/E/W ECDSA SigVer (FIPS 186-4) Keys CA Certificates Console Output / Destroys all keys Zeroize N/A All Keys and SSPs CO Z Zeroization in the module indicator Run power up CO E System Logs self-tests on HMAC-SHA2-256, Firmware Self-Tests demand by power ECDSA SigVer Integrity Check cycling the (FIPS 186-4) Key module. View hardware status of the Show Status N/A N/A All N/A LEDs module via the LEDs. 5. Software/Firmware Security The module performs the Firmware Integrity test by using HMAC-SHA-256 and ECDSA signature verification (HMAC and ECDSA Cert. #A2137) during the Pre-Operational Self-Test. In addition, the module also conducts the firmware load test by using the Public Verification Key (RSA 2048 with SHA-256, Cert. #A2137) for the new validated firmware to be uploaded into the module via the System Operational Management service. The Firmware Integrity Verification key and Public key for Firmware Content Load Test used for the Firmware Integrity and Firmware Load test, respectively, are generated externally and delivered as part of the module firmware image. The pre-operational self-tests can be initiated by power cycling the module. When this is performed, the module automatically runs the cryptographic algorithm self-tests in addition to the pre-operational firmware integrity test. © 2025 Palo Alto Networks, Inc. WildFire 10.1 WF-500 Security Policy 21
The module’s executable code is in the form of the compiled firmware image loaded onto the module. 6. Operational Environment The FIPS 140-3 Operational Environment requirements are not applicable. The operational environment is limited since the Module includes a firmware load service to support necessary updates. New firmware versions within the scope of this validation must be validated through the FIPS 140-3 CMVP. Any other firmware loaded into this module is out of the scope of this validation and requires a separate FIPS 140-3 validation. © 2025 Palo Alto Networks, Inc. WildFire 10.1 WF-500 Security Policy 22
7. Physical Security Physical Security Mechanisms The multi-chip standalone module is production quality and contains standard passivation. Chip components are protected by an opaque enclosure. There are tamper-evident seals that are applied on the module by the Crypto-Officer, and any unused seals are to be controlled by the Crypto-Officer. The Crypto-Officer must ensure that the module surface is clean and dry before applying the seals. The seals prevent removal of the opaque enclosure without evidence, which should be inspected by the Crypto-Officer every 30 days for evidence of tampering. If the seals or opacity shields show evidence of tamper, the Crypto-Officer should assume that the module has been compromised and contact Customer Support. Note: For ordering information, see Table 1 for physical kit part numbers and version. Opacity shields are included in the physical kits. Refer to Appendix A for instructions regarding installation of the tamper seals and opacity shields. Tamper-evident seals must be pressed firmly onto the adhering surfaces during installation, and once applied, the Crypto-Officer shall permit 24 hours of cure time for all tamper-evident seals. The placement of the twelve (12) tamper-evident seals are shown in Appendix A. Operator Required Actions The following table provides information regarding the various physical security mechanisms, and their recommended frequency of inspection/test. Table 10 - Physical Security Inspection Guidelines Physical Security Mechanism Recommended Frequency Inspection/Test Guidance Details of Inspection/Test Tamper-Evident Seals 30 days Verify integrity of tamper-evident seals in the locations specified in Appendix A. Front and Rear Opacity Shields 30 days Verify that the front and rear opacity shields have not been deformed from their original shape, thereby reducing their effectiveness. Vent Overlays 30 days Verify that the vent overlays have not been removed or deformed. All edges should maintain strong adhesion characteristics. © 2025 Palo Alto Networks, Inc. WildFire 10.1 WF-500 Security Policy 23
112 bits DRBG, HDD/RAM –
CA Certificates SigVer (FIPS Session Key N/A RAM - Zeroize at certificates minimum 186-4) FIPS 186-4 plaintext Encrypted session (RSA 2048, 3072, and termination 4096 bits) Cert. #A2137 (ECDSA P-256, P-384, and P-521) RSA public keys managed as certificates for the TLS or SSH verification of Session Key RSA SigVer signatures,
112 bits DRBG, Encrypted or HDD/RAM –
RSA Public Keys (FIPS 186-4) N/A Zeroize Service establishment of TLS, minimum Cert. #A2137 FIPS 186-4 Plaintext plaintext operator TLS authentication and handshake peer authentication. (RSA 2048, 3072, or 4096-bit) © 2025 Palo Alto Networks, Inc. WildFire 10.1 WF-500 Security Policy 24
RSA Private keys for HDD
112 bits DRBG, HDD/RAM –
RSA Private Keys (FIPS 186-4) Session Key N/A RAM - Zeroize at authentication or key minimum Cert. #A2137 FIPS 186-4 plaintext Encrypted session establishment. termination (RSA 2048, 3072, or 4096-bit) ECDSA public keys managed as certificates for the TLS or SSH verification of ECDSA Session Key signatures, ECDSA Public 128 bits SigVer (FIPS DRBG, Encrypted or HDD/RAM
112 bits SSC RAM - Zeroize at session EC component used in
Private 800-56A N/A N/A minimum KAS-FFC-SSC plaintext termination TLS Components Cert. #A2137 Rev. 3 (DHE 2048, ECDHE P256, P-384, P-521) Diffie_Hellman or EC KAS-ECC- Diffie-Hellman TLS DHE/ECDHE DRBG, SP
112 bits SSC Plaintext - TLS Zeroize at session Ephemeral values used
Public 800-56A N/A N/A minimum KAS-FFC-SSC handshake termination in key agreement Components Cert. #A2137 Rev. 3 (DHE 2048, ECDHE P256, P-384, P-521) KAS-ECC- Secret value used to KDF TLS SSC or derive the TLS Master Cert. #A2137, TLS, KAS SP TLS Pre-Master KAS-FFC- RAM
160 bits TLS KDF RAM - Zeroize at session connections (SHA-1,
TLS HMAC Keys HMAC- N/A 800-56A Rev. minimum SHA2-384 (CVL) 3 plaintext termination 256, 384) Cert. #A2137 (160, 256, 384 bits) Diffie Hellman or EC SSH DHE/ECDHE KAS-ECC- DRBG, SP Diffie-Hellman private
112 bits SSC RAM - Zeroize at session
Private 800-56A N/A N/A (DH Group 14, ECDH Pminimum KAS-FFC-SSC plaintext termination Components Cert. #A2137 Rev. 3 256, ECDH P-384, ECDH P-521) SSH DHE/ECDHE KAS-ECC- DRBG, SP Plaintext SSH Diffie Hellman or EC
112 bits SSC handshake RAM - Zeroize at session
Public 800-56A N/A Diffie-Hellman public minimum KAS-FFC-SSC plaintext termination Components Cert. #A2137 Rev. 3 component (DH Group © 2025 Palo Alto Networks, Inc. WildFire 10.1 WF-500 Security Policy 25
14, ECDH P-256, ECDH P-384, ECDH P-521) RSA SigVer (FIPS 186-4) SSH Host Public Key SSH Host Public 112 bits ECDSA DRBG, HDD/RAM
Used in all SSH connections to the AES-CBC, security module’s SSH, KAS SP SSH Session 128 bits AES-CTR, or RAM - Zeroize at session command line N/A N/A 800-56A Rev. Encryption Keys minimum AES-GCM plaintext termination interface. Cert. #A2137 (128, 192, or 256 bits: CBC or CTR) (128 or 256 bits: GCM) Authentication keys used in all SSH HMAC-SHA-
1 connections to the
SSH Session HMAC- SSH, KAS SP security module’s
160 bits RAM - Zeroize at session
Authentication SHA2-256 N/A N/A 800-56A Rev. command line minimum HMAC- 3 plaintext termination Keys interface (HMAC-SHASHA2-512 1, HMAC-SHA2-256, Cert. #A2137 HMAC-SHA2-512) (160, 256, 512 bits) Diffie-Hellman or EC IPSec/IKE KAS-ECC- Diffie-Hellman private DBRG, SP DHE/ECDHE 112 bits SSC RAM - component used in 800-56A N/A N/A Power cycle Private minimum KAS-FFC-SSC plaintext key establishment Cert. #A2137 Rev. 3 Components (DHE 2048, ECDHE P256, P-384) Diffie-Hellman or EC IPSec/IKE KAS-ECC- Diffie-Hellman public DRBG, SP DHE/ECDHE 112 bits SSC RAM - component used in 800-56A N/A N/A Power cycle Public minimum KAS-FFC-SSC plaintext key agreement Cert. #A2137 Rev. 3 Components (DHE 2048, ECDHE P256, P-384) Used to encrypt AES-CBC, IPSec/IKE, KAS IPSec/IKE Session 128 bits RAM - Zeroize at session IKE/IPSec data. These AES-GCM N/A N/A SP 800-56A Keys minimum Cert. #A2137 Rev. 3 plaintext termination are AES CBC or GCM (128 or 256 bits). HMAC- (HMAC-SHA-256, SHASHA2-256 384 or SHA-512) Used IPSec/IKE HMAC- IPSec/IKE, KAS
256 bits RAM - Zeroize at session to authenticate the
Authentication SHA2-384 N/A N/A SP 800-56A minimum HMAC- Rev. 3 plaintext termination peer in an IKE/IPSec Keys SHA2-512 tunnel connection. Cert. #A2137 (256, 384, 512 bits) Authentication string TLS or SSH HDD - a CO, User with a minimum N/A N/A External Session Key N/A password Zeroize Service Password Encrypted length of eight (8) hash characters. HDD– TLS or SSH Secrets used by Plaintext Protocol Secrets N/A N/A External Session Key N/A Zeroize Service RADIUS or TACACS+ (8 Encrypted RAM
194 bits affirmed), N/A N/A Power cycle coming from the
String as per plaintext Counter entropy source © 2025 Palo Alto Networks, Inc. WildFire 10.1 WF-500 Security Policy 26
DRBG Cert. SP 800#A2137 90B Input length = 384 bits CKG (vendor DRBG seed coming affirmed), Entropy from the entropy Counter as per RAM DRBG Seed 194 bits N/A N/A Power cycle source DRBG Cert. SP 800- Plaintext #A2137 90B Seed length = 384 bits CKG (vendor affirmed), Entropy AES 256 CTR DRBG Counter as per RAM - State (V) used in the DRBG V 128 bits N/A N/A Power cycle DRBG Cert. SP 800- plaintext generation of random #A2137 90B values CKG (vendor affirmed), Entropy AES 256 CTR DRBG Counter as per RAM - State (Key) used in the DRBG Key 256 bits N/A N/A Power cycle DRBG Cert. SP 800- plaintext generation of random #A2137 90B values Used to support SNMPv3 KDF SNMP TLS or SSH HDD/RAM
128 bits AES-CFB128 SNMPv3 HDD/RAM - encryption key
Session Key N/A N/A Zeroize Service minimum Cert. #A2137 KDF (CVL) Plaintext (AES 128/192/256 CFB128) HDD
256 Cert. *Keys used to perform
image #A2137 power-up self-tests are not CSPs Note: SSPs are implicitly zeroized when power cycling and explicitly zeroized when using the zeroize service. © 2025 Palo Alto Networks, Inc. WildFire 10.1 WF-500 Security Policy 27
Table 12 - Non-Deterministic Random Number Generation Specification Entropy Source Minimum number Details of bits of entropy ESV Cert. #E130 The entropy source provides at least 0.506 bits of entropy per bit of output. The DRBG is seeded with 384bits of output from the entropy source. Therefore the Palo Alto Networks RTC DRBG is seeded with at least 194 bits of entropy before
Entropy Source generating keys. The module generates SSPs (e.g., keys) whose strengths are modified by available entropy © 2025 Palo Alto Networks, Inc. WildFire 10.1 WF-500 Security Policy 28
■ Checked via CLI using “show shared” command Failure to follow these Security Rules will cause the module to operate in a non-compliant state.
Appendix A
Step 1: Remove the two pull handles and front modules on the left and right side of the appliance by removing the three (3) screws located behind each handle/module. There is no need to disconnect the LED circuit board attached to the end of the ribbon cable. Retain these screws for Step
Figure 10 - Attach Pull Handles and Front Modules Step 3: Secure the front opacity shield to the right and left front brackets that you installed in Step 2. Use two (2) screws (provided) on each side. Figure 11
Figure 12
Figure 14
Figure 16
Figure 18
Figure 19