| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software-hybrid |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 10/10/2029 |
| Caveat | Interim validation. When installed, initialized and configured as specified in Section 11 of the Security Policy. No assurance of the minimum strength of generated SSPs (e.g., keys) |
| Vendor | Palo Alto Networks, Inc. |
| Algorithm | ACVP Cert |
|---|---|
| AES-CBC | A2999 |
| AES-CTR | A2999 |
| AES-ECB | A2999 |
| AES-GCM | A2999 |
| Conditioning Component AES-CBC-MAC SP800-90B | A2873 |
| Counter DRBG | A1362 |
| Counter DRBG | A2999 |
| ECDSA KeyGen (FIPS186-4) | A2999 |
| ECDSA KeyVer (FIPS186-4) | A2999 |
| ECDSA SigGen (FIPS186-4) | A2999 |
| ECDSA SigVer (FIPS186-4) | A2999 |
| HMAC-SHA-1 | A2999 |
| HMAC-SHA2-256 | A2999 |
| HMAC-SHA2-384 | A2999 |
| HMAC-SHA2-512 | A2999 |
| KAS-ECC-SSC Sp800-56Ar3 | A2999 |
| KDF TLS | A2999 |
| RSA SigGen (FIPS186-4) | A2999 |
| RSA SigVer (FIPS186-4) | A2999 |
| SHA-1 | A2999 |
| SHA2-256 | A2999 |
| SHA2-256 | A3429 |
| SHA2-384 | A2999 |
| SHA2-512 | A2999 |
flowchart LR
%% Deterministic review-risk graph for GlobalProtect App
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>status output<br/>no authentication<br/>Show Status</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>IPSEC<br/>HTTPS</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for GlobalProtect App
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>status output<br/>no authentication<br/>Show Status</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>IPSEC<br/>HTTPS</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;GlobalProtect App (Android/iOS/Linux/macOS/Windows) Software Version: 6.0.10 Hardware Version: Intel Core i3-1215U Intel Core i7-1250U Apple M Series M1 Apple A Series A14 Qualcomm Snapdragon 888 Palo Alto Networks, Inc. www.paloaltonetworks.com © 2024 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. Revision Date: October 3, 2024 Document Version: 1.20
| # | Section | Page |
|---|
1. General The table below provides the Security Levels of the various sections of FIPS 140-3 in relation to the Palo Alto Networks GlobalProtect App (hereinafter referred to as the Module). ISO/IEC 24759 Section FIPS 140-3 Section Title Security Level 6. [Number Below]
1 General 1
2 Cryptographic Module Specification 1
3 Cryptographic Module Interfaces 1
4 Roles, Services, and Authentication 1
5 Software/Firmware Security 1
6 Operational Environment 1
7 Physical Security 1
8 Non-Invasive Security N/A
9 Sensitive Security Parameter Management 1
10 Self-Tests 1
11 Life-Cycle Assurance 3
12 Mitigation of Other Attacks N/A
Overall 1 Table 1 - Security Levels
# Operating System Hardware Platform Processor PAA/Acceleration
1 Linux Ubuntu 20.04 HP Pavilion Intel Core i3-1215U AES-NI
2 Windows 11 HP Envy Intel Core i7-1250U AES-NI
3 macOS Big Sur 11 MacBook Air Apple M Series M1 NEON
4 iOS 16 iPhone 12 Mini Apple A Series A14 NEON
5 Android 12 Samsung Galaxy S21 Ultra Qualcomm Snapdragon 888 AES-NI
Table 2 - Tested Operational Environments # Operating System Hardware Platform
Table 2A - Vendor Affirmed Operational Environments The module utilizes the following Approved algorithms that have the following CAVP certificates: CAVP Algorithm and Mode/Method Description/Key Size(s) / Use / Function Cert Standard Key Strength(s) A1362 AES 256 bits without Derivation Counter DRBG Vetted conditioner for ESV CTR DRBG Function and with Prediction [SP 800-90Arev1] Cert. #E14 Resistance Enabled A2873 Conditioning Component Intel Conditioner for Entropy AES-CBC-MAC AES-CBC-MAC 128 bits Source [SP 800-90B] A2999 Encryption AES-CBC [SP 800-38A] CBC 128, 192 and 256 bits Decryption A2999 128, 192 and 256 bits Encryption AES-CTR [SP 800-38A] CTR Decryption Note: 128, 192, and 256 bits were tested, but not available for use A2999 Encryption AES-ECB [SP 800-38A] ECB 128, 192 and 256 bits Decryption A2999 128 and 256 bits AES-GCM GCM Encryption [SP 800-38D] Note: 192 bits tested, but not Decryption available for use A2999 Counter DRBG AES 256 bits with Derivation CTR DRBG Random Bit Generator [SP 800-90Arev1] Function Enabled A2999 ECDSA KeyGen Key Generation ECDSA KeyGen P-256, P-384, P-521 (FIPS 186-4)
4 Palo Alto Networks GlobalProtect App © 2024 Palo Alto Networks, Inc.
This Security Policy is non-proprietary and may be reproduced only in its entirety (without revision)
A2999 Public Key Validation ECDSA KeyVer (FIPS 186-4) ECDSA KeyVer P-256, P-384, P-521 A2999 P-256, P-384, P-521 with Signature Generation ECDSA SigGen (FIPS 186-4) ECDSA SigGen SHA2-256, SHA2-384, and SHA2-512 A2999 P-256, P-384, P-521 with ECDSA SigVer (FIPS 186-4) ECDSA SigVer SHA2-256, SHA2-384, and Signature Verification SHA2-512 A2999 HMAC-SHA-1 [FIPS 198-1] HMAC HMAC-SHA-1 with λ=160 Authentication for protocols A2999 HMAC-SHA2-256 HMAC HMAC-SHA2-256 with λ=256 Authentication for protocols [FIPS 198-1] A2999 HMAC-SHA2-384 HMAC HMAC-SHA2-384 with λ=384 Authentication for protocols [FIPS 198-1] A2999 HMAC-SHA2-512 with λ=512 HMAC-SHA2-512 HMAC Authentication for protocols [FIPS 198-1] Note: Tested, but not available for use A2999 SP 800-56Arev3. KAS-ECC EphemeralUnified scheme using per IG D.F Scenario 2 path P-256/P-384/P-521 providing KAS-ECC-SSC SP 800-56Ar3 Key Exchange (2) 128/192/256 bits of strength A2999 KDF TLS TLS 1.2 KDF TLS v1.2 Hash Algorithm: TLS [SP 800-135rev1] (CVL) SHA2-256, SHA2-384 A2999 PKCS #1 v1.5: 2048, 3072, and RSA SigGen RSA SigGen Signature Generation 4096-bit with hashes (FIPS 186-4) (FIPS 186-4) SHA2-256/384/512 A2999 PKCS #1 v1.5: 2048, 3072, 4096-bit (per IG C.F) with hashes RSA SigVer RSA SigVer SHA2-256, SHA2-384, Signature Verification (FIPS 186-4) (FIPS 186-4) SHA2-512(Signature Verification) A2999 Non-Digital Signature SHA-1 SHA-1 [FIPS 180-4] SHA Applications (e.g. component of HMAC) A2999 Digital Signature Generation/Verification SHA2-256 [FIPS 180-4] SHA2 SHA2-256 Non-Digital Signature Applications (e.g. component of HMAC) A2999 Digital Signature Generation/Verification SHA2-384 [FIPS 180-4] SHA2 SHA2-384 Non-Digital Signature Applications (e.g. component of HMAC) A2999 Digital Signature Generation/Verification SHA2-512 [FIPS 180-4] SHA2 SHA2-512 Non-Digital Signature Applications (e.g. component of HMAC) A3429 Vetted conditioner for ESV SHA2-256 [FIPS 180-4] SHA2 SHA2-256 Cert. #E15 AES KTS SP 800-38A, FIPS 198-1, Cert. AES-CBC plus HMAC Key Wrapping [SP 800-38F] and SP 800-38F. KTS (key A2999 © 2024 Palo Alto Networks, Inc. Palo Alto Networks GlobalProtect App 5 This Security Policy is non-proprietary and may be reproduced only in its entirety (without revision)
and wrapping and unwrapping) 128, 192, and 256-bit keys HMAC per IG D.G. providing 128, 192, or 256 bits of Cert. encryption strength A2999 AES-GC SP 800-38D and SP AES-GCM KTS M Cert. 800-38F. KTS (key wrapping 128 and 256-bit keys providing 128 Key Wrapping [SP 800-38F] A2999 and unwrapping) per IG D.G. or 256 bits of encryption strength ESV Apple corecrypto physical entropy Cert. ESV [SP 800-90B] ESV Entropy source #E14 ESV Apple corecrypto non-physical Cert. ESV [SP 800-90B] ESV Entropy entropy source #E15 KAS-EC C-SSC Cert. SP 800-56Arev3. KAS-ECC P-256, P-384, and P-521 curves Key Exchange with protocol #A2999, KAS [SP 800-56Arev3] per IG D.F Scenario 2 path providing 128, 192, or 256 bits of KDF KDF TLS (2). encryption strength Cert. #A2999 N/A ENT (P) (SP 800-90B) ENT ENT (P) Entropy Key Generation Note: The seeds used for Cryptographic Key Vendor CKG asymmetric key pair generation Section 5.2 Generation; SP 800Affirmed (SP 800-133rev2) are produced using the
unmodified/direct output of the DRBG Table 3 - Approved Algorithms Notes:
6 Palo Alto Networks GlobalProtect App © 2024 Palo Alto Networks, Inc.
This Security Policy is non-proprietary and may be reproduced only in its entirety (without revision)
Cryptographic Boundary Figure 1 below depicts the cryptographic boundary and physical perimeter (light blue color area). The cryptographic boundary includes all of the software components and the specified hardware components (CPU’s). The physical perimeter is the Tested Operational Environment’s Physical Perimeter (TOEPP) on which the module runs. Figure 1: Cryptographic Boundary * See details below regarding Operating Systems/Environments tested Figure 1B: Hardware Components © 2024 Palo Alto Networks, Inc. Palo Alto Networks GlobalProtect App 7 This Security Policy is non-proprietary and may be reproduced only in its entirety (without revision)
8 Palo Alto Networks GlobalProtect App © 2024 Palo Alto Networks, Inc.
This Security Policy is non-proprietary and may be reproduced only in its entirety (without revision)
Security Configuring module with Logs provide configuration changes Configuration setup data details to support Management VPN establishment VPN Tunnel Initialize VPN connection System log provide VPN status Zeroize Command module to zeroize All SSPs zeroized (module uninstalled) Table 5 - Roles, Service Commands, Input and Output Service Description Approved Keys and/or SSPs Roles Access rights Indicator Security to Keys Functions and/or SSPs Show Status Provides N/A N/A Crypto-Officer N/A System logs or information status window regarding the status of the system (fetched via GUI/CLI) Show Version Provides N/A N/A Crypto-Officer N/A Module information provides regarding version version information Self-Test Performs RSA SigVer (FIPS Software Integrity Crypto-Officer E System logs on-demand 186-4) Verification Key Self-Tests (executed via reboot of platform) Security Configures the N/A CA Certificates Crypto-Officer R/W/E System logs Configuration module with RSA Public Keys Management necessary setup RSA Private Keys details to support ECDSA Public Keys VPN ECDSA Private Keys establishment (updated via GUI/CLI) VPN Tunnel Creates an KAS KDF TLS TLS Pre-Master Secret Crypto-Officer G/E/Z System logs SSL/IPsec VPN KDF TLS TLS Master Secret G/E/Z tunnel (executed CKG, TLS ECDHE Public G/E/Z by operator ECDSA Components interaction with KeyGen (FIPS TLS ECDHE Private G/E/Z GUI/CLI) 186-4), ECDSA Components KeyVer (FIPS 186-4), KAS-ECC-SSC KTS HMAC-SHA2- TLS HMAC Keys G/E/Z HMAC-SHA2AES-CBC TLS Encryption Keys KTS AES-GCM CA Certificates W/E RSA SigVer (FIPS 186-4) © 2024 Palo Alto Networks, Inc. Palo Alto Networks GlobalProtect App 9 This Security Policy is non-proprietary and may be reproduced only in its entirety (without revision)
ECDSA SigVer (FIPS 186-4) RSA SigVer (FIPS RSA Public Keys W/E 186-4) RSA SigGen (FIPS RSA Private Keys E 186-4) ECDSA SigVer (FIPS ECDSA Public Keys W/E 186-4) ECDSA SigGen (FIPS ECDSA Private Keys E 186-4) AES-CBC IPSec Session Keys W/E AES-GCM HMAC-SHA-1 IPSec Authentication W/E Keys Counter DRBG, Entropy Input String, G/E/Z ENT (P), ESV DRBG Seed Counter DRBG DRBG Key G/E/Z DRBG V G/E/Z Zeroize Removes all SSPs N/A All Keys and SSPs Crypto-Officer Z Removal of from the module module and (Performed via confirmation uninstall of the via OS status module) window Table 6 - Approved Services G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g. the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP. Note: There is no table for non-Approved services as the module only supports Approved services. 5. Software/Firmware Security The module performs the Software Integrity test by verifying the digital signature of the module using RSA 2048 with SHA2-256 (Cert. #A2999) or RSA 3072 with SHA2-384 (Cert. #A2999) during the Pre-Operational Self-Test. RSA 2048 with SHA2-256 is used for Windows/macOS/iOS/Android (OE #2, 3, 4, 5 in Table 2) and RSA 3072 with SHA2-384 is used for Linux (OE #1 in Table 2). The Software Integrity Verification Key is used for this integrity test. The integrity test can be performed by restarting the GlobalProtect app service, which is noted in the Life-Cycle Assurance section for each platform. The test can also be performed by restarting the platform for which the module runs on. Either of the actions (restarting the GlobalProtect app service or restarting the host platform) can be used to perform the integrity test on demand. For information regarding the file type, see details in Operational Environment. The module comes packaged and ready for installation once it has been downloaded from the Palo Alto Networks support site.
10 Palo Alto Networks GlobalProtect App © 2024 Palo Alto Networks, Inc.
This Security Policy is non-proprietary and may be reproduced only in its entirety (without revision)
Key/SSP Strength Security Generation Import/Export1 Establishment Storage2, 3 Zeroization4 Use & Related Keys Name/Type Function and Cert. Number RSA SigVer ECDSA/RSA Public key (FIPS 186-4), used to extend trust to a
112 - 256 ECDSA SigVer Import/Exporte Protected in Zeroization
CA Certificates N/A N/A root CA, intermediate CA, bits (FIPS 186-4) d in plaintext OS key store service and left/end entity certificates Cert. #A2999 Import: Yes from OS key RSA public keys managed store or as certificates for the RSA SigVer RSA Public 112 - 150 Plaintext during Protected in Zeroization verification of signatures, (FIPS 186-4) N/A N/A Keys bits TLS handshake OS key store service establishment of TLS, and Cert. #A2999 Export: peer authentication. (RSA Plaintext during 2048/3072/4096 bits) TLS handshake RSA Private key used for Imported: RSA SigGen authentication, and RSA Private 112 - 150 Encrypted via Protected in Zeroization (FIPS 186-4) N/A N/A signature generation Keys bits TLS OS key store service Cert. #A2999 (RSA 2048, 3072, or 4096 Exported: No bits). Import: Yes ECDSA public keys from OS key managed as certificates store or ECDSA SigVer for the verification of ECDSA Public 128 - 256 Plaintext during Protected in Zeroization (FIPS 186-4) N/A N/A signatures, establishment Keys bits TLS handshake OS key store service Cert. #A2999 of TLS, and peer Export: authentication. Plaintext during (P-256/384/521) TLS handshake ECDSA Imported: ECDSA Private key used ECDSA Private 128 - 256 SigGen (FIPS Encrypted via Protected in Zeroization for authentication, and N/A N/A Keys bits 186-4) TLS OS key store service signature generation Cert. #A2999 Exported: No (P-256, P-384 or P-521. ECDSA KeyGen (FIPS 186-4), ECDHE private TLS ECDHE Zeroized at
128 - 256 ECDSA RAM
Private CKG N/A N/A session bits KeyVer (FIPS Plaintext agreement Components termination 186-4), (P-256, P-384, P-521) KAS-ECC-SSC Cert. #A2999 Import: No Export: Only TLS ECDHE exits the module Zeroized at ECDHE public component
128 - 256 KAS-ECC-SSC RAM –
Public N/A N/A session used in key agreement bits Cert. #A2999 to the peer for Plaintext Components termination (P-256/384/521) TLS protocol implementation TLS Zeroized at Value used during TLS KDF TLS RAM
128 or AES-CBC, Derived using Zeroized at
TLS Encryption RAM
12 Palo Alto Networks GlobalProtect App © 2024 Palo Alto Networks, Inc.
This Security Policy is non-proprietary and may be reproduced only in its entirety (without revision)
HMAC-SHA2256, Derived using Zeroized at HMAC keys used in TLS TLS HMAC 256 - 384 RAM
384 KDF termination (SHA2-256, SHA2-384)
Cert. #A2999 AES-CBC, Imported Zeroized at Used to encrypt sessions IPSec Session 128 bits RAM
Entropy Sources Minimum Number of Bits of Details Entropy Apple Non-Physical Entropy 384 bits The module uses entropy provided by Apple’s entropy source, which is Source covered by ESV cert. #E15. This entropy source provides full entropy per output. The DRBG is seeded with 384 bits of entropy from this source. (Apple A Series processor) Apple Physical Entropy 384 bits The module uses entropy provided by Apple’s entropy source, which is Source covered by ESV cert. #E14. This entropy source provides full entropy per output. The DRBG is seeded with 384 bits of entropy from this source. (Apple M Series processor) Intel RDSEED 384 bits Entropy provided by Intel CPU with RDSEED as the noise source to provide at least 384 bits of entropy to seed the DRBG. This entropy source provides full entropy per output. The DRBG is seeded with 384 bits of entropy from this source. (Windows and Linux platforms) N/A 112 bits For Android platforms, the module performs an entropy load that meets FIPS 140-3 IG 9.3.A Scenario 2(b). The DRBG is seeded with 384 bits of data which is assumed to contain at least 112 bits of entropy. No assurance of the minimum strength of generated SSPs (e.g., keys) Table 9 - Non-Deterministic Random Number Generation Specification 10. Self-Tests The cryptographic module performs the following tests below. The operator can command the module to perform the pre-operational and cryptographic algorithm self-tests (CASTs) by reloading the module or power cycling the underlying platform; these tests do not require any additional operator action. In the event that a Self-Test fails, the module will enter an error state until the issue is resolved, and provide a status output message with the failure. Pre-Operational Self-Tests Algorithm Self-Test Details Software Digital signature verification (PKCS #1 v1.5) using RSA 2048 bits with SHA2-256 or RSA 3072 Integrity Test bits with SHA2-384 (Linux) Note: The RSA and SHA2-256/SHA2-384 CASTs are performed prior to the Software Integrity Test. Table 10 - Pre-Operational Self-Tests Conditional Self-Tests Algorithm Self-Test Details AES ECB Encrypt KAT using AES ECB 128 bits AES ECB Decrypt KAT using AES ECB 128 bit AES GCM Encrypt KAT using AES GCM 256 bits AES GCM Decrypt KAT using AES GCM 256 bits Counter DRBG KAT: AES-256 Counter DRBG Note: DRBG Health Tests as specified in SP800-90A Section 11.3 are performed (i.e. instantiate/generate/reseed)
14 Palo Alto Networks GlobalProtect App © 2024 Palo Alto Networks, Inc.
This Security Policy is non-proprietary and may be reproduced only in its entirety (without revision)
ECDSA Sign KAT using P-256 and SHA2-256 ECDSA Verify KAT using P-256 and SHA2-256 HMAC-SHA-1 KAT using HMAC-SHA-1 HMAC-SHA2-224 KAT using HMAC-SHA2-224 Note: Only used for self-test. HMAC-SHA2-256 KAT using HMAC-SHA2-256 HMAC-SHA2-384 KAT using HMAC-SHA2-384 HMAC-SHA2-512 KAT using HMAC-SHA2-512 RSA Sign KAT using RSA 2048 bits and SHA2-256 (PKCS #1 v1.5 and PKCS PSS) RSA Verify KAT using RSA 2048 bits and SHA2-256 (PKCS #1 v1.5 and PKCS PSS) SHA-1 KAT using SHA-1 SHA2-256 KAT using SHA2-256 SHA2-384 KAT using SHA2-384 SHA2-512 KAT using SHA2-512 SP 800-56Ar3 KAS-ECC-SSC KAT for KAS-ECC-SSC using P-256 (Shared Secret Computation) primitive Z value SP 800-135r1 KDF TLS KAT for TLSv1.2 KDF SP 800-90B Health Tests SP 800-90B Health Tests on the Entropy Source Table 11
Secure Delivery Procedures The security of the module is maintained during the transfer of these products from production sites to the customer through the following mechanisms:
16 Palo Alto Networks GlobalProtect App © 2024 Palo Alto Networks, Inc.
This Security Policy is non-proprietary and may be reproduced only in its entirety (without revision)
○ HKEY_LOCAL_MACHINES\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\
○ Restart the GlobalProtect App application and GlobalProtect App service (PanGPS) ■ Launch Terminal ■ Execute the following commands: username>$ launchctl unload -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist username>$ launchctl unload -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist username>$ launchctl load -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist username>$ launchctl load -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist iOS For the GlobalProtect App running on iOS, complete the steps below: ● Access the App Store on the Apple device ● Search for GlobalProtect and download the application ● Once the app has been downloaded, navigate to the MDM to initialize the Approved state (“FIPS-CC mode”) on the endpoint ● On the MDM service such as Workspace One, enter the following custom key: ○ Key: enable-fips-cc-mode ○ Value: yes ● Push the configuration to the iOS device, and then restart the application Android To initialize the GP App into its Approved state (“FIPS-CC mode”), follow the procedure below: ● Access the Google Play store ● Search for GlobalProtect and download the application ● Once the app has been downloaded, navigate to the MDM to initialize the Approved state (FIPS-CC mode) on the endpoint ● On the MDM service such as Workspace One, enter the following custom key: ○ Key: enable-fips-cc-mode ○ Value: yes ● Push the configuration to the Android device, and then restart the application End of Life / Sanitization End of life dates for software modules are announced publicly via Palo Alto Networks’ services website. Crypto-Officers shall follow the procedure below for the secure destruction of their module: Note: This process will cause the module to no longer function after it has wiped all configurations and keys. Linux
18 Palo Alto Networks GlobalProtect App © 2024 Palo Alto Networks, Inc.
This Security Policy is non-proprietary and may be reproduced only in its entirety (without revision)