All modules
CMVP Validated Module · FIPS 140-3 Security Policy

GlobalProtect App

Certificate#4828StandardFIPS 140-3Level1TypeSoftware-hybridEmbodimentMulti-Chip Stand AloneStatusActiveVendorPalo Alto Networks, Inc.
Medium review priority  ·  no TCB surface named  ·  last validated 21 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware-hybrid
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date10/10/2029
CaveatInterim validation. When installed, initialized and configured as specified in Section 11 of the Security Policy. No assurance of the minimum strength of generated SSPs (e.g., keys)
VendorPalo Alto Networks, Inc.

Approved Algorithms (24)

AlgorithmACVP Cert
AES-CBCA2999
AES-CTRA2999
AES-ECBA2999
AES-GCMA2999
Conditioning Component AES-CBC-MAC SP800-90BA2873
Counter DRBGA1362
Counter DRBGA2999
ECDSA KeyGen (FIPS186-4)A2999
ECDSA KeyVer (FIPS186-4)A2999
ECDSA SigGen (FIPS186-4)A2999
ECDSA SigVer (FIPS186-4)A2999
HMAC-SHA-1A2999
HMAC-SHA2-256A2999
HMAC-SHA2-384A2999
HMAC-SHA2-512A2999
KAS-ECC-SSC Sp800-56Ar3A2999
KDF TLSA2999
RSA SigGen (FIPS186-4)A2999
RSA SigVer (FIPS186-4)A2999
SHA-1A2999
SHA2-256A2999
SHA2-256A3429
SHA2-384A2999
SHA2-512A2999

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for GlobalProtect App
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>status output<br/>no authentication<br/>Show Status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>IPSEC<br/>HTTPS</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for GlobalProtect App
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>status output<br/>no authentication<br/>Show Status</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>IPSEC<br/>HTTPS</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

GlobalProtect App (Android/iOS/Linux/macOS/Windows) Software Version: 6.0.10 Hardware Version: Intel Core i3-1215U Intel Core i7-1250U Apple M Series M1 Apple A Series A14 Qualcomm Snapdragon 888 Palo Alto Networks, Inc. www.paloaltonetworks.com © 2024 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. Revision Date: October 3, 2024 Document Version: 1.20

Page 2
Table of Contents
#SectionPage
Page 3

1. General The table below provides the Security Levels of the various sections of FIPS 140-3 in relation to the Palo Alto Networks GlobalProtect App (hereinafter referred to as the Module). ISO/IEC 24759 Section FIPS 140-3 Section Title Security Level 6. [Number Below]

1 General 1

2 Cryptographic Module Specification 1

3 Cryptographic Module Interfaces 1

4 Roles, Services, and Authentication 1

5 Software/Firmware Security 1

6 Operational Environment 1

7 Physical Security 1

8 Non-Invasive Security N/A

9 Sensitive Security Parameter Management 1

10 Self-Tests 1

11 Life-Cycle Assurance 3

12 Mitigation of Other Attacks N/A

Overall 1 Table 1 - Security Levels

  1. Cryptographic Module Specification The GlobalProtect App is a software-hybrid cryptographic module that runs on commercially available operating systems and mobile devices to provide security for users. Its cryptographic boundary is the entire software of the package, which is noted in Section 6 of this Security Policy. The GlobalProtect App secures traffic using TLS or IPsec, and allows users to connect to corporate networks to access their company's resources from anywhere in the world. The module uses GlobalProtect App version 6.0.10 and meets an overall Security Level of
  2. The GlobalProtect App provides only an Approved mode of operation, and is configured during initialization to operate only in an Approved mode of operation when in the operational state. Details regarding how to enter the Approved mode of operation is noted in the Life-Cycle Assurance section under Secure Operation. The Life-Cycle Assurance section also provides details regarding proper download/installation as well as steps to zeroize the module. The module is classified as a multi-chip standalone software-hybrid module. FIPS 140-3 conformance testing was performed at Security Level 1 with the following configurations noted in the table below. © 2024 Palo Alto Networks, Inc. Palo Alto Networks GlobalProtect App 3 This Security Policy is non-proprietary and may be reproduced only in its entirety (without revision)
Page 4

# Operating System Hardware Platform Processor PAA/Acceleration

1 Linux Ubuntu 20.04 HP Pavilion Intel Core i3-1215U AES-NI

2 Windows 11 HP Envy Intel Core i7-1250U AES-NI

3 macOS Big Sur 11 MacBook Air Apple M Series M1 NEON

4 iOS 16 iPhone 12 Mini Apple A Series A14 NEON

5 Android 12 Samsung Galaxy S21 Ultra Qualcomm Snapdragon 888 AES-NI

Table 2 - Tested Operational Environments # Operating System Hardware Platform

1 Windows 11 ARM Devices
2 Windows 10 Intel and ARM Devices
3 macOS Big Sur, Monterey Intel Devices
4 macOS Big Sur, Ventura ARM Devices
5 RedHat 8.1 GPC
6 CentOS 8.3 GPC
7 Google Android 13 Pixel 4 and Pixel 6
8 Apple iOS Apple iPhone

Table 2A - Vendor Affirmed Operational Environments The module utilizes the following Approved algorithms that have the following CAVP certificates: CAVP Algorithm and Mode/Method Description/Key Size(s) / Use / Function Cert Standard Key Strength(s) A1362 AES 256 bits without Derivation Counter DRBG Vetted conditioner for ESV CTR DRBG Function and with Prediction [SP 800-90Arev1] Cert. #E14 Resistance Enabled A2873 Conditioning Component Intel Conditioner for Entropy AES-CBC-MAC AES-CBC-MAC 128 bits Source [SP 800-90B] A2999 Encryption AES-CBC [SP 800-38A] CBC 128, 192 and 256 bits Decryption A2999 128, 192 and 256 bits Encryption AES-CTR [SP 800-38A] CTR Decryption Note: 128, 192, and 256 bits were tested, but not available for use A2999 Encryption AES-ECB [SP 800-38A] ECB 128, 192 and 256 bits Decryption A2999 128 and 256 bits AES-GCM GCM Encryption [SP 800-38D] Note: 192 bits tested, but not Decryption available for use A2999 Counter DRBG AES 256 bits with Derivation CTR DRBG Random Bit Generator [SP 800-90Arev1] Function Enabled A2999 ECDSA KeyGen Key Generation ECDSA KeyGen P-256, P-384, P-521 (FIPS 186-4)

4 Palo Alto Networks GlobalProtect App © 2024 Palo Alto Networks, Inc.

This Security Policy is non-proprietary and may be reproduced only in its entirety (without revision)

Page 5

A2999 Public Key Validation ECDSA KeyVer (FIPS 186-4) ECDSA KeyVer P-256, P-384, P-521 A2999 P-256, P-384, P-521 with Signature Generation ECDSA SigGen (FIPS 186-4) ECDSA SigGen SHA2-256, SHA2-384, and SHA2-512 A2999 P-256, P-384, P-521 with ECDSA SigVer (FIPS 186-4) ECDSA SigVer SHA2-256, SHA2-384, and Signature Verification SHA2-512 A2999 HMAC-SHA-1 [FIPS 198-1] HMAC HMAC-SHA-1 with λ=160 Authentication for protocols A2999 HMAC-SHA2-256 HMAC HMAC-SHA2-256 with λ=256 Authentication for protocols [FIPS 198-1] A2999 HMAC-SHA2-384 HMAC HMAC-SHA2-384 with λ=384 Authentication for protocols [FIPS 198-1] A2999 HMAC-SHA2-512 with λ=512 HMAC-SHA2-512 HMAC Authentication for protocols [FIPS 198-1] Note: Tested, but not available for use A2999 SP 800-56Arev3. KAS-ECC EphemeralUnified scheme using per IG D.F Scenario 2 path P-256/P-384/P-521 providing KAS-ECC-SSC SP 800-56Ar3 Key Exchange (2) 128/192/256 bits of strength A2999 KDF TLS TLS 1.2 KDF TLS v1.2 Hash Algorithm: TLS [SP 800-135rev1] (CVL) SHA2-256, SHA2-384 A2999 PKCS #1 v1.5: 2048, 3072, and RSA SigGen RSA SigGen Signature Generation 4096-bit with hashes (FIPS 186-4) (FIPS 186-4) SHA2-256/384/512 A2999 PKCS #1 v1.5: 2048, 3072, 4096-bit (per IG C.F) with hashes RSA SigVer RSA SigVer SHA2-256, SHA2-384, Signature Verification (FIPS 186-4) (FIPS 186-4) SHA2-512(Signature Verification) A2999 Non-Digital Signature SHA-1 SHA-1 [FIPS 180-4] SHA Applications (e.g. component of HMAC) A2999 Digital Signature Generation/Verification SHA2-256 [FIPS 180-4] SHA2 SHA2-256 Non-Digital Signature Applications (e.g. component of HMAC) A2999 Digital Signature Generation/Verification SHA2-384 [FIPS 180-4] SHA2 SHA2-384 Non-Digital Signature Applications (e.g. component of HMAC) A2999 Digital Signature Generation/Verification SHA2-512 [FIPS 180-4] SHA2 SHA2-512 Non-Digital Signature Applications (e.g. component of HMAC) A3429 Vetted conditioner for ESV SHA2-256 [FIPS 180-4] SHA2 SHA2-256 Cert. #E15 AES KTS SP 800-38A, FIPS 198-1, Cert. AES-CBC plus HMAC Key Wrapping [SP 800-38F] and SP 800-38F. KTS (key A2999 © 2024 Palo Alto Networks, Inc. Palo Alto Networks GlobalProtect App 5 This Security Policy is non-proprietary and may be reproduced only in its entirety (without revision)

Page 6

and wrapping and unwrapping) 128, 192, and 256-bit keys HMAC per IG D.G. providing 128, 192, or 256 bits of Cert. encryption strength A2999 AES-GC SP 800-38D and SP AES-GCM KTS M Cert. 800-38F. KTS (key wrapping 128 and 256-bit keys providing 128 Key Wrapping [SP 800-38F] A2999 and unwrapping) per IG D.G. or 256 bits of encryption strength ESV Apple corecrypto physical entropy Cert. ESV [SP 800-90B] ESV Entropy source #E14 ESV Apple corecrypto non-physical Cert. ESV [SP 800-90B] ESV Entropy entropy source #E15 KAS-EC C-SSC Cert. SP 800-56Arev3. KAS-ECC P-256, P-384, and P-521 curves Key Exchange with protocol #A2999, KAS [SP 800-56Arev3] per IG D.F Scenario 2 path providing 128, 192, or 256 bits of KDF KDF TLS (2). encryption strength Cert. #A2999 N/A ENT (P) (SP 800-90B) ENT ENT (P) Entropy Key Generation Note: The seeds used for Cryptographic Key Vendor CKG asymmetric key pair generation Section 5.2 Generation; SP 800Affirmed (SP 800-133rev2) are produced using the

133 and IG D.H.

unmodified/direct output of the DRBG Table 3 - Approved Algorithms Notes:

6 Palo Alto Networks GlobalProtect App © 2024 Palo Alto Networks, Inc.

This Security Policy is non-proprietary and may be reproduced only in its entirety (without revision)

Page 7

Cryptographic Boundary Figure 1 below depicts the cryptographic boundary and physical perimeter (light blue color area). The cryptographic boundary includes all of the software components and the specified hardware components (CPU’s). The physical perimeter is the Tested Operational Environment’s Physical Perimeter (TOEPP) on which the module runs. Figure 1: Cryptographic Boundary * See details below regarding Operating Systems/Environments tested Figure 1B: Hardware Components © 2024 Palo Alto Networks, Inc. Palo Alto Networks GlobalProtect App 7 This Security Policy is non-proprietary and may be reproduced only in its entirety (without revision)

Page 8
  1. Cryptographic Module Interfaces The module provides a number of physical and logical interfaces to the device, and the physical interfaces provided by the module are mapped to the following FIPS 140-3 defined logical interfaces: data input, data output, control input, control output (N/A), status output, and power. The logical interfaces and their mapping are described in the following table. Physical Port Logical Interface Data that passes over port/interface Physical ports of the tested platform Status Output GUI status window and log files generated and output via GUI/CLI Physical ports of the tested platform Data Input Portal information, keys from OS certificate store or during TLS/IPsec negotiation Physical ports of the tested platform Data Output Keys for establishing secure sessions such as TLS Physical ports of the tested platform Control Input GUI/CLI, string value from pangps.xml, com.paloaltonetworks.gp.pangps.plist, MDM, or Windows Registry (See Secure Operation section below) Table 4 - Ports and Interfaces Note: Physical ports include items such as LAN/USB/Monitor/Keyboard.
  2. Roles, Services, and Authentication The module supports one role, which is the Crypto-Officer. The module does not provide a maintenance role or bypass capability, and services for both roles are noted below. There is no authentication supported by the module, and self-initiated cryptographic output capability is not supported. Role Service Input Output Crypto-Officer Show Status Request system status Module displays status information Show Version Query module for version Module displays version information information Self-Test Command module to run Module provides output of Self-Test results Self-Tests via logs

8 Palo Alto Networks GlobalProtect App © 2024 Palo Alto Networks, Inc.

This Security Policy is non-proprietary and may be reproduced only in its entirety (without revision)

Page 9

Security Configuring module with Logs provide configuration changes Configuration setup data details to support Management VPN establishment VPN Tunnel Initialize VPN connection System log provide VPN status Zeroize Command module to zeroize All SSPs zeroized (module uninstalled) Table 5 - Roles, Service Commands, Input and Output Service Description Approved Keys and/or SSPs Roles Access rights Indicator Security to Keys Functions and/or SSPs Show Status Provides N/A N/A Crypto-Officer N/A System logs or information status window regarding the status of the system (fetched via GUI/CLI) Show Version Provides N/A N/A Crypto-Officer N/A Module information provides regarding version version information Self-Test Performs RSA SigVer (FIPS Software Integrity Crypto-Officer E System logs on-demand 186-4) Verification Key Self-Tests (executed via reboot of platform) Security Configures the N/A CA Certificates Crypto-Officer R/W/E System logs Configuration module with RSA Public Keys Management necessary setup RSA Private Keys details to support ECDSA Public Keys VPN ECDSA Private Keys establishment (updated via GUI/CLI) VPN Tunnel Creates an KAS KDF TLS TLS Pre-Master Secret Crypto-Officer G/E/Z System logs SSL/IPsec VPN KDF TLS TLS Master Secret G/E/Z tunnel (executed CKG, TLS ECDHE Public G/E/Z by operator ECDSA Components interaction with KeyGen (FIPS TLS ECDHE Private G/E/Z GUI/CLI) 186-4), ECDSA Components KeyVer (FIPS 186-4), KAS-ECC-SSC KTS HMAC-SHA2- TLS HMAC Keys G/E/Z HMAC-SHA2AES-CBC TLS Encryption Keys KTS AES-GCM CA Certificates W/E RSA SigVer (FIPS 186-4) © 2024 Palo Alto Networks, Inc. Palo Alto Networks GlobalProtect App 9 This Security Policy is non-proprietary and may be reproduced only in its entirety (without revision)

Page 10

ECDSA SigVer (FIPS 186-4) RSA SigVer (FIPS RSA Public Keys W/E 186-4) RSA SigGen (FIPS RSA Private Keys E 186-4) ECDSA SigVer (FIPS ECDSA Public Keys W/E 186-4) ECDSA SigGen (FIPS ECDSA Private Keys E 186-4) AES-CBC IPSec Session Keys W/E AES-GCM HMAC-SHA-1 IPSec Authentication W/E Keys Counter DRBG, Entropy Input String, G/E/Z ENT (P), ESV DRBG Seed Counter DRBG DRBG Key G/E/Z DRBG V G/E/Z Zeroize Removes all SSPs N/A All Keys and SSPs Crypto-Officer Z Removal of from the module module and (Performed via confirmation uninstall of the via OS status module) window Table 6 - Approved Services G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g. the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP. Note: There is no table for non-Approved services as the module only supports Approved services. 5. Software/Firmware Security The module performs the Software Integrity test by verifying the digital signature of the module using RSA 2048 with SHA2-256 (Cert. #A2999) or RSA 3072 with SHA2-384 (Cert. #A2999) during the Pre-Operational Self-Test. RSA 2048 with SHA2-256 is used for Windows/macOS/iOS/Android (OE #2, 3, 4, 5 in Table 2) and RSA 3072 with SHA2-384 is used for Linux (OE #1 in Table 2). The Software Integrity Verification Key is used for this integrity test. The integrity test can be performed by restarting the GlobalProtect app service, which is noted in the Life-Cycle Assurance section for each platform. The test can also be performed by restarting the platform for which the module runs on. Either of the actions (restarting the GlobalProtect app service or restarting the host platform) can be used to perform the integrity test on demand. For information regarding the file type, see details in Operational Environment. The module comes packaged and ready for installation once it has been downloaded from the Palo Alto Networks support site.

10 Palo Alto Networks GlobalProtect App © 2024 Palo Alto Networks, Inc.

This Security Policy is non-proprietary and may be reproduced only in its entirety (without revision)

Page 11
  1. Operational Environment The module has a modifiable operational environment, and was tested on the following environments operating on a general-purpose computing platform. For details regarding platforms tested on, see Table
  2. To properly run the module on the operating environments, see Life-Cycle Assurance for details on configuring the systems. Platform Package Name Linux PanGPLinux-6.0.10.tgz Windows GlobalProtect64-6.0.10.msi macOS GlobalProtect-6.0.10.pkg iOS 6.0.10 on App Store Android 6.0.10 on Google Play Table 7 - GlobalProtect Package Names To install, download the following from the Palo Alto Networks Support site (https://support.paloaltonetworks.com/) or on the mobile platform (e.g. Apple App Store or Google Play). Operator porting rules: The CMVP allows user porting of a validated software module to an operational environment which was not included as part of the validation testing. An operator may install and run the GlobalProtect App on any general purpose computer (GPC) or platform using the specified operating system on the validation certificate or other compatible operating system and affirm the modules continued FIPS 140-3 validation compliance. The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when ported and executed in an operational environment not listed on the validation certificate.
  3. Physical Security The module is a multi-chip standalone software-hybrid module that meets Level 1 physical security requirements. Physical security is provided by the production grade components on the GPC that the module runs on. The production grade components also come with standard passivation applied to them.
  4. Non-Invasive Security No approved Non-Invasive attack mitigation test metrics are defined at this time.
  5. Sensitive Security Parameter Management The following table details all the sensitive security parameters utilized by the module. © 2024 Palo Alto Networks, Inc. Palo Alto Networks GlobalProtect App 11 This Security Policy is non-proprietary and may be reproduced only in its entirety (without revision)
Page 12

Key/SSP Strength Security Generation Import/Export1 Establishment Storage2, 3 Zeroization4 Use & Related Keys Name/Type Function and Cert. Number RSA SigVer ECDSA/RSA Public key (FIPS 186-4), used to extend trust to a

112 - 256 ECDSA SigVer Import/Exporte Protected in Zeroization

CA Certificates N/A N/A root CA, intermediate CA, bits (FIPS 186-4) d in plaintext OS key store service and left/end entity certificates Cert. #A2999 Import: Yes from OS key RSA public keys managed store or as certificates for the RSA SigVer RSA Public 112 - 150 Plaintext during Protected in Zeroization verification of signatures, (FIPS 186-4) N/A N/A Keys bits TLS handshake OS key store service establishment of TLS, and Cert. #A2999 Export: peer authentication. (RSA Plaintext during 2048/3072/4096 bits) TLS handshake RSA Private key used for Imported: RSA SigGen authentication, and RSA Private 112 - 150 Encrypted via Protected in Zeroization (FIPS 186-4) N/A N/A signature generation Keys bits TLS OS key store service Cert. #A2999 (RSA 2048, 3072, or 4096 Exported: No bits). Import: Yes ECDSA public keys from OS key managed as certificates store or ECDSA SigVer for the verification of ECDSA Public 128 - 256 Plaintext during Protected in Zeroization (FIPS 186-4) N/A N/A signatures, establishment Keys bits TLS handshake OS key store service Cert. #A2999 of TLS, and peer Export: authentication. Plaintext during (P-256/384/521) TLS handshake ECDSA Imported: ECDSA Private key used ECDSA Private 128 - 256 SigGen (FIPS Encrypted via Protected in Zeroization for authentication, and N/A N/A Keys bits 186-4) TLS OS key store service signature generation Cert. #A2999 Exported: No (P-256, P-384 or P-521. ECDSA KeyGen (FIPS 186-4), ECDHE private TLS ECDHE Zeroized at

128 - 256 ECDSA RAM

Private CKG N/A N/A session bits KeyVer (FIPS Plaintext agreement Components termination 186-4), (P-256, P-384, P-521) KAS-ECC-SSC Cert. #A2999 Import: No Export: Only TLS ECDHE exits the module Zeroized at ECDHE public component

128 - 256 KAS-ECC-SSC RAM –

Public N/A N/A session used in key agreement bits Cert. #A2999 to the peer for Plaintext Components termination (P-256/384/521) TLS protocol implementation TLS Zeroized at Value used during TLS KDF TLS RAM

128 or AES-CBC, Derived using Zeroized at

TLS Encryption RAM

12 Palo Alto Networks GlobalProtect App © 2024 Palo Alto Networks, Inc.

This Security Policy is non-proprietary and may be reproduced only in its entirety (without revision)

Page 13

HMAC-SHA2256, Derived using Zeroized at HMAC keys used in TLS TLS HMAC 256 - 384 RAM

384 KDF termination (SHA2-256, SHA2-384)

Cert. #A2999 AES-CBC, Imported Zeroized at Used to encrypt sessions IPSec Session 128 bits RAM

Page 14

Entropy Sources Minimum Number of Bits of Details Entropy Apple Non-Physical Entropy 384 bits The module uses entropy provided by Apple’s entropy source, which is Source covered by ESV cert. #E15. This entropy source provides full entropy per output. The DRBG is seeded with 384 bits of entropy from this source. (Apple A Series processor) Apple Physical Entropy 384 bits The module uses entropy provided by Apple’s entropy source, which is Source covered by ESV cert. #E14. This entropy source provides full entropy per output. The DRBG is seeded with 384 bits of entropy from this source. (Apple M Series processor) Intel RDSEED 384 bits Entropy provided by Intel CPU with RDSEED as the noise source to provide at least 384 bits of entropy to seed the DRBG. This entropy source provides full entropy per output. The DRBG is seeded with 384 bits of entropy from this source. (Windows and Linux platforms) N/A 112 bits For Android platforms, the module performs an entropy load that meets FIPS 140-3 IG 9.3.A Scenario 2(b). The DRBG is seeded with 384 bits of data which is assumed to contain at least 112 bits of entropy. No assurance of the minimum strength of generated SSPs (e.g., keys) Table 9 - Non-Deterministic Random Number Generation Specification 10. Self-Tests The cryptographic module performs the following tests below. The operator can command the module to perform the pre-operational and cryptographic algorithm self-tests (CASTs) by reloading the module or power cycling the underlying platform; these tests do not require any additional operator action. In the event that a Self-Test fails, the module will enter an error state until the issue is resolved, and provide a status output message with the failure. Pre-Operational Self-Tests Algorithm Self-Test Details Software Digital signature verification (PKCS #1 v1.5) using RSA 2048 bits with SHA2-256 or RSA 3072 Integrity Test bits with SHA2-384 (Linux) Note: The RSA and SHA2-256/SHA2-384 CASTs are performed prior to the Software Integrity Test. Table 10 - Pre-Operational Self-Tests Conditional Self-Tests Algorithm Self-Test Details AES ECB Encrypt KAT using AES ECB 128 bits AES ECB Decrypt KAT using AES ECB 128 bit AES GCM Encrypt KAT using AES GCM 256 bits AES GCM Decrypt KAT using AES GCM 256 bits Counter DRBG KAT: AES-256 Counter DRBG Note: DRBG Health Tests as specified in SP800-90A Section 11.3 are performed (i.e. instantiate/generate/reseed)

14 Palo Alto Networks GlobalProtect App © 2024 Palo Alto Networks, Inc.

This Security Policy is non-proprietary and may be reproduced only in its entirety (without revision)

Page 15

ECDSA Sign KAT using P-256 and SHA2-256 ECDSA Verify KAT using P-256 and SHA2-256 HMAC-SHA-1 KAT using HMAC-SHA-1 HMAC-SHA2-224 KAT using HMAC-SHA2-224 Note: Only used for self-test. HMAC-SHA2-256 KAT using HMAC-SHA2-256 HMAC-SHA2-384 KAT using HMAC-SHA2-384 HMAC-SHA2-512 KAT using HMAC-SHA2-512 RSA Sign KAT using RSA 2048 bits and SHA2-256 (PKCS #1 v1.5 and PKCS PSS) RSA Verify KAT using RSA 2048 bits and SHA2-256 (PKCS #1 v1.5 and PKCS PSS) SHA-1 KAT using SHA-1 SHA2-256 KAT using SHA2-256 SHA2-384 KAT using SHA2-384 SHA2-512 KAT using SHA2-512 SP 800-56Ar3 KAS-ECC-SSC KAT for KAS-ECC-SSC using P-256 (Shared Secret Computation) primitive Z value SP 800-135r1 KDF TLS KAT for TLSv1.2 KDF SP 800-90B Health Tests SP 800-90B Health Tests on the Entropy Source Table 11

Page 16

Secure Delivery Procedures The security of the module is maintained during the transfer of these products from production sites to the customer through the following mechanisms:

16 Palo Alto Networks GlobalProtect App © 2024 Palo Alto Networks, Inc.

This Security Policy is non-proprietary and may be reproduced only in its entirety (without revision)

Page 17

○ HKEY_LOCAL_MACHINES\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\

Page 18

○ Restart the GlobalProtect App application and GlobalProtect App service (PanGPS) ■ Launch Terminal ■ Execute the following commands: username>$ launchctl unload -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist username>$ launchctl unload -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist username>$ launchctl load -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangps.plist username>$ launchctl load -S Aqua /Library/LaunchAgents/com.paloaltonetworks.gp.pangpa.plist iOS For the GlobalProtect App running on iOS, complete the steps below: ● Access the App Store on the Apple device ● Search for GlobalProtect and download the application ● Once the app has been downloaded, navigate to the MDM to initialize the Approved state (“FIPS-CC mode”) on the endpoint ● On the MDM service such as Workspace One, enter the following custom key: ○ Key: enable-fips-cc-mode ○ Value: yes ● Push the configuration to the iOS device, and then restart the application Android To initialize the GP App into its Approved state (“FIPS-CC mode”), follow the procedure below: ● Access the Google Play store ● Search for GlobalProtect and download the application ● Once the app has been downloaded, navigate to the MDM to initialize the Approved state (FIPS-CC mode) on the endpoint ● On the MDM service such as Workspace One, enter the following custom key: ○ Key: enable-fips-cc-mode ○ Value: yes ● Push the configuration to the Android device, and then restart the application End of Life / Sanitization End of life dates for software modules are announced publicly via Palo Alto Networks’ services website. Crypto-Officers shall follow the procedure below for the secure destruction of their module: Note: This process will cause the module to no longer function after it has wiped all configurations and keys. Linux

  1. Launch the Terminal
  2. Issue the following command: a. sudo apt-get remove globalprotect Windows
  3. Select Start > Control Panel > Programs > Programs and Features

18 Palo Alto Networks GlobalProtect App © 2024 Palo Alto Networks, Inc.

This Security Policy is non-proprietary and may be reproduced only in its entirety (without revision)

Page 19
  1. Select GlobalProtect from the list, and then click Uninstall
  2. When prompted to continue the uninstall, click Yes. macOS
  3. Issue the following as an administrator on the macOS device: a. sudo /Applications/GlobalProtect.app/Contents/Resources/uninstall_gp.sh iOS
  4. Tap and hold the GlobalProtect App icon until the icon jiggles
  5. Tap the X on the top-left corner of the icon
  6. When prompted, select Delete GlobalProtect
  7. Tap Done or press/swipe for the home button to return to the home screen Android
  8. Launch the Settings app
  9. Tap Apps & Notifications
  10. Tap GlobalProtect
  11. Tap Uninstall Administrator/User Guidance Palo Alto Networks provides documentation for all products, which can be accessed here: https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/globalprotect/6-0/globalprotect-app-user-guide/glob alprotect-app-user-guide.pdf
  12. Mitigation of Other Attacks This module is not designed to mitigate against any other attacks outside of the FIPS 140-3 scope. © 2024 Palo Alto Networks, Inc. Palo Alto Networks GlobalProtect App 19 This Security Policy is non-proprietary and may be reproduced only in its entirety (without revision)