| Standard | FIPS 140-3 |
|---|---|
| Overall level | 2 |
| Module type | Hardware |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 12/12/2026 |
| Caveat | Interim Validation. When installed, initialized and configured as specified in Section 11 of the Security Policy. The tamper evident seals and physical kit installed as indicated in the Security Policy. The module generates SSPs (e.g., keys) whose strengths are modified by available entropy |
| Vendor | Palo Alto Networks, Inc. |
| Algorithm | ACVP Cert |
|---|---|
| AES-CBC | A3453 |
| AES-CFB128 | A3453 |
| AES-CTR | A3453 |
| AES-GCM | A3453 |
| Conditioning Component AES-CBC-MAC SP800-90B | A2518 |
| Counter DRBG | A3453 |
| ECDSA KeyGen (FIPS186-4) | A3453 |
| ECDSA KeyVer (FIPS186-4) | A3453 |
| ECDSA SigGen (FIPS186-4) | A3453 |
| ECDSA SigVer (FIPS186-4) | A3453 |
| HMAC-SHA-1 | A3453 |
| HMAC-SHA2-224 | A3453 |
| HMAC-SHA2-256 | A3453 |
| HMAC-SHA2-384 | A3453 |
| HMAC-SHA2-512 | A3453 |
| KAS-ECC-SSC Sp800-56Ar3 | A3453 |
| KAS-FFC-SSC Sp800-56Ar3 | A3453 |
| KDF IKEv2 | A3453 |
| KDF SNMP | A3453 |
| KDF SSH | A3453 |
| RSA KeyGen (FIPS186-4) | A3453 |
| RSA SigGen (FIPS186-4) | A3453 |
| RSA SigVer (FIPS186-4) | A3453 |
| Safe Primes Key Generation | A3453 |
| Safe Primes Key Verification | A3453 |
| SHA-1 | A3453 |
| SHA2-224 | A3453 |
| SHA2-256 | A3453 |
| SHA2-384 | A3453 |
| SHA2-512 | A3453 |
| TLS v1.2 KDF RFC7627 | A3453 |
flowchart LR
%% Deterministic review-risk graph for WildFire 11.0 WF-500 and WF-500-B
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>update<br/>firmware load</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>status output</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for WildFire 11.0 WF-500 and WF-500-B
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>update<br/>firmware load</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>status output</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;WildFire 11.0 WF-500 and WF-500-B Version: 1.3 Revision Date: November 14, 2024 Palo Alto Networks, Inc. www.paloaltonetworks.com © 2024 Palo Alto Networks, Inc. Palo Alto Networks, Inc. is a registered trademark of Palo Alto Networks, Inc. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
| # | Section | Page |
|---|
1 General 2
2 Cryptographic Module Specification 2
3 Cryptographic Module Interfaces 2
4 Roles, Services, and Authentication 3
5 Software/Firmware Security 2
6 Operational Environment N/A
7 Physical Security 2
8 Non-Invasive Security N/A
9 Sensitive Security Parameter Management 2
10 Self-Tests 2
11 Life-Cycle Assurance 3
12 Mitigation of Other Attacks N/A
Overall Level 2 © 2024 Palo Alto Networks, Inc. Palo Alto Networks WildFire 11.0 WF-500 and WF-500-B Security Policy Page 2
2. Cryptographic Module Specification The Palo Alto Networks, Inc. WildFire 11.0 WF-500 and WF-500-B is a multi-chip standalone hardware module. The cryptographic boundary includes all firmware components contained within the physical enclosure of the module. Figures below provide images of the module with the physical kit’s opacity shields in place. See the Physical Security section for details regarding the module’s physical security mechanisms. Table 2 - Cryptographic Module Tested Configuration Model Hardware [Part Number and Firmware Version Distinguishing Features Version] WF-500 910-000097 11.0.4 RJ45 interfaces, USB ports, LEDs Physical Kit: 920-000145 WF-500-B 910-000270 11.0.4 RJ45 interfaces, USB ports, LEDs, SFP+ Physical Kit: 920-000318 ports Approved Mode of Operation The following section details the procedure necessary to place the module into the Approved mode of operation.
Non-Compliant State Failure to follow the directions in the Approved Mode of Operation above and Section 11 will result in the module operating in a non-compliant state. Zeroization To initiate the zeroization service, perform the following steps:
GCM** Encryption A3453 AES-GCM [SP 800-38D] Decryption AES 256 bits with Counter DRBG A3453 CTR DRBG Derivation Function Random Bit Generator [SP 800-90Arev1] Enabled ECDSA KeyGen Key Generation A3453 ECDSA KeyGen P-256, P-384, P-521 (FIPS 186-4) A3453 ECDSA KeyVer ECDSA KeyVer P-256, P-384, P-521 Public Key Validation © 2024 Palo Alto Networks, Inc. Palo Alto Networks WildFire 11.0 WF-500 and WF-500-B Security Policy Page 4
(FIPS 186-4) P-256, P-384, P-521 with ECDSA SigGen Signature Generation A3453 ECDSA SigGen SHA2-224, SHA2-256, (FIPS 186-4) SHA2-384, and SHA2-512 P-256, P-384, P-521 with SHA-1, SHA2-224, A3453 ECDSA SigVer (FIPS 186-4) ECDSA SigVer Signature Verification SHA2-256, SHA2-384, and SHA2-512 A3453 Authentication for HMAC-SHA-1 [FIPS 198-1] HMAC HMAC-SHA-1 with λ=160 protocols A3453 HMAC-SHA2-224 with HMAC-SHA2-224 Authentication for HMAC λ=224 [FIPS 198-1] protocols A3453 HMAC-SHA2-256 HMAC-SHA2-256 with Authentication for HMAC [FIPS 198-1] λ=256 protocols A3453 HMAC-SHA2-384 HMAC-SHA2-384 with Authentication for HMAC [FIPS 198-1] λ=384 protocols A3453 HMAC-SHA2-512 HMAC-SHA2-512 with Authentication for HMAC [FIPS 198-1] λ=512 protocols Ephemeral Unified Model: KAS-ECC-SSC KAS A3453 P-256/P-384/P-521 Key Exchange (SP 800-56Ar3) KAS-FFC-SSC A3453 KAS dhEphem: MODP-2048 Key Exchange (SP 800-56Ar3) KDF IKEv2 SHA2-256, SHA2-384, A3453 IKEv2 KDF IKEv2 [SP 800-135rev1] (CVL) SHA2-512 Engine ID: KDF SNMP A3453 SNMPv3 KDF 80001F88043030303030 SNMPv3 [SP 800-135rev1] (CVL) 343935323630 KDF SSH [SP 800-135rev1] SHA-1, SHA2-256, A3453 SSHv2 KDF SSH (CVL) SHA2-512 RSA KeyGen RSA KeyGen Key Pair Generation A3453 2048, 3072, and 4096 bits (FIPS 186-4) (FIPS 186-4) (ANSI X9.31, RSASSA-PKCS1_v1-5, RSA SigGen RSA SigGen Signature Generation A3453 RSASSA-PSS): 2048, 3072, (FIPS 186-4) (FIPS 186-4) and 4096-bit with hashes SHA2-256/384/512 (ANSI X9.31, RSASSA-PKCS1_v1-5, RSASSA-PSS): 2048, 3072, 4096-bit (per IG C.F) with hashes SHA-1 and RSA SigVer RSA SigVer A3453 SHA2-224+++/256/384/5 Signature Verification (FIPS 186-4) (FIPS 186-4)
+++ This Hash algorithm is not supported for ANSI X9.31 Digital Signature Verification SHA-1 A3453 SHA-1 [FIPS 180-4] SHA Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature A3453 SHA2-224 [FIPS 180-4] SHA2 SHA-224 Generation/Verification © 2024 Palo Alto Networks, Inc. Palo Alto Networks WildFire 11.0 WF-500 and WF-500-B Security Policy Page 5
Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification A3453 SHA2-256 [FIPS 180-4] SHA2 SHA-256 Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification A3453 SHA2-384 [FIPS 180-4] SHA2 SHA-384 Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification A3453 SHA2-512 [FIPS 180-4] SHA2 SHA-512 Non-Digital Signature Applications (e.g. component of HMAC) Safe Primes Key Safe Primes Key Safe Primes Key A3453 MODP-2048 Generation [RFC 3526] Generation Generation Safe Primes Key Safe Primes Key Safe Primes Key A3453 MODP-2048 Verification [RFC 3526] Verification Verification TLS v1.2 KDF RFC7627 TLS1.2 KDF TLS v1.2 Hash Algorithm: A3453 TLS (CVL) SHA2-256, SHA2-384 Key Wrapping. AES-CBC or SP 800-38A, FIPS 198-1, AES-CTR with 128, 192, and 256-bit keys AES Cert. #A3453 and KTS and SP 800-38F. KTS (key HMAC-SHA-1, providing 128, 192, or 256 HMAC Cert. #A3453 [SP 800-38F] wrapping and unwrapping) HMAC-SHA2-256, bits of encryption strength per IG D.G. HMAC-SHA2-384, or HMAC-SHA2-512 SP 800-38D and SP
KTS 800-38F. KTS (key AES-GCM Cert. #A3453 providing 128 or 256 bits Key Wrapping [SP 800-38F] wrapping and unwrapping) of encryption strength per IG D.G. ESV Cert. #E64 Palo Alto Networks DRNG SP 800-90B ESV Entropy Entropy Source ESV Cert. #E130 Palo Alto Networks RTC SP 800-90B ESV Entropy Entropy Source KAS-ECC-SSC Cert. SP 800-56Arev3. KAS-ECC P-256, P-384 curves Key Exchange with #A3453, KDF IKEv2 Cert. KAS [SP 800-56Arev3] per IG D.F Scenario 2 path providing 128 or 192 bits protocol KDF #A3453 (2). of encryption strength KAS-ECC-SSC Cert. P-256, P-384, and P-521 SP 800-56Arev3. KAS-ECC #A3453, KDF SSH Cert. curves providing 128, 192, Key Exchange with KAS [SP 800-56Arev3] per IG D.F Scenario 2 path #A3453 or 256 bits of encryption protocol KDF (2). strength KAS-ECC-SSC Cert. P-256, P-384, and P-521 SP 800-56Arev3. KAS-ECC #A3453, TLS v1.2 KDF curves providing 128, 192, Key Exchange with KAS [SP 800-56Arev3] per IG D.F Scenario 2 path RFC7627 Cert. #A3453 or 256 bits of encryption protocol KDF (2). strength KAS-FFC-SSC Cert. SP 800-56Arev3. KAS-FFC 2048-bit key providing 112 Key Exchange with #A3453, KDF IKEv2 Cert. KAS [SP 800-56Arev3] per IG D.F Scenario 2 path bits of encryption strength protocol KDF #A3453 (2). KAS-FFC-SSC Cert. SP 800-56Arev3. KAS-FFC 2048-bit key providing 112 Key Exchange with #A3453, KDF SSH Cert. KAS [SP 800-56Arev3] per IG D.F Scenario 2 path bits of encryption strength protocol KDF #A3453 (2). © 2024 Palo Alto Networks, Inc. Palo Alto Networks WildFire 11.0 WF-500 and WF-500-B Security Policy Page 6
KAS-FFC-SSC Cert. SP 800-56Arev3. KAS-FFC 2048-bit key providing 112 Key Exchange with #A3453, TLS v1.2 KDF KAS [SP 800-56Arev3] per IG D.F Scenario 2 path bits of encryption strength protocol KDF RFC7627 Cert. #A3453 (2). Key Generation Cryptographic Key Note: The seeds used for Vendor CKG Generation; SP 800- asymmetric key pair Section 5.1, Section 5.2 Affirmed (SP 800-133rev2) 133rev2 and IG D.H generation are produced (asymmetric seeds). using the unmodified/direct output of the DRBG *The module is compliant to IG C.H: GCM is used in the context of TLS, IPsec/IKEv2, and SSH:
186-2 SigVer. All supported modulus sizes are CAVP testable and tested as noted above. The module does not implement RSA key transport in the approved mode. Table 4 - Supported Protocols in the Approved Mode Supported Protocols* TLS 1.2 SSHv2 SNMPv3 IPsec and IKEv2 *Note: No parts of these protocols, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP. Module Diagrams Figures 1 - 4 depict the modules and their interfaces. The cryptographic boundary includes the physical perimeter of the enclosure of the appliance and all logical components within. Please refer to the ‘Physical Security’ section for depictions of the module with the physical kit installed. Figure 1 - WF-500 Front Figure 2 - WF-500 Rear © 2024 Palo Alto Networks, Inc. Palo Alto Networks WildFire 11.0 WF-500 and WF-500-B Security Policy Page 8
Figure 3 - WF-500-B Front Figure 4 - WF-500-B Rear 3. Cryptographic Module Interfaces The module is a multi-chip standalone with ports and interfaces as shown below. The module does not implement a control output interface. Table 5 - Ports and Interfaces Physical Port Logical Interface Data that passes over port/interface LED Status output Module status via LED indicators Console Status output Self-test output Power Power N/A RJ45 Ethernet Data input, control input, data output, status output TLS, IPSec, or SSH SFP+ (WF-500-B) Data input, control input, data output, status output TLS Note: USB and IPMI ports are present but not used (i.e. disabled). © 2024 Palo Alto Networks, Inc. Palo Alto Networks WildFire 11.0 WF-500 and WF-500-B Security Policy Page 9
4. Roles, Services, and Authentication Services When initialized into the Approved mode of operation, all authenticated services are accessed via SSH or TLS sessions. Approved and allowed algorithms, relevant CSPs and public keys related to these protocols are accessed to support the following services. CSP access by services is further described in the following tables. The module implements two Crypto-Officer roles, one User role, and an Unauthenticated role. The Crypto-Officer (CO) role may access all services and has the ability to manage multiple other COs/Users. The Peer-to-Peer VPN is a Crypto-Officer role that consists of managing the establishment of VPN connections between several WF-500 and WF-500-B modules. The User role provides read-only access to the system via the System Audit service. The Unauthenticated role invokes services which do not require the assumption of an authorized role per FIPS 140-3 IG 4.1.A. Table 6
CO, Peer-to-Peer VPN IKE/IPsec configuration Initialize VPN connection Confirmation of service via System Logs Unauthenticated Zeroize Initialize factory reset via Confirmation of zeroization Maintenance Mode via console output Unauthenticated Self-Tests Power removal Confirmation of self-test output/logs Unauthenticated Show Status (LEDs) N/A LEDs Assumption of Roles The module supports distinct authorized operator roles. The cryptographic module enforces the separation of roles using unique authentication credentials associated with operator accounts. The module supports concurrent operators with identity-based authentication. The module does not provide a maintenance role or bypass capability. Table 7
The minimum equivalent strength supported is
will succeed is 1/(2112) which is less than 1/1,000,000. The probability of successfully authenticating to the module within a one minute period is 6,000/(2112), which is less than 1/100,000. The module supports at most 100 new sessions per second to authenticate in a one-minute period. Certificate/Public key-based The security modules support public-key based authentication using RSA 2048 and certificate-based authentication using RSA 2048, RSA 3072, RSA 4096, ECDSA P-256, Memorized Secret (Unique P-384, or P-521. Username/password) and/or Single-Factor Cryptographic The minimum equivalent strength supported is Peer-to-peer VPN Software (certificate common 112 bits. The probability that a random attempt name / public key-based will succeed is 1/(2112) which is less than authentication 1/1,000,000. The probability of successfully authenticating to the module within a one minute period is 6,000/(2112), which is less than 1/100,000. The module supports at most 100 new sessions per second to authenticate in a one-minute period. SSP Access Rights The table below defines the relationship between access to SSPs and the different module services. The modes of access shown in the table are defined as: G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g. the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP. Table 8
diagnostics and (FIPS 186-4) debug functions. TLS v1.2 KDF RFC7627 TLS Pre-Master Secret G/E/Z TLS v1.2 KDF RFC7627 TLS Master Secret G/E/Z CKG, TLS DHE/ECDHE Private G/E/Z ECDSA KeyGen (FIPS Components 186-4), ECDSA KeyVer KAS TLS DHE/ECDHE Public G/E/R/W/Z (FIPS 186-4), Components KAS-ECC-SSC, KAS-FFC-SSC, Safe Primes Key Generation, Safe Primes Key Verification HMAC-SHA2-256 TLS HMAC Keys G/E/Z KTS HMAC-SHA2-384 AES-CBC TLS Encryption Keys G/E/Z KTS AES-GCM SSH Shared Secret G/E/Z KDF SSH SSH DHE/ECDHE Private G/E/Z Components CKG, ECDSA KeyGen (FIPS 186-4), ECDSA KeyVer KAS (FIPS 186-4), KAS-ECC-SSC, KAS-FFC-SSC, Safe SSH DHE/ECDHE Public G/E/R/W/Z Primes Key Generation, Components Safe Primes Key Verification HMAC-SHA-1 SSH Session G/E/Z HMAC-SHA2-256 Authentication Keys KTS HMAC-SHA2-512 AES-CBC, SSH Session Encryption G/E/Z AES-CTR Keys KTS AES-GCM N/A CO, User Password G/E/W DRBG Seed G/E DRBG V Counter DRBG, ESV DRBG Key Entropy Input String G/E/Z KDF IKEv2 IPSec/IKE Shared Secret CKG, IPSec/IKE DHE/ECDHE G/E/Z ECDSA KeyGen (FIPS Private Components 186-4), ECDSA KeyVer KAS (FIPS 186-4), KAS-ECC-SSC, KAS-FFC-SSC, Safe IPSec/IKE DHE/ECDHE G/E/R/W/Z Primes Key Generation, Public Components Safe Primes Key Verification HMAC-SHA2-256 IPSec/IKE Authentication G/E/Z HMAC-SHA2-384 Keys KTS HMAC-SHA2-512 AES-CBC IPSec/IKE Session Keys KTS AES-GCM IPSec/IKE Session Keys G/E/Z N/A Protocol Secrets W/E RSA SigVer (FIPS 186-4) RSA Public Keys G/R/E/W ECDSA SigVer (FIPS 186-4) ECDSA Public Keys G/R/E/W RSA SigVer (FIPS 186-4) SSH Client Public Key W/E © 2024 Palo Alto Networks, Inc. Palo Alto Networks WildFire 11.0 WF-500 and WF-500-B Security Policy Page 13
RSA SigVer (FIPS 186-4) SSH Host Public Key G/R/E/W ECDSA SigVer (FIPS 186-4) HMAC-SHA2-256, E Firmware Integrity ECDSA SigVer Verification Key (FIPS 186-4) Public Key for Firmware W/E RSA SigVer (FIPS 186-4) Load Test CKG RSA Private Keys G/W/E System Logs RSA KeyGen (FIPS 186-4) CO RSA SigGen (FIPS 186-4) CKG ECDSA Private Keys G/W/E ECDSA KeyGen (FIPS 186-4) ECDSA SigGen (FIPS 186-4) TLS v1.2 KDF RFC7627 TLS Pre-Master Secret G/E/Z TLS v1.2 KDF RFC7627 TLS Master Secret G/E/Z CKG, TLS DHE/ECDHE Private G/E/Z ECDSA KeyGen (FIPS Components 186-4), ECDSA KeyVer KAS TLS DHE/ECDHE Public G/E/R/W/Z (FIPS 186-4), Components KAS-ECC-SSC, KAS-FFC-SSC, Safe Primes Key Generation, Safe Primes Key Verification Presents G/E/Z KDF SSH configuration SSH Shared Secret options for SSH DHE/ECDHE Private G/E/Z management Components interfaces and KAS communication for peer services. CKG, ECDSA KeyGen (FIPS Import, Export, 186-4), ECDSA KeyVer (FIPS 186-4), Save, Load, revert KAS-ECC-SSC, and validate KAS-FFC-SSC, Safe SSH DHE/ECDHE Public G/E/R/W/Z configurations and Primes Key Generation, Components System state. Safe Primes Key Configuration Verification Management Define access control methods via admin role profiles, configure administrators/use HMAC-SHA-1 SSH Session G/E/Z rs, and password HMAC-SHA2-256 Authentication Keys profiles. KTS HMAC-SHA2-512 AES-CBC, SSH Session Encryption G/E/Z Configure AES-CTR Keys operators and KTS AES-GCM authentication N/A CO, User Password G/E/W profiles. DRBG Seed G/E DRBG V Counter DRBG, ESV DRBG Key Entropy Input String KDF SNMP SNMPv3 Authentication W/E Secret KDF SNMP SNMPv3 Privacy Secret W/E HMAC-SHA-1 SNMPv3 Authentication G/E/Z HMAC-SHA2-224 Key HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 AES-CFB128 SNMPv3 Session Key G/E/Z KDF IKEv2 IPSec/IKE Shared Secret G/E/Z KAS © 2024 Palo Alto Networks, Inc. Palo Alto Networks WildFire 11.0 WF-500 and WF-500-B Security Policy Page 14
CKG, IPSec/IKE DHE/ECDHE G/E/Z ECDSA KeyGen (FIPS Private Components 186-4), ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC, KAS-FFC-SSC, Safe IPSec/IKE DHE/ECDHE G/E/R/W/Z Primes Key Generation, Public Components Safe Primes Key Verification HMAC-SHA2-256 IPSec/IKE Authentication G/E/Z HMAC-SHA2-384 Keys KTS HMAC-SHA2-512 AES-CBC IPSec/IKE Session Keys KTS AES-GCM IPSec/IKE Session Keys G/E/Z N/A Protocol Secrets W/E RSA SigVer (FIPS 186-4) SSH Host Public Key G/R/E/W ECDSA SigVer (FIPS 186-4) RSA SigVer (FIPS 186-4) SSH Client Public Key W/E HMAC-SHA2-256, E Firmware Integrity ECDSA SigVer Verification Key (FIPS 186-4) CKG RSA Private Keys CO G/W/E System Logs RSA KeyGen (FIPS 186-4) RSA SigGen (FIPS 186-4) CKG ECDSA Private Keys G/W/E ECDSA KeyGen (FIPS 186-4) ECDSA SigGen (FIPS 186-4) TLS v1.2 KDF RFC7627 TLS Pre-Master Secret G/E/Z TLS v1.2 KDF RFC7627 TLS Master Secret G/E/Z CKG, TLS DHE/ECDHE Private G/E/Z ECDSA KeyGen (FIPS Components 186-4), ECDSA KeyVer KAS TLS DHE/ECDHE Public G/E/R/W/Z (FIPS 186-4), Components KAS-ECC-SSC, KAS-FFC-SSC, Safe Primes Key Generation, Safe Primes Key Verification HMAC-SHA2-256 TLS HMAC Keys G/E/Z KTS HMAC-SHA2-384 Configure data AES-CBC TLS Encryption Keys G/E/Z submission, Data Analysis KTS AES-GCM Management analysis and reporting KDF SSH G/E/Z functions. SSH Shared Secret SSH DHE/ECDHE Private G/E/Z Components CKG, ECDSA KeyGen (FIPS 186-4), ECDSA KeyVer KAS (FIPS 186-4), KAS-ECC-SSC, KAS-FFC-SSC, Safe SSH DHE/ECDHE Public G/E/R/W/Z Primes Key Generation, Components Safe Primes Key Verification HMAC-SHA-1 SSH Session G/E/Z HMAC-SHA2-256 Authentication Keys KTS HMAC-SHA2-512 AES-CBC, SSH Session Encryption G/E/Z AES-CTR Keys KTS AES-GCM RSA SigVer (FIPS 186-4) SSH Host Public Key R/E © 2024 Palo Alto Networks, Inc. Palo Alto Networks WildFire 11.0 WF-500 and WF-500-B Security Policy Page 15
ECDSA SigVer (FIPS 186-4) RSA SigVer (FIPS 186-4) SSH Client Public Key W/E N/A CO, User Password G/E/W DRBG Seed G/E DRBG V Counter DRBG, ESV DRBG Key Entropy Input String CKG RSA Private Keys CO G/W/E System Logs RSA KeyGen (FIPS 186-4) RSA SigGen (FIPS 186-4) CKG ECDSA Private Keys G/W/E ECDSA KeyGen (FIPS 186-4) ECDSA SigGen (FIPS 186-4) G/E/Z KDF SSH SSH Shared Secret SSH DHE/ECDHE Private G/E/Z Components KAS CKG, ECDSA KeyGen (FIPS 186-4), ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC, KAS-FFC-SSC, Safe SSH DHE/ECDHE Public G/E/R/W/Z Primes Key Generation, Components Safe Primes Key Verification Review system, configuration, Check Status debug logs, and HMAC-SHA-1 SSH Session G/E/Z show HMAC-SHA2-256 Authentication Keys configurations. HMAC-SHA2-512 KTS AES-CBC, SSH Session Encryption G/E/Z AES-CTR Keys KTS AES-GCM RSA SigVer (FIPS 186-4) SSH Host Public Key R/E ECDSA SigVer (FIPS 186-4) RSA SigVer (FIPS 186-4) SSH Client Public Key W/E N/A CO, User Password G/E/W DRBG Seed G/E DRBG V Counter DRBG, ESV DRBG Key Entropy Input String KDF SNMP SNMPv3 Authentication W/E Secret KDF SNMP SNMPv3 Privacy Secret W/E HMAC-SHA-1 SNMPv3 Authentication G/E/Z HMAC-SHA2-224 Key HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 AES-CFB128 SNMPv3 Session Key G/E/Z Firmware Used to load/install Public Key for Firmware CO W/E System Logs RSA SigVer (FIPS 186-4) Update new firmware Load Test Allows review of RSA SigGen (FIPS 186-4) RSA Private Keys CO, E System Logs User limited ECDSA SigGen ECDSA Private Keys E System Audit configuration and (FIPS 186-4) system status via KAS KDF SSH G/E/Z © 2024 Palo Alto Networks, Inc. Palo Alto Networks WildFire 11.0 WF-500 and WF-500-B Security Policy Page 16
logs, dashboard and SSH Shared Secret configuration SSH DHE/ECDHE Private G/E/Z screens. Provides Components no configuration commit capability. CKG, ECDSA KeyGen (FIPS 186-4), ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC, KAS-FFC-SSC, Safe SSH DHE/ECDHE Public G/E/R/W/Z Primes Key Generation, Components Safe Primes Key Verification HMAC-SHA-1 SSH Session G/E/Z HMAC-SHA2-256 Authentication Keys KTS HMAC-SHA2-512 AES-CBC, SSH Session Encryption G/E/Z AES-CTR Keys KTS AES-GCM RSA SigVer (FIPS 186-4) SSH Host Public Key R/E ECDSA SigVer (FIPS 186-4) RSA SigVer (FIPS 186-4) SSH Client Public Key W/E N/A CO, User Password G/E/W DRBG Seed G/E DRBG V Counter DRBG, ESV DRBG Key Entropy Input String CKG RSA Private Keys CO, G/W/E System Logs RSA KeyGen (FIPS 186-4) Peer-to RSA SigGen (FIPS 186-4) -Peer VPN CKG ECDSA Private Keys G/W/E ECDSA KeyGen (FIPS 186-4) ECDSA SigGen (FIPS 186-4) DRBG Seed G/E DRBG V Counter DRBG, ESV DRBG Key Entropy Input String G/E/Z KDF IKEv2 IPSec/IKE Shared Secret CKG, IPSec/IKE DHE/ECDHE G/E/Z Configures ECDSA KeyGen (FIPS Private Components IKE/IPsec Configuration IKE/IPsec setup for KAS 186-4), ECDSA KeyVer peer to peer VPN. (FIPS 186-4), KAS-ECC-SSC, KAS-FFC-SSC, Safe IPSec/IKE DHE/ECDHE G/E/R/W/Z Primes Key Generation, Public Components Safe Primes Key Verification HMAC-SHA2-256 IPSec/IKE Authentication G/E/Z HMAC-SHA2-384 Keys KTS HMAC-SHA2-512 IPSec/IKE Session Keys AES-CBC IPSec/IKE Session Keys G/E/Z KTS AES-GCM RSA Public Keys G/R/E/W RSA SigVer (FIPS 186-4) CA Certificates © 2024 Palo Alto Networks, Inc. Palo Alto Networks WildFire 11.0 WF-500 and WF-500-B Security Policy Page 17
ECDSA Public Keys G/R/E/W ECDSA SigVer (FIPS 186-4) CA Certificates Unauth Destroys all keys in Console Output / Zeroize N/A All Keys and SSPs enticat Z the module Zeroization indicator ed Run power up Unauth E System Logs HMAC-SHA2-256, self-tests on demand Firmware Integrity enticat Self-Tests ECDSA SigVer by power cycling the Verification Key ed (FIPS 186-4) module. View hardware status Unauth Show Status of the module via the N/A N/A enticat N/A LEDs (LEDs) LEDs. ed Note: Configuration/System Logs for Approved services above will indicate FIPS-CC mode is enabled and that the service succeeded. The module does not implement a non-Approved Mode, so does not implement any Non-Approved Services.
Figure 5 - Remove Front Handles and Modules
Figure 6 – Secure the Front Brackets Figure 7 - Attach Pull Handles and Front Modules
Figure 8
Figure 13 - Apply Tamper-Evident Seals on Vent Overlays and Side Opening
Figure 15 - Apple Tamper-Evident Seals on the Bottom of the Appliance
Remove the Void Warranty label that covers the left side cover screw then use a Phillips-head screwdriver to remove both screws as indicated in the illustration. b. Simultaneously depress the two (2) release buttons on top of the cover and slide the cover toward the back of the appliance to remove it. c. Slide the physical kit top cover (does not have vents) on the appliance until the release buttons click. Replace the two screws that you removed from the old cover Figure 17
Figure 19 – WF-500-B: FIPS Front Cover
Figure 20
Figure 22 – WF-500-B: Tamper Seals Location for Side Rails
112 bits KAS-FFC-S RAM
Pre-Master RFC7627 N/A N/A minimum SC, SP plaintext termination with client and server Secret Cert. 800-56A random nonces #A3453 Rev. 3 TLS v1.2 KDF TLS v1.2 TLS Master RAM
Secret plaintext termination the TLS session keys Cert. RFC7627 #A3453 © 2024 Palo Alto Networks, Inc. Palo Alto Networks WildFire 11.0 WF-500 and WF-500-B Security Policy Page 31
AES-CBC or TLS TLS v1.2 AES (128 or 256 bit) keys
128 bits AES-GCM TLS, KAS SP RAM - Zeroize at session
Encryption KDF N/A used in TLS connections minimum Cert. 800-56A Rev. 3 plaintext termination Keys RFC7627 (GCM; CBC) #A3453 HMAC-SHA 2-256 TLS v1.2 HMAC keys used in TLS TLS HMAC 256 bits HMAC-SHA TLS, KAS SP RAM - Zeroize at session KDF N/A connections (SHA-256, 384) Keys minimum 2-384 800-56A Rev. 3 plaintext termination RFC7627 (256, 384 bits) Cert. #A3453 KAS-ECC-SS SSH C Counter Diffie Hellman or EC DHE/ECDHE 112 bits KAS-FFC-SS DRBG, SP RAM - Zeroize at session Diffie-Hellman private (DH N/A N/A Private minimum C 800-56A plaintext termination MODP-2048, ECDH P-256, Components Cert. Rev. 3 ECDH P-384, ECDH P-521) #A3453 KAS-ECC-SS Diffie Hellman or EC SSH C Counter Plaintext SSH Diffie-Hellman public DHE/ECDHE 112 bits KAS-FFC-SS DRBG, SP handshake RAM - Zeroize at session N/A component (DH Public minimum C 800-56A plaintext termination MODP-2048, ECDH P-256, Components Cert. Rev. 3 ECDH P-384, ECDH P-521) #A3453 KAS-ECC-S Diffie Hellman or EC SC or KDF SSH Diffie-Hellman shared secret SSH Shared 112 bits KAS-FFC-S RAM - Zeroize at session Cert. N/A N/A (DH MODP-2048, ECDH Secret minimum SC, SP plaintext termination #A3453 P-256, ECDH P-384, ECDH 800-56A P-521) Rev. 3 RSA SigVer (FIPS 186-4) ECDSA SSH Host Public Key (RSA Counter SSH Host 112 bits SigVer (FIPS HDD/RAM 2048, RSA 3072, RSA 4096, DRBG, FIPS N/A N/A Zeroize Service Public Key minimum 186-4)
128 bits SSH, KAS SP RAM - Zeroize at session command line interface.
Encryption AES-GCM KDF SSH N/A minimum 800-56A Rev. 3 plaintext termination (128, 192, or 256 bits: CBC Keys Cert. or CTR) #A3453 (128 or 256 bits: GCM) HMAC-SHA Authentication keys used in -1 all SSH connections to the HMAC-SHA SSH Session security module’s command
160 bits 2-256 SSH, KAS SP RAM - Zeroize at session
Authenticati KDF SSH N/A line interface (HMAC-SHA-1, minimum HMAC-SHA 800-56A Rev. 3 plaintext termination on Keys HMAC-SHA2-256, 2-512 HMAC-SHA2-512) (160, Cert. 256, 512 bits) #A3453 KAS-ECC-SS Diffie-Hellman or EC IPSec/IKE C Counter Diffie-Hellman private DHE/ECDHE 112 bits KAS-FFC-SS DBRG, SP RAM - Zeroize at session component used in key N/A N/A Private minimum C 800-56A plaintext termination establishment Components Cert. Rev. 3 (DHE MODP-2048, ECDHE #A3453 P-256, P-384) KAS-ECC-SS Diffie-Hellman or EC IPSec/IKE C Counter Diffie-Hellman public DHE/ECDHE 112 bits KAS-FFC-SS DRBG, SP RAM - Zeroize at session component used in key N/A N/A Public minimum C 800-56A plaintext termination agreement Components Cert. Rev. 3 (DHE MODP-2048, ECDHE #A3453 P-256, P-384) Diffie Hellman or EC KAS-ECC-S IPSec/IKE KDF IKEv2 Diffie-Hellman shared secret
112 bits SC or RAM - Zeroize at session
Shared Cert. N/A N/A (DH MODP-2048, ECDH minimum KAS-FFC-S plaintext termination Secret #A3453 P-256, ECDH P-384, ECDH SC, SP P-521) © 2024 Palo Alto Networks, Inc. Palo Alto Networks WildFire 11.0 WF-500 and WF-500-B Security Policy Page 32
800-56A Rev. 3 AES-CBC, IPSec/IKE, KAS Used to encrypt IKE/IPSec IPSec/IKE 128 bits AES-GCM RAM - Zeroize at session N/A N/A SP 800-56A data. These are AES CBC or Session Keys minimum Cert. plaintext termination Rev. 3 GCM (128 or 256 bits) #A3453 HMAC-SHA -1 HMAC-SHA 2-256 HMAC keys for IPSec/IKE IPSec/IKE, KAS
160 bits HMAC-SHA RAM - Zeroize at session authentication
Authenticati N/A N/A SP 800-56A minimum 2-384 plaintext termination (HMAC-SHA-256/384/512) on Keys Rev. 3 HMAC-SHA (key size 256, 384, 512 bits) 2-512 Cert. #A3453 HMAC-SHA Used to check the integrity 2-256, of crypto-related code. Firmware Import only, ECDSA (HMAC-SHA-256 and Integrity TLS or SSH HDD -
128 bits SigVer Pre-loaded N/A N/A ECDSA P-256)
Verification Session Key plaintext (FIPS 186-4) Key Encrypted Cert. (Note: This is not considered an #A3453 SSP) RSA SigVer Import only, Used to authenticate Public Key (FIPS 186-4) TLS or SSH HDD - firmware and content to be for Firmware 112 bits Pre-loaded N/A N/A Cert. Session Key plaintext installed on the module (RSA Load Test #A3453 Encrypted 2048 with SHA-256) HDD - a SHA2-256 TLS or SSH Authentication string with a CO, User password N/A Cert. External Session Key N/A Zeroize Service minimum length of eight (8) Password hash #A3453 Encrypted characters. (SHA2-256) TLS or SSH Secrets used by RADIUS or Protocol HDD/RAM N/A N/A External Session Key N/A Zeroize Service TACACS+ (8 characters Secrets
384 bits Entropy input string coming
Counter Entropy as Entropy (E64) RAM - from the entropy source DRBG per N/A N/A Power cycle Input String 194 bits plaintext SP 800-90B (E130) Input length = 384 bits Cert. #A3453 CKG (vendor affirmed),
384 bits DRBG seed coming from the
Counter Entropy as (E64) RAM - entropy source DRBG Seed DRBG per N/A N/A Power cycle
SP 800-90B (E130) Seed length = 384 bits Cert. #A3453 CKG (vendor affirmed), Counter Entropy as AES 256 CTR DRBG state RAM DRBG Key 256 bits DRBG per N/A N/A Power cycle Key used in the generation of plaintext SP 800-90B a random values Cert. #A3453 CKG (vendor affirmed), Counter Entropy as AES 256 CTR DRBG state V RAM DRBG V 128 bits DRBG per N/A N/A Power cycle used in the generation of a plaintext SP 800-90B random values Cert. #A3453 © 2024 Palo Alto Networks, Inc. Palo Alto Networks WildFire 11.0 WF-500 and WF-500-B Security Policy Page 33
SNMPv3 KDF SNMP TLS or SSH Used to support SNMPv3 Authenticati HDD/RAM N/A Cert. N/A Session Key N/A Zeroize Service services on Secret
160 bits 2-256 HDD/RAM
Authenticati KDF SNMP N/A N/A Zeroize Service /512 Authentication minimum HMAC-SHA
Entropy Source the 384 bit seed. [WF-500-B] ESV Cert. #E130 Entropy source provides 0.50694395678 bits of entropy per bit of output. The DRBG requests 384 bits of data from Palo Alto Networks RTC
194 bits the entropy source, so is seeded with at least 194 bits of
Entropy Source entropy. The module generates SSPs (e.g., keys) whose strengths are modified by available entropy [WF-500] 10. Self-Tests The cryptographic module automatically performs the following tests below. The operator can command the module to perform the pre-operational and cryptographic algorithm self-tests by cycling power of the module; these tests do not require any additional operator action. © 2024 Palo Alto Networks, Inc. Palo Alto Networks WildFire 11.0 WF-500 and WF-500-B Security Policy Page 34
Pre-operational Self-Tests Pre-operational Software/Firmware Integrity Test
Error Handling In the event of a conditional test failure, the module will output a description of the error. These are summarized below. Table 12 - Errors and Indicators Cause of Error Error State Indicator Conditional Cryptographic Algorithm Self-Test or FIPS-CC mode failure. <Algorithm test> failed. Software Integrity Test Failure Conditional Pairwise Consistency or Critical Functions System log prints an error message. Test Failure Conditional Firmware Load Test Failure System prints Invalid image message.