All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Panorama 11.0 M-200, M-300, M-600 and M-700

Certificate#4927StandardFIPS 140-3Level2TypeHardwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorPalo Alto Networks, Inc.
Medium review priority  ·  no TCB surface named  ·  last validated 19 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level2
Module typeHardware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date12/18/2026
CaveatInterim Validation. When installed, initialized and configured as specified in Section 11 of the Security Policy. The tamper evident seals and physical kit installed as indicated in the Security Policy
VendorPalo Alto Networks, Inc.

Approved Algorithms (31)

AlgorithmACVP Cert
AES-CBCA3453
AES-CFB128A3453
AES-CTRA3453
AES-GCMA3453
Conditioning Component AES-CBC-MAC SP800-90BA2165
Conditioning Component AES-CBC-MAC SP800-90BA2518
Counter DRBGA3453
ECDSA KeyGen (FIPS186-4)A3453
ECDSA KeyVer (FIPS186-4)A3453
ECDSA SigGen (FIPS186-4)A3453
ECDSA SigVer (FIPS186-4)A3453
HMAC-SHA-1A3453
HMAC-SHA2-224A3453
HMAC-SHA2-256A3453
HMAC-SHA2-384A3453
HMAC-SHA2-512A3453
KAS-ECC-SSC Sp800-56Ar3A3453
KAS-FFC-SSC Sp800-56Ar3A3453
KDF SNMPA3453
KDF SSHA3453
RSA KeyGen (FIPS186-4)A3453
RSA SigGen (FIPS186-4)A3453
RSA SigVer (FIPS186-4)A3453
Safe Primes Key GenerationA3453
Safe Primes Key VerificationA3453
SHA-1A3453
SHA2-224A3453
SHA2-256A3453
SHA2-384A3453
SHA2-512A3453
TLS v1.2 KDF RFC7627A3453

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Panorama 11.0 M-200, M-300, M-600 and M-700
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Update<br/>Firmware Load</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>status output<br/>self-test</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Panorama 11.0 M-200, M-300, M-600 and M-700
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Update<br/>Firmware Load</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>status output<br/>self-test</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Panorama 11.0 M-200, M-300, M-600 and M-700 Version: 1.1 Revision Date: November 25, 2024 Palo Alto Networks, Inc. www.paloaltonetworks.com © 2024 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Page 2
Table of Contents
#SectionPage
Page 3

1. General The Panorama M-200, M-300, M-600 and M-700 from Palo Alto Networks Inc., hereafter referred to as “Panorama M-Series”, “Panorama HW”, “modules”, or the “cryptographic modules” are multi-chip standalone cryptographic modules designed to fulfill FIPS 140-3 level 2 requirements. Panorama M-Series management appliances provide centralized management and visibility of Palo Alto Networks next generation firewalls. From a central location, you can gain insight into applications, users, and content traversing the firewalls. The knowledge of what is on the network, in conjunction with safe application enablement policies, maximizes protection and control while minimizing administrative effort. Your security team can centrally perform analysis, reporting, and forensics with the aggregated data over time, or on data stored on the local firewall. The Panorama M-Series management appliances’ individual management and logging components can be separated in a distributed manner to accommodate large volumes of log data. Panorama M-Series management appliances can be deployed in the following ways:

Page 4

The cryptographic module meets the overall requirements applicable to Level 2 security of FIPS 140-3. Table 1 - Security Levels ISO/IEC 24759 FIPS 140-3 Section Title Security Section 6. Level

1 General 2
2 Cryptographic Module Specification 2
3 Cryptographic Module Interfaces 2
4 Roles, Services, Authentication 3
5 Software/Firmware Security 2
6 Operational Environment N/A
7 Physical Security 2
8 Non-Invasive Security N/A
9 Sensitive Security Parameter Management 2
10 Self-Tests 2
11 Life-Cycle Assurance 3
12 Mitigation of Other Attacks N/A

Overall Level 2 © 2024 Palo Alto Networks, Inc. Panorama HW 11.0 Security Policy 4

Page 5
  1. Cryptographic Module Specification The configurations for this validation are highlighted in Table
  2. Table 2 - Hardware Tested Configuration Module Hardware Firmware Version Distinguishing Features 910-000176 11.0.4 RJ45 interfaces, USB ports, LEDs Panorama M-200 Physical Kit: 920-000208 910-000271 11.0.4 RJ45 interfaces, USB ports, LEDs Panorama M-300 Physical Kit: 920-000319 910-000175 11.0.4 RJ45 interfaces, USB ports, LEDs, Panorama M-600 Physical Kit: 920-000209 SFP+ ports 910-000270 11.0.4 RJ45 interfaces, USB ports, LEDs, Panorama M-700 Physical Kit: 920-000318 SFP+ ports Approved Mode of Operation The following procedure will initialize the modules into the Approved mode of operation: ● Install physical kit opacity shields and tamper evidence seals according to the Physical Security Policy section. physical kits must be correctly installed to operate in the Approved mode of operation. The tamper evidence seals and opacity shields shall be installed for the module to operate in a Approved mode of operation. ● During initial boot up, break the boot sequence via the console port connection (by pressing the maint button when instructed to do so) to access the main menu. ● Select “Continue.” ● Select the “Set FIPS-CC Mode” option to initialize the Approved mode. ● Select “Enable FIPS-CC Mode”. ● When prompted, select “Reboot” and the module will re-initialize and continue into the Approved mode of operation (FIPS-CC mode). ● The module will reboot. ● In FIPS-CC mode, the console port is available only as a status output port. ● Once the module has finished booting, the Crypto Officer can authenticate using the default credentials that come with the module o Once authenticated, the module will automatically require the operator to change their password; and the default credential is overwritten The module will automatically indicate the Approved mode of operation in the following manner: ● Status output interface will indicate “**** FIPS-CC MODE ENABLED ****” via the CLI session. ● Status output interface will indicate “FIPS-CC mode enabled successfully” via the console port. ● The module will display “FIPS-CC” at all times in the status bar at the bottom of the web interface. ● The module will display “fips-cc” when “show system info” is entered via the CLI Should one or more power-up self-tests fail, the Approved mode of operation will not be achieved. Feedback will consist of: © 2024 Palo Alto Networks, Inc. Panorama HW 11.0 Security Policy 5
Page 6
Page 7

Convert the M-600/M-700 appliance from PAN-DB mode to the Panorama Manager mode:

Page 8

Counter DRBG A3453 Counter DRBG AES 256 bits with Derivation Function Enabled Random Bit Generator [SP 800-90Arev1] ECDSA KeyGen Key Generation A3453 ECDSA KeyGen P-256, P-384, P-521 (FIPS 186-4) ECDSA KeyVer (FIPS Public Key Validation A3453 ECDSA KeyVer P-256, P-384, P-521 186-4) ECDSA SigGen P-256, P-384, P-521 with SHA2-224, SHA2-256, Signature Generation A3453 ECDSA SigGen (FIPS 186-4) SHA2-384, and SHA2-512 ECDSA SigVer (FIPS P-256, P-384, P-521 with SHA-1, SHA2-224, A3453 ECDSA SigVer Signature Verification 186-4) SHA2-256, SHA2-384, and SHA2-512 A3453 HMAC-SHA-1 [FIPS HMAC HMAC-SHA-1 with λ=96, 160 Authentication for protocols 198-1] A3453 HMAC-SHA2-224 HMAC-SHA2-224 with λ=224 HMAC Authentication for protocols [FIPS 198-1] A3453 HMAC-SHA2-256 HMAC HMAC-SHA2-256 with λ=256 Authentication for protocols [FIPS 198-1] A3453 HMAC-SHA2-384 HMAC HMAC-SHA2-384 with λ=384 Authentication for protocols [FIPS 198-1] A3453 HMAC-SHA2-512 HMAC HMAC-SHA2-512 with λ=512 Authentication for protocols [FIPS 198-1] KAS-ECC-SSC KAS Ephemeral Unified Model: P-256/P-384/P-521 A3453 Key Exchange Sp800-56Ar3 KAS-FFC-SSC SP A3453 KAS dhEphem: MODP-2048 Key Exchange 800-56Ar3 KDF SNMP [SP A3453 SNMPv3 KDF SNMPv3 800-135rev1] (CVL) KDF SSH [SP A3453 SSHv2 KDF SSH 800-135rev1] (CVL) RSA KeyGen RSA KeyGen Key Pair Generation A3453 2048, 3072, and 4096 bits (FIPS 186-4) (FIPS 186-4) (ANSI X9.31, RSASSA-PKCS1_v1-5, RSA SigGen RSA SigGen Signature Generation A3453 RSASSA-PSS): 2048, 3072, and 4096-bit with (FIPS 186-4) (FIPS 186-4) hashes 256/384/512 (ANSI X9.31, RSASSA-PKCS1_v1-5, RSASSA-PSS): 2048, 3072, 4096-bit (per IG C.F) with hashes SHA-1/224+++/256/384/512 RSA SigVer RSA SigVer A3453 (Signature Verification) Signature Verification (FIPS 186-4) (FIPS 186-4) +++ This Hash algorithm is not supported for ANSI X9.31 Digital Signature Verification SHA-1 A3453 SHA-1 [FIPS 180-4] SHA Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification SHA2-224 [FIPS A3453 SHA2 SHA-224 180-4] Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification SHA2-256 [FIPS A3453 SHA2 SHA-256 180-4] Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature SHA2-384 [FIPS A3453 SHA2 SHA-384 Generation/Verification 180-4] © 2024 Palo Alto Networks, Inc. Panorama HW 11.0 Security Policy 8

Page 9

Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification SHA2-512 [FIPS A3453 SHA2 SHA-512 180-4] Non-Digital Signature Applications (e.g. component of HMAC) Safe Primes Key Safe Primes Key A3453 Generation [RFC MODP-2048 Safe Primes Key Generation Generation 3526] Safe Primes Key Safe Primes Key A3453 Verification [RFC MODP-2048 Safe Primes Key Verification Verification 3526] TLS v1.2 KDF TLS1.2 KDF A3453 TLS v1.2 Hash Algorithm: SHA2-256, SHA2-384 TLS RFC7627 (CVL) SP 800-38A, FIPS AES Cert. # 198-1, and SP A3453 and KTS 800-38F. KTS (key 128, 192, and 256-bit keys providing 128, 192, or HMAC Key Wrapping [SP 800-38F] wrapping and 256 bits of encryption strength Cert. # unwrapping) per IG A3453 D.G. SP 800-38D and SP AES-GCM 800-38F. KTS (key KTS 128 and 256-bit keys providing 128 or 256 bits Cert. # wrapping and Key Wrapping [SP 800-38F] of encryption strength A3453 unwrapping) per IG D.G. ESV Cert. SP 800-90B ESV Palo Alto Networks DRNG Entropy Source Entropy #E64 ESV Cert. SP 800-90B ESV Palo Alto Networks DRNG Entropy Source Entropy #E65 ESV Cert. SP 800-90B ESV Palo Alto Networks DRNG Entropy Source Entropy #E66 KAS-ECC-S SC Cert. SP 800-56Arev3. #A3453, KAS [SP P-256, P-384, and P-521 curves providing 128, KAS-ECC per IG D.F Key Exchange with protocol KDF KDF SSH 800-56Arev3] 192, or 256 bits of encryption strength Scenario 2 path (2). Cert. #A3453 KAS-ECC-S SC Cert. #A3453, SP 800-56Arev3. TLS v1.2 KAS [SP P-256, P-384, and P-521 curves providing 128, KAS-ECC per IG D.F Key Exchange with protocol KDF KDF 800-56Arev3] 192, or 256 bits of encryption strength Scenario 2 path (2). RFC7627 Cert. #A3453 KAS-FFC-S SC Cert. SP 800-56Arev3. #A3453, KAS [SP 2048-bit key providing 112 bits of encryption KAS-FFC per IG D.F Key Exchange with protocol KDF KDF SSH 800-56Arev3] strength Scenario 2 path (2). Cert. #A3453 KAS-FFC-S SC Cert. #A3453, SP 800-56Arev3. TLS v1.2 KAS [SP 2048-bit key providing 112 bits of encryption KAS-FFC per IG D.F Key Exchange with protocol KDF KDF 800-56Arev3] strength Scenario 2 path (2). RFC7627 Cert. #A3453 © 2024 Palo Alto Networks, Inc. Panorama HW 11.0 Security Policy 9

Page 10

Key Generation Cryptographic Key Note: The seeds used for asymmetric Vendor CKG Section 5.1, Section Generation; SP 800- key pair generation are produced using Affirmed (SP 800-133rev2) 5.2 133rev2 and IG D.H. the unmodified/direct output of the DRBG The module is compliant to IG C.H: GCM is used in the context of TLS and SSH:

Page 11

Table 4 - Supported Protocols in the Approved Mode TLSv1.2 SSHv2 SNMPv3 *Note: these protocols were not reviewed or tested by the CMVP or CAVP. Module Diagrams Figures 1 - 8 depict the modules and their interfaces. The cryptographic boundary consists of the physical perimeter of the hardware appliances with the physical kits installed. Please refer to the Physical Security section of this document for depictions of the modules with the physical kits installed. Figure 1 - M-200 Front Figure 2 - M-200 Rear Figure 3 - M-300 Front Figure 4 - M-300 Rear © 2024 Palo Alto Networks, Inc. Panorama HW 11.0 Security Policy 11

Page 12

Figure 5 - M-600 Front Figure 6 - M-600 Rear Figure 7 - M-700 Front Figure 8 - M-700 Rear 3. Cryptographic Module Interfaces The modules are multi-chip standalone modules with ports and interfaces as shown below. The modules do not implement a control output interface. Table 5 - Ports and Interfaces Physical Interface Logical Interface Data that passes over port/interface LED Status output Module status via LED indicators Power Power N/A © 2024 Palo Alto Networks, Inc. Panorama HW 11.0 Security Policy 12

Page 13

RJ45 Console Status output Self-test output RJ45 Ethernet Data input, control input, control output, TLS, SSH data output, status output SFP+ Data input, control input, data output, TLS (M-600, M-700) status output 4. Roles, Services, and Authentication Assumption of Roles The module supports distinct operator roles. The cryptographic module enforces the separation of roles using unique authentication credentials associated with operator accounts. The module supports concurrent operators. The module does not provide a maintenance role or bypass capability. Table 6

Page 14

Panorama Certificate Configuring and managing Confirmation of service via CO Management certificates via CLI or WebUI Configuration Logs Panorama Log Setting Configuring and managing log Confirmation of service via CO settings via CLI or WebUI Configuration Logs Panorama Server Profiles Configuring and managing Confirmation of service via CO Server configurations (e.g. Configuration Logs SNMP, etc.) via CLI or WebUI Setup Managed Devices and Configuring and managing Confirmation of service via Deployment Managed Devices configurations Configuration Logs CO (e.g., Versions, Licenses, etc.) via CLI or WebUI Configure Managed Log Configuring and managing Confirmation of service via CO Collectors Managed Log Collectors Configuration Logs configurations via CLI or WebUI CO, Zeroize Zeroize from CLI Zeroization Indicator Unauthentica ted CO, User, Self-Test Run self-test via CLI or WebUI Output results via System Logs Unauthentica ted Show Status Show status via CLI or WebUI FIPS-CC Mode Indicator CO, User System Audit View system audit records via Audit records via System Logs CO, User CLI or WebUI Monitor System Status and Logs View system status records via System status via System Logs CO, User CLI or WebUI Panorama Log Collector Setup Configuring and managing Log Confirmation of service via CO Collectors configurations via CLI Configuration Logs Panorama Pan-DB Setup Configuring and managing Confirmation of service via CO Pan-DB URL configurations via Configuration Logs CLI Manage Pan-DB Administrative Configuring and managing Confirmation of service via CO Access Administrator password via CLI Configuration Logs Table 7 - Roles and Authentication Role Authentication Method Authentication Strength CO Memorized Secret (Unique Password-based Username/password) and/or Minimum length is eight1 (8) characters (95 possible characters). Single-Factor Cryptographic The probability that a random attempt will succeed or a false Software (certificate common acceptance will occur is 1/(958) which is less than 1/1,000,0002. name / public key-based The probability of successfully authenticating to the module authentication) within one minute is 10/(958), which is less than 1/100,000. The In FIPS-CC Mode, the module checks and enforces the minimum password length of eight (8) as specified in SP 800-63B. Passwords are securely stored hashed with salt value, with very restricted access control, and rate limiting mechanism for authentication attempts. SP 800-63B, Appendix A.4 establishes a minimum acceptable security strength of 10^6 based on the minimum acceptable random pin size of six (6) digits. © 2024 Palo Alto Networks, Inc. Panorama HW 11.0 Security Policy 14

Page 15

module’s configuration supports at most ten failed attempts to authenticate in a one-minute period. Certificate/Public key-based The security modules support public-key based authentication using RSA 2048 and certificate-based authentication using RSA Memorized Secret (Unique 2048, RSA 3072, RSA 4096, ECDSA P-256, P-384, or P-521. Username/password) and/or Single-Factor Cryptographic The minimum equivalent strength supported is 112 bits. The Software (certificate common probability that a random attempt will succeed is 1/(2112) which is User less than 1/1,000,000. The probability of successfully name / public key-based authentication) authenticating to the module within a one minute period is 10/(2112), which is less than 1/100,000. The module in FIPS-CC mode allows at most 10 failed attempts before a lockout occurs. Access Control Policy While in the Approved mode of operation all authenticated services and CSPs are accessed via authenticated SSH or TLS sessions. Access is restricted to authenticated operators only and no interface is provided to modify the public or private key. SNMPv3 authentication is supported but is not a method of module administration and does not allow read/write access of CSPs. Approved and allowed algorithms, relevant CSP and public keys related to these protocols are used to access the following services. CSP access by services is further described in the following tables. Additional service information and administrator guidance for Panorama can be found at https://docs.paloaltonetworks.com/. The Crypto-Officer may access all services, and through the “management of administrative access” service may define multiple Crypto-Officer roles with limited services. The User role provides read-only access to the System Audit service. When configured in the default mode, Panorama Manager provides services via web-browser based interface and a command line interface (CLI). For the Panorama Log Collector mode and PAN-DB mode, only the CLI is available for management. SSP Access Rights The table below defines the relationship between access to CSPs and the different module services. The modes of access shown in the table are defined as: © 2024 Palo Alto Networks, Inc. Panorama HW 11.0 Security Policy 15

Page 16

G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g. the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP. Table 8 - Approved Services Service Description Approved Security Functions Keys and/or SSPs Roles Access rights to Indicator Keys and/or SSPs Show Version Query the module to display N/A N/A CO N/A Version displayed via the version System Logs / CLI / UI Perform panorama licensing, diagnostics, debug functions, manage Panorama support information and switch between Panorama System and System Provisioning N/A N/A CO N/A Management-only, and Configuration logs Logger modes. (Panorama or Management-Only Mode) Access web portal Connect to module’s web RSA SigVer (186-4) CA Certificates CO G/R/E/W System Logs portal to invoke services. RSA SigVer (186-4) RSA Public Keys G/R/E/W (Panorama or ECDSA SigVer (186-4) ECDSA Public Keys G/R/E/W Management-Only Mode) KAS TLS v1.2 KDF TLS Pre-Master G/E/Z RFC7627 Secret TLS v1.2 KDF TLS Master Secret G/E/Z RFC7627 CKG, TLS DHE/ECDHE G/E/Z ECDSA KeyGen Private Components (FIPS 186-4), ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC, KAS-FFC-SSC, TLS DHE/ECDHE G/E/Z Safe Primes Key Public Components Generation, Safe Primes Key Verification KTS TLS HMAC Keys G/E/Z HMAC-SHA2-256 HMAC-SHA2-384 AES-CBC TLS Encryption Keys G/E/Z KTS AES-GCM TLS Encryption Keys G/E/Z Counter DRBG, ESV DRBG Seed CO G/E Configuration/System DRBG V Logs DRBG Key Entropy Input String Access CLI Connect to module’s CLI via KTS HMAC-SHA-1 SSH Session CO, User G/E/Z System Logs SSH HMAC-SHA2-256 Authentication Keys © 2024 Palo Alto Networks, Inc. Panorama HW 11.0 Security Policy 16

Page 17

HMAC-SHA2-512 AES-CBC SSH Session G/E/Z AES-CTR Encryption Keys KTS AES-GCM G/E/Z KAS KDF SSH SSH DHE/ECDHE G/E/Z Private Components KAS-ECC-SSC SSH DHE/ECDHE G/E/R/W/Z KAS-FFC-SSC Public Components Safe Primes Key Generation Safe Primes Key Verification Counter DRBG, ESV DRBG Seed CO G/E Configuration/System Logs DRBG V DRBG Key Entropy Input String Panorama Firmware Download and install RSA SigVer (FIPS 186-4) Public Key for CO W/E System and Update firmware updates Firmware Load Test Configuration logs Panorama Manager Setup Presents configuration CKG RSA Private Keys CO G/W/E System and options for management RSA KeyGen (FIPS 186-4) Configuration logs interfaces and RSA SigGen (FIPS 186-4) communication for peer CKG ECDSA Private Keys G/W/E services (e.g., SNMP, ECDSA KeyGen RADIUS). ( FIPS 186-4) Import, Export, Save, Load, ECDSA SigGen revert and validate (FIPS 186-4) Panorama configurations and state role RSA SigVer (FIPS 186-4) RSA Public Keys G/R/E/W ECDSA SigVer (FIPS 186-4) ECDSA Public Keys G/R/E/W (Panorama or Management-Only Mode) KDF SNMP SNMPv3 W/E Authentication Secret KDF SNMP SNMPv3 Privacy W/E Secret HMAC-SHA-1 SNMPv3 G/E/Z HMAC-SHA2-224 Authentication Key HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 AES-CFB128 SNMPv3 Session Key G/E/Z RSA SigVer (FIPS 186-4) CA Certificates G/R/E/W ECDSA SigVer (FIPS 186-4) KAS TLS v1.2 KDF TLS Pre-Master G/E/Z RFC7627 Secret TLS v1.2 KDF TLS Master Secret G/E/Z RFC7627 CKG, TLS DHE/ECDHE G/E/Z ECDSA KeyGen Private Components (FIPS 186-4), TLS DHE/ECDHE G/E/R/W/Z ECDSA KeyVer Public Components (FIPS 186-4), KAS-ECC-SSC, KAS-FFC-SSC, Safe Primes Key Generation, Safe Primes Key Verification KTS HMAC-SHA2-256 TLS HMAC Keys G/E/Z HMAC-SHA2-384 AES-CBC TLS Encryption Keys G/E/Z © 2024 Palo Alto Networks, Inc. Panorama HW 11.0 Security Policy 17

Page 18

KTS AES-GCM TLS Encryption Keys G/E/Z KTS HMAC-SHA-1 SSH Session G/E/Z HMAC-SHA2-256 Authentication Keys HMAC-SHA2-512 AES-CBC, SSH Session G/E/Z AES-CTR Encryption Keys KTS AES-GCM KAS KDF SSH SSH DHE/ECDHE G/E/Z KAS-ECC-SSC Private Components KAS-FFC-SSC Safe Primes Key Generation, Safe Primes Key Verification SSH DHE/ECDHE G/E/R/W/Z Public Components Counter DRBG, ESV Entropy Input String CO G/E System and DRBG Key Configuration Logs DRBG V DRBG Seed Manage Panorama Define access control N/A CO, User Password CO G/E/W System and Administrative Access methods via admin profiles, Configuration logs configure administrators and password profiles Configure local user database, authentication profiles, sequence of RSA SigVer (FIPS 186-4) SSH Client Public Key W/E methods and access domains. (Panorama, Management-Only, or Log Collector Mode) RSA SigVer (FIPS 186-4) SSH Host Public Key G/R/E/W ECDSA SigVer (FIPS 186-4) Configure High Configure High Availability RSA SigVer (FIPS 186-4) RSA Public Key CO G/R/E/W Configuration Logs Availability communication settings (Panorama or Management-Only Mode) ECDSA SigVer (FIPS 186-4) ECDSA Public Key G/R/E/W Panorama Certificate Manage RSA/ECDSA ECDSA SigGen RSA Private Keys CO G/R/W/E System and Management certificates and private (FIPS 186-4) ECDSA Private Keys Configuration logs keys, certificate profiles, RSA SigGen revocation status, and (FIPS 186-4) usage; show status. © 2024 Palo Alto Networks, Inc. Panorama HW 11.0 Security Policy 18

Page 19

(Panorama, ECDSA SigVer RSA Public Keys G/R/W/E Management-Only, or Log (FIPS 186-4) ECDSA Public Keys Collector Mode) RSA SigVer (FIPS 186-4) Counter DRBG DRBG Seed G/E DRBG V DRBG Key Entropy Input String Panorama Log Setting Configure log forwarding N/A N/A CO N/A Configuration Logs (Panorama or Management-Only Mode) Panorama Server Profiles Configure communication KDF SNMP SNMPv3 CO W/E System Logs parameters and information Authentication Secret for peer servers KDF SNMP SNMPv3 Privacy W/E Secret (Panorama or Management-Only Mode) HMAC-SHA-1 SNMPv3 G/E/Z HMAC-SHA2-224 Authentication Key HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 AES-CFB128 SNMPv3 Session Key G/E/Z Setup Managed Devices Set-up and define managed N/A N/A CO N/A Configuration Logs and Deployment devices, device groups for firewalls Configure device deployment applications and licenses View current deployment information on the managed firewalls. It also allows you to manage firmware versions and schedule updates on the managed firewalls and managed log collectors. (Panorama or Management-Only Mode) Configure Managed Log Setup and manage other N/A CO, User Password CO G/E/W System and Collectors Log Collector management, Configuration logs communication and storage settings View current deployment information on the managed Log Collectors. It also allows you to manage firmware versions and schedule updates on managed log collectors. (Panorama or Management-Only Mode) Zeroize Zeroize all SSPs N/A All SSPs CO Z Zeroization Indicator Self-Test Run power up self-tests on N/A Firmware Integrity CO, User E System Logs demand by power cycling Verification Key the module. © 2024 Palo Alto Networks, Inc. Panorama HW 11.0 Security Policy 19

Page 20

Show Status View status of the module N/A N/A CO, User N/A FIPS-CC Mode Indicator System Audit Allows review of limited N/A N/A CO, User N/A System Logs configuration and system status via SNMPv3, logs, dashboard, show status, and configuration screens. CO Only: Provides configuration commit capability. (Panorama, Management-Only, or PAN-DB Mode) Monitor System Status and Review system status via N/A N/A CO, User N/A System Logs Logs the panorama system CLI, dashboard and logs; show status. (Panorama or Management-Only Mode) CKG RSA Private Keys CO G/W/E System and Panorama Log Collector Presents configuration RSA KeyGen (FIPS 186-4) Configuration logs Setup options for management RSA SigGen (FIPS 186-4) interfaces and communication for peer services Import, Export, Save, Load, CKG ECDSA Private Keys G/W/E revert and validate ECDSA KeyGen Panorama configurations ( FIPS 186-4) and state. ECDSA SigGen (FIPS 186-4) (Log Collector Mode only) RSA SigVer (FIPS 186-4) RSA Public Keys G/R/E/W ECDSA SigVer (FIPS 186-4) ECDSA Public Keys G/R/E/W KAS TLS v1.2 KDF TLS Pre-Master G/E/Z RFC7627 Secret TLS v1.2 KDF TLS Master Secret G/E/Z RFC7627 CKG, TLS DHE/ECDHE G/E/Z ECDSA KeyGen Private Components (FIPS 186-4), ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC, KAS-FFC-SSC, TLS DHE/ECDHE G/E/R/W/Z Safe Primes Key Public Components Generation, Safe Primes Key Verification © 2024 Palo Alto Networks, Inc. Panorama HW 11.0 Security Policy 20

Page 21

KTS HMAC-SHA2-256 TLS HMAC Keys G/E/Z HMAC-SHA2-384 AES-CBC TLS Encryption Keys G/E/Z KTS AES-GCM TLS Encryption Keys G/E/Z KTS HMAC-SHA-1 SSH Session G/E/Z HMAC-SHA2-256 Authentication Keys HMAC-SHA2-512 AES-CBC, SSH Session G/E/Z AES-CTR Encryption Keys KTS AES-GCM KAS KDF SSH SSH DHE/ECDHE G/E/Z Private Components KAS-ECC-SSC KAS-FFC-SSC Safe Primes Key Generation, Safe Primes Key Verification Counter DRBG, ESV DRBG Seed G/E DRBG V DRBG Key Entropy Input String Panorama Pan-DB Setup Presents configuration KAS TLS v1.2 KDF TLS Pre-Master CO G/E/Z System Logs options for management RFC7627 Secret interfaces and communication for peer services Import, Export, Save, Load, revert and validate TLS v1.2 KDF TLS Master Secret G/E/Z Panorama configurations RFC7627 and state. (PAN-DB Mode only) © 2024 Palo Alto Networks, Inc. Panorama HW 11.0 Security Policy 21

Page 22

CKG, TLS DHE/ECDHE G/E/Z ECDSA KeyGen Private Components (FIPS 186-4), ECDSA KeyVer (FIPS 186-4), KAS-ECC-SSC, KAS-FFC-SSC, TLS DHE/ECDHE G/E/R/W/Z Safe Primes Key Public Components Generation, Safe Primes Key Verification KTS HMAC-SHA2-256 TLS HMAC Keys G/E/Z HMAC-SHA2-384 AES-CBC TLS Encryption Keys G/E/Z KTS AES-GCM TLS Encryption Keys G/E/Z KTS HMAC-SHA-1 SSH Session G/E/Z HMAC-SHA2-256 Authentication Keys HMAC-SHA2-512 AES-CBC, SSH Session G/E/Z AES-CTR Encryption Keys KTS AES-GCM KAS KDF SSH SSH DHE/ECDHE G/E/Z Private Components KAS-ECC-SSC KAS-FFC-SSC Safe Primes Key Generation, Safe Primes Key Verification Counter DRBG, ESV DRBG Seed G/E DRBG V DRBG Key Entropy Input String © 2024 Palo Alto Networks, Inc. Panorama HW 11.0 Security Policy 22

Page 23

Manage Pan-DB Update Administrator N/A CO, User Password CO G/E/W System and Administrative Access password. Configuration logs (PAN-DB Mode only) Note: Configuration/System Logs for Approved services above will indicate FIPS-CC mode is enabled and that the service succeeded.

  1. Software/Firmware Security The module performs the Firmware Integrity test by using HMAC-SHA-256 and ECDSA signature verification (HMAC and ECDSA Cert. #A3453) during the Pre-Operational Self-Test. In addition, the module also conducts the firmware load test by using RSA 2048 with SHA-256 (Cert. #A3453) for the new validated firmware to be uploaded into the module. The pre-operational self-tests can be initiated by power cycling the module. When this is performed, the module automatically runs the cryptographic algorithm self-tests in addition to the pre-operational firmware integrity test.
  2. Operational Environment The FIPS 140-3 Area 5 Operational Environment requirements are not applicable because the module contains a non-modifiable operational environment. The operational environment is limited since the module includes a firmware load service to support necessary updates. New firmware versions within the scope of this validation must be validated through the FIPS 140-3 CMVP. Any other firmware loaded into this module is out of the scope of this validation and requires a separate FIPS 140-3 validation. © 2024 Palo Alto Networks, Inc. Panorama HW 11.0 Security Policy 23
Page 24

7. Physical Security Physical Security Mechanisms The multi-chip standalone modules are production quality containing standard passivation. Chip components are protected by an opaque enclosure. There are tamper-evident seals that are applied on the modules by the Crypto-Officer. There are fifteen (15) for the M-200, fifteen (15) for the M-300, twenty-one (21) for the M-600, and twenty-one (21) for the M-700. All unused seals are to be controlled by the Crypto-Officer. The seals prevent removal of the opaque enclosure without evidence. The Crypto-Officer must ensure that the module surface is clean and dry. Tamper evident seals must be pressed firmly onto the adhering surfaces during installation and once applied, the Crypto-Officer shall permit 24 hours of cure time for all tamper evident seals. The seals prevent removal of the opaque enclosure without evidence. The Crypto-Officer should inspect the seals and shields for evidence of tamper every 30 days. If the seals show evidence of tamper, the Crypto-Officer should assume that the modules have been compromised and contact support. Note: For ordering information, see Table 2 for physical kit part numbers and versions. Opacity shields are included in the physical kits. Operator Required Actions The following table provides information regarding the various physical security mechanisms, and their recommended frequency of inspection/test. Table 9 - Physical Security Inspection Guidelines Physical Security Recommended Frequency Inspection/Test Guidance Details Mechanism of Inspection/Test Tamper Evident 30 days (M-200, M-300) Verify integrity of tamper-evident seals in the Seals locations identified in Section 7 of this Security Policy.

30 days (M-200, M-300) Verify that opacity shields and side rails have not

Front and Rear been loosened or deformed from their original shape, thereby Opacity Shields reducing their effectiveness. Side Rails Top Overlays 30 days (M-200, M-300) Verify top overlays have not been removed or deformed. All edges should maintain strong adhesion characteristics. Tamper Evident 30 days (M-600, M-700) Verify integrity of tamper-evident seals in the Seals locations specified in Section 7 of this Security Policy. Front and Rear 30 days (M-600, M-700) Verify that the front and rear opacity shields Opacity Shields have not been deformed from their original shape, thereby reducing their effectiveness. Vent Overlays 30 days (M-600, M-700) Verify that the vent overlays have not been removed or deformed. All edges should maintain strong adhesion characteristics. Refer to the following sections for instructions on installation and placement of the tamper seals and opacity shields. © 2024 Palo Alto Networks, Inc. Panorama HW 11.0 Security Policy 24

Page 25

M-200 Tamper Seal Installation (15 Seals) 1. Replace the top cover with the physical top cover. a. Remove the VOID WARRANTY label and cover screws (replacement label included in the kit). M-200 appliance—Remove the Void Warranty label that covers the left top cover screw then use a Phillips-head screwdriver to remove both screws as indicated in the illustration. b. Simultaneously depress the two (2) release buttons on top of the cover and slide the cover toward the back of the appliance to remove it. c. Slide the top cover (does not have vents) on the appliance until the release buttons click. Reinsert and slide cover into position and secure with the two (2) screws. Figure 9

Page 26
  1. On the left side of the M-200, firmly apply seven (7) tamper-evident seals as indicated in the illustration. Figure 10 – M-200: Side View Before Rail Installation Install the inner rack mount rail brackets as described in the “M-200 and M-600 Appliance Hardware Reference”. The front rack bracket that you replace in the next step is located on the front inner rails. Figure 11 – M-200: Inner Rack Mount Rail Brackets
  2. Attach the front cover brackets. © 2024 Palo Alto Networks, Inc. Panorama HW 11.0 Security Policy 26
Page 27

Replace the front rack-mount brackets (one bracket on each side) that are part of the inner-rack rails with the rack-mount brackets by removing and then reinstalling two screws on each bracket. The handles have standoffs that are used to secure the front cover. Figure 12

Page 28
  1. Attach the physical kit back cover to the back of the appliance. Slide the back cover onto the back of the appliance, insert two M4 x 0.7 x 8mm (one (1) screw on each side), and turn the screws clockwise to secure the cover.
  2. Apply a tamper-evident seal to each location shown in the following M-200 illustrations. Ensure you apply two (2) tamper-evident seals on the power supplies (see seals #14 and #15 on the rear illustration). Before you apply the tamper-evident seals, ensure that the appliance and physical kit surfaces are clean and dry. Firmly press one (1) seal on to each of the locations shown in the illustrations. Avoid touching the seals for at least 24 hours to allow time for the seals to properly adhere to the appliance and physical kit surfaces. Figure 14 – M-200: Seal locations on Top and Right Side Figure 15 – M-200: Seal Locations on Left Side and Rear M-300 Tamper Seal Installation (15 Seals)
  3. Replace the top cover with the FIPS top cover. a. Remove the VOID WARRANTY label and cover screws (replacement label included in the kit). © 2024 Palo Alto Networks, Inc. Panorama HW 11.0 Security Policy 28
Page 29

M-300 appliance—Remove the Void Warranty label that covers the left top cover screw then use a Phillips-head screwdriver to remove both screws as indicated in the illustration. b. Simultaneously depress the two (2) release buttons on top of the cover and slide the cover toward the back of the appliance to remove it. c. Slide the physical kit top cover (does not have vents) on the appliance until the release buttons click. Reinsert and slide cover into position and secure with the two (2) screws. Figure 16

Page 30
  1. On the left side of the M-300, firmly apply seven (7) tamper-evident seals as indicated in the illustration. Figure 17 – M-300: Side View Before Rail Installation Install the inner rack mount rail brackets as described in the “M-300 and M-700 Appliance Hardware Reference”. The front rack bracket that you replace in the next step is located on the front inner rails. Figure 18 – M-200: Inner Rack Mount Rail Brackets
  2. Attach the physical kit front cover brackets. © 2024 Palo Alto Networks, Inc. Panorama HW 11.0 Security Policy 30
Page 31

Replace the front rack-mount brackets (one bracket on each side) that are part of the inner-rack rails with the physical kit rack-mount brackets by removing and then reinstalling two screws on each bracket. The physical kit handles have standoffs that are used to secure the front cover. Figure 19

Page 32
  1. Attach the physical kit back cover to the back of the appliance. Slide the back cover onto the back of the appliance, insert two M4 x 0.7 x 8mm (one (1) screw on each side), and turn the screws clockwise to secure the cover.
  2. Apply a tamper-evident seal to each location shown in the following M-300 illustrations. Ensure you apply two (2) tamper-evident seals on the power supplies (see seals #14 and #15 on the rear illustration). Note: Before you apply the tamper-evident seals, ensure that the appliance and physical kit surfaces are clean and dry. Firmly press one (1) seal on to each of the locations shown in the illustrations. Avoid touching the seals for at least 24 hours to allow time for the seals to properly adhere to the appliance and physical kit surfaces. Figure 21 – M-300: Seal locations on Top and Right Side Figure 22 – M-300: Seal Locations on Left Side and Rear M-600 Tamper Seal Installation (21 Seals)
  3. Replace the top cover with the FIPS top cover. a. Remove the VOID WARRANTY label and cover screws (replacement label included in the kit). © 2024 Palo Alto Networks, Inc. Panorama HW 11.0 Security Policy 32
Page 33

Remove the Void Warranty label that covers the left side cover screw then use a Phillips-head screwdriver to remove both screws as indicated in the illustration. b. Simultaneously depress the two (2) release buttons on top of the cover and slide the cover toward the back of the appliance to remove it. c. Slide the physical kit top cover (does not have vents) on the appliance until the release buttons click. Replace the two screws that you removed from the old cover Figure 23

Page 34

Figure 24 – M-600: Front Cover Bracket

  1. Attach the physical kit front cover to the front of the appliance. Slide the M-600 physical kit front cover over the physical kit pull handle brackets and secure the cover by turning the thumb screws clockwise (one thumb screw on each side). Figure 25 – M-600: Physical Kit Front Cover
  2. Install a tamper-evident seal on the back of the appliance. This is seal #13 in the M-600 Figure
  3. You need to install this seal before you install the M-600 physical kit back cover.
  4. Attach the physical kit back cover to the back of the appliance. a. Slide the back cover onto the back of the appliance and turn the two (2) thumb screws clockwise until tight (one (1) screw on each side) to secure the cover.
  5. Apply a tamper-evident seal to each location shown in the following M-600 illustrations below. Also install the overlay stickers to cover vent openings (two (2) stickers on each side). You then install © 2024 Palo Alto Networks, Inc. Panorama HW 11.0 Security Policy 34
Page 35

tamper-evident seals over the overlay stickers. Apply two (2) tamper-evident seals on the back side of the right rack handle (see seals #18 and #19 on the left side in Figure 54). Apply two (2) tamper-evident seals on the power supplies (see seals #11 and #12 with rear inset of Figure 53). Note: Before you apply the tamper-evident seals, ensure that the appliance and physical kit surfaces are clean and dry. Firmly press one (1) seal on to each of the locations shown in the illustrations. Avoid touching the seals for at least 24 hours to allow time for the seals to properly adhere to the appliance and physical kit surfaces. M-600 Seal Placement (21 Seals) Figure 26

Page 36

Figure 27

Page 37

Figure 29 – M-700: Top Cover Replacement

  1. Attach the physical kit front cover brackets. Remove the front pull handles by removing two (2) screws from each handle (one (1) handle on each side), insert the M-700 physical kit front-cover brackets under each handle, and then replace the handles and secure them using the screws that you removed. The physical kit handles have standoffs that are used to secure the front cover. Figure 30 – M-700: Front Cover Bracket
  2. Attach the physical kit front cover to the front of the appliance. Slide the M-700 physical front cover over the physical kit pull handle brackets and secure the cover by turning the thumb screws clockwise (one thumb screw on each side). © 2024 Palo Alto Networks, Inc. Panorama HW 11.0 Security Policy 37
Page 38

Figure 31 – M-700: Physical Kit Front Cover

  1. Install a tamper-evident seal on the back of the appliance. This is seal #13 in the M-700 Figure
  2. You need to install this seal before you install the M-700 physical kit back cover.
  3. Attach the physical kit back cover to the back of the appliance. a. Slide the back cover onto the back of the appliance and turn the two (2) thumb screws clockwise until tight (one (1) screw on each side) to secure the cover.
  4. Apply a tamper-evident seal to each location shown in the following M-700 illustrations below. Also install the overlay stickers to cover vent openings (two (2) stickers on each side). You then install tamper-evident seals over the overlay stickers. Apply two (2) tamper-evident seals on the back side of the right rack handle (see seals #18 and #19 on the left side in Figure 54). Apply two (2) tamper-evident seals on the power supplies (see seals #11 and #12 with rear inset of Figure 53). Note: Before you apply the tamper-evident seals, ensure that the appliance and physical kit surfaces are clean and dry. Firmly press one (1) seal on to each of the locations shown in the illustrations. Avoid touching the seals for at least 24 hours to allow time for the seals to properly adhere to the appliance and physical kit surfaces. M-700 Seal Placement (21 Seals) Figure 32 – M-700: Tamper Seal Locations (Top and Rear) © 2024 Palo Alto Networks, Inc. Panorama HW 11.0 Security Policy 38
Page 39

Figure 33

Page 40

9. Sensitive Security Parameters The following table details all the sensitive security parameters utilized by the module. Table 10 - SSPs Key/SSP/Name Strength Security Generati Import/Exp Establishm Storage Zeroization1 Use & Related Keys /Type Function and on ort ent Cert. Number ECDSA/RSA Public key Used to trust a root CA RSA SigVer (FIPS HDD

4096 bits)

Cert. #A3453 termination (ECDSA P-256, P-384, and P-521) RSA public keys managed as certificates for the verification of TLS or SSH signatures, RSA SigVer Session Key DRBG, FIPS HDD/RAM

128 bits minimum (FIPS 186-4) Encrypted or N/A Zeroize Service

Keys 186-4 plaintext operator authentication Cert. #A3453 Plaintext and peer TLS handshake authentication. (ECDSA P-256, P-384, or P-521) HDD

128 bits minimum (FIPS 186-4) Session Key N/A RAM - Zeroize at and authentication

Keys 186-4 plaintext Cert. #A3453 Encrypted session (P-256, P-384, or termination P-521) KAS-FFC or KAS-ECC Ephemeral values used TLS DHE/ECDHE KAS-ECC-SSC DRBG, SP Zeroize at session in key agreement Private 112 bits minimum KAS-FFC-SSC 800-56A Rev. N/A N/A RAM - plaintext termination (KAS-FFC MODP-2048, Components Cert. #A3453 3 KAS-ECC P-256, P-384, P-521) KAS-FFC or KAS-ECC Ephemeral values used TLS DHE/ECDHE KAS-ECC-SSC DRBG, SP Plaintext - TLS Zeroize at session in key agreement Public 112 bits minimum KAS-FFC-SSC 800-56A Rev. N/A N/A handshake termination (KAS-FFC MODP-2048, Components Cert. #A3453 3 KAS-ECC P-256, P-384, P-521) Secret value used to TLS v1.2 KDF KAS SP derive the TLS Master TLS Pre-Master Zeroize at session N/A RFC7627, 800-56A Rev. N/A N/A RAM

Page 41

TLS v1.2 KDF Secret value used to TLS Master TLS v1.2 KDF Zeroize at session N/A RFC7627 N/A N/A RAM

128 bits minimum AES-GCM N/A RAM - plaintext

Keys RFC7627 800-56A Rev. 3 termination connections (GCM; Cert. #A3453 CBC) HMAC keys used in TLS HMAC-SHA2-256 TLS v1.2 KDF TLS, KAS SP Zeroize at session connections (SHA-256, TLS HMAC Keys 256 bits minimum HMAC-SHA2-384 N/A RAM - plaintext RFC7627 800-56A Rev. 3 termination SHA-384) Cert. #A3453 ( 256, 384 bits) KAS-FFC or KAS-ECC SSH public component KAS-ECC-SSC DRBG, SP DHE/ECDHE Zeroize at session (KAS-FFC MODP-2048,

112 bits minimum KAS-FFC-SSC 800-56A Rev. N/A N/A RAM - plaintext

Private termination KAS-ECC P-256, Cert. #A3453 3 Components KAS-ECC P-384, KAS-ECC P-521) KAS-FFC or KAS-ECC SSH Plaintext SSH public component KAS-ECC-SSC DRBG, SP handshake DHE/ECDHE Zeroize at session (KAS-FFC MODP-2048,

112 bits minimum KAS-FFC-SSC 800-56A Rev. N/A RAM - plaintext

Public termination KAS-ECC P-256, Cert. #A3453 3 Components KAS-ECC P-384, KAS-ECC P-521) RSA SigVer (FIPS 186-4) SSH Host Public Key SSH Host Public ECDSA SigVer DRBG, FIPS HDD/RAM

112 bits minimum N/A N/A Zeroize Service

Key (FIPS 186-4) 186-4 plaintext RSA 4096, ECDSA P-256, P-384, or P-521) Cert. #A3453 Public RSA key used to RSA SigVer SSH Client Public Encrypted via HDD/RAM

112 bits minimum (FIPS 186-4) N/A N/A Zeroize Service

Key SSH or TLS plaintext (RSA 2048, 3072, and Cert. #A3453

4096 bits)

Used in all SSH connections to the AES-CBC, security module’s SSH Session AES-CTR, or SSH, KAS SP Zeroize at session

128 bits minimum KDF SSH N/A RAM - plaintext command line interface.

Encryption Keys AES-GCM 800-56A Rev. 3 termination (128, 192, or 256 bits: Cert. #A3453 CBC or CTR) (128 or 256 bits: GCM) Authentication keys used in all SSH connections to the HMAC-SHA-1 SSH Session security module’s HMAC-SHA2-256 SSH, KAS SP Zeroize at session Authentication 160 bits minimum KDF SSH N/A RAM - plaintext command line interface HMAC-SHA2-512 800-56A Rev. 3 termination Keys (HMAC-SHA-1, Cert. #A3453 HMAC-SHA2-256, HMAC-SHA2-512) (160, 256, 512 bits) Used to check the integrity of HMAC-SHA2-256, Firmware crypto-related code. ECDSA SigVer HDD integrity 128 bits N/A N/A N/A N/A (HMAC-SHA-256 and (FIPS 186-4) plaintext verification key ECDSA P-256) (Note: Cert. #A3453 This is not considered an SSP) Used to authenticate Public Key for RSA SigVer firmware and content to HDD Firmware Load 112 bits (FIPS 186-4) N/A N/A N/A N/A be installed on the plaintext Test Cert. #A3453 firewall (RSA 2048 with SHA-256) Authentication string CO, User SHA2-256 Encrypted via HDD - a password Zeroize N/A External N/A with a minimum length Password Cert. #A3453 SSH or TLS hash (SHA2-256) Service of eight (8) characters. Encrypted via HDD/RAM

Page 42

CKG (vendor Entropy input string affirmed), Counter Entropy as coming from the Entropy Input DRBG

384 bits per N/A N/A RAM - plaintext Power cycle entropy source

String SP 800-90B Cert. #A3453 Input length = 384 bits CKG (vendor affirmed), Counter DRBG seed coming from Entropy as DRBG the entropy source DRBG Seed 384 bits per N/A N/A RAM - Plaintext Power cycle SP 800-90B Cert. #A3453 Seed length = 384 bits CKG (vendor affirmed), Counter AES 256 CTR DRBG Entropy as DRBG state Key used in the DRBG Key 256 bits per N/A N/A RAM - plaintext Power cycle generation of a random SP 800-90B Cert. #A3453 values CKG (vendor affirmed), Counter AES 256 CTR DRBG Entropy as DRBG state V used in the DRBG V 128 bits per N/A N/A RAM - plaintext Power cycle generation of a random SP 800-90B Cert. #A3453 values SNMPv3 SNMPv3 secret used for Authentication KDF SNMP Encrypted via HDD/RAM

128 bits minimum KDF SNMP N/A N/A encryption key

Key Cert. #A3453 Plaintext Service (AES-CFB 128) Note: SSPs are implicitly zeroized when power is lost, or explicitly zeroized by the zeroize service. In the case of implicit zeroization, the SSPs are implicitly overwritten with random values due to their ephemeral memory being reset upon power loss. For the zeroization service and zeroization at session termination, the SSP's memory location is overwritten with random values. Table 11

Page 43

10. Self-Tests The cryptographic module performs the following tests below. The operator can command the module to perform the pre-operational and cryptographic algorithm self-tests by cycling power of the module; these tests do not require any additional operator action. Pre-operational Self-Tests Pre-operational Firmware Integrity Test

Page 44

Conditional Firmware Load test ● Firmware Load Test – Verify RSA 2048 with SHA-256 signature on firmware at time of load Conditional Critical Functions Tests ● SP 800-56A Rev. 3 Assurance Tests (Based on Sections 5.5.2, 5.6.2, and 5.6.3) Error Handling In the event of a conditional test failure, the module will output a description of the error. These are summarized below. Table 12 - Errors and Indicators Cause of Error Error State Indicator Conditional Cryptographic Algorithm Self-Test or Firmware FIPS-CC mode failure. <Algorithm test> failed. Integrity Test Failure Conditional Pairwise Consistency or Critical Functions Test System log prints an error message. Failure Conditional Firmware Load Test Failure System prints Invalid image message.

  1. Life-cycle Assurance The vendor provided life-cycle assurance documentation that describes configuration management, design, finite state model, development, testing, delivery + operation, end of life procedures, and guidance. For details regarding the secure installation, initialization, startup, and operation of the module, see section “Modes of Operation”. Palo Alto Network provides an Administrator Guide for additional information noted in the “References” section of this Security Policy. Module Enforced Security Rules The module design corresponds to the module security rules. This section documents the security rules enforced by the cryptographic module to implement the security requirements of this FIPS 140-3 Level 2 module.
  2. The cryptographic module shall provide distinct operator roles. When the module has not been placed in a valid role, the operator shall not have access to any cryptographic services.
  3. The cryptographic module provides identity-based authentication
  4. The cryptographic module shall clear previous authentications on power cycle.
  5. The module shall support the generation of key material with the approved DRBG. The entropy provided must be greater than or equal to the strength of the key being generated.
  6. Data output shall be inhibited during power-up self-tests and error states.
  7. Processes performing key generation and zeroization processes shall be logically isolated from the logical data output paths.
  8. The module does not output intermediate key generation values.
  9. Status information output from the module shall not contain CSPs or sensitive data that if misused could lead to a compromise of the module.
  10. There are no restrictions on which keys or CSPs are zeroized by the zeroization service.
  11. The module maintains separation between concurrent operators.
  12. The module does not support a maintenance interface or role.
  13. The module does not have any external input/output devices used for entry/output of data. © 2024 Palo Alto Networks, Inc. Panorama HW 11.0 Security Policy 44
Page 45
  1. The module does not enter or output plaintext CSPs. Vendor imposed security rules In FIPS-CC mode, the following rules shall apply:
  2. When FIPS-CC mode is enabled, the operator shall not install plugins. a. Checked via CLI using “show plugins installed”
  3. When FIPS-CC mode is enabled, the operator shall not use TACACS+. RADIUS may be used but must be protected by TLS protocol. a. Checked via CLI using “show deviceconfig” command Failure to follow these Security Rules will cause the module to operate in a non-compliant state. Key to Entity The cryptographic module associates all keys (secret, private, or public) stored within, entered into or output from the module with authenticated operators of the module. Keys stored within the module are only made available to authenticated operators via TLS or SSH. Keys are only input or output from the module by the authenticated operator via a SSH or TLS protected communication. Any attempt to intervene in the key to entity relationship would require defeating the module TLS or SSH encryption and authentication/integrity mechanism.
  4. Mitigation of Other Attacks The module is not designed to mitigate any specific attacks outside the scope of FIPS 140-3. These requirements are not applicable.
  5. References [FIPS 140-3] FIPS Publication 140-3 Security Requirements for Cryptographic Modules [AGD] Panorama Administrator’s Guide Version 11.0
  6. Definitions and Acronyms AES – Advanced Encryption Standard CA – Certificate Authority CLI – Command Line Interface CO – Crypto-Officer CSP – Critical Security Parameter CVL – Component Validation List DB9 – D-sub series, E size, 9 pins DES – Data Encryption Standard DH – Diffie-Hellman © 2024 Palo Alto Networks, Inc. Panorama HW 11.0 Security Policy 45
Page 46

DRBG