All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Panorama Virtual Appliance 11.0

Certificate#4935StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorPalo Alto Networks, Inc.
High review priority  ·  no TCB surface named  ·  last validated 18 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date1/1/2027
CaveatInterim Validation. When installed, initialized and configured as specified in Section 11 of the Security Policy
VendorPalo Alto Networks, Inc.

Approved Algorithms (30)

AlgorithmACVP Cert
AES-CBCA3454
AES-CFB128A3454
AES-CTRA3454
AES-GCMA3454
Conditioning Component AES-CBC-MAC SP800-90BA1791
Counter DRBGA3454
ECDSA KeyGen (FIPS186-4)A3454
ECDSA KeyVer (FIPS186-4)A3454
ECDSA SigGen (FIPS186-4)A3454
ECDSA SigVer (FIPS186-4)A3454
HMAC-SHA-1A3454
HMAC-SHA2-224A3454
HMAC-SHA2-256A3454
HMAC-SHA2-384A3454
HMAC-SHA2-512A3454
KAS-ECC-SSC Sp800-56Ar3A3454
KAS-FFC-SSC Sp800-56Ar3A3454
KDF SNMPA3454
KDF SSHA3454
RSA KeyGen (FIPS186-4)A3454
RSA SigGen (FIPS186-4)A3454
RSA SigVer (FIPS186-4)A3454
Safe Primes Key GenerationA3454
Safe Primes Key VerificationA3454
SHA-1A3454
SHA2-224A3454
SHA2-256A3454
SHA2-384A3454
SHA2-512A3454
TLS v1.2 KDF RFC7627A3454

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Panorama Virtual Appliance 11.0
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Update</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>status output<br/>self-test</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Panorama Virtual Appliance 11.0
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Update</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>status output<br/>self-test</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

Panorama Virtual Appliance 11.0 Version: 1.1 Revision Date: November 25, 2024 Palo Alto Networks, Inc. www.paloaltonetworks.com © 2024 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Page 2
Table of Contents
#SectionPage
Page 3
  1. General The Panorama Virtual Appliance 11.0 from Palo Alto Networks Inc., hereafter referred to as “Panorama VM” or the “cryptographic module” are multi-chip standalone cryptographic modules designed to fulfill FIPS 140-3 level 1 requirements. The Panorama VM provides a centralized monitoring and management of multiple Palo Alto Networks next-generation (NG) firewalls and Wildfire appliances. For purposes of this validation, the exact software version of the module tested was 11.0.4. The cryptographic module meets the overall requirements applicable to Level 1 security of FIPS 140-3. Table 1 - Security Levels ISO/IEC 24759 Section
  2. FIPS 140-3 Section Title Security Level
1 General 1
2 Cryptographic Module Specification 1
3 Cryptographic Module Interfaces 1
4 Roles, Services, and Authentication 3
5 Software/Firmware Security 1
6 Operational Environment 1
7 Physical Security N/A
8 Non-Invasive Security N/A
9 Security Parameter Management 1
10 Self-Tests 1
11 Life-Cycle Assurance 3
12 Mitigation of Other Attacks N/A

Overall Level 1

  1. Cryptographic Module Specification The tested operational environments are highlighted in Table
  2. Table 2 – Tested Operational Environments Operating System Hardware Platform Processor PAA/Acceleration VMware ESXi v7.0 Dell PowerEdge R740 Intel Gold 6248 N/A KVM on Ubuntu 20.04 Dell PowerEdge R740 Intel Gold 6248 N/A Hyper-V 2019 on Microsoft Dell PowerEdge R740 Intel Gold 6248 N/A Hyper-V Server 2019 © 2024 Palo Alto Networks, Inc. Panorama VM 11.0 Security Policy 3
Page 4

Table 3

Page 5

Non-Compliant State Failure to follow the directions in the Approved Mode of Operation above and Section 11 will result in the module operating in a non-compliant state. Selecting Panorama, Management-Only, and Log Collector System Modes The Panorama VM supports multiple configurations that provide varying services. The Cryptographic Officer can initialize the module into different System Mode. The module supports the following System Modes:

Page 6

Approved and Allowed Algorithms The cryptographic modules support the following Approved algorithms. Only the algorithms, modes, and key sizes specified in this table are used by the module. The CAVP certificate may contain more tested options than listed in this table. Table 4

128 and 256 bits

AES-GCM GCM** Encryption A3454 [SP 800-38D] Decryption Counter DRBG A3454 Counter DRBG AES 256 bits with Derivation Function Enabled Random Bit Generator [SP 800-90Arev1] ECDSA KeyGen ECDSA KeyGen Key Generation A3454 P-256, P-384, P-521 (FIPS 186-4) (FIPS 186-4) ECDSA KeyVer ECDSA KeyVer Public Key Validation A3454 P-256, P-384, P-521 (FIPS 186-4) (FIPS 186-4) ECDSA SigGen ECDSA SigGen P-256, P-384, P-521 with SHA2-224, SHA2-256, Signature Generation A3454 (FIPS 186-4) (FIPS 186-4) SHA2-384, and SHA2-512 ECDSA SigVer ECDSA SigVer P-256, P-384, P-521 with SHA-1, SHA2-224, A3454 Signature Verification (FIPS 186-4) (FIPS 186-4) SHA2-256, SHA2-384, and SHA2-512 A3454 HMAC-SHA-1 HMAC HMAC-SHA-1 with λ=96, 160 Authentication for protocols [FIPS 198-1] A3454 HMAC-SHA2-224 HMAC-SHA2-224 with λ=224 HMAC Authentication for protocols [FIPS 198-1] A3454 HMAC-SHA2-256 HMAC HMAC-SHA2-256 with λ=256 Authentication for protocols [FIPS 198-1] A3454 HMAC-SHA2-384 HMAC HMAC-SHA2-384 with λ=384 Authentication for protocols [FIPS 198-1] A3454 HMAC-SHA2-512 HMAC HMAC-SHA2-512 with λ=512 Authentication for protocols [FIPS 198-1] KAS-ECC-SSC KAS Ephemeral Unified Model: P-256/P-384/P-521 A3454 Key Exchange Sp800-56Ar3 KAS-FFC-SSC SP A3454 KAS dhEphem: MODP-2048 Key Exchange 800-56Ar3 KDF SNMP [SP Engine ID: A3454 800-135rev1] SNMPv3 KDF 80001F88043030303030 SNMPv3 (CVL) 343935323630 © 2024 Palo Alto Networks, Inc. Panorama VM 11.0 Security Policy 6

Page 7

KDF SSH [SP SHA-1, SHA2-256, A3454 800-135rev1] SSHv2 KDF SSH SHA2-512 (CVL) RSA KeyGen RSA KeyGen (FIPS Key Pair Generation A3454 2048, 3072, and 4096 bits (FIPS 186-4) 186-4) (ANSI X9.31, RSASSA-PKCS1_v1-5, RSA SigGen RSA SigGen (FIPS Signature Generation A3454 RSASSA-PSS): 2048, 3072, and 4096-bit with (FIPS 186-4) 186-4) hashes SHA2-256/384/512 (ANSI X9.31, RSASSA-PKCS1_v1-5, RSASSA-PSS): 2048, 3072, 4096-bit (per IG C.F) with hashes SHA-1 and RSA SigVer (FIPS RSA SigVer (FIPS SHA2-224+++/256/384/512 (Signature A3454 Signature Verification 186-4) 186-4) Verification) +++ This Hash algorithm is not supported for ANSI X9.31 Digital Signature Verification SHA-1 [FIPS SHA-1 A3454 SHA 180-4] Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification SHA2-224 [FIPS A3454 SHA2 SHA-224 180-4] Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification SHA2-256 [FIPS A3454 SHA2 SHA-256 180-4] Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification SHA2-384 [FIPS A3454 SHA2 SHA-384 180-4] Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification SHA2-512 [FIPS A3454 SHA2 SHA-512 180-4] Non-Digital Signature Applications (e.g. component of HMAC) Safe Primes Key Safe Primes Key A3454 Generation [RFC MODP-2048 Safe Primes Key Generation Generation 3526] Safe Primes Key Safe Primes Key A3454 Verification [RFC MODP-2048 Safe Primes Key Verification Verification 3526] TLS v1.2 KDF TLS1.2 KDF A3454 TLS v1.2 Hash Algorithm: SHA2-256, SHA2-384 TLS RFC7627 (CVL) SP 800-38A, FIPS AES Cert. 198-1, and SP A3454 and KTS [SP 800-38F. KTS (key 128, 192, and 256-bit keys providing 128, 192, or HMAC Key Wrapping 800-38F] wrapping and 256 bits of encryption strength Cert unwrapping) per IG A3454 D.G. SP 800-38D and SP AES-GCM 800-38F. KTS (key KTS [SP 128 and 256-bit keys providing 128 or 256 bits Cert. wrapping and Key Wrapping 800-38F] of encryption strength A3454 unwrapping) per IG D.G. © 2024 Palo Alto Networks, Inc. Panorama VM 11.0 Security Policy 7

Page 8

ESV Cert. SP 800-90B ESV Palo Alto Networks DRNG Entropy Source Entropy #E69 KAS-ECC-S SC Cert. SP 800-56Arev3. #A3454, KAS [SP P-256, P-384, and P-521 curves providing 128, KAS-ECC per IG D.F Key Exchange with protocol KDF KDF SSH 800-56Arev3] 192, or 256 bits of encryption strength Scenario 2 path (2). Cert. #A3454 KAS-ECC-S SC Cert. #A3454, SP 800-56Arev3. TLS v1.2 KAS [SP P-256, P-384, and P-521 curves providing 128, KAS-ECC per IG D.F Key Exchange with protocol KDF KDF 800-56Arev3] 192, or 256 bits of encryption strength Scenario 2 path (2). RFC7627 Cert. #A3454 KAS-FFC-S SC Cert. SP 800-56Arev3. #A3454, KAS [SP 2048-bit key providing 112 bits of encryption KAS-FFC per IG D.F Key Exchange with protocol KDF KDF SSH 800-56Arev3] strength Scenario 2 path (2). Cert. #A3454 KAS-FFC-S SC Cert. #A3454, SP 800-56Arev3. TLS v1.2 KAS [SP 2048-bit key providing 112 bits of encryption KAS-FFC per IG D.F Key Exchange with protocol KDF KDF 800-56Arev3] strength Scenario 2 path (2). RFC7627 Cert. #A3454 Key Generation Note: The seeds used for asymmetric Vendor CKG (SP Section 5.1, Section Cryptographic Key Generation; SP 800-133rev2 key pair generation are produced using Affirmed 800-133rev2) 5.2 and IG D.H. the unmodified/direct output of the DRBG ** The module is compliant to IG C.H: GCM is used in the context of TLS and SSH:

Page 9

In all the above cases, the nonce explicit is always generated deterministically. Also, AES GCM keys are zeroized when the module is power-cycled. For each new TLS or SSH session, a new AES GCM key is established. The module does not have any algorithms that fall under: - Non-Approved Algorithms Allowed in the Approved Mode of Operation - Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed - Non-Approved Algorithms Not Allowed in the Approved Mode of Operation The module is compliant to IG C.F: The module utilizes Approved modulus sizes 2048, 3072, and 4096 bits for RSA signatures. This functionality has been CAVP tested as noted above. The minimum number of Miller Rabin tests for each modulus size is implemented according to Table C.2 of FIPS 186-4. For modulus size 4096, the module implements the largest number of Miller-Rabin tests shown in Table C.2. RSA SigVer is CAVP tested for all three supported modulus sizes as noted above. The module does not perform FIPS 186-2 SigVer. All supported modulus sizes are CAVP testable and tested as noted above. The module does not implement RSA key transport in the Approved mode. Table 5 - Supported Protocols in the Approved Mode Supported Protocols* TLS 1.2 SSHv2 SNMPv3 *Note: These protocols have not been tested or reviewed by the CMVP or the CAVP. Cryptographic Boundary The Panorama Virtual Appliance is a software cryptographic module and requires an underlying general purpose computer (GPC) environment. The module consists of a GPC (multi-chip standalone embodiment) with the cryptographic boundary defined below. The cryptographic boundary (CB) includes all of the software components of the module, which is included in the file name in Section 11 (Panorama_pc-11.0.4) and also the configuration file that resides on the virtual machine’s virtual disk. The physical perimeter (PP) is defined by the enclosure around the host GPC on which it runs. Figure 1 depicts the boundary and illustrates the hardware components of a GPC. © 2024 Palo Alto Networks, Inc. Panorama VM 11.0 Security Policy 9

Page 10

Figure 1

Page 11

4. Roles, Services, and Authentication Roles and Services While in the Approved mode of operation, all CO and User services are accessed via SSH or TLS sessions. Approved and allowed algorithms, relevant CSPs and public keys related to these protocols are accessed to support the following services. CSP access by services is further described in the following tables. Table 7

Page 12

CO, User, Self-Test Run self-test via CLI or WebUI Output results via System Logs Unauthenticated Show Status Show status via CLI or WebUI FIPS-CC Mode Indicator CO, User System Audit View system audit records via CLI or Audit records via System Logs CO, User WebUI Monitor System Status and View system status records via CLI or System status via System Logs CO, User Logs WebUI Panorama Log Collector Setup Configuring and managing Log Confirmation of service via CO Collectors configurations via CLI or Configuration Logs. WebUI Assumption of Roles The module supports distinct operator roles. The cryptographic module in Panorama or Management-Only mode enforces the separation of roles using unique authentication credentials associated with operator accounts. The Log Collector mode only supports one role, the Crypto-Officer (CO) role. The module does not provide a maintenance role or bypass capability. Table 8 - Roles and Authentication Role Authentication Method Authentication Strength CO Password-based Minimum length is eight1 (8) characters (95 possible characters). The probability that a random attempt will succeed or a false acceptance Memorized Secret (Unique will occur is 1/(958) which is less than 1/1,000,0002. The probability of Username/password) and/or successfully authenticating to the module within one minute is Single-Factor Cryptographic 10/(958), which is less than 1/100,000. The module’s configuration Software (certificate common supports at most ten failed attempts to authenticate in a one-minute name / public key-based period. authentication) Certificate/Public key-based The security modules support public-key based authentication using RSA 2048 and certificate-based authentication using RSA 2048, RSA 3072, RSA 4096, ECDSA P-256, P-384, or P-521. Memorized Secret (Unique Username/password) and/or The minimum equivalent strength supported is 112 bits. The Single-Factor Cryptographic probability that a random attempt will succeed is 1/(2112) which is less User than 1/1,000,000. The probability of successfully authenticating to Software (certificate common name / public key-based the module within a one minute period is 10/(2112), which is less than authentication) 1/100,000. The module supports at most 10 failed attempts and locks out afterwards. Definition of CSPs Modes of Access The following table defines the relationship between access to CSPs and the different module services. The modes of access shown in the table are defined as: In FIPS-CC Mode, the module checks and enforces the minimum password length of eight (8) as specified in SP 800-63B. Passwords are securely stored hashed with salt value, with very restricted access control, and rate limiting mechanism for authentication attempts. SP 800-63B, Appendix A.4 establishes a minimum acceptable security strength of 10^6 based on the minimum acceptable random pin size of six (6) digits. © 2024 Palo Alto Networks, Inc. Panorama VM 11.0 Security Policy 12

Page 13

G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g. the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP. Note: Unless otherwise specified, all services are available in all system modes. If there is a service that is specific to a certain system mode, it is noted in the Description column. Table 9

Page 14

Perform panorama licensing, diagnostics, debug functions, manage Panorama support information and switch System System and between Panorama N/A N/A CO N/A Provisioning Configuration logs Management-only, and Logger modes. (Panorama or Management-Only Mode) Panorama Download and install Public Key for System and Software RSA SigVer (FIPS 186-4) CO W/E software updates Software Load Test Configuration logs Update CKG RSA Private Keys G/W/E RSA KeyGen (FIPS 186-4) RSA SigGen (FIPS 186-4) CKG ECDSA Private Keys G/W/E ECDSA KeyGen ( FIPS 186-4) ECDSA SigGen (FIPS 186-4) RSA SigVer (FIPS 186-4) RSA Public Keys G/R/E/W ECDSA SigVer (FIPS 186-4) ECDSA Public Keys G/R/E/W SNMPv3 Authentication W/E KDF SNMP Secret SNMPv3 Privacy Secret W/E HMAC-SHA-1 SNMPv3 Authentication G/E/Z HMAC-SHA2-224 Key HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 AES-CFB128 SNMPv3 Session Key G/E/Z RSA SigVer (FIPS 186-4) ECDSA SigVer CA Certificates G/R/E/W Presents configuration (FIPS 186-4) options for management interfaces and TLS Pre-Master Secret G/E/Z communication for peer TLS v1.2 KDF RFC7627 TLS Master Secret G/E/Z System and services (e.g., SNMP, CO Configuration logs RADIUS). CKG, TLS DHE/ECDHE Private Panorama KAS G/E/Z Import, Export, Save, Load, ECDSA KeyGen (FIPS 186-4), Components Manager Setup revert and validate ECDSA KeyVer (FIPS 186-4), TLS DHE/ECDHE Public Panorama configurations KAS-ECC-SSC, KAS-FFC-SSC, Components and state role Safe Primes Key Generation, G/E/R/W/Z Safe Primes Key Verification (Panorama or HMAC-SHA2-256 TLS HMAC Keys Management-Only Mode) G/E/Z KTS HMAC-SHA2-384 AES-CBC TLS Encryption Keys G/E/Z KTS AES-GCM TLS Encryption Keys G/E/Z KTS HMAC-SHA-1 SSH Session G/E/Z HMAC-SHA2-256 Authentication Keys HMAC-SHA2-512 AES-CBC, AES-CTR SSH Session Encryption G/E/Z Keys KTS AES-GCM KAS KDF SSH SSH DHE/ECDHE Private G/E/Z Components KAS-ECC-SSC KAS-FFC-SSC Safe Primes Key Generation, SSH DHE/ECDHE Public G/E/R/W/Z Safe Primes Key Verification Components DRBG Seed Counter DRBG, ESV DRBG Key CO G/E System Logs © 2024 Palo Alto Networks, Inc. Panorama VM 11.0 Security Policy 14

Page 15

DRBG V Entropy Input String Define access control N/A CO, User Password G/E/W methods via admin profiles, configure administrators RSA SigVer (FIPS 186-4) SSH Client Public Key W/E Manage and password profiles Panorama System and Configure local user CO Administrative Configuration logs database, authentication RSA SigVer (FIPS 186-4) Access SSH Host Public Key G/R/E/W profiles, sequence of ECDSA SigVer (FIPS 186-4) methods and access domains Configure High Availability RSA SigVer (FIPS 186-4) RSA Public Key G/R/E/W communication settings Configure High CO Configuration Logs Availability ECDSA SigVer (FIPS 186-4) ECDSA Public Key G/R/E/W (Panorama or Management-Only Mode) ECDSA SigGen (FIPS 186-4) RSA Private Keys G/R/W/E Configuration Logs RSA SigGen ECDSA Private Keys (FIPS 186-4) Manage RSA/ECDSA ECDSA SigVer Panorama certificates and private (FIPS 186-4) RSA Public Keys G/R/W/E Configuration Logs Certificate keys, certificate profiles, RSA SigVer ECDSA Public Keys CO Management revocation status, and (FIPS 186-4) usage; show status. DRBG Seed DRBG Key Counter DRBG, ESV G/E System Logs DRBG V Entropy Input String Configure log forwarding Panorama Log N/A N/A CO N/A Configuration Logs Setting (Panorama or Management-Only Mode) SNMPv3 Authentication W/E KDF SNMP Secret Configure communication SNMPv3 Privacy Secret W/E parameters and information for peer HMAC-SHA-1 SNMPv3 Authentication G/E/Z Panorama servers HMAC-SHA2-224 Key CO System Logs Server Profiles HMAC-SHA2-256 (Panorama or HMAC-SHA2-384 Management-Only Mode) HMAC-SHA2-512 AES-CFB128 SNMPv3 Session Key G/E/Z Set-up and define managed devices, device groups for firewalls Configure device deployment applications and licenses Setup Managed View current deployment Devices and information on the N/A N/A CO N/A Configuration Logs Deployment managed firewalls. It also allows you to manage software/firmware versions and schedule updates on the managed firewalls and managed log collectors. (Panorama or Management-Only Mode) Setup and manage other Log Collector management, Configure communication and storage System and Managed Log settings N/A CO, User Password CO G/E/W Configuration logs Collectors View current deployment information on the managed Log Collectors. It © 2024 Palo Alto Networks, Inc. Panorama VM 11.0 Security Policy 15

Page 16

also allows you to manage software/firmware versions and schedule updates on managed log collectors. (Panorama or Management-Only Mode) Zeroize Overwrite all CSPs N/A All keys and SSPs CO Z Zeroization Indicator Run power up self-tests on Software Integrity CO, Self-Test demand by power cycling N/A E System Logs Verification Key User the module. CO, FIPS-CC Mode Show Status View status of the module N/A N/A N/A User Indicator Allows review of limited configuration and system status via SNMPv3, logs, dashboard, show status, and configuration screens. CO, System Audit N/A N/A N/A System Logs CO Only: Provides User configuration commit capability. (Panorama or Management-Only Mode) Review system status via the panorama system CLI, Monitor dashboard and logs; show CO, System Status status. N/A N/A N/A System Logs User and Logs (Panorama or Management-Only Mode) CKG RSA Private Keys G/W/E RSA KeyGen (FIPS 186-4) RSA SigGen (FIPS 186-4) CKG ECDSA Private Keys G/W/E ECDSA KeyGen ( FIPS 186-4) ECDSA SigGen (FIPS 186-4) RSA SigVer (FIPS 186-4) RSA Public Keys G/R/E/W ECDSA SigVer (FIPS 186-4) ECDSA Public Keys G/R/E/W TLS Pre-Master Secret G/E/Z TLS v1.2 KDF RFC7627 TLS Master Secret G/E/Z Presents configuration options for management CKG, TLS DHE/ECDHE Private KAS G/E/Z interfaces and ECDSA KeyGen (FIPS 186-4), Components communication for peer ECDSA KeyVer (FIPS 186-4), TLS DHE/ECDHE Public services KAS-ECC-SSC, KAS-FFC-SSC, Components System and Panorama Log Safe Primes Key Generation, CO G/E/R/W/Z Import, Export, Save, Load, Configuration logs Collector Setup Safe Primes Key Verification revert and validate Panorama configurations HMAC-SHA2-256 TLS HMAC Keys G/E/Z and state KTS HMAC-SHA2-384 AES-CBC TLS Encryption Keys G/E/Z (Log Collector mode) KTS AES-GCM TLS Encryption Keys G/E/Z HMAC-SHA-1 SSH Session G/E/Z HMAC-SHA2-256 Authentication Keys KTS HMAC-SHA2-512 AES-CBC, AES-CTR SSH Session Encryption G/E/Z Keys KTS AES-GCM KDF SSH SSH DHE/ECDHE Private G/E/Z Components KAS KAS-ECC-SSC KAS-FFC-SSC © 2024 Palo Alto Networks, Inc. Panorama VM 11.0 Security Policy 16

Page 17

Safe Primes Key Generation, Safe Primes Key Verification DRBG Seed DRBG V Counter DRBG, ESV G/E DRBG Key Entropy Input String Note: Configuration/System Logs for Approved services above will indicate FIPS-CC mode is enabled and that the service succeeded.

  1. Software/Firmware Security The module performs the Software Integrity test by using HMAC-SHA-256 (HMAC Cert. #A3454) during the Pre-Operational Self-Test. In addition, the module also conducts a software load test by using the Public Verification Key (RSA 2048 with SHA-256, Cert. #A3454) for the new validated software to be uploaded into the module. Any software loaded into this module that is not shown on the module certificate is out of scope of this validation, and requires a separate FIPS 140-3 validation. The pre-operational self-tests can be initiated by power cycling the module. When this is performed, the module automatically runs the cryptographic algorithm self-tests in addition to the pre-operational software integrity test.
  2. Operational Environment The module is a modifiable operational environment as per FIPS 140-3 Level 1 specifications. The hypervisor environment provides an isolated operating environment and is the single operator of the virtual machine. The tested operating environments isolate virtual systems into separate isolated process spaces. Each process space is logically separated from all other processes by the operating environments software and hardware. The module functions entirely within the process space of the isolated system as managed by the single operational environment. This implicitly meets the FIPS 140-3 requirement that only one (1) entity at a time can use the cryptographic module.
  3. Physical Security The module is a software only module; FIPS 140-3 physical security requirements are not applicable.
  4. Non-Invasive Security There are currently no defined Approved non-invasive attack mitigation test metrics in SP 800-140F.
  5. Sensitive Security Parameters Management The following table details all the sensitive security parameters utilized by the module. © 2024 Palo Alto Networks, Inc. Panorama VM 11.0 Security Policy 17
Page 18

Table 10

112 - 256 ECDSA SigVer DRBG, FIPS HDD/RAM

CA Certificates Session Key N/A certificates bits (FIPS 186-4) 186-4 plaintext RAM - Zeroize Encrypted (RSA 2048, 3072, and at session

4096 bits)

Cert. #A3454 termination (ECDSA P-256, P-384, and P-521) RSA public keys managed as certificates for the verification of TLS or SSH signatures, RSA SigVer Session Key

112 - 150 DRBG, FIPS HDD/RAM

RSA Public Keys (FIPS 186-4) Encrypted or N/A bits 186-4 plaintext Service operator authentication Cert. #A3454 Plaintext and peer TLS handshake authentication. (RSA 2048, 3072, or 4096-bit) RSA Private keys for HDD

112 - 150 DRBG, FIPS HDD/RAM

RSA Private Keys (FIPS 186-4) Session Key N/A authentication or key bits 186-4 plaintext RAM - Zeroize Cert. #A3454 Encrypted establishment. at session (RSA 2048, 3072, or termination 4096-bit) ECDSA public keys managed as certificates for the verification of TLS or SSH signatures, ECDSA SigVer Session Key

128 - 256 DRBG, FIPS HDD/RAM

ECDSA Public Keys (FIPS 186-4) Encrypted or N/A bits 186-4 plaintext Service operator authentication Cert. #A3454 Plaintext and peer TLS handshake authentication. (ECDSA P-256, P-384, or P-521) HDD

128 - 256 DRBG, FIPS HDD/RAM

ECDSA Private Keys (FIPS 186-4) Session Key N/A and authentication bits 186-4 plaintext RAM - Zeroize Cert. #A3454 Encrypted (P-256, P-384, or at session P-521) termination KAS-FFC or KAS-ECC Ephemeral values used KAS-ECC-SSC DRBG, SP Zeroize at TLS DHE/ECDHE 112 - 256 in key agreement KAS-FFC-SSC 800-56A Rev. N/A N/A RAM - plaintext session Private Components bits (KAS-FFC MODP-2048, Cert. #A3454 3 termination KAS-ECC P-256, P-384, P-521) KAS-FFC or KAS-ECC Ephemeral values used KAS-ECC-SSC DRBG, SP Zeroize at TLS DHE/ECDHE Public 112 - 256 Plaintext - TLS in key agreement KAS-FFC-SSC 800-56A Rev. N/A N/A session Components bits handshake (KAS-FFC MODP-2048, Cert. #A3454 3 termination KAS-ECC P-256, P-384, P-521) Secret value used to TLS v1.2 KDF KAS SP Zeroize at derive the TLS Master TLS Pre-Master Secret N/A RFC7627 800-56A Rev. N/A N/A RAM

Page 19

AES (128 or 256 bit) AES-CBC or Zeroize at

128 or 256 TLS v1.2 KDF TLS, KAS SP keys used in TLS

TLS Encryption Keys AES-GCM N/A RAM - plaintext session bits RFC7627 800-56A Rev. 3 connections (GCM; Cert. #A3454 termination CBC) HMAC-SHA2-256 Zeroize at HMAC keys used in TLS TLS v1.2 KDF TLS, KAS SP TLS HMAC Keys 256 bits HMAC-SHA2-384 N/A RAM - plaintext session connections ( 256, 384) RFC7627 800-56A Rev. 3 Cert. #A3454 termination (256, 384 bits) KAS-FFC or KAS-ECC public component KAS-ECC-SSC DRBG, SP Zeroize at SSH DHE/ECDHE 112 - 256 (KAS-FFC MODP-2048, KAS-FFC-SSC 800-56A Rev. N/A N/A RAM - plaintext session Private Components bits KAS-ECC P-256, Cert. #A3454 3 termination KAS-ECC P-384, KAS-ECC P-521) KAS-FFC or KAS-ECC Plaintext SSH public component KAS-ECC-SSC DRBG, SP handshake Zeroize at SSH DHE/ECDHE Public 112 - 256 (KAS-FFC Group 14, KAS-FFC-SSC 800-56A Rev. N/A RAM - plaintext session Components bits KAS-ECC P-256, Cert. #A3454 3 termination KAS-ECC P-384, KAS-ECC P-521) RSA SigVer (FIPS 186-4) SSH Host Public Key

112 - 256 ECDSA SigVer DRBG, FIPS HDD/RAM

SSH Host Public Key N/A N/A bits (FIPS 186-4) 186-4 plaintext Service RSA 4096, ECDSA P-256, P-384, or P-521) Cert. #A3454 Public RSA key used to RSA SigVer

112 - 150 Encrypted via HDD/RAM

SSH Client Public Key (FIPS 186-4) N/A N/A bits SSH or TLS plaintext Service (RSA 2048, 3072, and Cert. #A3454

4096 bits)

Used in all SSH connections to the AES-CBC, Zeroize at security module’s SSH Session Encryption 128 - 256 AES-CTR, or SSH, KAS SP KDF SSH N/A RAM - plaintext session command line interface. Keys bits AES-GCM 800-56A Rev. 3 termination (128, 192, or 256 bits: Cert. #A3454 CBC or CTR) (128 or 256 bits: GCM) Authentication keys used in all SSH connections to the HMAC-SHA-1 Zeroize at security module’s SSH Session 160 - 256 HMAC-SHA2-256 SSH, KAS SP KDF SSH N/A RAM - plaintext session command line interface Authentication Keys bits HMAC-SHA2-512 800-56A Rev. 3 termination (HMAC-SHA-1, Cert. #A3454 HMAC-SHA2-256, HMAC-SHA2-512) (160, 256, 512 bits) Used to check the Software integrity HMAC-SHA2-256, integrity of verification key ECDSA SigVer

128 bits N/A N/A N/A HDD - plaintext N/A crypto-related code.

(Note: This is not considered (FIPS 186-4) (HMAC-SHA-256 and an SSP) Cert. #A3454 ECDSA P-256) Used to authenticate RSA SigVer software/firmware and Public key for software

112 bits (FIPS 186-4) N/A N/A N/A HDD - plaintext N/A content to be installed

content load test Cert. #A3454 on the module (RSA

2048 with SHA-256)

Authentication string SHA2-256 Encrypted via HDD - a password CO, User Password N/A External N/A Zeroize Service with a minimum length Cert. #A3454 SSH or TLS hash (SHA2-256) of eight (8) characters. Encrypted via HDD/RAM

Page 20

Seed length = 384 bits Cert. #A3454 CKG (vendor affirmed), Counter AES 256 CTR DRBG Entropy as DRBG state Key used in the DRBG Key 256 bits per N/A N/A RAM - plaintext Power cycle generation of a random SP 800-90B Cert. #A3454 values CKG (vendor affirmed), Counter AES 256 CTR DRBG Entropy as DRBG state V used in the DRBG V 128 bits per N/A N/A RAM - plaintext Power cycle generation of a random SP 800-90B Cert. #A3454 values SNMPv3 Authentication SNMPv3 secret used for KDF SNMP Encrypted via HDD/RAM

128 - 256 AES-CFB128 HDD/RAM - Zeroize

SNMPv3 Session Key KDF SNMP N/A N/A encryption key bits Cert. #A3454 Plaintext Service (AES-CFB128) Note: SSPs are implicitly zeroized when power is lost, or explicitly zeroized by the zeroize service. In the case of implicit zeroization, the SSPs are implicitly overwritten with random values due to their ephemeral memory being reset upon power loss. For the zeroization service and zeroization at session termination, the SSP's memory location is overwritten with random values. The module utilizes the following entropy source, which is internal to the physical perimeter of the host GPC. Table 11 - Non-Deterministic Random Number Generation Specification Entropy Source Minimum number of bits of entropy Details ESV Cert. #E69

384 bits

Palo Alto Networks DRNG Entropy Source Entropy source provides full entropy, which is provided in the 384 bit seed. 10. Self-Tests The cryptographic module performs the following tests below. The operator can command the module to perform the pre-operational and cryptographic algorithm self-tests by cycling power of the module. The pre-operational and conditional self-tests are performed automatically and do not require any additional operator action. Pre-operational Self-Tests Pre-operational Software Integrity Test

Page 21

Note: the ECDSA and HMAC-SHA-256 KATs are performed prior to the Software integrity test Conditional self-tests Cryptographic algorithm self-tests

Page 22

Table 12 - Errors and Indicators Cause of Error Error State Indicator Conditional Cryptographic Algorithm Self-Test or Software FIPS-CC mode failure. <Algorithm test> failed. Integrity Test Failure Conditional Pairwise Consistency or Critical Functions Test System log prints an error message. Failure Conditional Software Load Test Failure System prints Invalid image message.

  1. Life-cycle Assurance The vendor provided life-cycle assurance documentation describes configuration management, design, finite state model, development, testing, delivery & operation, end of life procedures, and guidance. For details regarding the approved mode of operation, see “Approved Mode of Operation''. For details regarding secure installation, initialization, startup, and operation of the module, see below. Installation Instructions The module can be retrieved by downloading Panorama_pc-11.0.4 from the support site: https://support.paloaltonetworks.com/Support/Index, and a checksum (SHA-256) is available to ensure the module is correct: Panorama_pc-11.0.4: 44bee55cff1f5c875dacf505758d0e294aa19f62b98588a3bcb11992b7d0852e Alternatively, the module version can be obtained by running the following commands via CLI (as an authorized administrator): 1. request system software check 2. request system software download version 11.0.4 3. request system software install version 11.0.4 4. request restart system Palo Alto Network provides an Administrator Guide for additional information noted in the “References” section of this Security Policy. The module design corresponds to the module security rules. Module Enforced Security Rules This section documents the security rules enforced by the cryptographic module to implement the security requirements of this FIPS 140-3 Level 1 module.
  2. The cryptographic module shall provide distinct operator roles. When the module has not been placed in a valid role, the operator shall not have access to any cryptographic services.
  3. The cryptographic module shall clear previous authentications on power cycle.
  4. The module shall support the generation of key material with the approved DRBG. The entropy provided must be greater than or equal to the strength of the key being generated. © 2024 Palo Alto Networks, Inc. Panorama VM 11.0 Security Policy 22
Page 23
  1. Data output shall be inhibited during self-tests and error states.
  2. Processes performing key generation and zeroization processes shall be logically isolated from the logical data output paths.
  3. The module does not output intermediate key generation values.
  4. Status information output from the module shall not contain CSPs or sensitive data that if misused could lead to a compromise of the module.
  5. There are no restrictions on which keys or CSPs are zeroized by the zeroization service.
  6. The module maintains separation between concurrent operators.
  7. The module does not support a maintenance interface or role.
  8. The module does not have any external input/output devices used for entry/output of data.
  9. The module does not enter or output plaintext CSPs.
  10. The cryptographic module provides identity-based authentication. Vendor Imposed Security Rules In FIPS-CC mode, the following rules shall apply:
  11. When FIPS-CC mode is enabled, the operator shall not install plugins. a. Checked via CLI using “show plugins installed”
  12. When FIPS-CC mode is enabled, the operator shall not use TACACS+. RADIUS may be used but must be protected by TLS protocol. a. Checked via CLI using “show deviceconfig” command Key to Entity The cryptographic module associates all keys (secret, private, or public) stored within, entered into or output from the module with authenticated operators of the module. Keys stored within the module are only made available to authenticated operators via TLS or SSH. Keys are only input or output from the module by the authenticated operator via a SSH or TLS protected communication. Any attempt to intervene in the key to entity relationship would require defeating the module TLS or SSH encryption and authentication/integrity mechanism.
  13. Mitigation of Other Attacks This module is not designed to mitigate other attacks outside the scope of FIPS 140-3.
  14. References [FIPS 140-3] FIPS Publication 140-3 Security Requirements for Cryptographic Modules [AGD] Panorama Administrator’s Guide Version 11.0
  15. Definitions and Acronyms AES – Advanced Encryption Standard CA – Certificate Authority CLI – Command Line Interface CO – Crypto-Officer CSP – Critical Security Parameter © 2024 Palo Alto Networks, Inc. Panorama VM 11.0 Security Policy 23
Page 24

CVL