| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 1/1/2027 |
| Caveat | Interim Validation. When installed, initialized and configured as specified in Section 11 of the Security Policy |
| Vendor | Palo Alto Networks, Inc. |
| Algorithm | ACVP Cert |
|---|---|
| AES-CBC | A3454 |
| AES-CFB128 | A3454 |
| AES-CTR | A3454 |
| AES-GCM | A3454 |
| Conditioning Component AES-CBC-MAC SP800-90B | A1791 |
| Counter DRBG | A3454 |
| ECDSA KeyGen (FIPS186-4) | A3454 |
| ECDSA KeyVer (FIPS186-4) | A3454 |
| ECDSA SigGen (FIPS186-4) | A3454 |
| ECDSA SigVer (FIPS186-4) | A3454 |
| HMAC-SHA-1 | A3454 |
| HMAC-SHA2-224 | A3454 |
| HMAC-SHA2-256 | A3454 |
| HMAC-SHA2-384 | A3454 |
| HMAC-SHA2-512 | A3454 |
| KAS-ECC-SSC Sp800-56Ar3 | A3454 |
| KAS-FFC-SSC Sp800-56Ar3 | A3454 |
| KDF SNMP | A3454 |
| KDF SSH | A3454 |
| RSA KeyGen (FIPS186-4) | A3454 |
| RSA SigGen (FIPS186-4) | A3454 |
| RSA SigVer (FIPS186-4) | A3454 |
| Safe Primes Key Generation | A3454 |
| Safe Primes Key Verification | A3454 |
| SHA-1 | A3454 |
| SHA2-224 | A3454 |
| SHA2-256 | A3454 |
| SHA2-384 | A3454 |
| SHA2-512 | A3454 |
| TLS v1.2 KDF RFC7627 | A3454 |
flowchart LR
%% Deterministic review-risk graph for Panorama Virtual Appliance 11.0
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Update</i>"]
C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>status output<br/>self-test</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>application</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Panorama Virtual Appliance 11.0
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Update</i><br/>src: text:keyword"]
C3["[low] Self-test / status surface (referenced in text)<br/><i>status output<br/>self-test</i><br/>src: text:keyword"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>application</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C3,C5,C6 clueLow;Panorama Virtual Appliance 11.0 Version: 1.1 Revision Date: November 25, 2024 Palo Alto Networks, Inc. www.paloaltonetworks.com © 2024 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
| # | Section | Page |
|---|
Overall Level 1
Table 3
Non-Compliant State Failure to follow the directions in the Approved Mode of Operation above and Section 11 will result in the module operating in a non-compliant state. Selecting Panorama, Management-Only, and Log Collector System Modes The Panorama VM supports multiple configurations that provide varying services. The Cryptographic Officer can initialize the module into different System Mode. The module supports the following System Modes:
Approved and Allowed Algorithms The cryptographic modules support the following Approved algorithms. Only the algorithms, modes, and key sizes specified in this table are used by the module. The CAVP certificate may contain more tested options than listed in this table. Table 4
AES-GCM GCM** Encryption A3454 [SP 800-38D] Decryption Counter DRBG A3454 Counter DRBG AES 256 bits with Derivation Function Enabled Random Bit Generator [SP 800-90Arev1] ECDSA KeyGen ECDSA KeyGen Key Generation A3454 P-256, P-384, P-521 (FIPS 186-4) (FIPS 186-4) ECDSA KeyVer ECDSA KeyVer Public Key Validation A3454 P-256, P-384, P-521 (FIPS 186-4) (FIPS 186-4) ECDSA SigGen ECDSA SigGen P-256, P-384, P-521 with SHA2-224, SHA2-256, Signature Generation A3454 (FIPS 186-4) (FIPS 186-4) SHA2-384, and SHA2-512 ECDSA SigVer ECDSA SigVer P-256, P-384, P-521 with SHA-1, SHA2-224, A3454 Signature Verification (FIPS 186-4) (FIPS 186-4) SHA2-256, SHA2-384, and SHA2-512 A3454 HMAC-SHA-1 HMAC HMAC-SHA-1 with λ=96, 160 Authentication for protocols [FIPS 198-1] A3454 HMAC-SHA2-224 HMAC-SHA2-224 with λ=224 HMAC Authentication for protocols [FIPS 198-1] A3454 HMAC-SHA2-256 HMAC HMAC-SHA2-256 with λ=256 Authentication for protocols [FIPS 198-1] A3454 HMAC-SHA2-384 HMAC HMAC-SHA2-384 with λ=384 Authentication for protocols [FIPS 198-1] A3454 HMAC-SHA2-512 HMAC HMAC-SHA2-512 with λ=512 Authentication for protocols [FIPS 198-1] KAS-ECC-SSC KAS Ephemeral Unified Model: P-256/P-384/P-521 A3454 Key Exchange Sp800-56Ar3 KAS-FFC-SSC SP A3454 KAS dhEphem: MODP-2048 Key Exchange 800-56Ar3 KDF SNMP [SP Engine ID: A3454 800-135rev1] SNMPv3 KDF 80001F88043030303030 SNMPv3 (CVL) 343935323630 © 2024 Palo Alto Networks, Inc. Panorama VM 11.0 Security Policy 6
KDF SSH [SP SHA-1, SHA2-256, A3454 800-135rev1] SSHv2 KDF SSH SHA2-512 (CVL) RSA KeyGen RSA KeyGen (FIPS Key Pair Generation A3454 2048, 3072, and 4096 bits (FIPS 186-4) 186-4) (ANSI X9.31, RSASSA-PKCS1_v1-5, RSA SigGen RSA SigGen (FIPS Signature Generation A3454 RSASSA-PSS): 2048, 3072, and 4096-bit with (FIPS 186-4) 186-4) hashes SHA2-256/384/512 (ANSI X9.31, RSASSA-PKCS1_v1-5, RSASSA-PSS): 2048, 3072, 4096-bit (per IG C.F) with hashes SHA-1 and RSA SigVer (FIPS RSA SigVer (FIPS SHA2-224+++/256/384/512 (Signature A3454 Signature Verification 186-4) 186-4) Verification) +++ This Hash algorithm is not supported for ANSI X9.31 Digital Signature Verification SHA-1 [FIPS SHA-1 A3454 SHA 180-4] Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification SHA2-224 [FIPS A3454 SHA2 SHA-224 180-4] Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification SHA2-256 [FIPS A3454 SHA2 SHA-256 180-4] Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification SHA2-384 [FIPS A3454 SHA2 SHA-384 180-4] Non-Digital Signature Applications (e.g. component of HMAC) Digital Signature Generation/Verification SHA2-512 [FIPS A3454 SHA2 SHA-512 180-4] Non-Digital Signature Applications (e.g. component of HMAC) Safe Primes Key Safe Primes Key A3454 Generation [RFC MODP-2048 Safe Primes Key Generation Generation 3526] Safe Primes Key Safe Primes Key A3454 Verification [RFC MODP-2048 Safe Primes Key Verification Verification 3526] TLS v1.2 KDF TLS1.2 KDF A3454 TLS v1.2 Hash Algorithm: SHA2-256, SHA2-384 TLS RFC7627 (CVL) SP 800-38A, FIPS AES Cert. 198-1, and SP A3454 and KTS [SP 800-38F. KTS (key 128, 192, and 256-bit keys providing 128, 192, or HMAC Key Wrapping 800-38F] wrapping and 256 bits of encryption strength Cert unwrapping) per IG A3454 D.G. SP 800-38D and SP AES-GCM 800-38F. KTS (key KTS [SP 128 and 256-bit keys providing 128 or 256 bits Cert. wrapping and Key Wrapping 800-38F] of encryption strength A3454 unwrapping) per IG D.G. © 2024 Palo Alto Networks, Inc. Panorama VM 11.0 Security Policy 7
ESV Cert. SP 800-90B ESV Palo Alto Networks DRNG Entropy Source Entropy #E69 KAS-ECC-S SC Cert. SP 800-56Arev3. #A3454, KAS [SP P-256, P-384, and P-521 curves providing 128, KAS-ECC per IG D.F Key Exchange with protocol KDF KDF SSH 800-56Arev3] 192, or 256 bits of encryption strength Scenario 2 path (2). Cert. #A3454 KAS-ECC-S SC Cert. #A3454, SP 800-56Arev3. TLS v1.2 KAS [SP P-256, P-384, and P-521 curves providing 128, KAS-ECC per IG D.F Key Exchange with protocol KDF KDF 800-56Arev3] 192, or 256 bits of encryption strength Scenario 2 path (2). RFC7627 Cert. #A3454 KAS-FFC-S SC Cert. SP 800-56Arev3. #A3454, KAS [SP 2048-bit key providing 112 bits of encryption KAS-FFC per IG D.F Key Exchange with protocol KDF KDF SSH 800-56Arev3] strength Scenario 2 path (2). Cert. #A3454 KAS-FFC-S SC Cert. #A3454, SP 800-56Arev3. TLS v1.2 KAS [SP 2048-bit key providing 112 bits of encryption KAS-FFC per IG D.F Key Exchange with protocol KDF KDF 800-56Arev3] strength Scenario 2 path (2). RFC7627 Cert. #A3454 Key Generation Note: The seeds used for asymmetric Vendor CKG (SP Section 5.1, Section Cryptographic Key Generation; SP 800-133rev2 key pair generation are produced using Affirmed 800-133rev2) 5.2 and IG D.H. the unmodified/direct output of the DRBG ** The module is compliant to IG C.H: GCM is used in the context of TLS and SSH:
In all the above cases, the nonce explicit is always generated deterministically. Also, AES GCM keys are zeroized when the module is power-cycled. For each new TLS or SSH session, a new AES GCM key is established. The module does not have any algorithms that fall under: - Non-Approved Algorithms Allowed in the Approved Mode of Operation - Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed - Non-Approved Algorithms Not Allowed in the Approved Mode of Operation The module is compliant to IG C.F: The module utilizes Approved modulus sizes 2048, 3072, and 4096 bits for RSA signatures. This functionality has been CAVP tested as noted above. The minimum number of Miller Rabin tests for each modulus size is implemented according to Table C.2 of FIPS 186-4. For modulus size 4096, the module implements the largest number of Miller-Rabin tests shown in Table C.2. RSA SigVer is CAVP tested for all three supported modulus sizes as noted above. The module does not perform FIPS 186-2 SigVer. All supported modulus sizes are CAVP testable and tested as noted above. The module does not implement RSA key transport in the Approved mode. Table 5 - Supported Protocols in the Approved Mode Supported Protocols* TLS 1.2 SSHv2 SNMPv3 *Note: These protocols have not been tested or reviewed by the CMVP or the CAVP. Cryptographic Boundary The Panorama Virtual Appliance is a software cryptographic module and requires an underlying general purpose computer (GPC) environment. The module consists of a GPC (multi-chip standalone embodiment) with the cryptographic boundary defined below. The cryptographic boundary (CB) includes all of the software components of the module, which is included in the file name in Section 11 (Panorama_pc-11.0.4) and also the configuration file that resides on the virtual machine’s virtual disk. The physical perimeter (PP) is defined by the enclosure around the host GPC on which it runs. Figure 1 depicts the boundary and illustrates the hardware components of a GPC. © 2024 Palo Alto Networks, Inc. Panorama VM 11.0 Security Policy 9
Figure 1
4. Roles, Services, and Authentication Roles and Services While in the Approved mode of operation, all CO and User services are accessed via SSH or TLS sessions. Approved and allowed algorithms, relevant CSPs and public keys related to these protocols are accessed to support the following services. CSP access by services is further described in the following tables. Table 7
CO, User, Self-Test Run self-test via CLI or WebUI Output results via System Logs Unauthenticated Show Status Show status via CLI or WebUI FIPS-CC Mode Indicator CO, User System Audit View system audit records via CLI or Audit records via System Logs CO, User WebUI Monitor System Status and View system status records via CLI or System status via System Logs CO, User Logs WebUI Panorama Log Collector Setup Configuring and managing Log Confirmation of service via CO Collectors configurations via CLI or Configuration Logs. WebUI Assumption of Roles The module supports distinct operator roles. The cryptographic module in Panorama or Management-Only mode enforces the separation of roles using unique authentication credentials associated with operator accounts. The Log Collector mode only supports one role, the Crypto-Officer (CO) role. The module does not provide a maintenance role or bypass capability. Table 8 - Roles and Authentication Role Authentication Method Authentication Strength CO Password-based Minimum length is eight1 (8) characters (95 possible characters). The probability that a random attempt will succeed or a false acceptance Memorized Secret (Unique will occur is 1/(958) which is less than 1/1,000,0002. The probability of Username/password) and/or successfully authenticating to the module within one minute is Single-Factor Cryptographic 10/(958), which is less than 1/100,000. The module’s configuration Software (certificate common supports at most ten failed attempts to authenticate in a one-minute name / public key-based period. authentication) Certificate/Public key-based The security modules support public-key based authentication using RSA 2048 and certificate-based authentication using RSA 2048, RSA 3072, RSA 4096, ECDSA P-256, P-384, or P-521. Memorized Secret (Unique Username/password) and/or The minimum equivalent strength supported is 112 bits. The Single-Factor Cryptographic probability that a random attempt will succeed is 1/(2112) which is less User than 1/1,000,000. The probability of successfully authenticating to Software (certificate common name / public key-based the module within a one minute period is 10/(2112), which is less than authentication) 1/100,000. The module supports at most 10 failed attempts and locks out afterwards. Definition of CSPs Modes of Access The following table defines the relationship between access to CSPs and the different module services. The modes of access shown in the table are defined as: In FIPS-CC Mode, the module checks and enforces the minimum password length of eight (8) as specified in SP 800-63B. Passwords are securely stored hashed with salt value, with very restricted access control, and rate limiting mechanism for authentication attempts. SP 800-63B, Appendix A.4 establishes a minimum acceptable security strength of 10^6 based on the minimum acceptable random pin size of six (6) digits. © 2024 Palo Alto Networks, Inc. Panorama VM 11.0 Security Policy 12
G = Generate: The module generates or derives the SSP. R = Read: The SSP is read from the module (e.g. the SSP is output). W = Write: The SSP is updated, imported, or written to the module. E = Execute: The module uses the SSP in performing a cryptographic operation. Z = Zeroise: The module zeroises the SSP. Note: Unless otherwise specified, all services are available in all system modes. If there is a service that is specific to a certain system mode, it is noted in the Description column. Table 9
Perform panorama licensing, diagnostics, debug functions, manage Panorama support information and switch System System and between Panorama N/A N/A CO N/A Provisioning Configuration logs Management-only, and Logger modes. (Panorama or Management-Only Mode) Panorama Download and install Public Key for System and Software RSA SigVer (FIPS 186-4) CO W/E software updates Software Load Test Configuration logs Update CKG RSA Private Keys G/W/E RSA KeyGen (FIPS 186-4) RSA SigGen (FIPS 186-4) CKG ECDSA Private Keys G/W/E ECDSA KeyGen ( FIPS 186-4) ECDSA SigGen (FIPS 186-4) RSA SigVer (FIPS 186-4) RSA Public Keys G/R/E/W ECDSA SigVer (FIPS 186-4) ECDSA Public Keys G/R/E/W SNMPv3 Authentication W/E KDF SNMP Secret SNMPv3 Privacy Secret W/E HMAC-SHA-1 SNMPv3 Authentication G/E/Z HMAC-SHA2-224 Key HMAC-SHA2-256 HMAC-SHA2-384 HMAC-SHA2-512 AES-CFB128 SNMPv3 Session Key G/E/Z RSA SigVer (FIPS 186-4) ECDSA SigVer CA Certificates G/R/E/W Presents configuration (FIPS 186-4) options for management interfaces and TLS Pre-Master Secret G/E/Z communication for peer TLS v1.2 KDF RFC7627 TLS Master Secret G/E/Z System and services (e.g., SNMP, CO Configuration logs RADIUS). CKG, TLS DHE/ECDHE Private Panorama KAS G/E/Z Import, Export, Save, Load, ECDSA KeyGen (FIPS 186-4), Components Manager Setup revert and validate ECDSA KeyVer (FIPS 186-4), TLS DHE/ECDHE Public Panorama configurations KAS-ECC-SSC, KAS-FFC-SSC, Components and state role Safe Primes Key Generation, G/E/R/W/Z Safe Primes Key Verification (Panorama or HMAC-SHA2-256 TLS HMAC Keys Management-Only Mode) G/E/Z KTS HMAC-SHA2-384 AES-CBC TLS Encryption Keys G/E/Z KTS AES-GCM TLS Encryption Keys G/E/Z KTS HMAC-SHA-1 SSH Session G/E/Z HMAC-SHA2-256 Authentication Keys HMAC-SHA2-512 AES-CBC, AES-CTR SSH Session Encryption G/E/Z Keys KTS AES-GCM KAS KDF SSH SSH DHE/ECDHE Private G/E/Z Components KAS-ECC-SSC KAS-FFC-SSC Safe Primes Key Generation, SSH DHE/ECDHE Public G/E/R/W/Z Safe Primes Key Verification Components DRBG Seed Counter DRBG, ESV DRBG Key CO G/E System Logs © 2024 Palo Alto Networks, Inc. Panorama VM 11.0 Security Policy 14
DRBG V Entropy Input String Define access control N/A CO, User Password G/E/W methods via admin profiles, configure administrators RSA SigVer (FIPS 186-4) SSH Client Public Key W/E Manage and password profiles Panorama System and Configure local user CO Administrative Configuration logs database, authentication RSA SigVer (FIPS 186-4) Access SSH Host Public Key G/R/E/W profiles, sequence of ECDSA SigVer (FIPS 186-4) methods and access domains Configure High Availability RSA SigVer (FIPS 186-4) RSA Public Key G/R/E/W communication settings Configure High CO Configuration Logs Availability ECDSA SigVer (FIPS 186-4) ECDSA Public Key G/R/E/W (Panorama or Management-Only Mode) ECDSA SigGen (FIPS 186-4) RSA Private Keys G/R/W/E Configuration Logs RSA SigGen ECDSA Private Keys (FIPS 186-4) Manage RSA/ECDSA ECDSA SigVer Panorama certificates and private (FIPS 186-4) RSA Public Keys G/R/W/E Configuration Logs Certificate keys, certificate profiles, RSA SigVer ECDSA Public Keys CO Management revocation status, and (FIPS 186-4) usage; show status. DRBG Seed DRBG Key Counter DRBG, ESV G/E System Logs DRBG V Entropy Input String Configure log forwarding Panorama Log N/A N/A CO N/A Configuration Logs Setting (Panorama or Management-Only Mode) SNMPv3 Authentication W/E KDF SNMP Secret Configure communication SNMPv3 Privacy Secret W/E parameters and information for peer HMAC-SHA-1 SNMPv3 Authentication G/E/Z Panorama servers HMAC-SHA2-224 Key CO System Logs Server Profiles HMAC-SHA2-256 (Panorama or HMAC-SHA2-384 Management-Only Mode) HMAC-SHA2-512 AES-CFB128 SNMPv3 Session Key G/E/Z Set-up and define managed devices, device groups for firewalls Configure device deployment applications and licenses Setup Managed View current deployment Devices and information on the N/A N/A CO N/A Configuration Logs Deployment managed firewalls. It also allows you to manage software/firmware versions and schedule updates on the managed firewalls and managed log collectors. (Panorama or Management-Only Mode) Setup and manage other Log Collector management, Configure communication and storage System and Managed Log settings N/A CO, User Password CO G/E/W Configuration logs Collectors View current deployment information on the managed Log Collectors. It © 2024 Palo Alto Networks, Inc. Panorama VM 11.0 Security Policy 15
also allows you to manage software/firmware versions and schedule updates on managed log collectors. (Panorama or Management-Only Mode) Zeroize Overwrite all CSPs N/A All keys and SSPs CO Z Zeroization Indicator Run power up self-tests on Software Integrity CO, Self-Test demand by power cycling N/A E System Logs Verification Key User the module. CO, FIPS-CC Mode Show Status View status of the module N/A N/A N/A User Indicator Allows review of limited configuration and system status via SNMPv3, logs, dashboard, show status, and configuration screens. CO, System Audit N/A N/A N/A System Logs CO Only: Provides User configuration commit capability. (Panorama or Management-Only Mode) Review system status via the panorama system CLI, Monitor dashboard and logs; show CO, System Status status. N/A N/A N/A System Logs User and Logs (Panorama or Management-Only Mode) CKG RSA Private Keys G/W/E RSA KeyGen (FIPS 186-4) RSA SigGen (FIPS 186-4) CKG ECDSA Private Keys G/W/E ECDSA KeyGen ( FIPS 186-4) ECDSA SigGen (FIPS 186-4) RSA SigVer (FIPS 186-4) RSA Public Keys G/R/E/W ECDSA SigVer (FIPS 186-4) ECDSA Public Keys G/R/E/W TLS Pre-Master Secret G/E/Z TLS v1.2 KDF RFC7627 TLS Master Secret G/E/Z Presents configuration options for management CKG, TLS DHE/ECDHE Private KAS G/E/Z interfaces and ECDSA KeyGen (FIPS 186-4), Components communication for peer ECDSA KeyVer (FIPS 186-4), TLS DHE/ECDHE Public services KAS-ECC-SSC, KAS-FFC-SSC, Components System and Panorama Log Safe Primes Key Generation, CO G/E/R/W/Z Import, Export, Save, Load, Configuration logs Collector Setup Safe Primes Key Verification revert and validate Panorama configurations HMAC-SHA2-256 TLS HMAC Keys G/E/Z and state KTS HMAC-SHA2-384 AES-CBC TLS Encryption Keys G/E/Z (Log Collector mode) KTS AES-GCM TLS Encryption Keys G/E/Z HMAC-SHA-1 SSH Session G/E/Z HMAC-SHA2-256 Authentication Keys KTS HMAC-SHA2-512 AES-CBC, AES-CTR SSH Session Encryption G/E/Z Keys KTS AES-GCM KDF SSH SSH DHE/ECDHE Private G/E/Z Components KAS KAS-ECC-SSC KAS-FFC-SSC © 2024 Palo Alto Networks, Inc. Panorama VM 11.0 Security Policy 16
Safe Primes Key Generation, Safe Primes Key Verification DRBG Seed DRBG V Counter DRBG, ESV G/E DRBG Key Entropy Input String Note: Configuration/System Logs for Approved services above will indicate FIPS-CC mode is enabled and that the service succeeded.
Table 10
112 - 256 ECDSA SigVer DRBG, FIPS HDD/RAM
CA Certificates Session Key N/A certificates bits (FIPS 186-4) 186-4 plaintext RAM - Zeroize Encrypted (RSA 2048, 3072, and at session
Cert. #A3454 termination (ECDSA P-256, P-384, and P-521) RSA public keys managed as certificates for the verification of TLS or SSH signatures, RSA SigVer Session Key
112 - 150 DRBG, FIPS HDD/RAM
RSA Public Keys (FIPS 186-4) Encrypted or N/A bits 186-4 plaintext Service operator authentication Cert. #A3454 Plaintext and peer TLS handshake authentication. (RSA 2048, 3072, or 4096-bit) RSA Private keys for HDD
112 - 150 DRBG, FIPS HDD/RAM
RSA Private Keys (FIPS 186-4) Session Key N/A authentication or key bits 186-4 plaintext RAM - Zeroize Cert. #A3454 Encrypted establishment. at session (RSA 2048, 3072, or termination 4096-bit) ECDSA public keys managed as certificates for the verification of TLS or SSH signatures, ECDSA SigVer Session Key
128 - 256 DRBG, FIPS HDD/RAM
ECDSA Public Keys (FIPS 186-4) Encrypted or N/A bits 186-4 plaintext Service operator authentication Cert. #A3454 Plaintext and peer TLS handshake authentication. (ECDSA P-256, P-384, or P-521) HDD
128 - 256 DRBG, FIPS HDD/RAM
ECDSA Private Keys (FIPS 186-4) Session Key N/A and authentication bits 186-4 plaintext RAM - Zeroize Cert. #A3454 Encrypted (P-256, P-384, or at session P-521) termination KAS-FFC or KAS-ECC Ephemeral values used KAS-ECC-SSC DRBG, SP Zeroize at TLS DHE/ECDHE 112 - 256 in key agreement KAS-FFC-SSC 800-56A Rev. N/A N/A RAM - plaintext session Private Components bits (KAS-FFC MODP-2048, Cert. #A3454 3 termination KAS-ECC P-256, P-384, P-521) KAS-FFC or KAS-ECC Ephemeral values used KAS-ECC-SSC DRBG, SP Zeroize at TLS DHE/ECDHE Public 112 - 256 Plaintext - TLS in key agreement KAS-FFC-SSC 800-56A Rev. N/A N/A session Components bits handshake (KAS-FFC MODP-2048, Cert. #A3454 3 termination KAS-ECC P-256, P-384, P-521) Secret value used to TLS v1.2 KDF KAS SP Zeroize at derive the TLS Master TLS Pre-Master Secret N/A RFC7627 800-56A Rev. N/A N/A RAM
AES (128 or 256 bit) AES-CBC or Zeroize at
128 or 256 TLS v1.2 KDF TLS, KAS SP keys used in TLS
TLS Encryption Keys AES-GCM N/A RAM - plaintext session bits RFC7627 800-56A Rev. 3 connections (GCM; Cert. #A3454 termination CBC) HMAC-SHA2-256 Zeroize at HMAC keys used in TLS TLS v1.2 KDF TLS, KAS SP TLS HMAC Keys 256 bits HMAC-SHA2-384 N/A RAM - plaintext session connections ( 256, 384) RFC7627 800-56A Rev. 3 Cert. #A3454 termination (256, 384 bits) KAS-FFC or KAS-ECC public component KAS-ECC-SSC DRBG, SP Zeroize at SSH DHE/ECDHE 112 - 256 (KAS-FFC MODP-2048, KAS-FFC-SSC 800-56A Rev. N/A N/A RAM - plaintext session Private Components bits KAS-ECC P-256, Cert. #A3454 3 termination KAS-ECC P-384, KAS-ECC P-521) KAS-FFC or KAS-ECC Plaintext SSH public component KAS-ECC-SSC DRBG, SP handshake Zeroize at SSH DHE/ECDHE Public 112 - 256 (KAS-FFC Group 14, KAS-FFC-SSC 800-56A Rev. N/A RAM - plaintext session Components bits KAS-ECC P-256, Cert. #A3454 3 termination KAS-ECC P-384, KAS-ECC P-521) RSA SigVer (FIPS 186-4) SSH Host Public Key
112 - 256 ECDSA SigVer DRBG, FIPS HDD/RAM
SSH Host Public Key N/A N/A bits (FIPS 186-4) 186-4 plaintext Service RSA 4096, ECDSA P-256, P-384, or P-521) Cert. #A3454 Public RSA key used to RSA SigVer
112 - 150 Encrypted via HDD/RAM
SSH Client Public Key (FIPS 186-4) N/A N/A bits SSH or TLS plaintext Service (RSA 2048, 3072, and Cert. #A3454
Used in all SSH connections to the AES-CBC, Zeroize at security module’s SSH Session Encryption 128 - 256 AES-CTR, or SSH, KAS SP KDF SSH N/A RAM - plaintext session command line interface. Keys bits AES-GCM 800-56A Rev. 3 termination (128, 192, or 256 bits: Cert. #A3454 CBC or CTR) (128 or 256 bits: GCM) Authentication keys used in all SSH connections to the HMAC-SHA-1 Zeroize at security module’s SSH Session 160 - 256 HMAC-SHA2-256 SSH, KAS SP KDF SSH N/A RAM - plaintext session command line interface Authentication Keys bits HMAC-SHA2-512 800-56A Rev. 3 termination (HMAC-SHA-1, Cert. #A3454 HMAC-SHA2-256, HMAC-SHA2-512) (160, 256, 512 bits) Used to check the Software integrity HMAC-SHA2-256, integrity of verification key ECDSA SigVer
128 bits N/A N/A N/A HDD - plaintext N/A crypto-related code.
(Note: This is not considered (FIPS 186-4) (HMAC-SHA-256 and an SSP) Cert. #A3454 ECDSA P-256) Used to authenticate RSA SigVer software/firmware and Public key for software
112 bits (FIPS 186-4) N/A N/A N/A HDD - plaintext N/A content to be installed
content load test Cert. #A3454 on the module (RSA
Authentication string SHA2-256 Encrypted via HDD - a password CO, User Password N/A External N/A Zeroize Service with a minimum length Cert. #A3454 SSH or TLS hash (SHA2-256) of eight (8) characters. Encrypted via HDD/RAM
Seed length = 384 bits Cert. #A3454 CKG (vendor affirmed), Counter AES 256 CTR DRBG Entropy as DRBG state Key used in the DRBG Key 256 bits per N/A N/A RAM - plaintext Power cycle generation of a random SP 800-90B Cert. #A3454 values CKG (vendor affirmed), Counter AES 256 CTR DRBG Entropy as DRBG state V used in the DRBG V 128 bits per N/A N/A RAM - plaintext Power cycle generation of a random SP 800-90B Cert. #A3454 values SNMPv3 Authentication SNMPv3 secret used for KDF SNMP Encrypted via HDD/RAM
128 - 256 AES-CFB128 HDD/RAM - Zeroize
SNMPv3 Session Key KDF SNMP N/A N/A encryption key bits Cert. #A3454 Plaintext Service (AES-CFB128) Note: SSPs are implicitly zeroized when power is lost, or explicitly zeroized by the zeroize service. In the case of implicit zeroization, the SSPs are implicitly overwritten with random values due to their ephemeral memory being reset upon power loss. For the zeroization service and zeroization at session termination, the SSP's memory location is overwritten with random values. The module utilizes the following entropy source, which is internal to the physical perimeter of the host GPC. Table 11 - Non-Deterministic Random Number Generation Specification Entropy Source Minimum number of bits of entropy Details ESV Cert. #E69
Palo Alto Networks DRNG Entropy Source Entropy source provides full entropy, which is provided in the 384 bit seed. 10. Self-Tests The cryptographic module performs the following tests below. The operator can command the module to perform the pre-operational and cryptographic algorithm self-tests by cycling power of the module. The pre-operational and conditional self-tests are performed automatically and do not require any additional operator action. Pre-operational Self-Tests Pre-operational Software Integrity Test
Note: the ECDSA and HMAC-SHA-256 KATs are performed prior to the Software integrity test Conditional self-tests Cryptographic algorithm self-tests
Table 12 - Errors and Indicators Cause of Error Error State Indicator Conditional Cryptographic Algorithm Self-Test or Software FIPS-CC mode failure. <Algorithm test> failed. Integrity Test Failure Conditional Pairwise Consistency or Critical Functions Test System log prints an error message. Failure Conditional Software Load Test Failure System prints Invalid image message.
CVL