All modules
CMVP Validated Module · FIPS 140-3 Security Policy

SonicWall NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700

Certificate#4995StandardFIPS 140-3Level2TypeHardwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorSonicWall, Inc.
Low review priority  ·  no TCB surface named  ·  last validated 16 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level2
Module typeHardware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date3/30/2027
CaveatInterim validation. When operated in approved mode
VendorSonicWall, Inc.

Approved Algorithms (27)

AlgorithmACVP Cert
AES-CBCA6598
AES-GCMA6598
Conditioning Component AES-CBC-MAC SP800-90BA2138
ECDSA KeyGen (FIPS186-5)A6598
ECDSA KeyVer (FIPS186-5)A6598
ECDSA SigGen (FIPS186-5)A6598
ECDSA SigVer (FIPS186-5)A6598
Hash DRBGA6598
HMAC-SHA-1A6598
HMAC-SHA2-256A6598
HMAC-SHA2-384A6598
HMAC-SHA2-512A6598
KAS-ECC-SSC Sp800-56Ar3A6598
KAS-FFC-SSC Sp800-56Ar3A6598
KDF IKEv1A6598
KDF IKEv2A6598
RSA KeyGen (FIPS186-5)A6598
RSA SigGen (FIPS186-5)A6598
RSA SigVer (FIPS186-5)A6598
Safe Primes Key GenerationA6598
Safe Primes Key VerificationA6598
SHA-1A6598
SHA2-256A6598
SHA2-384A6598
SHA2-512A6598
TLS v1.2 KDF RFC7627A6598
TLS v1.3 KDFA6598

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for SonicWall NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>upgrade<br/>Update</i>"]
    C3["[low] Self-test / status surface<br/>(referenced in text)<br/><i>Status Output<br/>Show Status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>bootloader<br/>application</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Possible only, some<br/>services may process input<br/>before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for SonicWall NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>upgrade<br/>Update</i><br/>src: text:keyword"]
    C3["[low] Self-test / status surface (referenced in text)<br/><i>Status Output<br/>Show Status</i><br/>src: text:keyword"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>IKEV</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>bootloader<br/>application</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C3,C5,C6 clueLow;

Security Policy, page by page

Page 1

SonicWall, Inc. SonicWall NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700 Firmware Version: SonicOS/X 7.0.1 Date: March 18th, 2025 Prepared for: Prepared by: SonicWall, Inc. Acumen Security, LLC.

1033 McCarthy Boulevard 2400 Research Blvd.

Suite 395 Milpitas, CA 95035 Rockville, MD 20850 United States of America United States of America Phone: Phone: +1 703 375 9820 www.sonicwall.com www.acumensecurity.net Public Material

Page 2

Introduction Federal Information Processing Standards Publication 140-3

Page 3
Table of Contents
#SectionPage
Page 4

List of Figures Figure 10. Tamper-evident seal placements for NSa 4700/5700/6700 and NSsp 10700/11700/13700 ... 35 Public Material

Page 5

1. General This document describes the cryptographic module security policy for the SonicWall, Inc. SonicWALL NSa 4700, Nsa 5700, NSa 6700, NSsp 10700, NSsp 11700 and NSsp 13700 models (FW version: SonicOS/X 7.0.1) cryptographic module (also referred to as the “module” hereafter). It contains the specification of the security rules, under which the cryptographic module operates, including the security rules derived from the requirements of the FIPS 140-3 standard. The Module, a hardware cryptographic module, meets the overall security level 2 requirements. The following table lists the level of validation for each area in FIPS 140-3: ISO/IEC 24759 FIPS 140-3 Section Title Security Level Section 6. [Number Below]

1 General 2

2 Cryptographic module specification 2

3 Cryptographic module interfaces 2

4 Roles, services, and authentication 3

5 Software/Firmware security 2

6 Operational environment N/A

7 Physical security 2

8 Non-invasive security N/A

9 Sensitive security parameter management 2

10 Self-tests 2

11 Life-cycle assurance 2

12 Mitigation of other attacks 2

Table 1 - Security Levels Public Material

Page 6
  1. Cryptographic Module Specification The module is an Internet security appliance, which provides stateful packet filtering firewall, deep packet inspection, virtual private network (VPN), and traffic shaping services. The module is intended for use by US Federal agencies and other markets that require FIPS 140-3 validated cryptographic modules. The appliance Encryption technology uses Suite B algorithms. Suite B algorithms are approved by the U.S. government for protecting both Unclassified and Classified data. Module Description and Cryptographic Boundary The cryptographic module is defined as a multi-chip standalone hardware module. The cryptographic boundary of the module is the surfaces and edges of the device enclosure, inclusive of the physical ports. The physical form of the Module is depicted below. Figure
  2. Front view of the NSa 4700 Figure
  3. Front view of the NSa 5700 Figure
  4. Rear view of the NSa 4700/NSa 5700 Figure
  5. Front view of the NSa 6700 Public Material – May be reproduced only in its original entirety (without revision).
Page 7

Figure

  1. Rear view of the NSa 6700 Figure
  2. Front view of the NSsp 10700 Figure
  3. Front View of the NSsp 11700 Figure
  4. Front View of the NSsp 13700 Figure
  5. Rear View of the NSsp 10700/NSsp 11700/NSsp 13700 Public Material – May be reproduced only in its original entirety (without revision).
Page 8

The cryptographic module tested configurations can be found in the table below: Model Hardware Firmware Version Distinguishing Features [Part Number and Version] NSa 4700 101-500668-55 (Rev A) SonicOS/X 7.0.1 Optional add in 1TB storage and redundant power supply, field replacement power supply and fan modules Nsa 5700 101-500667-52 (Rev A) SonicOS/X 7.0.1 Optional add in 1TB storage and redundant power supply, field replacement power supply and fan modules NSa 6700 101-500685-55 (Rev A) SonicOS/X 7.0.1 Optional add in 1TB storage and redundant power supply, field replacement power supply and fan modules NSsp 10700 101-500684-51 (Rev B) SonicOS/X 7.0.1 Field replacement power supply and fan modules NSsp 11700 101-500683-51 (Rev B) SonicOS/X 7.0.1 Field replacement power supply and fan modules NSsp 13700 101-500647-54 (Rev B) SonicOS/X 7.0.1 Field replacement power supply and fan modules Table 2 - Cryptographic Module Tested Configuration Public Material

Page 9

Cryptographic Algorithms The Module implements the Approved and Non-Approved but Allowed cryptographic functions listed in the tables below. CAVP Cert Algorithm and Mode/Method Description / Key Use / Function Standard Size(s) / Key Strength(s) AES FIPS 197 Key Sizes: 128, 192, A6598 CBC Encrypt, Decrypt SP800-38A 256 AES Authenticated FIPS 197 Key Sizes: 128, 192, Encrypt, A6598 SP800-38D GCM [38D]1 256 Authenticated Tag Len: 128 Decrypt, Message Authentication A2138 AES Conditioning Conditioning Key Size: 128 FIPS 197 Component CBC- component used Payload Length: 128 SP800-90B MAC in Entropy Source The module’s AES-GCM implementation conforms to IG C.H scenario #1 following RFC 5288 for TLS. The module is compatible with TLSv1.2 (RFC 7627) and provides support for the acceptable GCM cipher suites from Section 3.3.1 of SP 800-52 Rev1 or SP 800-52 Rev2. The counter portion of the IV is set by the module within its cryptographic boundary. The construction of the 64-bit nonce_explicit part of the IV is deterministic via a monotonically increasing counter. When the IV exhausts the maximum number of possible values for a given session key, the first party, client or server, to encounter this condition will trigger a handshake to establish a new encryption key. In case the module’s power is lost and then restored, a new key for use with the AES GCM encryption/decryption shall be established. The module’s AES GCM implementation also conforms to IG C.H Scenario #5 following RFC 8446 for TLS 1.3 and provides support for the acceptable GCM cipher suites from Section B.4 of RFC 8446 and confirms that the IV is generated and used within the protocol’s implementation. Public Material

Page 10

CAVP Cert Algorithm and Mode/Method Description / Key Use / Function Standard Size(s) / Key Strength(s) Vendor CKG Affirmed NIST SP 800133rev2 Section 4 Key Generation N/A CVL KDF TLS v1.3 A6598 RFC 8446 (as per Section 7.1 of SHA2-256, SHA2- Key Derivation RFC 8446) 384 CVL IKEv1 A6598 NIST SP 800- SHA2-256, SHA2- Key Derivation Digital Signature and 135rev1 384, SHA2-512 PSK CVL IKEv2 SHA2-256, SHA2A6598 NIST SP 800- Key Derivation DH 224-521 bits 384, SHA2-512 135rev1 CVL SHA2-256, SHA2A6598 NIST SP 800- TLS v1.2 (RFC 7627) Key Derivation 384, SHA2-512 135rev1 P-224, P-256, P-384, A6598 ECDSA (FIPS186-5) SigGen Signature P-521 Generation A6598 ECDSA (FIPS186-5) SigVer P-256, P-384, P-521 Signature Verification Deterministic A6598 DRBG Mode: SHA2-256 Random Bit SP800-90Arev1 Hash DRBG Entropy Input: 256 Generation Nonce: 128 Public Material

Page 11

CAVP Cert Algorithm and Mode/Method Description / Key Use / Function Standard Size(s) / Key Strength(s) A6598 ECDSA P-224, P-256, P-384, Key Pair KeyGen FIPS PUB 186-5 P-521 Generation A6598 ECDSA P-224, P-256, P-384, Key Pair KeyVer FIPS PUB 186-5 P-521 Validation MAC: 32-160 Message HMAC Increment 8 Authentication, A6598 FIPS PUB 198-1 HMAC-SHA-1 Key Length: 8- KDF Primitive

524288 Increment 8

MAC: 32-256 A6598 HMAC Increment 8 FIPS PUB 198-1 HMAC-SHA-256 Key Length: 8-

524288 Increment 8

MAC: 32-384 A6598 HMAC Increment 8 FIPS PUB 198-1 HMAC-SHA-384 Key Length: 8-

524288 Increment 8

MAC: 32-512 A6598 HMAC Increment 8 FIPS PUB 198-1 HMAC-SHA-512 Key Length: 8-

524288 Increment 8

Domain Parameter KAS-FFC-SSC (SP 800- Generation 56Arev3 Shared Methods: FB, FC, A6598 KAS-1 Secret Computation, ffdhe2048, MODP- Key Agreement [IG D.F] Per Scenario 2 of IG 2048; provides 112 D.F) bits of encryption strength Domain Parameter KAS-ECC-SSC (SP 800- Generation 56Arev3 Shared Methods: P-256, PA6598 KAS-2 Secret Computation, 384, P-521; provides Key Agreement [IG D.F] Per Scenario 2 of IG between 128 and D.F) 256 bits of encryption strength Public Material

Page 12

CAVP Cert Algorithm and Mode/Method Description / Key Use / Function Standard Size(s) / Key Strength(s) AES-CBC (Key Sizes: Key Transport/ A6598 KTS-1 AES-CBC with HMAC- 128, 256); HMAC- Authentication [IG D.G] SHA-1 SHA-1; provides 128 (TLS 1.2) or 256 bits of encryption strength AES-CBC (Key Sizes: Key Transport/ A6598 KTS-2 AES-CBC with HMAC- 128, 256); HMAC- Authentication [IG D.G] SHA2-256 SHA2-256; provides (TLS 1.2)

128 or 256 bits of

encryption strength AES-GCM (Key Sizes: Key Transport A6598 KTS-3 AES-GCM 128, 256); provides (TLS 1.3) [IG D.G] 128 or 256 bits of encryption strength A6598 RSA KeyGen Mod: 2048, 3072, Key Generation (FIPS 186-5) 4096 A6598 RSA Mod: 2048, 3072, Signature SigGen: PKCS 1.5 (FIPS 186-5) 4096 Generation A6598 RSA Mod: 2048, 3072, Signature SigVer: PKCS 1.5 (FIPS 186-5) 4096 Verification Safe Prime Groups: NIST SP 800-56A, A6598 Safe Primes ffdhe2048, MODP- Key Generation Rev3 2048 Safe Prime Groups: NIST SP 800-56A, A6598 Safe Primes ffdhe2048, MODP- Key Verification Rev3 2048 SHA-1 Message Length: 0- Message Digest A6598 SHS SHA-256 65536 Increment 8 Generation FIPS PUB 180-4 SHA-384 SHA-512 Intel entropy source For seeding DRBG N/A SP 800-90B N/A is used and meets SP800-90B and IG D.K compliance Table 3

Page 13

Algorithm Caveat Use / Function DSA Allowed per I.G. C.K resolution #3. Used as part of SP 800-56Ar3 key (PQGGen and KeyGen tests agreement performed) Table 4

Page 14

Protocol2 Key Exchange Auth Cipher Integrity IKEv1 DH Group 14, 19, 20, 21 RSA and ECDSA AES CBC HMAC-SHA-256-128 digital signature 128/192/256 HMAC-SHA-384-192 HMAC-SHA-512-256 IKEv2 DH Group 14, 19, 20, 21 RSA and ECDSA AES CBC HMAC-SHA-256-128 Digital Signature 128/192/256 HMAC-SHA-384-192 HMAC-SHA-512-256 Shared Key Message Integrity Code IPsec ESP IKEv1 or IKEv2 with optional: IKEv1, AES CBC HMAC-SHA-256-128 Diffie-Hellman (L=2048, IKEv2 128/192/256 HMAC-SHA-384-192 N=224, 256) HMAC-SHA-512-256 EC Diffie-Hellman P-256, P-

384 and P-521

TLS 1.2 TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS 1.3 TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 Table 6 - Security Relevant Protocols Used in Approved Mode Modes of Operation Approved Mode of Operation The Approved mode configuration can be determined by the operator, by checking the state of the “Approved Mode” checkbox on the System/Settings page over the web interface or issuing “show fips” command over the console. When the “Approved mode” checkbox is selected, the module executes a compliance checking procedure, examining all settings related to the security rules described below. The operator is responsible for appropriately updating these settings during setup and will be prompted by the compliance tool if a setting has been modified taking the module out of compliance. The “Approved mode” checkbox and corresponding system flag (“fips”), which can be queried over the console, will not be set unless all settings are compliant. The “Approved mode” checkbox and fips system flag are indicators that the module is running in the Approved mode of operation. No parts of the TLS or IKE protocols, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP. Public Material

Page 15

The module is not configured to operate in Approved mode by default. The following steps shall be taken during set-up of the module to enable Approved mode of operation:

  1. The default Administrator and User passwords shall be immediately changed and be at least eight (8) characters.
  2. The RADIUS/TACACS+ shared secrets shall be at least eight (8) characters.
  3. Traffic between the module and the RADIUS/TACACS+ server shall be secured via an IPsec tunnel. *Note: This step only needs to be performed if RADIUS or TACACS+ is supported. • LDAP cannot be enabled in Approved mode without being protected by TLS • LDAP cannot be enabled in Approved mode without selecting 'Require valid certificate from server' • LDAP cannot be enabled in Approved mode without valid local certificate for TLS
  4. IKE shall be configured with 3rd Party Certificates or Preshared key for IPsec Keying Mode when creating VPN tunnels. o RSA Certificates lengths shall be 2048-bit or greater in size. o ECDSA Certificates curves shall be P-256, P-384 or P-521 only. or o Preshared key lengths shall be no less than 8 characters.
  5. When creating VPN tunnels, ESP shall be enabled for IPSec.
  6. Approved algorithms shall be used for encryption and authentication when creating VPN tunnels.
  7. Group 14, 19, 20 or 21 shall be used for IKE Phase 1 DH Group. SHA-256 and higher shall be used for Authentication 8. “Advanced Routing Services” shall not be enabled. 9. “Group VPN management” shall not be enabled.
  8. SNMP or SSH shall not be enabled.
  9. The “SonicWALL Read-Only Admins,” group, satisfies neither the Cryptographic Officer nor the User Role and shall not be used in the Approved mode operation. Note: Once the Approved mode of operation is enabled, SonicOSX enforces all of the above items. (Operators will not be allowed to change these features while in Approved mode of operation.) Additionally: The operator shall not enable the following : • USB interface(s) • Wireless interface • 802.11i wireless security Public Material – May be reproduced only in its original entirety (without revision).
Page 16

Non-Approved Mode of Operation The Cryptographic Module provides the same set of services in the non-Approved mode as in the Approved mode but allows the following additional administration options and non-approved services which are not used in the Approved mode of operation. The following services shall be disabled before placing the module in Approved mode. The module does not transition to Approved mode until the following services are disabled. • AAA server authentication (the Approved mode requires operation of RADIUS or TACACS+ only within a secure VPN tunnel) • SSH • SNMP Security Rules and Guidance This section documents the security rules for the secure operation of the cryptographic module to implement the security requirements of FIPS 140-3.

  1. The module provides two distinct operator roles: User and Crypto Officer.
  2. The module provides identity-based authentication for the Crypto Officer and for the User.
  3. The module clears previous authentications on power cycle.
  4. An operator does not have access to any cryptographic services prior to assuming an authorized role.
  5. The module allows the operator to initiate the pre-operational or conditional self-tests on demand for periodic testing of the module by power cycling or resetting the module.
  6. Self-tests do not require any operator action.
  7. Data output is inhibited during, pre-operational self-tests, zeroization, and error states.
  8. Status information does not contain SSPs or sensitive data that if misused could lead to a compromise of the module.
  9. There are no restrictions on which keys or SSPs are zeroized by the zeroization service.
  10. The module does not support a maintenance interface or role.
  11. The module does not support manual key entry.
  12. The module does not have any proprietary external input/output devices used for entry/output of data.
  13. The module does not enter or output plaintext SSPs.
  14. The module does not output intermediate key values.
  15. The module does not support a bypass capability.
  16. Firmware upgraded in the non-approved mode cannot be used in the approved mode. (The module enforces the deletion of any firmware upgrade before the approved mode can be entered.) Public Material – May be reproduced only in its original entirety (without revision).
Page 17

Applicable Implementation Guidance 2.4.B Tracking the Component Validation List The key derivation functions for IKEv1, IKEv2, TLS v1.2 RFC7627, and TLS v1.3 are only used in the context of their respective protocols. C.B Validation Testing of Hash Algorithms and Higher Cryptographic Algorithm Using Hash Algorithms Every approved hash algorithm implementation has been CAVP tested as shown in Table

  1. C.F RSA Approved Parameter Sizes in FIPS 186-5 The RSA modulus lengths supported by the module for RSA signature generation are 2048, 3072, and 4096 bits. CAVP testing was performed for the implemented RSA signature algorithm implementation. For FIPS 186-5 signature verification, the module supports the allowed mod sizes of 2048, 3072, 4096. The MillerRabin testing rounds are consistent with Table B.1 of FIPS 186-5. C.H Key/IV Pair Uniqueness Requirements from SP 800-38D Please see Footnote #1. D.C References to the Support of Industry Protocols The KDFs implemented are those described in SP 800-135rev1. (IKEv1, IKEv2, TLS v1.2 RFC7627, and TLS v1.3). All implemented KDFs have been CAVP tested under Cert. #A6598. No parts of the protocols, other than the approved cryptographic algorithms and the KDFs, have been tested by the CAVP and CMVP. D.H Requirements for Vendor Affirmation to SP 800-133r2 The relevant sections of SP 800-133r2 are Section
  2. Self-Initiated Cryptographic Output The module implements a self-initiated cryptographic output capability for IPSec VPN. As part of enabling the service, the Crypto Officer shall configure the IPSec VPN client policy and enable it. Following this, the Crypto Officer shall turn on the "Enable Keep Alive" switch under the "Advanced" tab in the VPN Policy settings. Public Material – May be reproduced only in its original entirety (without revision).
Page 18
  1. Cryptographic Module Interfaces The module’s ports and associated FIPS 140-3 defined logical interface categories are listed in the tables in this section: Physical Port Logical Interface3 Data that passes over port/interface MGMT Port Data Input, Unit administration data Data Output, Status Output and Control Input Status LEDs Status Output Status Serial Console Port Status Output and Unit administration data Control Input Ethernet Ports Data Input, Network connection data Data Output, Status Output and Control Input (via the external GUI Administration interface) Safe Mode Control Input Used to manually reset (bootloader)/Reset the appliance Button Power Interface N/A N/A Table 7 – Ports and Interfaces
  2. Roles, Services, and Authentication Assumption of Roles The cryptographic module provides the roles of Crypto Officer and User. The cryptographic module does not provide a Maintenance role. The built-in “Administrator” is a member of “SonicWALL Administrators” group on the module, and the name used to login may be configured by the Cryptographic Officer role; the default username for the “Administrator” is “admin”. The User role is authenticated using the credentials of a member of the “Limited Administrators” group. The configuration settings required to enable the Approved mode of operation is specified in Section
  3. The built-in administrator for which the default username is “admin” which is a member of “SonicWALL Administrators” group has full control privilege to query status and configure all firewall configurations including configure other user privilege. Other members of “SonicWALL Administrators” group have the same full control privilege as built-in administrator (part of “SonicWALL Administrators” group). There is another group called “Limited Administrators”. Members of “Limited Administrators” group can query Control Output Interface is omitted as it is Not Applicable. Public Material – May be reproduced only in its original entirety (without revision).
Page 19

status and non-critical configuration. An operator is granted privilege by the membership of a particular group after login. Role Service Input Output CO (referred to as Show Status Command Command Response “SonicWALL Show Non-critical Command Command Response Administrators” group) Configuration Monitor Network Command Command Response Status Log On Username and Successful completion Password or public key of service Log Off Command Command Response Clear Log Command Command Response Export Log Command Command Response Import/Export Commands and Public Public Key Certificates Key Filter Log Command Command Response Setup DHCP Server Command Command Response Generate Log Reports Command Command Response Configure VPN Settings Commands, Preshared Command Response Key IPsec VPN SSPs and Encrypted SSPs and Encrypted Data Data TLS SSPs and Encrypted SSPs and Encrypted Data Data Set Content Filter Command Command Response Configure DNS Settings Command Command Response Configure Access Command Command Response Zeroize Command Status Output indicating the completion of service. Perform Self-tests on- Command Output display on each demand algorithm running selftest and pass or fail Self-Initiate SSPs and Encrypted SSPs and Encrypted Cryptographic Output Data Data User (referred to as Show Status Command Command Response “Limited Show Non-critical Command Command Response Administrators” group) Configuration Monitor Network Command Command Response Status Log On Username and Successful completion Password or public key of service Log Off Command Command Response Export Log Command Command Response Filter Log Command Command Response Generate Log Reports Command Command Response Public Material

Page 20

Role Service Input Output TLS SSPs and Encrypted SSPs and Encrypted Data Data Configure DNS Settings Command Command Response Unauthenticated Module Reset Command Command Response No Auth Function Command Command Response Show Status N/A N/A (LED/Console) Perform Self-tests on- Power Cycle Output display on each demand algorithm running selftest and pass or fail Table 8 – Roles, Service Commands, Input and Output The Module supports concurrent operators. Separation of roles is enforced by requiring operators to authenticate using either a username and password, or digital signature verification. The User role requires the use of a username and password or possession of the private key of a user entity belonging to the “Limited Administrators” group. The Crypto Officer role requires a username and password for authentication. Multiple users may be logged in simultaneously, but only a single user-session can have full configuration privileges at any time, based upon the prioritized preemption model described below:

  1. The Admin user (SonicWALL Administrators) has the highest priority and can preempt any users.
  2. The additional operators who are members of the “SonicWALL Administrators” group can preempt any users except for the Admin user.
  3. An operator that is a member of the “Limited Administrators” group can only preempt other members of the “Limited Administrators” group. Session preemption may be handled in one of two ways, configurable from the System > Administration page, under the “On admin preemption” setting: 1. “Drop to non-config mode” – the preempting operator will have three choices: a. “Continue” – this action will drop the existing administrative session to a “non-config mode” and will impart full administrative privileges to the preempting user. b. “Non-Config Mode” – this action will keep the existing administrative session intact and will login the preempting user in a “non-config mode”. c. “Cancel” – this action will cancel the login and will keep the existing administrative session intact. 2. “Log-out” – the preempting user will have three choices: a. “Continue” – this action will log out the existing administrative session and will impart full administrative privileges to the preempting user. b. “Non-Config Mode” – this action will keep the existing administrative session intact and will login the preempting user in a “non-config mode”. c. “Cancel” – this action will cancel the login and will keep the existing administrative session intact. “Non-config mode” administrative sessions will have no privileges to cryptographic functions making them functionally equivalent to User role sessions. The ability to enter “Non-config mode” may be disabled altogether from the System > Administration page, under the “On admin preemption” setting by selecting “Log out” as the desired action. Public Material – May be reproduced only in its original entirety (without revision).
Page 21

Authentication Methods The cryptographic module provides authentication relying upon username/passwords or an RSA 2048-bit (at a minimum) digital signature verification. Role Authentication Method Authentication Strength CO and User password Username and Password The probability is 1 in 96^8, which is less than one in (Identity-based) (Passwords shall be at least 1,000,000 that a random eight (8) characters long, and attempt will succeed, or a false the password character set is acceptance will occur for each ASCII characters 32-127, which attempt (This is also valid for is 96 ASCII characters, hence, RADIUS shared secret keys). the probability is 1 in 96^8) After three (3) successive unsuccessful password verification tries, the cryptographic module pauses for one second before additional password entry attempts can be reinitiated This makes the probability approximately 180/96^8 = 2.5E14, which is less than one in 100,000 that a random attempt will succeed, or a false acceptance will occur in a oneminute period User RSA 2048-bit (minimum) Digital Signature The probability that a random digital signature attempt will succeed, or a false (Identity-based) (A 2048-bit RSA digital signature acceptance will occur is has a strength of 112-bits; 1/2^112, which is less than 1 in hence the probability is 1,000,000. Due to processing 1/2^112) and network limitations, the module can verify at most 300 signatures in a one-minute period. Thus, the probability that a random attempt will succeed, or a false acceptance will occur in a one-minute period is 300/2^112 = 5.8E-32, which is less than 1 in 100,000 Unauthenticated N/A N/A Table 9

Page 22

Services Crypto Officer Services The Crypto Officer role is authenticated using the credentials of the “Administrator” user, which is the member of “SonicWALL Administrators” group (also referred to as “Admin”), or the credentials of other members (users) of the “SonicWALL Administrators” group. The use of “SonicWALL Administrators” provides identification of specific users (i.e., by username) upon whom is imparted full administrative privileges. The Cryptographic Officer role can show all status and configure cryptographic algorithms, cryptographic keys, certificates, and servers used for VPN tunnels. The Crypto Officer sets the rules by which the module encrypts, and decrypts data passed through the VPN tunnels. The authentication mechanisms are discussed in Table 9. The modes of access shown in the table is defined as:

Page 23

Service4 Description Approved Keys and/or Roles Access Indicator Security SSPs rights Functions to Keys and/or SSPs N/A Approved N/A N/A Crypto Officer, Mode User Checkbox Monitor Monitor the Checked Network network in Status status WebUI, Show Status = “FIPS” Crypto Officer Logs the CO N/A Password Crypto Officer E Approved Log On into the Mode module Checkbox Checked in WebUI User Log On Logs the User RSA Authentication User E Approved into the Public Key Mode module Checkbox Checked in WebUI, Show Status = “FIPS” Crypto Officer Logs the CO N/A N/A Crypto Officer E Approved Log Off off the Mode module Checkbox Checked in WebUI, Show Status = “FIPS” User Log Off Logs the User N/A N/A User E Approved off the Mode module Checkbox Checked in WebUI, Show Status = “FIPS” Public Material

Page 24

Service4 Description Approved Keys and/or Roles Access Indicator Security SSPs rights Functions to Keys and/or SSPs Clear Log Clears session N/A N/A Crypto Officer N/A Approved log Mode Checkbox Checked in WebUI, Show Status = “FIPS” Export Log Export N/A N/A Crypto Officer, N/A Approved session log User Mode Checkbox Checked in WebUI, Show Status = “FIPS” Import/Export Session key RSA, Root CA Public Crypto Officer E, R Approved Certificates management ECDSA Key Mode Checkbox Checked in WebUI, Show Status = “FIPS” Filter Log Session log N/A N/A Crypto Officer, N/A Approved management User Mode Checkbox Checked in WebUI, Show Status = “FIPS” Setup DHCP Setup and N/A N/A Crypto Officer N/A Approved Server5 configure a Mode DHCP Server Checkbox Checked Public Material

Page 25

Service4 Description Approved Keys and/or Roles Access Indicator Security SSPs rights Functions to Keys and/or SSPs in WebUI, Show Status = “FIPS” Generate Log Generate Log N/A N/A Crypto Officer, N/A Approved Reports Reports User Mode Checkbox Checked in WebUI, Show Status = “FIPS” Configure System Shared Preshared Crypto Officer G, W Approved VPN Settings configuration, Secret, Key, IKE Mode network RSA or Private Key, Checkbox configuration, ECDSA Root CA Public Checked Security Key, IKE Public in services Key WebUI, including Show initiating Status = encryption, “FIPS” key management, and VPN tunnels IPsec VPN Network Shared IKE Shared Crypto Officer, G, W, Approved traffic over Secret, Secret, User E Mode an IPsec VPN AES, SKEYID, Checkbox HMAC, SKEYID_d, Checked RSA or SKEYID_a, in ECDSA, SKEYID_e, WebUI, KAS-FFC- Preshared Show SSC, KAS- Key, IKE Status = ECC-SSC, Session “FIPS” DRBG Encryption Key, IKE Session Authentication Key, IKE Private Key, Public Material

Page 26

Service4 Description Approved Keys and/or Roles Access Indicator Security SSPs rights Functions to Keys and/or SSPs IPsec Session Encryption Key, Ipsec Session Authentication Key, DH/ECDH Private Key, DRBG V and C values, DRBG seed, Entropy Input, RADIUS Shared Secret, Storage Key TLS TLS used for DRBG, TLS Master Crypto Officer, G, W, Approved the https RSA or Secret, TLS User E Mode configuration ECDSA, Premaster Checkbox tool or AES, Secret, TLS Checked network HMAC, Extended in traffic over a KAS-FFC- Master Secret WebUI, TLS VPN SSC, KAS- (TLS 1.2), TLS Show ECC-SSC Private Key, Status = TLS Session “FIPS” Key, TLS Integrity Key, ECDH Private Key, DRBG V and C values, DRBG seed, Entropy Input, TLS Public Key, ECDH Public Key Set Content Network N/A N/A Crypto Officer N/A Approved Filter configuration Mode settings Checkbox Checked in WebUI, Show Status = “FIPS” Public Material

Page 27

Service4 Description Approved Keys and/or Roles Access Indicator Security SSPs rights Functions to Keys and/or SSPs Configure Configure N/A N/A Crypto Officer, N/A Approved DNS Settings DNS Settings User Mode Checkbox Checked in WebUI, Show Status = “FIPS” Configure Configure Password Password Crypto Officer W Approved Access User and Mode Crypto Checkbox Officer access Checked in WebUI, Show Status = “FIPS” Zeroize Zeroize SSPs N/A All SSPs Crypto Officer Z Approved Mode Checkbox Checked in WebUI, Show Status = “FIPS” Perform Self Perform Self N/A N/A Crypto Officer, N/A Approved tests on- tests on- Unauthenticated Mode demand demand (power-cycle) Checkbox Checked in WebUI, Show Status = “FIPS” Self-Initiated This service is Shared IKE Shared Crypto Officer G, E Approved Cryptographic enabled for Secret, Secret, Mode Output IPSec VPN. As HMAC, SKEYID, Checkbox part of AES, RSA SKEYID_d, Checked enabling this or ECDSA, SKEYID_a, in Public Material

Page 28

Service4 Description Approved Keys and/or Roles Access Indicator Security SSPs rights Functions to Keys and/or SSPs service, the KAS-FFC- SKEYID_e, WebUI, CO must SSC, KAS- Preshared Show configure and ECC-SSC, Key, IKE Status = enable the DRBG Session “FIPS” IPSec VPN Encryption client policy, Key, IKE and then turn Session on the Authentication "Enable Keep Key, IKE Alive" switch Private Key, under the IPsec Session "Advanced" Encryption tab in the Key, Ipsec VPN Policy Session settings. Authentication Key, DH/ECDH Private Key, DRBG V and C values, DRBG seed, Entropy Input, Root CA Public Key, IKE Public Key, Peer IKE Public Key, DH/ECDH Public Key Module Reset Firmware N/A N/A Unauthenticated Z Approved removal with Mode configuration Checkbox returned to Checked factory state in WebUI, Show Status = “FIPS” Public Material

Page 29

Service4 Description Approved Keys and/or Roles Access Indicator Security SSPs rights Functions to Keys and/or SSPs No Auth Power Cycle, N/A N/A Unauthenticated N/A Approved Function Cable Plugin, Mode View LEDs Checkbox Checked in WebUI, Show Status = “FIPS” Table 10

Page 30

Algorithms Service Description Role Indicator Accessed WebUI, Show Status = “NO FIPS” Approved Mode Checkbox Crypto Officer Log Logs the CO off the Crypto Officer Unchecked in Off module WebUI, Show Status = “NO FIPS” Approved Mode Checkbox Clear Log Clears session log Crypto Officer Unchecked in WebUI, Show Status = “NO FIPS” Approved Mode Checkbox Export Log Export session Log Crypto Officer, User Unchecked in WebUI, Show Status = “NO FIPS” Approved Mode Checkbox Import/Export Session key RSA or DSA Crypto Officer Unchecked in Certificates management WebUI, Show Status = “NO FIPS” Approved Mode Checkbox Session log Filter Log Crypto Officer, User Unchecked in management WebUI, Show Status = “NO FIPS” Approved Mode Checkbox Setup and configure Setup DHCP Server Crypto Officer Unchecked in a DHCP Server WebUI, Show Status = “NO FIPS” Public Material

Page 31

Algorithms Service Description Role Indicator Accessed Approved Mode Checkbox Generate Log Generate Log Crypto Officer Unchecked in Reports Reports WebUI, Show Status = “NO FIPS” System configuration, network Approved Mode configuration, Checkbox Configure VPN Security services RSA or ECDSA Crypto Officer Unchecked in Settings including initiating WebUI, Show Status encryption, key = “NO FIPS” management, and VPN tunnels. Approved Mode AES, HMAC, RSA or Checkbox Network traffic over ECDSA, KAS-FFCIPsec VPN Crypto Officer Unchecked in an IPsec VPN SSC, KAS-ECC-SSC, WebUI, Show Status DRBG = “NO FIPS” TLS used for the Approved Mode DRBG, RSA or https configuration Checkbox ECDSA, AES, HMAC, TLS tool or network Crypto Officer, User Unchecked in KAS-FFC-SSC, KAStraffic over a TLS WebUI, Show Status ECC-SSC VPN = “NO FIPS” Approved Mode Network Checkbox Set Content Filter configuration Crypto Officer Unchecked in settings WebUI, Show Status = “NO FIPS” Approved Mode Checkbox Configure DNS Configure DNS Crypto Officer, User Unchecked in Settings Settings WebUI, Show Status = “NO FIPS” Public Material

Page 32

Algorithms Service Description Role Indicator Accessed Approved Mode Checkbox Configure User and Configure Access Crypto Officer Unchecked in CO access WebUI, Show Status = “NO FIPS” Approved Mode Checkbox Zeroize Zeroize SSPs Crypto Officer Unchecked in WebUI, Show Status = “NO FIPS” Approved Mode Checkbox Perform Self tests Perform Self tests Crypto Officer, Unchecked in on-demand on-demand Unauthenticated WebUI, Show Status = “NO FIPS” This service is enabled for IPSec VPN. As part of enabling this service, the CO Approved Mode must configure and HMAC, AES, RSA or Self-Initiated Checkbox enable the IPSec ECDSA, KAS-FFCCryptographic Crypto Officer Unchecked in VPN client policy, SSC, KAS-ECC-SSC, Output WebUI, Show Status and then turn on DRBG = “NO FIPS” the Enable Keep Alive switch under the Advanced tab in the VPN Policy settings Approved Mode Checkbox Logs the User into User Log On RSA User Unchecked in the module WebUI, Show Status = “NO FIPS” Public Material

Page 33

Algorithms Service Description Role Indicator Accessed Approved Mode Checkbox Logs the User off User Log Off User Unchecked in the module WebUI, Show Status = “NO FIPS” Approved Mode Firmware removal Checkbox with configuration Module Reset Unauthenticated Unchecked in returned to factory WebUI, Show Status state = “NO FIPS” Approved Mode Checkbox Power Cycle, Cable No Auth Function Unauthenticated Unchecked in Plugin, View LEDs WebUI, Show Status = “NO FIPS” Approved Mode Checkbox Upgrade Module Firmware Update Crypto Officer Unchecked in Firmware WebUI, Show Status = “NO FIPS” SSH-KDF, SHA2-256, Approved Mode SHA2-512, Checkbox SSH SSH Service Hash_DRBG, KAS- Crypto Officer Unchecked in ECC-SSC, AES-GCM, WebUI, Show Status RSA SigGen = “NO FIPS” Approved Mode Checkbox SNMP SNMP Service SNMP-KDF Crypto Officer Unchecked in WebUI, Show Status = “NO FIPS” Table 11

Page 34

5. Software/Firmware Security The module is a hardware module with firmware (SonicOS/X 7.0.1) running on it. The Module uses SHA2-

256 (Cert. #A6598) performed over all module firmware as the integrity technique/EDC. The operator can

initiate the integrity test on demand by power cycling the module. The temporary values generated during the integrity test are cleared automatically by the module from the memory after the test is completed. The module does not support the external loading of firmware in the Approved mode of operation.

  1. Operational Environment The module operates in a non-modifiable operational environment per FIPS 140-3 specifications, as the module does not support external firmware loading.
  2. Physical Security The chassis of the multi-chip standalone cryptographic modules are opaque within the visible spectrum, and direct observation of the modules' internal components is not possible. The chassis are sealed with either 1 or 2 tamper-evident seals (depending on model), applied during manufacturing. The physical security of the module is intact if there is no evidence of tampering with the tamper-evident seal(s). Physical Security Mechanism Recommended Frequency of Inspection Guidance Details Inspection Tamper-evident seals Periodic inspection of tamper- If evidence of tamper is found, evident seals once every 6 months the Cryptographic Officer is requested to follow their internal IT policies, which may include contacting SonicWALL for replacing the unit Table 12 – Physical Security Inspection Guidelines Table 13 below lists the number of tamper-evident seals applied per model: # Model Number of tamper-evident seals(s)/module

1 NSa 4700 341-000041-51 (1pcs) and 341-000029-51 (1pcs)

2 NSa 5700 341-000041-51 (1pcs) and 341-000029-51 (1pcs)

3 NSa 6700 341-000041-51 (1pcs) and 341-000029-51 (1pcs)

4 NSsp 10700 341-000041-51 (1pcs) and 341-000029-51 (2pcs)

5 NSsp 11700 341-000041-51 (1pcs) and 341-000029-51 (2pcs)

6 NSsp 13700 341-000041-51 (1pcs) and 341-000029-51 (2pcs)

Table 13

Page 35

The locations of the tamper-evident seals (highlighted by red rectangles) are indicated in Figure 10 (below): Figure 10. Tamper-evident seal placements for NSa 4700/5700/6700 and NSsp 10700/11700/13700 Public Material

Page 36

8. Non-Invasive Security Not Applicable. The module does not implement non-invasive security measures. Public Material

Page 37

9. Sensitive Security Parameter Management All SSPs used by the Module are described in this section. Key/SSP Strength Security Generation Import/ Establishment Storage Zeroisation Use & related Name/Type Function Export keys and Cert. Number IKE Shared String: 32 - Shared Generated Internally Neither Established as a Temporarily Zeroize Shared secret Secret 256 bytes Secret Input nor part of IKE in Service, used during A6598 Output exchange RAM Power Cycle IKE Phase 1 process (Plaintext) or IKE session termination SKEYID 256, 384 or IKE KDF Generated Internally Neither Established as a Temporarily Zeroize Secret value 512-bits HMAC Input nor part of IKE in Service, used to derive A6598 Output exchange RAM Power Cycle other IKE process (Plaintext) or IKE secrets session termination SKEYID_d 256, 384 or IKE KDF Generated Internally Neither Established as a Temporarily Zeroize Secret value 512-bits HMAC Input nor part of IKE in Service, used to derive A6598 Output exchange RAM Power Cycle keys for process (Plaintext) or IKE security session associations termination SKEYID_a 256, 384 or IKE KDF Generated Internally Neither Established as a Temporarily Zeroize Secret value 512-bits HMAC Input nor part of IKE in Service, used to derive A6598 Output exchange RAM Power Cycle keys to process (Plaintext) or IKE authenticate session IKE messages termination SonicWall, Inc. © 2025 Version 0.1 Public Material

Page 38

Key/SSP Strength Security Generation Import/ Establishment Storage Zeroisation Use & related Name/Type Function Export keys and Cert. Number SKEYID_e 256, 384 or IKE KDF Generated Internally Neither Established as a Temporarily Zeroize Secret value 512-bits HMAC Input nor part of IKE in Service, used to derive A6598 Output exchange RAM Power Cycle keys to encrypt process (Plaintext) or IKE IKE messages session termination Preshared Key A minimum IKE KDF Not Applicable Input Not Applicable Flash Zeroize Used to of A6598 electronically (Encrypted Service authenticate

8 characters by AES CBC the module to

256-bit) a peer during IKE IKE Session 128, 192 or IKE KDF Generated Internally Neither Established as a Temporarily Zeroize Used to Encryption Key 256-bit AES (CBC) during SSP Input nor part of IKE in Service, establish A6598 establishment Output exchange RAM Power Cycle phase 2 tunnel process (SP800- (Plaintext) or IKE 56a rev3 and session SP800-135 KDF) termination IKE Session 256, 384 or IKE KDF Generated Internally Neither Established as a Temporarily Zeroize Used to Authentication 512-bits HMAC during SSP Input nor part of IKE in Service, establish phase Key A6598 establishment Output exchange RAM Power Cycle 2 tunnel process (SP800- (Plaintext) or IKE 56a rev3 and session SP800-135 KDF) termination IKE Private Key 2048-bit RSA Generated as per Neither Not Applicable Flash Zeroize Used as a part or or SP800-90A DRBG and Input nor (Plaintext) Service of IKE process P-256, P-384 ECDSA FIPS 186-5 compliant Output or P-521 CKG RSA or ECDSA key A6598 generation SonicWall, Inc. © 2025 Version 0.1 Public Material

Page 39

Key/SSP Strength Security Generation Import/ Establishment Storage Zeroisation Use & related Name/Type Function Export keys and Cert. Number IPsec Session 128, 192 or AES (CBC) Generated Internally Neither Established as a Temporarily Zeroize Used to Encryption Key 256-bit A6598 during SSP Input nor part of IKE in Service, encrypt data establishment Output - exchange RAM Power Cycle process (SP800- (Plaintext) or 56a rev3 and IPsec session SP800-135 KDF) termination IPsec Session 256, 384 or HMAC Generated Internally Neither Established as a Temporarily Zeroize Used for data Authentication 512-bits A6598 during SSP Input nor part of IKE in Service, authentication Key establishment Output exchange RAM Power Cycle for IPsec traffic process (SP800- (Plaintext) or 56a rev3 and IPsec session SP800-135 KDF) termination TLS Master 384-bits TLS Generated Internally Neither Established as a Temporarily Zeroize Used for the Secret A6598 during TLS handshake Input nor part of TLS in Service, generation of process Output handshake RAM Power Cycle TLS Session process (Plaintext) or the TLS Keys and TLS session Integrity Key termination TLS Extended 384-bits TLS 1.2 Generated Internally Neither Established as a Temporarily Zeroize Binds the Master Secret A6598 during TLS handshake Input nor part of TLS in Service, master secret process Output handshake RAM Power Cycle to the full process (Plaintext) or the TLS handshake session context termination TLS Premaster 384-bits TLS Generated Internally Neither Established as a Temporarily Zeroize Used for the Secret A6598 during TLS handshake Input nor part of TLS in Service, generation of process Output handshake RAM Power Cycle Master Secret process (Plaintext) or the TLS SonicWall, Inc. © 2025 Version 0.1 Public Material

Page 40

Key/SSP Strength Security Generation Import/ Establishment Storage Zeroisation Use & related Name/Type Function Export keys and Cert. Number session termination TLS Session TLS 1.2: TLS 1.2: Generated Internally Neither Established as a Temporarily Zeroize Used to Key 128 or 256- AES CBC during SSP Input nor part of TLS in Service, protect TLS 1.2 bit and establishment Output exchange RAM Power Cycle connection

128 or 256- AES GCM process (SP800- (Plaintext) or the TLS

bit 56a rev3 and session Used to TLS 1.3: SP800-135 termination protect TLS 1.3 TLS 1.3: AES-GCM KDF/TLS 1.3 KDF) connection

128 or 256-

bit A6598 TLS Integrity TLS 1.2: TLS 1.2/ TLS Generated Internally Neither Established as a Temporarily Zeroize Used to check Key 160/256/384 1.3 during SSP Input nor part of TLS in Service, the integrity of -bit HMAC establishment Output exchange RAM Power Cycle TLS 1.2 A6598 process (SP800- (Plaintext) or the TLS connection TLS 1.3: 56a rev3 and session 256/384-bit SP800-135 termination Used to check KDF/TLS 1.3 KDF) the integrity of TLS 1.3 connection TLS Private Key 2048-bit RSA Generated as per Neither Input Not Applicable Flash Zeroize Used in the TLS or or SP800-90A DRBG and nor Output (Plaintext) Service 1.2/TLS 1.3 P-256, P-384 ECDSA FIPS 186-5 compliant signature or P-521 CKG RSA or ECDSA key algorithm A6598 generation Diffie- IKE: Diffie- KAS-SSC Generated as per Neither Not Applicable Temporarily Zeroize Used within Hellman/EC Hellman CKG SP800-90A DRBG and Input nor in Service, IKE key Private Key A6598 FIPS 186-4 compliant Output RAM Power agreement SonicWall, Inc. © 2025 Version 0.1 Public Material

Page 41

Key/SSP Strength Security Generation Import/ Establishment Storage Zeroisation Use & related Name/Type Function Export keys and Cert. Number Diffie-Hellman (N = 224, DSA or 186-5 (Plaintext) Cycle or the Private Key 256) or EC compliant ECDSA key TLS/IKE DH P-256/P- generation session Used within 384/P-521 termination TLS key agreement TLS: EC DH P256/P384/P-521 DRBG Internal 256-bits Hash_DRBG Generated Internally Neither Not Applicable Temporarily Zeroize The values of V State A6598 Input nor in Service or and C are the Output RAM Power “secret values” (Plaintext) Cycle of the internal state DRBG Seed 256-bits Hash_DRBG Intel® Digital Random Neither Not Applicable Temporarily Zeroize Used to seed A6598 Number Generator Input nor in Service or the Approved SP800-90B Output RAM Power DRBG (Plaintext) Cycle Entropy Input 256-bits Hash_DRBG Intel® Digital Random Neither Not Applicable Temporarily Zeroize Entropy (min) security A6598 Number Generator Input nor in Service or input used to strength SP800-90B Output RAM Power instantiate the (Plaintext) Cycle DRBG RADIUS SharedA minimum Shared Not Applicable Input Not Applicable Flash Zeroize Used for Secret of 8 Secret electronically (Encrypted Service authenticating characters A6598 and output by AES CBC the RADIUS for RADIUS via IPsec 256-bit) server to the authenticati module and on vice versa via IPSec SonicWall, Inc. © 2025 Version 0.1 Public Material

Page 42

Key/SSP Strength Security Generation Import/ Establishment Storage Zeroisation Use & related Name/Type Function Export keys and Cert. Number Passwords A minimum Not Not Applicable Entered Not Applicable Flash Zeroize Authentication (hashed) of 8 ASCII Applicable electronically (Encrypted Service data characters. by AES CBC 256-bit) Storage Key 256-bit Key AES CBC Generated as per Neither Input Not Applicable Flash Zeroize For encrypting CKG SP800-90A DRBG nor Output (Plaintext) Service RADIUS Shared A6598 Secret, Passwords and Preshared Key Public Keys Root CA Public 2048-bit RSA Not Applicable Input Not Applicable Flash Zeroize Used for Key or or electronically (Plaintext) Service verifying a P-256, P- ECDSA via IPsec. Not chain of trust

384 or P- A6598 output for receiving

521 certificates

Peer IKE Public 2048-bit RSA Not Applicable Input During IKE RAM Zeroize Used for Key or or electronically negotiation (Plaintext) Service, verifying P-256, P- ECDSA Not output Power Cycle digital

384 or P- or IKE signatures

521 A6598 session from a peer

termination device IKE Public Key 2048-bit RSA Generated as per Not Input. During IKE Flash Zeroize Used for or or SP800-90A DRBG and Output negotiation (Plaintext) Service verifying P-256, P- ECDSA FIPS 186-5 compliant electronically digital

384 or P- A6598 RSA or ECDSA key during IKE signatures

521 generation negotiation from a peer

device SonicWall, Inc. © 2025 Version 0.1 Public Material

Page 43

Key/SSP Strength Security Generation Import/ Establishment Storage Zeroisation Use & related Name/Type Function Export keys and Cert. Number Diffie- IKE: Diffie- KAS-SSC Generated as per Not Input. During IKE Temporarily Zeroize Used within Hellman/EC Hellman A6598 SP800-90A DRBG and Electronic negotiation in Service, IKE key Diffie-Hellman Public Key (N FIPS 186-4 compliant output RAM Power agreement Public Key = 224, 256) DSA or 186-5 compliant during IKE (Plaintext) Cycle or the or EC DH P- ECDSA key generation negotiation TLS/IKE 256/P- session 384/P-521 termination Used within TLS: EC DH TLS key P-256/P- agreement 384/P-521 Authentication 2048-bit RSA Not Applicable Input Not Applicable Temporarily Zeroize Used to Public Key A6598 electronically in Service authenticate over CLI. No RAM the User output (Plaintext) TLS Public Key 2048-bit RSA Generated as per Electronically During TLS Flash Zeroize Used in the TLS or or SP800-90A DRBG and Output Handshake (Plaintext) Service handshake P-256, P- ECDSA FIPS 186-5 compliant during TLS

384 or P- A6598 RSA or ECDSA key handshake
521 generation

Table 14

Page 44

Entropy sources Minimum number of bits of Details entropy Intel® Digital Random Number 0.6 The module supports the Intel® Generator SP800-90B Digital Random Number Generator SP800-90B as the ESV Certificate: E164 module’s noise source, outputting full entropy. (The entropy source supports a vetted conditioning component consistent with NIST SP 80090B, Section 3.1.5.1.1.) The noise source is the root of security for the entropy source and for the DRBG as a whole The noise source (internal to the Intel CPUs) is a circuit that employs a feedback-stabilized metastable latch to generate entropic binary data by measuring the resolution state of the latch after exiting metastability. The feedback is used to keep the metastable latch balanced so that thermal noise will drive the resolution process Table 15

Page 45

10. Self-Tests The module performs self-tests to ensure the proper operation of the module. Per FIPS 140-3 these are categorized as either pre-operational self-tests or conditional self-tests. The pre-operational self-tests are performed and shall pass successfully prior to the module providing any data output via the data output interface. CASTs are performed on the condition that the pre-operational self-test complete successfully. Other conditional self-tests are performed when an applicable security function or process is invoked. If the module fails a self-test, the module enters the error state and outputs the error message. The module does not perform any cryptographic operations, and data output is inhibited while in the error state. Self–tests (CASTs) are available on demand by power cycling the module. Pre-Operational Self-Tests

Page 46

Conditional Pairwise Consistency Tests • ECDSA Pairwise Consistency Test • DSA Pairwise Consistency Test • RSA Pairwise Consistency Test If any of the tests described above fail, the cryptographic module enters the error state. No security services are provided in the error state. No cryptographic output is started until all tests are successfully completed. This effectively inhibits the data output interface. When all tests are completed successfully, the Test LED is turned off.

  1. Life-Cycle Assurance Crypto Officer Guidance The following steps shall be performed by the Crypto Officer (CO) to configure the required roles and place the module in the Approved mode of operation:
  2. Apply power to the module. On a GPC, connect to the module’s console using the serial port. The network interface drivers/login prompt will only be available once all power-up self-tests have completed successfully.
  3. Login using the vendor provided default login and password. The default password and login shall be changed/updated.
  4. Configure management IP address and Gateway.
  5. Over the web interface, proceed to system settings and update the settings to be consistent with Section 2 of this document with the assistance of compliance checking procedure and then enabling Approved mode using the checkbox. The FIPS checkbox does not place the module in Approved mode until the settings in the Modes of Operation Section are met. Then click OK. The system automatically restarts.
  6. Observe that the module self-tests execute automatically before a log in is possible. Observe that the “FIPS enabled checkbox” is checked/enabled to indicate that the module is in the Approved mode of operation. This can be verified in the system/settings page. In addition, on the dashboard, the operator can verify the version of the module.
  7. Proceed to create the roles specified in Section 4 of this document. Passwords and Digital signatures required for authentication to each role should be configured or installed as appropriate. *Note 1: When the "Approved mode" checkbox is selected, the module executes a compliance checking procedure, examining all settings related to the security rules described previously in this document. The operator is responsible for updating these settings appropriately during setup and will be prompted by the compliance tool if a setting has been modified, taking the module out of compliance. The "Approved mode" checkbox and corresponding system flag ("fips") which can be queried over the console will not be Public Material – May be reproduced only in its original entirety (without revision).
Page 47

set unless all settings are compliant. The "Approved mode" checkbox and “fips” system flag are indicators that the module is running in the Approved mode of operation. *Note 2: The keys and SSPs generated in the cryptographic module during Approved mode of operation shall not be used when the module transitions to non-Approved mode and vice versa. While the module transitions from Approved to non-Approved mode or from non-Approved to Approved mode, all SSPs shall be zeroized by the Crypto Officer using the “Zeroize” service. If transitioning from the non-Approved to Approved mode, the CO shall zeroize all plaintext keys and SSPs by issuing “Zeroize” service and then the CO shall follow the CO Guidance (above) in this section to place the module in Approved mode of operation. Configuration Management SonicWall uses Perforce software for the management of source code artifacts and for hardware and documentation version control. KlocWork is used for static code analysis. The module is developed using high level programming languages C++ and C. Assembly code is only used for select performance enhancements. The module is securely delivered from Sonicwall to customers via the mechanism specified by the customer. FedEx, UPS, or any other freight forwarder of their choice can be utilized. Tracking numbers are used to track and confirm delivery to the authorized operator. The Crypto Officer should check the package for any irregular tears or openings. If the Crypto Officer suspects tampering has occurred, they should immediately contact Sonicwall, Inc. The end of life for the module meets the FIPS 140-3 requirements. The sanitization requirements are met by zeroising the module. Public Material

Page 48

12. Mitigation of Other Attacks The SonicWall NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, and NSsp 13700 are capable of mitigating other attacks using the following features (dependent on licensing). Capture ATP The Capture ATP Service revolutionizes advanced threat detection and sandboxing with a cloud-based, multi-engine solution for stopping unknown and zero-day attacks at the gateway. Capture ATP blocks zero-day attacks before they enter your network. It lets you establish advanced protection against the changing threat landscape and analyze a broad range of file types. Gateway Anti-Virus ICSA-certified Gateway Anti-Virus protection combines network-based anti-malware with a dynamically updated cloud database of tens of millions of malware signatures. Dynamic spyware protection blocks the installation of malicious spyware and disrupts existing spyware communications. IPS Cutting-edge IPS technology protects against worms, trojans, software vulnerabilities and other intrusions by scanning all network traffic for malicious or anomalous patterns, thereby increasing network reliability and performance. Comprehensive Anti-Spam Service SonicWall Comprehensive Anti-Spam Service offers small-to medium sized businesses >99% effectiveness against spam, dropping >80% of spam at the gateway, while utilizing advanced anti-spam techniques like Adversarial Bayesian™ and machine-learning filtering. DNS Filtering DNS filtering blocks malicious websites or applications at the DNS layer to filter out harmful or inappropriate content without enabling TLS decryption and adversely affecting performance. Network Access Control Network access control integration provides network access control for SonicWall customers by integrating with Aruba ClearPass, giving you comprehensive and precise profiling, authentication, and authorization for systems and devices trying to access your IT resources. SonicOS provides a RESTful API that will support Aruba ClearPass as NAC to integrate with SonicWall NGFW. This architecture will turn static security into contextual security to provide more flexible and advanced security protection. Content Filtering Service Content Filtering Services (CFS) lets you enforce Internet use policies and control internal access to inappropriate, unproductive and potentially illegal web content with comprehensive content filtering. Reputation-based CFS 5.0 provides a reputation score that forecasts the security risk of a URL across 93 web categories. Public Material

Page 49

Other The modules also include basic DNS security, deep packet inspection for SSL, and a botnet service. Public Material

Page 50

References and Definitions The following standards are referred to in this Security Policy. Abbreviation Full Specification Name [FIPS140-3] Security Requirements for Cryptographic Modules, March 22, 2019 [IG] Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program [108] NIST Special Publication 800-108, Recommendation for Key Derivation Using Pseudorandom Functions (Revised), October 2009 [131Arev2] Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, March 2019 [132] NIST Special Publication 800-132, Recommendation for Password-Based Key Derivation, Part 1: Storage Applications, December 2010 [133rev2] NIST Special Publication 800-133rev2, Recommendation for Cryptographic Key Generation, June 2020 [135rev1] National Institute of Standards and Technology, Recommendation for Existing Application-Specific Key Derivation Functions, Special Publication 800-135rev1, December 2011. [186-4] National Institute of Standards and Technology, Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-4, July, 2013. [186-5] National Institute of Standards and Technology, Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-5, February 2023 [186-2] National Institute of Standards and Technology, Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-2, January 2000. [197] National Institute of Standards and Technology, Advanced Encryption Standard (AES), Federal Information Processing Standards Publication 197, November 26, 2001 [198] National Institute of Standards and Technology, The Keyed-Hash Message Authentication Code (HMAC), Federal Information Processing Standards Publication 198-1, July, 2008 [180-4] National Institute of Standards and Technology, Secure Hash Standard, Federal Information Processing Standards Publication 180-4, August, 2015 [202] FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION, SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions, FIPS PUB 202, August 2015 [38A] National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation, Methods and Techniques, Special Publication 800-38A, December 2001 Public Material

Page 51

Abbreviation Full Specification Name [38B] National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication, Special Publication 800-38B, May 2005 (Updated 10/6/2016) [38C] National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality, Special Publication 800-38C, May 2004 (Updated 7/20/2007) [38D] National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, Special Publication 80038D, November 2007 [56Arev3] NIST Special Publication 800-56A (rev3), Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, April 2018 [56Br2] NIST Special Publication 800-56B Revision 1, Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography, March 2019 [67rev2] National Institute of Standards and Technology, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, Special Publication 800-67, November 2017 [90Arev1] National Institute of Standards and Technology, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, Special Publication 800-90A, June 2015. [90B] Recommendation for the Entropy Sources Used for Random Bit Generation, January 2018 Table 16

Page 52

Acronym Definition SSP Sensitive Security Parameter TACACS+ Terminal Access Controller Access-Control System Plus Triple-DES Triple Data Encryption Standard VPN Virtual Private Network Table 17