National Information Assurance Partnership
Common Criteria Evaluation and Validation Scheme
Validation Report
for
Palo Alto Networks Panorama v10.1
Report Number: CCEVS-VR-VID11285-2022
Dated: August 4, 2022
Version: 1.0
National Institute of Standards and Technology Department of Defense
Information Technology Laboratory ATTN: NIAP, Suite 6982
100 Bureau Drive 9800 Savage Road
Gaithersburg, MD 20899 Fort George G. Meade, MD 20755-6982
®
TM
Page 1 of 21
Acknowledgements
Validation Team
Jenn Dotson
Sheldon Durrant
Linda Morrison
Common Criteria Testing Laboratory
Leidos Inc.
Columbia, MD
Page 2 of 21
Table of Contents
1 Executive Summary.............................................................................................................3
2 Identification........................................................................................................................5
3 Assumptions & Clarification of Scope ................................................................................6
4 Architectural Information ....................................................................................................7
4.1 TOE Architecture.................................................................................................................7
4.2 Physical Boundaries.............................................................................................................8
5 Security Policy...................................................................................................................10
5.1 Security Audit....................................................................................................................10
5.2 Cryptographic Support.......................................................................................................10
5.3 Identification and Authentication ......................................................................................10
5.4 Security Management ........................................................................................................11
5.5 Protection of the TSF.........................................................................................................11
5.6 TOE Access .......................................................................................................................11
5.7 Trusted Path/Channels .......................................................................................................11
6 Documentation...................................................................................................................12
7 Evaluated Configuration ....................................................................................................13
7.1 Excluded Functionality......................................................................................................13
8 Independent Testing...........................................................................................................14
8.1 Test Configuration .............................................................................................................14
8.2 Vulnerability Analysis .......................................................................................................15
9 Results of the Evaluation ...................................................................................................16
10 Validator Comments/Recommendations ...........................................................................17
11 Annexes..............................................................................................................................18
12 Security Target...................................................................................................................19
13 Abbreviations and Acronyms ............................................................................................20
14 Bibliography ......................................................................................................................21
List of Tables
Table 1: Evaluation Details............................................................................................................. 5
Table 2: TOE Security Assurance Requirements ......................................................................... 16
Page 3 of 21
1 Executive Summary
This report is intended to assist the end-user of this product and any security certification agent for
that end-user in determining the suitability of this Information Technology (IT) product in their
environment. End-users should review the Security Target (ST), which is where specific security
claims are made, in conjunction with this Validation Report (VR), which describes how those
security claims were evaluated and tested and any restrictions on the evaluated configuration.
Prospective users should carefully read the Assumptions and Clarification of Scope in Section 3
and the Validator Comments in Section 10, where any restrictions on the evaluated configuration
are highlighted.
This report documents the National Information Assurance Partnership (NIAP) assessment of the
evaluation of the Palo Alto Networks M-200, M-500, and M-600 Hardware, and Virtual
Appliances all running Panorama 10.1 (the Target of Evaluation, or TOE). It presents the
evaluation results, their justifications, and the conformance results. This VR is not an endorsement
of the TOE by any agency of the U.S. Government and no warranty of the TOE is either expressed
or implied. This VR applies only to the specific version and configuration of the product as
evaluated and as documented in the ST.
The evaluation of the Palo Alto Networks M-200, M-500, and M-600 Hardware, and Virtual
Appliances all running Panorama 10.1 (Panorama) was performed by Leidos Common Criteria
Testing Laboratory (CCTL) in Columbia, Maryland, USA, and was completed in August 2022.
The evaluation was conducted in accordance with the requirements of the Common Criteria and
Common Methodology for IT Security Evaluation (CEM), version 3.1, release 5 ([1], [2], [3], [4])
and activities specified in the following document:
• Evaluation Activities for Network Device cPP, Version 2.2, December 2019 [6]
The evaluation was consistent with NIAP Common Criteria Evaluation and Validation Scheme
(CCEVS) policies and practices as described on their web site (www.niap-ccevs.org).
The product comprises network appliances and virtual appliances on specified hardware used to
facilitate threat protection, shield computing infrastructure from network vulnerabilities, block
exploits, and defend against known and zero-day attacks. The focus of the evaluation was on the
product’s conformance to the security functionality specified in the following document:
• collaborative Protection Profile for Network Devices, Version 2.2e, 23 March 2020 [5]
The security functions specified in this Protection Profile include protection of communications
between the TOE and external IT entities, identification and authentication of administrators,
auditing of security-relevant events, and ability to verify the source and integrity of updates to the
TOE.
The Leidos evaluation team determined that the TOE is conformant to the claimed Protection
Profile and, when installed, configured, and operated as specified in the evaluated guidance
documentation, satisfies all the security functional requirements stated in the Security Target [7].
The information in this VR is largely derived from the Security Target [7], Assurance Activities
Report (AAR) ([12]) and the associated test report produced by the Leidos evaluation team ([11]).
The validation team reviewed the evaluation outputs produced by the evaluation team, in particular
the AAR and associated test report. The validation team found that the evaluation showed that the
Page 4 of 21
TOE satisfies all the security functional and assurance requirements stated in the ST. The
evaluation also showed that the TOE is conformant to the claimed Protection Profile and that the
evaluation activities specified in [6] had been performed appropriately. Therefore, the validation
team concludes that the testing laboratory’s findings are accurate, the conclusions justified, and
the conformance results are correct. The conclusions of the testing laboratory in the Evaluation
Technical Report are consistent with the evidence produced.
Page 5 of 21
2 Identification
The CCEVS is a joint National Security Agency (NSA) and National Institute of Standards and
Technology (NIST) effort to establish commercial facilities to perform trusted product evaluations.
Under this program, commercial testing laboratories called Common Criteria Testing Laboratories
(CCTLs) use the Common Criteria and Common Methodology for IT Security Evaluation (CEM)
to conduct security evaluations, in accordance with National Voluntary Laboratory Assessment
Program (NVLAP) accreditation.
The NIAP Validation Body assigns Validators to monitor the CCTLs to ensure quality and
consistency across evaluations. Developers of IT products desiring a security evaluation contract
with a CCTL and pay a fee for their product’s evaluation. Upon successful completion of the
evaluation, the product is added to NIAP’s Product Compliant List (PCL).
The following table provides information needed to completely identify the product and its
evaluation.
Table 1: Evaluation Details
Item Identifier
Evaluation Scheme United States NIAP Common Criteria Evaluation and Validation
Scheme
Evaluated Product: Palo Alto Networks M-200, M-500, and M-600 Hardware, and
Virtual Appliances all running Panorama 10.1
Sponsor & Developer: Palo Alto Networks, Inc.
3000 Tannery Way
Santa Clara, CA 95054
CCTL: Leidos
Common Criteria Testing Laboratory
6841 Benjamin Franklin Drive
Columbia, MD 21046
Completion Date: August 4, 2022
CC: Common Criteria for Information Technology Security Evaluation,
Version 3.1, Release 5, April 2017
CEM: Common Methodology for Information Technology Security
Evaluation: Version 3.1, Release 5, April 2017
Protection Profiles: collaborative Protection Profile for Network Devices, Version
2.2e, 23 March 2020
Evaluation Personnel: Anthony Apted, Justin Fisher, Kofi Owusu, Pascal Patin
Validation Personnel: Jenn Dotson, Sheldon Durrant, Linda Morrison
Page 6 of 21
3 Assumptions & Clarification of Scope
Assumptions
The Security Problem Definition, including the assumptions, may be found in the following
documents:
• collaborative Protection Profile for Network Devices, version 2.2e, 23 March 2020
That information has not been reproduced here and the NDcPP22e should be consulted if there is
interest in that material.
The scope of this evaluation was limited to the functionality and assurances covered in the
NDcPP22e as described for this TOE in the Security Target. Other functionality included in the
product was not assessed as part of this evaluation. All other functionality provided by the devices
needs to be assessed separately, and no further conclusions can be drawn about their effectiveness.
Clarification of scope
All evaluations (and all products) have limitations, as well as potential misconceptions that need
clarification. This text covers some of the more important limitations and clarifications of this
evaluation. Note that:
• As with any evaluation, this evaluation only shows that the evaluated configuration meets
the security claims made with a certain level of assurance (the assurance activities specified
in the collaborative Protection Profile for Network Devices and performed by the
evaluation team).
• This evaluation covers only the specific device models and software as identified in this
document, and not any earlier or later versions released or in process.
• Apart from the Admin Guides, additional customer documentation for the specific Network
Device models was not included in the scope of the evaluation and therefore should not be
relied upon when configuring or operating the device as evaluated.
• This evaluation did not specifically search for, nor attempt to exploit, vulnerabilities that
were not “obvious” or vulnerabilities to objectives not claimed in the ST. The CEM defines
an “obvious” vulnerability as one that is easily exploited with a minimum of understanding
of the TOE, technical sophistication and resources.
• The functionality evaluated is scoped exclusively to the security functional requirements
specified in the NDcPP22e and applicable Technical Decisions. Any additional security
related functional capabilities of the TOE were not covered by this evaluation.
Page 7 of 21
4 Architectural Information
Note: The following architectural description is based on the description presented in the Security
Target.
The Target of Evaluation (TOE) is one or more Palo Alto Networks management appliance(s) that
include Panorama M-200, M-500 and M-600 appliances and virtual appliances all running version
10.1. Panorama is available as a virtual or physical appliance, each of which supports licenses for
managing up to 25, 100, or 1,000 firewalls. The TOE type is a network device as specified in the
NDcPP.
In a deployment architecture, the Panorama security management appliance provides the capability
to remotely manage multiple firewall appliances that control network traffic flow and WildFire
appliances that analyze suspicious files traversing the network. However, since the firewall and
Wildfire appliances are in the operational environment, these capabilities (i.e., stateful inspection
filtering, IPsec VPN gateway, IPS/IDS threat prevention) are not evaluated (out of scope). Only
the secure communication channels from Panorama to firewalls and Wildfires are claimed.
The administrators can deploy Panorama in the following system modes:
• Panorama - The appliance functions as a management server to manage firewalls and
Dedicated Log Collectors. The appliance also supports a local Log Collector to aggregate
firewall logs. This mode is the default mode.
• Management-Only - The appliance is a dedicated management appliance for your firewalls
and Dedicated Log Collectors. The appliance has no firewall log collection capabilities.
• Log Collector - The appliance functions as a Dedicated Log Collector. In this deployment,
the appliance has no web interface for administrative access, only a command line interface
or CLI. When in Log Collector mode, Panorama is intended to be managed by another
manager in Panorama or Management-Only mode (NOTE: this function is not evaluated).
However, it provides a CLI with all of the administrative functions necessary to configure
and manage the device.
Regardless of which system mode is deployed, the TOE must also be configured to run in the
Common Criteria mode of operation described below. In addition, the TOE satisfies all mandatory
SFRs regardless of system modes though some selection-based requirements such as HTTPS may
not be relevant (for example, Log Collector mode does not support web interface).
Common Criteria Mode of Operation
The TOE is compliant with the capabilities outlined in this Security Target only when operated
in Common Criteria mode (now referred to as FIPS-CC mode). FIPS-CC mode is a special
operational mode in which the FIPS requirements for startup and conditional self-tests as well as
algorithm selection are enforced. In this mode, only CC Approved cryptographic algorithms and
key sizes are available. All tested models were placed into the evaluated configuration by the lab,
including the enabling of FIPS-CC mode.
4.1 TOE Architecture
The TOE high-level architecture is divided into four main subsystems: system software (SS);
database (DB); hardware (HW) and the hardened Linux-Derived operating system (OS). The
Page 8 of 21
system software provides system management functionality including proprietary software,
management interfaces (CLI and GUI), cryptographic support (Palo Alto Networks Crypto
Module), logging service (syslog-ng and auditd), web service (nginx), and authentication service.
The database provides a data repository for audit logs, user account data, system data,
configuration data, system log (i.e., syslog), and configuration logs. The operating system provides
a customized Linux kernel to enforce domain separation, memory management, disk access, file
I/O, network stacks (IPv4/IPv6), and communications with the underlying hardware components
including the network interface cards (NICs), memory, CPUs, and hard disks. Only services and
libraries required by the system software and DB are enabled in the OS. The virtual appliances
will include the hypervisor as well (not shown in figure 1).
The following diagram depicts both the hardware and software architecture of the TOE.
TOE
Figure 1: TOE Architecture
4.2 Physical Boundaries
The TOE consists of the following components:
• Hardware appliance-includes the physical port connections on the outside of the appliance
cabinet and a time clock that provides the time stamp used for the audit records.
• Virtual appliances installed on specified hardware - the VM-Series supports the exact
security functionalities available in the physical form factor appliances, allowing an
administrator to safely enable physical or virtual appliances that enable applications
DB
Linux-Derived Operating System
…
System Software
DB
auditd
syslog-ng
HW CPU Memory HDD/SS
D
Net
I/O
DB
Crypto Module
NGINX
Page 9 of 21
flowing into, and across your virtual computing environments. The VM software and the
appliances are both included in the TOE. The time clock, as well as CPU, ports, etc., are
provided by VM environment (hypervisor) hosting the VMs. VMs are deployed in the
system using Intel CPUs.
• Panorama OS software v10.1 – the software/firmware component that runs the appliance.
For VMs, Panorama OS is software and for hardware appliances, Panorama OS is
firmware. Panorama OS is built on top of a Linux kernel and runs along with NGINX (the
web server that Palo Alto Networks uses), syslog-ng, sshd, Palo Alto Networks Crypto
Module, and various vendor-developed applications that implement its capabilities.
The physical boundary of the TOE comprises the whole appliance (M-200, M-500, and M-600);
and the virtual appliances on specified hypervisor and hardware. The models only differ in their
performance capability (e.g., processor speed, memory, and disk space), but they all provide the
same security functionality.
Page 10 of 21
5 Security Policy
The TOE enforces the following security policies as described in the ST.
5.1 Security Audit
The TOE is designed to be able to generate logs for security relevant events including the events
specified in [NDcPP]. By default, the TOE stores the logs locally so they can be accessed by an
administrator. The TOE can also be configured to send the logs securely to a designated external
log server.
5.2 Cryptographic Support
The TOE implements NIST-validated cryptographic algorithms that provide key management,
random bit generation (RBG), encryption/decryption, digital signature generation and verification,
cryptographic hashing, and keyed-hash message authentication features in support of higher-level
cryptographic protocols, including SSH and TLS. Note that to be in the evaluated configuration,
the TOE must be configured in FIPS-CC mode, which ensures the TOE’s configuration is
consistent with the FIPS standard and [NDcPP]. All physical and virtual appliance included in the
TOE (Palo Alto Networks Crypto Module) are CAVP-validated and details are provided in the
TOE Security Summary (TSS):
• The M-Series appliance are covered by CAVP certificates (#A2137).
o AES - [FCS_COP.1/DataEncryption]
o RSA, ECDSA, DSA - [FCS_COP.1/SigGen and FCS_CKM.1]
o SHS - [FCS_COP.1/Hash]
o HMAC - [FCS_COP/1/KeyedHash]
o DRBG - [FCS_RBG_EXT.1]
o KAS - [FCS_CKM.2]
• The Panorama virtual appliances are covered by CAVP certificates (#A2244).
o AES - [FCS_COP.1/DataEncryption]
o RSA, ECDSA, DSA - [FCS_COP.1/SigGen and FCS_CKM.1]
o SHS - [FCS_COP.1/Hash]
o HMAC - [FCS_COP/1/KeyedHash]
o DRBG - [FCS_RBG_EXT.1]
o KAS - [FCS_CKM.2]
5.3 Identification and Authentication
The TOE requires all users accessing the TOE user interfaces to be successfully identified and
authenticated before they can access any security management functions available in the TOE. The
Page 11 of 21
TOE offers network accessible (HTTPS, SSH) and direct connections to the GUI and SSH for
interactive administrator sessions and HTTPS for XML and REST APIs.
The TOE supports the local (i.e., on device) definition and authentication of administrators with
username, password, and role (set of privileges), which it uses to authenticate the human user and
to associate that user with an authorized role. In addition, the TOE can authenticate users using
X509 certificates and can be configured to lock a user out after a configurable number of
unsuccessful authentication attempts.
5.4 Security Management
The TOE provides a GUI, CLI, or API (XML and REST) to access the security management
functions. Security management commands are limited to administrators and are available only
after they have provided acceptable user identification and authentication data to the TOE. The
TOE provides access to the GUI/CLI locally via direct RJ-45 Ethernet cable connection and
remotely using an HTTPS/TLS or SSHv2 client.
The TOE provides a number of management functions and restricts them to users with the
appropriate privileges. The management functions include the capability to configure the audit
function, configure the idle timeout, and review the audit trail. The TOE provides pre-defined
Security Administrator, Audit Administrator, and Cryptographic Administrator roles. These
administrator roles are all considered Security Administrator as defined in the claimed PP for the
purposes of this ST.
5.5 Protection of the TSF
The TOE implements a number of features designed to protect itself to ensure the reliability and
integrity of its security features.
It protects particularly sensitive data such as stored passwords and cryptographic keys so that they
are not accessible even by an administrator. It also provides its own timing mechanism to ensure
that reliable time information is available (e.g., for log accountability).
The TOE includes functions to perform self-tests so that it can detect when it is failing. It also
includes mechanism to verify TOE updates to prevent malicious or other unexpected changes in
the TOE.
5.6 TOE Access
The TOE provides the capabilities for both TOE- and user-initiated locking of interactive sessions
and for TOE termination of an interactive session after a period of inactivity. The TOE will display
an advisory and consent warning message regarding unauthorized use of the TOE before
establishing a user session.
5.7 Trusted Path/Channels
The TOE protects interactive communication with remote administrators using SSH or HTTP over
TLS (HTTPS). SSH and TLS ensure both integrity and disclosure protection.
The TOE protects communication with the syslog server, Palo Alto Networks firewalls, and
Wildfire Appliances using TLS connections.
Page 12 of 21
6 Documentation
Palo Alto offers guidance documents describing the installation process for the TOE as well as
guidance for subsequent administration and use of the applicable security features. The guidance
documentation examined during the evaluation and delivered with each TOE model is as follows:
• Palo Alto Networks Common Criteria Evaluated Configuration Guide (CCECG) for
Panorama 10.1, July 22, 2022
• Panorama Administrator’s Guide Version 10.1, Last Revised: See Link Below
https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/panorama/-
1/panorama-admin/panorama-admin.pdf
• VM-Series 10.1 Deployment Guide, Last Revised: See Link Below
https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/vm-series/10-
1/vm-series-deployment/vm-series-deployment.pdf
• PAN-OS® and Panorama 10.1 API Guide, Last Revised: See Link Below
https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/pan-os/10-1/pan-
os-panorama-api/pan-os-panorama-api.pdf
This is also provided for initial setup purposes. To use the product in the evaluated configuration,
the product must be configured as specified in these guides.
Any additional customer documentation provided with the product, or that which may be available
online was not included in the scope of the evaluation and therefore should not be relied upon to
configure or operate the device as evaluated. Consumers are encouraged to download this CC
configuration guide (CCECG above) from the NIAP website.
Page 13 of 21
7 Evaluated Configuration
The TOE is the Palo Alto Networks Panorama, Version 10.1, as configured in accordance with the
guidance documentation listed in Section 6 of this Validation Report. The specific appliance
models include:
• M-200
• M-500
• M-600
• Panorama Virtual Appliance
If used, the Virtual Appliance must be the only guest running in the virtualized environment, in accordance
with the requirements of the NDcPP.
The TOE includes a “FIPS-CC” mode of operation. This mode must be enabled for the TOE to meet the
claimed requirements.
7.1 Excluded Functionality
All product functionality that is not claimed by the Security Target as part of achieving exact conformance
to the NDcPP is excluded from the evaluation scope. The product also has the following exclusions:
• Telnet and HTTP Management Protocols: Telnet and HTTP are disabled by default and
cannot be enabled in the evaluated configuration. Telnet and HTTP are insecure
protocols which allow for plaintext passwords to be transmitted. Use SSH and HTTPS
only as the management protocols to manage the TOE.
• External Authentication Servers: The NDcPP does not require external authentication
servers.
• Shell and Console Access: The shell and console access is only allowed for pre-
operational installation, configuration, and post-operational maintenance and trouble
shooting.
• API request over HTTP: By default, the TOE support API requests over HTTPS only.
API request over HTTP is disabled and cannot be enabled in the evaluated
configuration.
• Stateful inspection filtering, VPN gateway, IPS/IDS threat prevention, URL filtering
(PAN-DB), Log forwarding, and Malware sandboxing: These features are provided by
Palo Alto Networks firewalls and Wildfire appliances and are not included in this
evaluation. Only the secure TLS connections between the firewalls and Wildfire to the
TOE were evaluated.
• Centralized Device Management: These features (e.g., Policy Template and Push,
Device Group) were not evaluated. Only the secure TLS connections between the
firewalls and Wildfire to the TOE were evaluated.
• Any features not associated with SFRs in claimed NDcPP: NDcPP forbids adding
additional requirements to the Security Target (ST). If additional functionalities are
mentioned in the ST, it is for completeness only.
Page 14 of 21
8 Independent Testing
This section describes the testing efforts of the evaluation team. It is derived from information
contained in the following proprietary documents:
• Palo Alto Panorama Common Criteria Test Report and Procedures for Network Device
collaborative PP Version 2.2 e[11]
A non-proprietary version of the tests performed and samples of the evidence that was generated
is summarized in the following document:
• Assurance Activities Report for Palo Alto Panorama [12]
The purpose of the testing activity was to confirm the TOE behaves in accordance with the TOE
security functional requirements as specified in the ST for a product that claims conformance to
collaborative Protection Profile for Network Devices [5].
The evaluation team devised a Test Plan based on the Testing Assurance Activities specified in
collaborative Protection Profile for Network Devices [5]. The Test Plan described how each test activity
was to be instantiated within the TOE test environment. The evaluation team executed the tests specified
in the Test Plan and documented the results in the team test report listed above.
Independent testing took place at Leidos CCTL facilities in Columbia, Maryland.
The evaluators received the TOE in the form that normal customers would receive it, installed and
configured the TOE in accordance with the provided guidance, and exercised the Team Test Plan on
equipment configured in the testing laboratory.
Given the complete set of test results from the test procedures exercised by the evaluators, the testing
requirements for collaborative Protection Profile for Network Devices [5] were fulfilled.
8.1 Test Configuration
The evaluated version of the TOE consists of Palo Alto Panorama version 10.1 running on any of
the following physical and virtual appliances:
• M-200
• M-500
• M-600
• Panorama Virtual Appliance
The TOE must be configured in accordance with the Panorama Administrator’s Guide [8], VM-
Series Deployment Guide [9], and Palo Alto Networks Common Criteria Evaluated Configuration
Guide (CCECG) for Panorama v10.1 [10].
Per Policy Letter #22, user installation of vendor-delivered bug fixes and security patches is
encouraged between completion of the evaluation and the Assurance Maintenance Date; with such
updates properly installed, the product is still considered by NIAP to be in its evaluated
configuration.
Page 15 of 21
8.2 Vulnerability Analysis
The evaluation team applied each AVA CEM work unit. The evaluation team searched the
National Vulnerability Database (http://web.nvd.nist.gov/view/vuln/search) and several other
public vulnerability repositories. Searches were performed on 6/14/2022 and again on 6/30/2022
and 7/27/2022.
The keyword searches included the following terms:
• “Intel Xeon E5-2620”
• “Intel Xeon E5-2637”
• “Intel Xeon E5-2680”
• “Intel Xeon Gold 6248”
• “Cascade Lake”
• “Ivy Bridge”
• “Broadwell”
• “PAN-OS 10.1”
• “Palo Alto Panorama”
• “Palo Alto Networks Panorama”
• “M-200 Series”
• “M-500 Series”
• “M-600 Series”
The conclusion drawn from the vulnerability analysis is that no residual vulnerabilities exist that
are exploitable by attackers with Basic Attack Potential as defined by the Certification Body in
accordance with the guidance in the CEM.
Additionally, the evaluators performed fuzz testing of the TOE as specified in Section A.1.4 of
Evaluation Activities for Network Device cPP, Version 2.2, December 2019. The evaluators
observed the TOE did not react adversely to the packets directed at the TOE or respond to the
packets. This testing did not discover any vulnerabilities in the TOE.
Page 16 of 21
9 Results of the Evaluation
The evaluation was conducted based upon the assurance activities specified in the following documents, in
conjunction with Version 3.1, Revision 5 of the CC and CEM:
• Evaluation Activities for Network Device cPP, Version 2.2, December 2019 [6]
A verdict for an assurance component is determined by the resulting verdicts assigned to the corresponding
evaluator action elements. The evaluation team assigned a Pass, Fail, or Inconclusive verdict to each work
unit of each assurance component. For Fail or Inconclusive work unit verdicts, the evaluation team advised
the developer of issues requiring resolution or clarification within the evaluation evidence. In this way, the
evaluation team assigned an overall Pass verdict to the assurance component only when all of the work
units for that component had been assigned a Pass verdict.
The validation team’s assessment of the evidence provided by the evaluation team is that it demonstrates
that the evaluation team performed the assurance activities in the claimed PPs, and correctly verified that
the product meets the claims in the ST.
The details of the evaluation are recorded in the Evaluation Technical Report (ETR), which is controlled
by the Leidos CCTL. The security assurance requirements are listed in the following table.
Table 2: TOE Security Assurance Requirements
Assurance Component ID Assurance Component Name
ADV_FSP.1 Basic functional specification
AGD_OPE.1 Operational user guidance
AGD_PRE.1 Preparative procedures
ALC_CMC.1 Labeling of the TOE
ALC_CMS.1 TOE CM coverage
ATE_IND.1 Independent testing – conformance
AVA_VAN.1 Vulnerability survey
Page 17 of 21
10 Validator Comments/Recommendations
The validation team notes that the evaluated configuration is dependent upon the TOE being configured
per the evaluated configuration instructions in the Palo Alto Networks Common Criteria Evaluated
Configuration Guide (CCECG) for Panorama 10.1, July 22, 2022. No versions of the TOE and software,
either earlier or later were evaluated.
Please note that the functionality evaluated is scoped exclusively to the security functional requirements
specified in the Security Target. Other functionality included in the product was not assessed as part of
this evaluation. All other functionality provided by devices in the operational environment, need to be
assessed separately and no further conclusions can be drawn about their effectiveness.
Page 18 of 21
11 Annexes
Not applicable
Page 19 of 21
12 Security Target
The ST for this product’s evaluation is Palo Alto Networks Panorama 10.1 Security Target, Version 1.0,
June 27, 2022 [7].
Page 20 of 21
13 Abbreviations and Acronyms
This section identifies abbreviations and acronyms used in this document.
AAR Assurance Activities Report
CC Common Criteria for Information Technology Security Evaluation
CCEVS Common Criteria Evaluation and Validation Scheme
CCTL Common Criteria Testing Laboratory
CEM Common Evaluation Methodology for Information Technology Security
CM Configuration Management
ETR Evaluation Technical Report
IT Information Technology
NIAP National Information Assurance Partnership
NIST National Institute of Standards and Technology
NSA National Security Agency
NVLAP National Voluntary Laboratory Assessment Program
PCL Product Compliant List
PP Protection Profile
ST Security Target
TLS Transport Layer Security
TOE Target of Evaluation
TSF TOE Security Function
VR Validation Report
Page 21 of 21
14 Bibliography
The Validation Team used the following documents to produce this Validation Report:
[1] Common Criteria for Information Technology Security Evaluation Part 1: Introduction, Version
3.1, Revision 5, April 2017.
[2] Common Criteria for Information Technology Security Evaluation Part 2: Security Functional
Requirements, Version 3.1, Revision 5, April 2017
[3] Common Criteria for Information Technology Security Evaluation Part 3: Security Assurance
Components, Version 3.1, Revision 5, April 2017
[4] Common Methodology for Information Technology Security Evaluation, Evaluation
Methodology, Version 3.1, Revision 5, April 2017
[5] collaborative Protection Profile for Network Devices, Version 2.2e, 23 March 2020
[6] Evaluation Activities for Network Device cPP, Version 2.2, December 2019
[7] Palo Alto Networks Panorama 10.1 Security Target, Version 1.0, June 27, 2022
[8] Panorama Administrator’s Guide Version 10.1, February 22, 2022
[9] VM-Series Deployment Guide, Version 10.1, December 17, 2021
[10] Palo Alto Networks Common Criteria Evaluated Configuration Guide (CCECG) for Panorama
10.1, July 22, 2022
[11] Palo Alto Panorama Common Criteria Test Report and Procedures for Network Device
collaborative PP Version 2.2e, document Version 1.1, July 27, 2022
[12] Assurance Activities Report for Palo Alto Networks Panorama 10.1, Version 1.1, July 27, 2022
[13] PAN-OS and Panorama API Usage Guide, Version 10.1, March 15, 2022