Panorama 10.2 M-200, M-300, M-600 and M-700

Certificate #4777

Webpage information ?

Status active
Validation dates 23.08.2024
Sunset date 22-08-2026
Standard FIPS 140-3
Security level 2
Type Hardware
Embodiment Multi-Chip Stand Alone
Caveat Interim Validation. When operated in approved mode and when installed, initialized and configured as specified in Section 11 of the Security Policy. The tamper evident seals and physical kit installed as indicated in the Security Policy
Exceptions
  • Roles, services, and authentication: Level 3
  • Operational environment: N/A
  • Non-invasive security: N/A
  • Life-cycle assurance: Level 3
  • Mitigation of other attacks: N/A
  • Documentation requirements: N/A
  • Cryptographic module security policy: N/A
Description Panorama M-Series management appliances provide centralized management and visibility of Palo Alto Networks next generation firewalls. From a central location, you can gain insight into applications, users, and content traversing the firewalls. The knowledge of what is on the network, in conjunction with safe application enablement policies, maximizes protection and control while minimizing administrative effort. Your security team can centrally perform analysis, reporting, and forensics with the aggregated data over time, or on data stored on the local firewall.
Version (Hardware) 910-000175 with FIPS Kit 920-000209, 910-000176 with FIPS Kit 920-000208, 910-000270 with FIPS Kit 920-000318, 910-000271 with FIPS Kit 920-000319
Version (Firmware) 10.2.3-h1
Vendor Palo Alto Networks, Inc.
References

This certificate's webpage directly references 0 certificates, transitively this expands into 0 certificates.

Security policy ?

Symmetric Algorithms
AES, CAST, DES, HMAC, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512, CMAC
Asymmetric Algorithms
RSA 2048, RSA 3072, RSA 4096, ECDH, ECDSA, DH, Diffie-Hellman
Hash functions
SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA2
Schemes
Key Exchange
Protocols
SSH, TLS, TLS1.2, TLS v1.2, TLSv1.2, TLS 1.2, IKEv2
Randomness
DRBG, RNG
Elliptic Curves
P-256, P-384, P-521
Block cipher modes
ECB, CBC, CTR, GCM, CCM
TLS cipher suites
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Security level
level 2, Level 2, Level 1
Certification process
out of scope, in Section 11 will result in the module operating in a non-compliant state, which is considered out of scope of this validation. Zeroization The following procedure will zeroize the module and must be

Standards
FIPS 140-3, FIPS 186-4, FIPS 198-1, FIPS 180-4, FIPS 186-2, SP 800-90B, SP 800-38A, SP 800-38D, SP 800-38F, SP 800-52, SP 800-63B, SP 800-140F, SP 800-56A, PKCS#1, RFC 3526, RFC 5288, RFC 5246, ISO/IEC 24759

File metadata

Title Panorama HW 10.2 Security Policy-Interim-24.08.01.docx
Pages 46
Producer Skia/PDF m128 Google Docs Renderer

Heuristics ?

No heuristics are available for this certificate.

References ?

No references are available for this certificate.

Updates ?

  • 09.09.2024 The certificate was first processed.
    New certificate

    A new FIPS 140 certificate with the product name was processed.

Raw data

{
  "_type": "sec_certs.sample.fips.FIPSCertificate",
  "cert_id": 4777,
  "dgst": "0f9305fb9daaca6e",
  "heuristics": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.Heuristics",
    "algorithms": {
      "_type": "Set",
      "elements": [
        "ECDSA SigVer (FIPS186-4)A2906",
        "ECDSA SigGen (FIPS186-4)A2906",
        "Conditioning Component AES-CBC-MAC SP800-90BA2518",
        "AES-GCMA2906",
        "HMAC-SHA2-256A2906",
        "SHA2-512A2906",
        "HMAC-SHA2-512A2906",
        "AES-CTRA2906",
        "Counter DRBGA2906",
        "HMAC-SHA2-384A2906",
        "RSA SigVer (FIPS186-4)A2906",
        "HMAC-SHA-1A2906",
        "KDF SNMPA2906",
        "Safe Primes Key GenerationA2906",
        "Safe Primes Key VerificationA2906",
        "SHA2-256A2906",
        "RSA SigGen (FIPS186-4)A2906",
        "SHA-1A2906",
        "ECDSA KeyVer (FIPS186-4)A2906",
        "KAS-ECC-SSC Sp800-56Ar3A2906",
        "ECDSA KeyGen (FIPS186-4)A2906",
        "RSA KeyGen (FIPS186-4)A2906",
        "KDF TLSA2906",
        "AES-CBCA2906",
        "KAS-FFC-SSC Sp800-56Ar3A2906",
        "HMAC-SHA2-224A2906",
        "KDF SSHA2906",
        "SHA2-224A2906",
        "SHA2-384A2906",
        "AES-CFB128A2906"
      ]
    },
    "cpe_matches": null,
    "direct_transitive_cves": null,
    "extracted_versions": {
      "_type": "Set",
      "elements": [
        "10.2",
        "10.2.3"
      ]
    },
    "indirect_transitive_cves": null,
    "module_processed_references": {
      "_type": "sec_certs.sample.certificate.References",
      "directly_referenced_by": null,
      "directly_referencing": null,
      "indirectly_referenced_by": null,
      "indirectly_referencing": null
    },
    "module_prunned_references": {
      "_type": "Set",
      "elements": []
    },
    "policy_processed_references": {
      "_type": "sec_certs.sample.certificate.References",
      "directly_referenced_by": null,
      "directly_referencing": null,
      "indirectly_referenced_by": null,
      "indirectly_referencing": null
    },
    "policy_prunned_references": {
      "_type": "Set",
      "elements": []
    },
    "related_cves": null,
    "verified_cpe_matches": null
  },
  "pdf_data": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.PdfData",
    "keywords": {
      "asymmetric_crypto": {
        "ECC": {
          "ECDH": {
            "ECDH": 1
          },
          "ECDSA": {
            "ECDSA": 57
          }
        },
        "FF": {
          "DH": {
            "DH": 1,
            "Diffie-Hellman": 2
          }
        },
        "RSA": {
          "RSA 2048": 10,
          "RSA 3072": 2,
          "RSA 4096": 2
        }
      },
      "certification_process": {
        "OutOfScope": {
          "in Section 11 will result in the module operating in a non-compliant state, which is considered out of scope of this validation. Zeroization The following procedure will zeroize the module and must be": 1,
          "out of scope": 1
        }
      },
      "cipher_mode": {
        "CBC": {
          "CBC": 3
        },
        "CCM": {
          "CCM": 2
        },
        "CTR": {
          "CTR": 4
        },
        "ECB": {
          "ECB": 2
        },
        "GCM": {
          "GCM": 11
        }
      },
      "cplc_data": {},
      "crypto_engine": {},
      "crypto_library": {},
      "crypto_protocol": {
        "IKE": {
          "IKEv2": 1
        },
        "SSH": {
          "SSH": 65
        },
        "TLS": {
          "TLS": {
            "TLS": 84,
            "TLS 1.2": 1,
            "TLS v1.2": 1,
            "TLS1.2": 1,
            "TLSv1.2": 1
          }
        }
      },
      "crypto_scheme": {
        "KEX": {
          "Key Exchange": 6
        }
      },
      "device_model": {},
      "ecc_curve": {
        "NIST": {
          "P-256": 40,
          "P-384": 30,
          "P-521": 30
        }
      },
      "eval_facility": {},
      "fips_cert_id": {
        "Cert": {
          "#11": 2,
          "#12": 2,
          "#13": 2,
          "#14": 2,
          "#15": 2,
          "#18": 2,
          "#19": 2
        }
      },
      "fips_certlike": {
        "Certlike": {
          "# A2906": 3,
          "AES (128": 1,
          "AES 256": 3,
          "HMAC-SHA-1": 24,
          "HMAC-SHA-256": 10,
          "HMAC-SHA-384": 2,
          "HMAC-SHA-512": 2,
          "PKCS#1": 4,
          "RSA 2048": 10,
          "RSA 3072": 2,
          "RSA 4096": 2,
          "SHA-1": 5,
          "SHA-256": 9,
          "SHA-384": 2,
          "SHA-512": 3,
          "SHA2": 4,
          "SHA2-224": 3,
          "SHA2-256": 7,
          "SHA2-384": 4,
          "SHA2-512": 4
        }
      },
      "fips_security_level": {
        "Level": {
          "Level 1": 1,
          "Level 2": 3,
          "level 2": 1
        }
      },
      "hash_function": {
        "SHA": {
          "SHA1": {
            "SHA-1": 5
          },
          "SHA2": {
            "SHA-224": 1,
            "SHA-256": 10,
            "SHA-384": 3,
            "SHA-512": 4,
            "SHA2": 4
          }
        }
      },
      "ic_data_group": {},
      "javacard_api_const": {},
      "javacard_packages": {},
      "javacard_version": {},
      "os_name": {},
      "pq_crypto": {},
      "randomness": {
        "PRNG": {
          "DRBG": 50
        },
        "RNG": {
          "RNG": 1
        }
      },
      "side_channel_analysis": {},
      "standard_id": {
        "FIPS": {
          "FIPS 140-3": 10,
          "FIPS 180-4": 5,
          "FIPS 186-2": 1,
          "FIPS 186-4": 60,
          "FIPS 198-1": 6
        },
        "ISO": {
          "ISO/IEC 24759": 2
        },
        "NIST": {
          "SP 800-140F": 1,
          "SP 800-38A": 4,
          "SP 800-38D": 2,
          "SP 800-38F": 4,
          "SP 800-52": 1,
          "SP 800-56A": 10,
          "SP 800-63B": 1,
          "SP 800-90B": 10
        },
        "PKCS": {
          "PKCS#1": 2
        },
        "RFC": {
          "RFC 3526": 2,
          "RFC 5246": 1,
          "RFC 5288": 2
        }
      },
      "symmetric_crypto": {
        "AES_competition": {
          "AES": {
            "AES": 15
          },
          "CAST": {
            "CAST": 2
          }
        },
        "DES": {
          "DES": {
            "DES": 1
          }
        },
        "constructions": {
          "MAC": {
            "CMAC": 1,
            "HMAC": 18,
            "HMAC-SHA-256": 5,
            "HMAC-SHA-384": 1,
            "HMAC-SHA-512": 1
          }
        }
      },
      "tee_name": {},
      "tls_cipher_suite": {
        "TLS": {
          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": 1,
          "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": 1,
          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 1,
          "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": 1
        }
      },
      "vendor": {},
      "vulnerability": {}
    },
    "policy_metadata": {
      "/Producer": "Skia/PDF m128 Google Docs Renderer",
      "/Title": "Panorama HW 10.2 Security Policy-Interim-24.08.01.docx",
      "pdf_file_size_bytes": 4500798,
      "pdf_hyperlinks": {
        "_type": "Set",
        "elements": [
          "http://www.paloaltonetworks.com",
          "https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin.html"
        ]
      },
      "pdf_is_encrypted": false,
      "pdf_number_of_pages": 46
    }
  },
  "state": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.InternalState",
    "module_download_ok": true,
    "module_extract_ok": true,
    "policy_convert_garbage": false,
    "policy_convert_ok": true,
    "policy_download_ok": true,
    "policy_extract_ok": true,
    "policy_pdf_hash": "fd20dd919a8109140b09689629d045a79c23d68a8314614785cc81a3a3ae6a4e",
    "policy_txt_hash": "ea5ddbff73773ea337a2e488e09d6b0b4cce8dd379da20bcf54d5bc9759b4b69"
  },
  "web_data": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.WebData",
    "caveat": "Interim Validation. When operated in approved mode and when installed, initialized and configured as specified in Section 11 of the Security Policy. The tamper evident seals and physical kit installed as indicated in the Security Policy",
    "certificate_pdf_url": "https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/certificates/August 2024_010924_0336.pdf",
    "date_sunset": "2026-08-22",
    "description": "Panorama M-Series management appliances provide centralized management and visibility of Palo Alto Networks next generation firewalls. From a central location, you can gain insight into applications, users, and content traversing the firewalls. The knowledge of what is on the network, in conjunction with safe application enablement policies, maximizes protection and control while minimizing administrative effort. Your security team can centrally perform analysis, reporting, and forensics with the aggregated data over time, or on data stored on the local firewall.",
    "embodiment": "Multi-Chip Stand Alone",
    "exceptions": [
      "Roles, services, and authentication: Level 3",
      "Operational environment: N/A",
      "Non-invasive security: N/A",
      "Life-cycle assurance: Level 3",
      "Mitigation of other attacks: N/A",
      "Documentation requirements: N/A",
      "Cryptographic module security policy: N/A"
    ],
    "fw_versions": "10.2.3-h1",
    "historical_reason": null,
    "hw_versions": "910-000175 with FIPS Kit 920-000209, 910-000176 with FIPS Kit 920-000208, 910-000270 with FIPS Kit 920-000318, 910-000271 with FIPS Kit 920-000319",
    "level": 2,
    "mentioned_certs": {},
    "module_name": "Panorama 10.2 M-200, M-300, M-600 and M-700",
    "module_type": "Hardware",
    "revoked_link": null,
    "revoked_reason": null,
    "standard": "FIPS 140-3",
    "status": "active",
    "sw_versions": null,
    "tested_conf": null,
    "validation_history": [
      {
        "_type": "sec_certs.sample.fips.FIPSCertificate.ValidationHistoryEntry",
        "date": "2024-08-23",
        "lab": "LEIDOS CSTL",
        "validation_type": "Initial"
      }
    ],
    "vendor": "Palo Alto Networks, Inc.",
    "vendor_url": "http://www.paloaltonetworks.com"
  }
}