Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2024 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Revision Date: June 11, 2024
Document Version: 1.4

Palo Alto Networks SD-WAN Virtual Instant-On Network (vION)
Software Version: 6.1.2
FIPS 140-3 Non-Proprietary Security Policy
Documentation Version: 1.4
Last Update: June 11, 2024

© 2024 Palo Alto Networks, Inc. This document can be reproduced and distributed only whole and intact, including this copyright notice

Table of Contents

1. General
2. Cryptographic Module Specification
3. Cryptographic Module Interfaces
4. Roles, Services, and Authentication
5. Software/Firmware Security
6. Operational Environment
7. Physical Security
8. Non-Invasive Security
9. Sensitive Security Parameters
10. Self-Tests
11. Life-Cycle Assurance
12. Mitigation of Other Attacks

1. General

The table below provides the security levels of the various sections of FIPS 140-3 in relation to the Palo Alto Networks SD-WAN Virtual Instant-On Network (vION), hereinafter referred to as the Module or vION module.

The Palo Alto Networks SD-WAN Virtual Instant-On Network (vION) enables the integration of a diverse set of wide area network (WAN) connection types, improves application performance and visibility, enhances security and compliance, and reduces the overall cost and complexity of a WAN. Built with the intent to reduce remote infrastructure, Palo Alto Networks SD-WAN vION enables the cloud-delivered branch.

The vION module software version is 6.1.2.

| ISO/IEC 24759 Section 6. [Number Below] | FIPS 140-3 Section Title | Security Level |
|---|---|---|
| 1 | General | 1 |
| 2 | Cryptographic module specification | 1 |
| 3 | Cryptographic module interfaces | 1 |
| 4 | Roles, services, and authentication | 1 |
| 5 | Software/Firmware security | 1 |
| 6 | Operational environment | 1 |
| 7 | Physical security | N/A |
| 8 | Non-invasive security | N/A |
| 9 | Sensitive security parameter management | 1 |
| 10 | Self-tests | 1 |
| 11 | Life-cycle assurance | 1 |
| 12 | Mitigation of other attacks | N/A |

Table 1 - Security Levels

The module is designed to meet an overall security level 1.

2. Cryptographic Module Specification

The module is a multi-chip standalone software module running on a general-purpose computing platform. FIPS 140-3 conformance testing was performed at Security Level 1 with the configurations noted in the table 2 below.

| # | Operating System | Hardware Platform | Processor | PAA/Acceleration |
|---|---|---|---|---|
| 1 | KVM on Ubuntu 20.04 | Supermicro SYS-2049-TR | Intel Xeon Gold 6230 | with PAA |
| 2 | KVM on Ubuntu 20.04 | Supermicro SYS-2049-TR | Intel Xeon Gold 6230 | without PAA |

Table 2 - Tested Operational Environments

| # | Operating System | Hardware Platform |
|---|---|---|
| 1 | AWS | Dependent on Provider |
| 2 | Azure | Dependent on Provider |
| 3 | Google Cloud | Dependent on Provider |
| 4 | OCI using KVM | Dependent on Provider |
| 5 | VMware ESXi | Dependent on Provider/GPC |
| 6 | ION 7108V | GPC |
| 7 | ION 3108V | GPC |

Table 3 - Vendor Affirmed Operational Environments

Note: The vION comes in either ION 3108V or ION 7108V, which is the same functionality just with differences such as throughput.

The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated keys when ported to an operational environment which is not listed on the validation certificate.
Modes of Operation

The module has one approved mode of operation and is always in approved mode of operation after initial operations are performed (See Section 11). The module does not claim implementation of a degraded mode of operation. Section 4 provides details on the service indicator implemented by the module.

The tables below list all Approved or Vendor-affirmed security functions of the module, including specific key size(s) (in bits unless noted otherwise) employed for Approved services, and implemented modes of operation. There are some algorithm modes that were tested but not implemented by the module. Only the algorithms, modes, and key sizes that are implemented by the module are shown in these tables.

| CAVP Cert | Algorithm and Standard | Mode/Method | Description/Key Size(s) / Key Strength(s) | Use / Function |
|---|---|---|---|---|
| A3566 | AES: FIPS 197; SP 800-38D | ECB | 128, 192, and 256 bits | Data Encryption/Decryption |
| A3566 | AES: FIPS 197; SP 800-38A | CBC | 128, 192, and 256 bits | Data Encryption/Decryption |
| A3566 | AES: FIPS 197; SP 800-38A | CTR | 128, 192, and 256 bits | Data Encryption/Decryption |
| A3566 | AES: FIPS 197; SP 800-38D | GCM | 128, 192, and 256 bits | Data Encryption/Decryption |
| A3566 | KDF SSH: SP 800-135rev1 (CVL) | KDF SSH | N/A | SP800-135rev1 compliant Key Derivation |
| A3566 | KDF TLS: SP 800-135rev1 (CVL) | KDF TLS | N/A | SP800-135rev1 compliant Key Derivation |
| A3566 | KDF IKEv2: SP 800-135rev1 (CVL) | KDF IKEv2 | N/A | SP800-135rev1 compliant Key Derivation |
| A3566 | KDF SNMP: SP 800-135rev1 (CVL) | KDF SNMP | N/A | SP800-135rev1 compliant Key Derivation |
| A3566 | DRBG: SP 800-90Arev1 | CTR_DRBG (AES-256 bits); Derivation Function Enabled: Yes | N/A | Deterministic Random Bit Generation |
| A3566 | KAS-SSC: SP 800-56Arev3 | KAS-ECC-SSC Ephemeral Unified | Curves: P-256, P-384, P-521; key establishment methodology provides between 128 and 256 bits of encryption strength | KAS-ECC Shared Secret Computation |
| A3566 | KAS: SP 800-56Arev3 | KAS (ECC) Scheme: ephemeralUnified: KAS Role: initiator, responder | KAS (ECC): Curves: P-256, P-384, P-521; Key establishment methodology provides between 128 and 256 bits of encryption strength | Key Agreement Scheme per SP800-56Arev3 with key derivation function (SP800-135rev1). Note: The module’s KAS (ECC) implementation is FIPS140-3 IG D.F Scenario X1 (path 2) compliant |
| A3566 | ECDSA: FIPS 186-4 | ECDSA KeyGen | Curves: P-224, P-256, P-384, P-521 | ECDSA Key Generation |
| A3566 | ECDSA: FIPS 186-4 | ECDSA SigGen | Curves: P-224, P-256, P-384, P-521 | ECDSA Digital Signature Generation |
| A3566 | ECDSA: FIPS 186-4 | ECDSA SigVer | Curves: P-224, P-256, P-384, P-521 | ECDSA Digital Signature Verification |
| A3566 | HMAC: FIPS 198-1 | HMAC-SHA-1 | At least 160 bits | Message Authentication |
| A3566 | HMAC: FIPS 198-1 | HMAC-SHA2-224 | At least 160 bits | Message Authentication |
| A3566 | HMAC: FIPS 198-1 | HMAC-SHA2-256 | At least 160 bits | Message Authentication |
| A3566 | HMAC: FIPS 198-1 | HMAC-SHA2-384 | At least 160 bits | Message Authentication |
| A3566 | HMAC: FIPS 198-1 | HMAC-SHA2-512 | At least 160 bits | Message Authentication |
| A3566 | KTS: SP800-38F | KTS (AES Cert. #A3566) | 128, 192, and 256 bits; Key establishment methodology provides between 128 and 256 bits of encryption strength | Key Transport using AES-GCM |
| A3566 | KTS: SP800-38F | KTS (AES Cert. #A3566 and HMAC Cert. #A3566) | 128, 192, and 256 bits; Key establishment methodology provides between 128 and 256 bits of encryption strength | Key Transport using AES and HMAC |
| A3566 | RSA: FIPS 186-4 | RSA KeyGen (PKCS#1 v1.5) | Modulus: 2048 and 3072 bits | RSA Key Generation |
| A3566 | RSA: FIPS 186-4 | RSA SigGen (PKCS#1 v1.5) | Modulus: 2048 and 3072 bits | RSA Digital Signature Generation |
| A3566 | RSA: FIPS 186-4 | RSA SigVer (PKCS#1 v1.5) | Modulus: 2048 and 3072 bits | RSA Digital Signature Verification |
| A3566 | SHS: FIPS 180-4 | SHA-1 | N/A | Hashing. Note: SHA-1 is not used for digital signature generation |
| A3566 | SHS: FIPS 180-4 | SHA2-224 | N/A | Hashing |
| A3566 | SHS: FIPS 180-4 | SHA2-256 | N/A | Hashing |
| A3566 | SHS: FIPS 180-4 | SHA2-384 | N/A | Hashing |
| A3566 | SHS: FIPS 180-4 | SHA2-512 | N/A | Hashing |
| Vendor Affirmed | CKG (SP 800-133rev2) | Section 5 | Cryptographic Key Generation; SP 800-133rev2 and IG D.H. | Key Generation. Note: The cryptographic module performs Cryptographic Key Generation (CKG) for asymmetric keys as per section 5 in SP800-133rev2 (vendor affirmed). A seed (i.e., the random value) used in asymmetric key generation is a direct output from SP800-90Arev1 DRBG (DRBG Cert. #A3566) |

Table 4 - Approved Algorithms (Crypto Library - I)

| CAVP Cert | Algorithm and Standard | Mode/Method | Description/Key Size(s) / Key Strength(s) | Use / Function |
|---|---|---|---|---|
| A3572 | AES: FIPS 197; SP 800-38A | CBC | 128 or 256 bits | Data Encryption/Decryption |
| A3572 | AES: FIPS 197; SP 800-38D | GCM | 128 or 256 bits | Data Encryption/Decryption |
| A3572 | KDF TLS: SP 800-135rev1 (CVL) | KDF TLS | N/A | SP800-135rev1 compliant Key Derivation |
| A3572 | DRBG: SP 800-90Arev1 | DRBG with HMAC-SHA2-512 | N/A | Deterministic Random Bit Generation |
| A3572 | KAS-SSC: SP 800-56Arev3 | KAS-ECC-SSC Ephemeral Unified | KAS-ECC-SSC with P-256, P-384, P-521; Key establishment methodology provides between 128 and 256 bits of encryption strength | KAS-ECC Shared Secret Computation |
| A3572 | KAS: SP 800-56Arev3 | KAS (ECC) Scheme: ephemeralUnified: KAS Role: initiator, responder | KAS (ECC): Curves: P-256, P-384, P-521; Key establishment methodology provides between 128 and 256 bits of encryption strength | Key Agreement Scheme per SP800-56Arev3 with key derivation function (SP800-135rev1). Note: The module’s KAS (ECC) implementation is FIPS140-3 IG D.F Scenario X1 (path 2) compliant |
| A3572 | ECDSA: FIPS 186-4 | ECDSA KeyGen | Curves: P-224, P-256, P-384, P-521 | ECDSA Key Generation |
| A3572 | HMAC: FIPS 198-1 | HMAC-SHA2-256 | At least 160 bits | Message Authentication |
| A3572 | HMAC: FIPS 198-1 | HMAC-SHA2-384 | At least 160 bits | Message Authentication |
| A3572 | HMAC: FIPS 198-1 | HMAC-SHA2-512 | At least 160 bits | Message Authentication |
| A3572 | KTS: SP800-38F | KTS (AES Cert. #A3572) | 128 or 256 bits | Key Transport using AES-GCM; Key establishment methodology provides 128 or 256 bits of encryption strength |
| A3572 | KTS: SP800-38F | KTS (AES Cert. #A3572 and HMAC Cert. #A3572) | 128 or 256 bits; Key establishment methodology provides 128 or 256 bits of encryption strength | Key Transport using AES and HMAC |
| A3572 | RSA: FIPS 186-4 | RSA SigVer (PKCS#1 v1.5) | Modulus: 2048 bits | Digital Signature Verification |
| A3572 | SHS: FIPS 180-4 | SHA2-224 | N/A | Hashing |
| A3572 | SHS: FIPS 180-4 | SHA2-256 | N/A | Hashing |
| A3572 | SHS: FIPS 180-4 | SHA2-384 | N/A | Hashing |
| A3572 | SHS: FIPS 180-4 | SHA2-512 | N/A | Hashing |
| Vendor Affirmed | CKG (SP 800-133rev2) | Section 5.1, Section 5.2 | Cryptographic Key Generation; SP 800-133rev2 and IG D.H. | Key Generation. Note: The cryptographic module performs Cryptographic Key Generation (CKG) for asymmetric keys as per section 5 in SP800-133rev2 (vendor affirmed). A seed (i.e., the random value) used in asymmetric key generation is a direct output from SP800-90Arev1 DRBG (DRBG Cert. #A3572) |

Table 5 - Approved Algorithms (Crypto Library – II)

Notes:

● The module’s AES-GCM implementation conforms to FIPS 140-3 IG C.H scenario #1 following RFC 5288 for TLS. The module is compatible with TLSv1.2 and provides support for the acceptable GCM cipher suites from SP 800-52 Rev1, Section 3.3.1. The operations of one of the two parties involved in the TLS key establishment scheme were performed entirely within the cryptographic boundary of the module being validated. The counter portion of the IV is set by the module within its cryptographic boundary. When the IV exhausts the maximum number of possible values for a given session key, the first party, client or server, to encounter this condition will trigger a handshake to establish a new encryption key.
  In case the module’s power is lost and then restored, a new key for use with the AES GCM encryption/decryption shall be established.

● No parts of the SSH, TLS, SNMP and IPSec/IKE protocols, other than the KDFs, have been tested by the CAVP and CMVP.

As the module can only be operated in the Approved mode of operation with Approved algorithms noted in Tables 4 - 5 above, the following options defined in SP 800-140B are not applicable to this document:

● Non-Approved Algorithms Allowed in Approved Mode of Operation
● Non-Approved Algorithms Allowed in Approved Mode of Operation with No Security Claimed
● Non-Approved Algorithms Not Allowed in Approved Mode of Operation

| Vendor Name | Certificate Number |
|---|---|
| Palo Alto Networks | E69 |

Table 6 - Entropy Certificates

Cryptographic Boundary

Figure 1 below depicts the cryptographic boundary (orange color area) and physical perimeter (light blue color area). The cryptographic boundary includes all of the software components of the cryptographic libraries. The physical perimeter is the Tested Operational Environment’s Physical Perimeter (TOEPP) on which the module runs.

Figure 1 - Block Diagram

3. Cryptographic Module Interfaces

The module is a software only module that operates on a general purpose computing (GPC) platform. The physical ports and logical interfaces are consistent with a GPC operating environment. The module supports the following FIPS 140-3 logical interfaces.

| Physical Port | Logical Interface | Data that passes over port/interface |
|---|---|---|
| N/A | Data Input Interface | API input parameters for data |
| N/A | Data Output Interface | API output parameters for data |
| N/A | Control Input Interface | API function calls |
| N/A | Control Output Interface | N/A |
| N/A | Status Output Interface | Return values, and or log messages |

Table 7 - Ports and Interfaces

4. Roles, Services, and Authentication

The module supports role-based authentication, and provides a Crypto Officer role. The Crypto Officer role has the ability to perform all tasks and administrative actions.

| Role | Service | Input | Output |
|---|---|---|---|
| Crypto Officer | Self-Test | Command to trigger Self-Test | Status of the self-tests results |
| Crypto Officer | Zeroize | Command to initiate the SSPs zeroization | Status of the SSPs zeroization |
| Crypto Officer | Show Version | Command to show version | Module’s name/ID and versions |
| Crypto Officer | Show Status | Command to show status | Module’s status information |
| Crypto Officer | Software Update | Command to upload a new validated software | Status of the updated software installation |
| Crypto Officer | Configure Network | Commands to configure the module | Status of the completion of network related configuration |
| Crypto Officer | Configure SSHv2 Function | Commands to configure SSHv2 | Status of the completion of SSHv2 configuration |
| Crypto Officer | Configure TLSv1.2 Function | Commands to configure TLSv1.2 | Status of the completion of TLSv1.2 configuration |
| Crypto Officer | Configure SNMPv3 Function | Commands to configure SNMPv3 | Status of the completion of SNMPv3 configuration |
| Crypto Officer | Configure IPsec/IKEv2 Function | Commands to configure IPSec/IKEv2 | Status of the completion of IPSec/IKEv2 configuration |
| Crypto Officer | Run SSHv2 Function | Initiate SSHv2 tunnel establishment request | Status of SSHv2 tunnel establishment |
| Crypto Officer | Run TLSv1.2 Function | Initiate TLSv1.2 tunnel establishment request | Status of TLSv1.2 tunnel establishment |
| Crypto Officer | Run SNMPv3 Function | Initiate SNMPv3 tunnel establishment request | Status of SNMPv3 tunnel establishment |
| Crypto Officer | Run IPSec/IKEv2 Function | Initiate of IPSec/IKEv2 tunnel establishment | Status of IPSec/IKEv2 tunnel establishment |

Table 8 – Roles, Services Commands, Input and Output

| Service | Description | Approved Security Functions | Keys and/or SSPs | Roles | Access rights to Keys and / or SSPs | Indicator |
|---|---|---|---|---|---|---|
| Self-Test | Initiate and run the pre-operational self-tests | HMAC-SHA2-256 | Software Integrity Test Key (Non-SSP) | Crypto Officer | N/A | None |
| Zeroize | Zeroize all unprotected SSPs stored in the module | N/A | All | Crypto Officer | Z | None |
| Show Version | Provides the module’s name/ID and versions | N/A | N/A | Crypto Officer | N/A | None |
| Show Status | Provides the module’s current status and information | N/A | N/A | Crypto Officer | N/A | None |
| Software Update | The module’s software is updated to a new version | RSA Signature Verification | Software Load Test Key (PSP) | Crypto Officer | E | Software update completion message |
| Configure Network | Perform the Module’s Network Configuration | RSA Signature Verification | TLS RSA Public Key | Crypto Officer | G/R/W/E | Global indicator and Configuration logs |
| Configure SSHv2 Function | Create a secure SSHv2 channel | AES-CTR; CKG; CTR_DRBG; ECDSA KeyGen; ECDSA SigGen; ECDSA SigVer; HMAC-SHA-1; HMAC-SHA2-256; HMAC-SHA2-512; KAS-SSC (ECC); KAS (ECC); KDF SSH | DRBG Entropy Input (CSP); DRBG Seed (CSP); DRBG Internal State V Value (CSP); DRBG Key (CSP); SSH ECDHE Private Key (CSP); SSH ECDHE Public Key (PSP); Peer SSH ECDHE Public Key (PSP); SSH ECDHE Shared Secret (CSP); SSH ECDSA Private Key (CSP); SSH ECDSA Public Key (PSP); SSH Session Encryption Key (CSP); SSH Session Authentication Key (CSP) | Crypto Officer | G/R/W/E | Global indicator and SSH connection log message |
| Configure TLSv1.2 Function | Create a secure TLSv1.2 channel | AES-CBC; AES-GCM; CKG; CTR_DRBG; HMAC_DRBG; HMAC-SHA2-256; HMAC-SHA2-384; KAS-SSC (ECC); KAS (ECC); KTS; RSA KeyGen; RSA SigGen; RSA SigVer; KDF TLS | DRBG Entropy Input (CSP); DRBG Seed (CSP); DRBG Internal State V Value (CSP); DRBG Key (CSP); TLS RSA Private Key (CSP); TLS RSA Public Key (PSP); TLS ECDHE Private Key (CSP); TLS ECDHE Public Key (PSP); Peer TLS ECDHE Public Key (PSP); TLS ECDHE Shared Secret (CSP); TLS Pre-Master Secret (CSP); TLS Master Secret (CSP); TLS Session Encryption Key (CSP); TLS Session Authentication Key (CSP) | Crypto Officer | G/R/W/E | Global indicator and TLS success log message |
| Configure SNMPv3 Function | Create a secure SNMPv3 channel | AES-CBC; HMAC-SHA-1; KDF SNMP | SNMPv3 Authentication Secret (CSP); SNMPv3 Session Encryption Key (CSP); SNMPv3 Session Authentication Key (CSP) | Crypto Officer | G/R/W/E | Global indicator and SNMPv3 success log message |
| Configure IPsec/IKEv2 Function | Create IPSec/IKEv2 tunnel | AES-CBC; CKG; CTR_DRBG; HMAC-SHA-1; HMAC-SHA2-256; HMAC-SHA2-384; HMAC-SHA2-512; KAS-SSC (ECC); KAS (ECC); RSA KeyGen; RSA SigGen; RSA SigVer; KDF IKEV2 | DRBG Entropy Input (CSP); DRBG Seed (CSP); DRBG Internal State V Value (CSP); DRBG Key (CSP); IPSec/IKE Pre-Shared Secret (CSP); IPSec/IKE RSA Private Key (CSP); IPSec/IKE RSA Public Key (PSP); IPSec/IKE ECDHE Private Key (CSP); IPSec/IKE ECDHE Public Key (PSP); IPSec/IKE ECDHE Shared Secret (CSP); IPSec/IKE Session Encryption Key (CSP); IPSec/IKE Session Authentication Key (CSP) | Crypto Officer | G/R/W/E | Global indicator and IPSec success log message |
| Run SSHv2 Function | Negotiation and encrypted data transport via SSH | AES-CTR; CKG; CTR_DRBG; ECDSA KeyGen; ECDSA SigGen; ECDSA SigVer; HMAC-SHA-1; HMAC-SHA2-256; HMAC-SHA2-512; KAS-SSC (ECC); KAS (ECC); KDF SSH | DRBG Entropy Input (CSP); DRBG Seed (CSP); DRBG Internal State V Value (CSP); DRBG Key (CSP); SSH ECDHE Private Key (CSP); SSH ECDHE Public Key (PSP); Peer SSH ECDHE Public Key (PSP); SSH ECDHE Shared Secret (CSP); SSH ECDSA Private Key (CSP); SSH ECDSA Public Key (PSP); SSH Session Encryption Key (CSP); SSH Session Authentication Key (CSP) | Crypto Officer | G/R/W/E | Global indicator and SSH connection log message |
| Run TLSv1.2 Function | Negotiation and encrypted data transport via TLS | AES-CBC; AES-GCM; CKG; CTR_DRBG; HMAC_DRBG; HMAC-SHA2-256; HMAC-SHA2-384; KAS-SSC (ECC); KAS (ECC); KTS; RSA KeyGen; RSA SigGen; RSA SigVer; KDF TLS | DRBG Entropy Input (CSP); DRBG Seed (CSP); DRBG Internal State V Value (CSP); DRBG Key (CSP); TLS RSA Private Key (CSP); TLS RSA Public Key (PSP); TLS ECDHE Private Key (CSP); TLS ECDHE Public Key (PSP); Peer TLS ECDHE Public Key (PSP); TLS ECDHE Shared Secret (CSP); TLS Pre-Master Secret (CSP); TLS Master Secret (CSP); TLS Session Encryption Key (CSP); TLS Session Authentication Key (CSP) | Crypto Officer | G/R/W/E | Global indicator and TLS success log message |
| Run SNMPv3 Function | Negotiation and encrypted data transport via SNMPv3 | AES-CBC; HMAC-SHA-1; KDF SNMP | SNMPv3 Authentication Secret (CSP); SNMPv3 Session Encryption Key (CSP); SNMPv3 Session Authentication Key (CSP) | Crypto Officer | G/R/W/E | Global indicator and SNMPv3 success log message |
| Run IPSec/IKEv2 Function | Negotiation and encrypted data transport via IPSec | AES-CBC; CKG; CTR_DRBG; HMAC-SHA-1; HMAC-SHA2-256; HMAC-SHA2-384; HMAC-SHA2-512; KAS-SSC (ECC); KAS (ECC); RSA KeyGen; RSA SigGen; RSA SigVer; KDF IKEV2 | DRBG Entropy Input (CSP); DRBG Seed (CSP); DRBG Internal State V Value (CSP); DRBG Key (CSP); IPSec/IKE Pre-Shared Secret (CSP); IPSec/IKE RSA Private Key (CSP); IPSec/IKE RSA Public Key (PSP); IPSec/IKE ECDHE Private Key (CSP); IPSec/IKE ECDHE Public Key (PSP); IPSec/IKE ECDHE Shared Secret (CSP); IPSec/IKE Session Encryption Key (CSP); IPSec/IKE Session Authentication Key (CSP) | Crypto Officer | G/R/W/E | Global indicator and IPSec/IKEv2 success log message |

Table 9 – Approved Services

G = Generate: The module generates or derives the SSP.
R = Read: The SSP is read from the module (e.g. the SSP is output).
W = Write: The SSP is updated, imported, or written to the module.
E = Execute: The module uses the SSP in performing a cryptographic operation.
Z = Zeroise: The module zeroizes the SSP.

Unauthenticated Services

Unauthenticated Users can run the self-test service by power-cycling the module by removing the power and re-applying.

5. Software/Firmware Security

Integrity Techniques

The module performs the Software Integrity test by using HMAC-SHA2-256 (HMAC Cert. #A3566) during the Pre-Operational Self-Test. A Software Integrity Test Key (non-SSP) was preloaded to the module’s binary at the factory and used for software integrity test only at the pre-operational self-test. At Module’s initialization, the integrity of the runtime executable is verified using an HMAC-SHA2-256 digest which is compared to a value computed at build time. If at the load time the MAC does not match the stored, known MAC value, the module would enter an Error state with all crypto functionality inhibited.

The module also supports the software load test by using RSA 2048 bits with SHA2-256 (RSA Cert.
#A3566) for the new validated software to be uploaded into the module. A Software Load Test Key was preloaded to the module’s binary at the factory and used for software load test. In order to load new software, the Crypto Officer must authenticate into the module before loading any software. This ensures that unauthorized access and use of the module is not performed. The module will load the new update upon reboot. The update attempt will be rejected if the verification fails.

Integrity Test On-Demand

Integrity test is performed as part of the Pre-Operational Self-Tests. It is automatically executed at power-on. The operator can power-cycle or reboot the module to initiate the software integrity test on-demand. This automatically performs the integrity test of all software components included within the boundary of the module.

6. Operational Environment

The module is a modifiable operational environment as per FIPS 140-3 Level 1 specifications. The operating system is restricted to a single operator mode of operation. The application that makes calls to the module is the single user of the modules even when the application is serving multiple clients. See Table 2 for details regarding what platforms the module was tested on.

The software module provides a Software Update service. The module’s validation to FIPS 140-3 is no longer valid once a non-validated software is loaded.

7. Physical Security

As the module is a software only module, the physical security requirements are not applicable.

8. Non-Invasive Security

No approved non-invasive attack mitigation test metrics are defined at this time.

9. Sensitive Security Parameters

| Key/SSP Name/Type | Strength | Security Function and Cert. Number | Generation | Import/Export | Establishment | Storage | Zeroization | Use & Related Keys |
|---|---|---|---|---|---|---|---|---|
| DRBG Entropy Input (CSP) | 256 bits | N/A | Obtained from the Entropy Source within TOEPP (GPS INT Pathways) | Import to the module via Module’s API; Export: No | N/A | DRAM (plaintext). Note: The module does not provide persistent keys/SSPs storage | Zeroized when the tested platform is powered down | Used to seed the DRBG |
| DRBG Seed (CSP) | 256 bits | N/A | Internally Derived from entropy input string as defined by SP800-90Arev1 DRBG | Import: No; Export: No | N/A | DRAM (plaintext). Note: The module does not provide persistent keys/SSPs storage | Zeroized when the tested platform is powered down | Random number generation |
| DRBG Internal State V value (CSP) | 256 bits | N/A | Internally Derived from entropy input string as defined by SP800-90Arev1 DRBG | Import: No; Export: No | N/A | DRAM (plaintext). Note: The module does not provide persistent keys/SSPs storage | Zeroized when the tested platform is powered down | Random number generation |
| DRBG Key (CSP) | 256 bits | N/A | Internally Derived from entropy input string as defined by SP800-90Arev1 DRBG | Import: No; Export: No | N/A | DRAM (plaintext). Note: The module does not provide persistent keys/SSPs storage | Zeroized when the tested platform is powered down | Random number generation |
| Software Load Test Key (PSP) | 112 bits (Modulus: 2048 bits) | RSA Sig Ver Cert. #A3566 | Pre-loaded at the build time (in the module’s binary) | Import: No; Export: No | N/A | HDD (plaintext). Embedded in the module’s executable binary. Note: The module does not provide persistent keys/SSPs storage | N/A (Note: This key is only used for Software Load Test and not subject to the zeroization requirement) | Used for Software Load Test |
| TLS RSA Private Key (CSP) | 112-128 bits (Modulus: 2048, 3072 bits) | CKG; DRBG; RSA KeyGen; RSA SigGen; Certs. #A3566 and #A3572 | Internally generated conformant to SP800-133r2 (CKG) using FIPS 186-4 RSA key generation method, and the random value used in key generation is generated using SP800-90Arev1 DRBG | Import: No; Export: No | N/A | HDD (plaintext). Note: The module does not provide persistent keys/SSPs storage | Zeroized by SSP/CSP/PSP Zeroization Command | Used for TLS peer authentication |
| TLS RSA Public Key (PSP) | 112-128 bits (Modulus: 2048, 3072 bits) | RSA KeyGen; RSA SigVer; Certs. #A3566 and #A3572 | Internally derived per the FIPS 186-4 RSA key generation method | Import: No; Export: Yes, to the TLS peer | N/A | HDD (plaintext). Note: The module does not provide persistent keys/SSPs storage | Zeroized by SSP/CSP/PSP Zeroization Command | Used for TLS peer authentication |
| TLS ECDHE Private Key (CSP) | 128 – 256 bits (Curves: P-256, P-384, P-521) | CKG; DRBG; KAS-ECC-SSC; Certs. #A3566 and #A3572 | Internally generated conformant to SP800-133r2 (CKG) using SP800-56Arev3 EC Diffie-Hellman key generation method, and the random value used in key generation is generated using SP800-90Arev1 DRBG | Import: No; Export: No | N/A | DRAM (plaintext). Note: The module does not provide persistent keys/SSPs storage | Zeroized when the tested platform is powered down | Used to derive TLS ECDHE Shared Secret |
| TLS ECDHE Public Key (PSP) | 128 – 256 bits (Curves: P-256, P-384, P-521) | KAS-ECC-SSC; Certs. #A3566 and #A3572 | Internally derived internally per the EC Diffie-Hellman key agreement (SP800-56Arev3) | Import: No; Export: Yes, to the TLS peer | N/A | DRAM (plaintext). Note: The module does not provide persistent keys/SSPs storage | Zeroized when the tested platform is powered down | Used to derive TLS ECDHE Shared Secret |
| Peer TLS ECDHE Public Key (PSP) | Curves: P-256, P-384, P-521 | N/A | N/A | Import: Enter into the Module via Module’s API; Export: No | N/A | DRAM (plaintext). Note: The module does not provide persistent keys/SSPs storage | Zeroized when the tested platform is powered down | Used to derive TLS ECDHE Shared Secret |
| TLS ECDHE Shared Secret (CSP) | 128 – 256 bits (Curves: P-256, P-384, P-521) | KAS-ECC-SSC; KAS (ECC); Certs. #A3566 and #A3572 | Internally derived using SP800-56A rev3 EC Diffie-Hellman shared secret computation | Import: No; Export: No | N/A | DRAM (plaintext). Note: The module does not provide persistent keys/SSPs storage | Zeroized when the tested platform is powered down | Used to derive TLS Session Encryption Keys, TLS Session Authentication Keys |
| TLS Pre-Master Secret (CSP) | 384 bits | N/A | Internally derived via key derivation function defined in SP800-135rev1 KDF (TLSv1.2) | Import: No; Export: No | N/A | DRAM (plaintext). Note: The module does not provide persistent keys/SSPs storage | Zeroized when the tested platform is powered down | Used to derive TLS Master Secret |
| TLS Master Secret (CSP) | 384 bits | N/A | Internally derived via key derivation function defined in SP800-135rev1 KDF (TLSv1.2) | Import: No; Export: No | N/A | DRAM (plaintext). Note: The module does not provide persistent keys/SSPs storage | Zeroized when the tested platform is powered down | Used to derive TLS Encryption Keys, TLS Authentication Keys. |
| TLS Session Encryption Key (CSP) | 128 or 256 bits | AES-CBC; AES-GCM; KDF TLS KTS; Certs. #A3566 and #A3572 | Internally derived via key derivation function defined in SP 800-135rev1 KDF (TLSv1.2) | Import: No; Export: No | N/A | DRAM (plaintext). Note: The module does not provide persistent keys/SSPs storage | Zeroized when the tested platform is powered down | Used to secure TLS session confidentiality |
| TLS Session Authentication Key (CSP) | At least 112 bits | HMAC-SHA2-256; HMAC-SHA2-384; KDF TLS KTS; Certs. #A3566 and #A3572 | Internally derived via key derivation function defined in SP800-135 rev1 KDF TLS | Import: No; Export: No | N/A | DRAM (plaintext). Note: The module does not provide persistent keys/SSPs storage | Zeroized when the tested platform is powered down | Used to secure the TLS session integrity |
| IPSec/IKE Pre-Shared Secret (CSP) | 2048 bits characters | N/A | N/A | Import: Encrypted by using TLS/SSH session key; Export: No | MD/EE | HDD (plaintext). Note: The module does not provide persistent keys/SSPs storage | Zeroized by SSP/CSP/PSP Zeroization Command | Used for IPSec/IKE peer authentication |
| IPSec/IKE RSA Private Key (CSP) | 112 or 128 bits (Modulus: 2048, 3072 bits) | CKG; DRBG; RSA SigGen; Cert# A3566 | Internally generated conformant to SP800-133r2 (CKG) using FIPS 186-4 RSA key generation method, and the random value used in key generation is generated using SP800-90Arev1 DRBG | Import: No; Export: No | N/A | HDD (plaintext). Note: The module does not provide persistent keys/SSPs storage | Zeroized by SSP/CSP/PSP Zeroization Command | Used for IPSec/IKE peer authentication |
| IPSec/IKE RSA Public Key (PSP) | 112 or 128 bits (Modulus: 2048, 3072 bits) | RSA SigVer; Cert. #A3566 | Internally derived per the FIPS 186-4 RSA key generation method | Import: No; Export: to the IKE Peer application | N/A | HDD (plaintext). Note: The module does not provide persistent keys/SSPs storage | Zeroized by SSP/CSP/PSP Zeroization Command | Used for IPSec/IKE peer authentication |
| IPSec/IKE ECDHE Private Key (CSP) | 128 or 192 bits (Curves: P-256 or P-384) | CKG; DRBG; KAS-ECC-SSC; Cert. #A3566 | Internally generated conformant to SP800-133r2 (CKG) using SP800-56Arev3 EC Diffie-Hellman key generation method, and the random value used in key generation is generated using SP800-90Arev1 DRBG | Import: No; Export: No | N/A | DRAM (plaintext). Note: The module does not provide persistent keys/SSPs storage | Zeroized when the tested platform is powered down | Used to derive IPSec/IKE ECDHE Shared Secret |
| IPSec/IKE ECDHE Public Key (PSP) | 128 or 192 bits (Curves: P-256 or P-384) | KAS-ECC-SSC; Cert. #A3566 | Internally derived internally per the EC Diffie-Hellman key agreement (SP800-56Arev3) | Import: No; Export: to the IKE Peer application | N/A | DRAM (plaintext). Note: The module does not provide persistent keys/SSPs storage | Zeroized when the tested platform is powered down | Used to derive IPSec/IKE ECDHE Shared Secret |
| IPSec/IKE ECDHE Shared Secret (CSP) | 128 or 192 bits (Curves: P-256 or P-384) | KAS-ECC-SSC; Cert. #A3566 | Internally derived using SP800-56A rev3 EC Diffie-Hellman shared secret computation | Import: No; Export: No | N/A | DRAM (plaintext). Note: The module does not provide persistent keys/SSPs storage | Zeroized when the tested platform is powered down | Used to derive IPSec/IKE Session Encryption Keys, IPSec/IKE Authentication Keys |
| IPSec/IKE Session Encryption Key (CSP) | 128-256 bits | AES-CBC; KDF IKEv2; Cert. #A3566 | Internally derived via key derivation function defined in SP800-135rev1 KDF (IKEv2) | Import: No; Export: No | N/A | DRAM (plaintext). Note: The module does not provide persistent keys/SSPs storage | Zeroized when the tested platform is powered down | Used to secure IPSec/IKEv2 session confidentiality |
| IPSec/IKE Session Authentication Key (CSP) | At least 112 bits | HMAC-SHA-1; HMAC-SHA2-256; HMAC-SHA2-384; HMAC-SHA2-512; KDF IKEv2; Cert. #A3566 | Internally derived via key derivation function defined in SP800-135rev1 KDF (IKEv2) | Import: No; Export: No | N/A | DRAM (plaintext). Note: The module does not provide persistent keys/SSPs storage | Zeroized when the tested platform is powered down | Used to secure IPSec/IKEv2 session integrity |
| SNMPv3 Authentication Secret (CSP) | 8 characters minimum | N/A | N/A | Import: Encrypted by using TLS/SSH session key; Export: No | MD/EE | HDD (plaintext). Note: The module does not provide persistent keys/SSPs storage | Zeroized by SSP/CSP/PSP Zeroization Command | Used for SNMPv3 User authentication |
| SNMPv3 Session Encryption Key (CSP) | 128 bits | AES-CFB; KDF SNMP; Cert. #A3566 | Internally derived via key derivation function defined in SP800-135rev1 KDF (SNMPv3) | Import: No; Export: No | N/A | DRAM (plaintext). Note: The module does not provide persistent keys/SSPs storage | Zeroized when the tested platform is powered down | Used to secure SNMPv3 session confidentiality |
| SNMPv3 Session Authentication Key (CSP) | At least 112 bits | HMAC-SHA-1; KDF SNMP; Cert. #A3566 | Internally derived via key derivation function defined in SP800-135rev1 KDF (SNMPv3) | Import: No; Export: No | N/A | DRAM (plaintext). Note: The module does not provide persistent keys/SSPs storage | Zeroized when the tested platform is powered down | Used to secure SNMPv3 session integrity |
| SSH ECDHE Private Key (CSP) | 128-256 bits (Curves: P-256, P-384, or P-521) | CKG; DRBG; KAS-ECC-SSC; Cert. |
#A3566 Internally generated conformant to SP800- 133r2 (CKG) using SP800- 56Arev3 EC Diffie-Hellman key generation method, and the random value used in key generation is generated using SP800-90Arev1 DRBG Import: No Export: No N/A DRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storage Zeroized when the tested platform is powered down Used to derive the SSH ECDHE Shared Secret SSH ECDHE Public Key (PSP) 128-256 bits (Curves: P- 256, P-384, or P- 521) KAS-ECC-SSC; Cert. #A3566 Internally derived internally per the EC Diffie-Hellman key agreement (SP800-56Arev3) Import: No Export: Yes, to the SSH peer N/A DRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storage Zeroized when the tested platform is powered down Used to derive the SSH ECDHE Shared Secret Peer SSH ECDHE Public Key (PSP) 128-256 bits (Curves: P- 256, P-384, or P- 521) KAS-ECC-SSC; KAS-ECC; Cert.#A3566 N/A Import: Enter into the Module via the Module’s API Export: No N/A DRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storage Zeroized when the tested platform is powered down Used to derive SSH ECDHE Shared Secret SSH ECDHE Shared Secret (CSP) 128-256 bits (Curves: P- 256, P-384, or P- 521) KAS-ECC-SSC; KAS-ECC; Cert. #A3566 Internally derived using SP800-56A rev3 EC Diffie-Hellman shared secret computation Import: No Export: No N/A DRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storage Zeroized when the tested platform is powered down Used to derive SSH Session Encryption Keys, SSH Session Authentication Keys SSH ECDSA Private Key (CSP) 128-256 bits (Curves: P- 256, P-384, or P- 521) CKG; DRBG; ECDSA KeyGen; ECDSA SigGen; Cert. 
#A3566 Internally generated conformant to SP800- 133r2 (CKG) using FIPS 186-4 ECDSA Key Generation method, and the random value used in key generation is generated using SP800-90Arev1 DRBG Import: No Export: No SSP generation HDD (plaintext) Note: The module does not provide persistent keys/ SSPs storage Zeroized by SSP (CSP/PSP) Zeroization Command Used for SSH session authentication SSH ECDSA Public Key (PSP) 128-256 bits (Curves: P- 256, P-384, or P- 521) ECDSA KeyGen; ECDSA SigVer; Cert. #A3566 Internally derived per the FIPS 186-4 ECDSA Keypair generation method Import: No Export: Yes, to the SSH peer N/A HDD (plaintext) Note: The module does not provide persistent keys/ SSPs storage Zeroized by SSP/CSP/PSP Zeroization Command Used for SSH session authentication SSH Session Encryption Key (CSP) 128 - 256 bits AES-CTR; KDF SSH; KTS; Cert. #A3566 Internally derived via key derivation function defined in SP 800-135rev1 KDF (SSHv2) Import: No Export: No Key derivation DRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storage Zeroized when the tested platform is powered down Used for SSH session confidentiality protection 16 Palo Alto Networks SD-WAN Virtual Instant-On Network (vION) © 2024 Palo Alto Networks, Inc. This document can be reproduced and distributed only whole and intact, including this copyright notice Key/SSP Name/Typ e Strength Security Function and Cert. Number Generation Import/Export Establish- ment Storage Zeroization Use & Related Keys SSH Session Authenticatio n Key (CSP) At least 112 bits KDF SSH; KTS; HMAC-SHA-1; HMAC-SHA2- 256; HMAC-SHA2- 512; Cert. 
#A3566 Internally derived via key derivation function defined in SP 800-135rev1 KDF (SSHv2) Import: No Export: No Key derivation DRAM (plaintext) Note: The module does not provide persistent keys/ SSPs storage Zeroized when the tested platform is powered down Used for SSH session integrity protection Table 10 - SSPs Entropy Source(s) Minimum Number of Bits of Entropy Details Palo Alto Networks DRNG Entropy Source 0.6 bits entropy per sample with sample bit: 1 bit Please refer to ESV Cert. #E69 Table 11 - Non-Deterministic Random Number Generation Specification 10. Self-Tests The module performs the following self-tests, including the pre-operational self-tests and Conditional self-tests. Pre-Operational Self-Tests Algorithm Self-Test Details SHS KAT using SHA2-256 HMAC KAT using HMAC- SHA2-256 Software integrity Using HMAC-SHA2-256 Table 12 - Pre-Operational Self-Tests The module performs the following Cryptographic Algorithm Self-Tests (CASTs). These CASTs can be initiated by rebooting the module. All CASTs run without operator intervention automatically on reboot. Conditional Self-Tests Cryptographic Algorithm Self-Tests (CASTs) Algorithm Self-Test Details AES AES-ECB 256 bits Encryption KAT AES AES-ECB 256 bits Decryption KAT AES AES-CBC 256 bits Encryption KAT AES AES-CBC 256 bits Decryption KAT AES AES-GCM 256 bits Encryption KAT AES AES-GCM 256 bits Decryption KAT DRBG CTR_DRBG KAT: Instantiate KAT: Generate KAT: Reseed Note: DRBG Health Tests as specified in SP800-90Arev1 DRBG Section 11.3 are performed) ECDSA KAT using P-224 with SHA2-256 (ECDSA Signature Generation) ECDSA KAT using P-224 with SHA2-256 (ECDSA Signature Verification) HMAC KAT using HMAC-SHA-1 © 2024 Palo Alto Networks, Inc. 
Palo Alto Networks SD-WAN Virtual Instant-On Network (vION) 17 This document can be reproduced and distributed only whole and intact, including this copyright notice Algorithm Self-Test Details HMAC KAT using HMAC-SHA2-224 HMAC KAT using HMAC-SHA2-256 HMAC KAT using HMAC-SHA2-384 HMAC KAT using HMAC-SHA2-512 KAS-ECC-SSC KAT for KAS-ECC-SSC (Shared Secret Computation) primitive Z value KDF IKEv2 KAT for IKEv2 KDF KDF SNMP KAT for SNMPv3 KDF KDF SSH KAT for SSHv2 KDF KDF TLS KAT for TLSv1.2 KDF RSA KAT using 2048 bits modulus with SHA2-256 (RSA Signature Generation) RSA KAT using 2048 bits modulus with SHA2-256 (RSA Signature Verification) SHS KAT using SHA-1 Table 13 – CASTs (Crypto Library I) Algorithm Self-Test Details AES AES-CBC 256 bits Encryption KAT AES AES-CBC 256 bits Decryption KAT AES AES-GCM 256 bits Encryption KAT AES AES-GCM 256 bits Encryption KAT ECDSA KAT using P-224 with SHA2-256 (ECDSA Signature Generation) ECDSA KAT using P-224 with SHA2-256 (ECDSA Signature Verification) DRBG HMAC_DRBG KAT: Instantiate KAT: Generate KAT: Reseed Note: DRBG Health Tests as specified in SP800-90Arev1 DRBG Section 11.3 are performed) HMAC KAT using SHA2-256 HMAC KAT using SHA2-384 HMAC KAT using SHA2-512 KAS-ECC-SSC KAT for KAS-ECC-SSC (Shared Secret Computation) primitive Z value KDF TLS KAT for TLSv1.2 KDF RSA KAT using 2048 bits modulus with SHA2-256 (RSA Signature Generation) RSA KAT using 2048 bits modulus with SHA2-256 (RSA Signature Verification) Table 14 –CASTs (Crypto Library II) Algorithm Self-Test Details SP 800-90B Health Tests The module’s entropy source implements Start-up and Continuous health tests defined in SP800-90B, section 4.2. The entropy source utilizes Developer-Defined Alternatives to the Continuous Health Tests which is defined in SP 800-90B section 4.5. 
Table 15 - Entropy Source Health Tests Conditional Pair-Wise Consistency Tests Conditional Self-Tests Algorithm Self-Test Details RSA RSA Pairwise consistency test (PCT) ECDSA ECDSA PCT KAS-ECC-SSC SP800-56Ar3 KAS-ECC-SSC PCT 18 Palo Alto Networks SD-WAN Virtual Instant-On Network (vION) © 2024 Palo Alto Networks, Inc. This document can be reproduced and distributed only whole and intact, including this copyright notice Table 16 - Conditional Pair-Wise Consistency Tests (Crypto Library I) Algorithm Self-Test Details RSA RSA Pairwise consistency test (PCT) ECDSA ECDSA PCT SP800-56Ar3 KAS-ECC-SSC SP800-56Ar3 KAS-ECC-SSC PCT Table 17 - Conditional Pair-Wise Consistency Tests (Crypto Library II) Conditional Software Load Test Conditional Self-Tests Algorithm Self-Test Details Software Load Test RSA 2048 with SHA2-256 Signature Verification Table 18 - Conditional Software Load Test Periodic/On-Demand Self-Test The module performs on-demand self-tests initiated by the operator, by power cycling or rebooting the tested platform. The full suite of self-tests is then executed. The same procedure may be employed by the operator to perform periodic self-tests. It is recommended that the Crypto Officer perform periodic testing of the module’s on-demand self-tests every 60 days to ensure all components are functioning correctly. Error Handling If any of the above-mentioned self-tests fail, the module reports the cause of the error and enters an error state (there is only one error state). In the Error State, no cryptographic services are provided, and data output is prohibited. The only method to recover from the error state is to reboot the module and perform the self-tests, including the pre-operational software integrity test and the conditional CASTs. The module will only enter into the operational state after successfully passing the pre-operational software integrity test and the conditional CASTs. 
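The pre-operational sequence of Table 12 and the single error state described above can be modelled in a few lines. This is an added illustration, not code from the module or from Palo Alto Networks: the class and function names, the cause strings, the integrity key and the image bytes are all constructed for the example, and only the three pre-operational tests are modelled, not the CASTs.

```python
import hashlib
import hmac

# Published known-answer vectors: SHA-256 of b"abc" (FIPS 180 example) and
# HMAC-SHA-256 test case 1 from RFC 4231.
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
HMAC_KEY, HMAC_MSG = b"\x0b" * 20, b"Hi There"
HMAC_TC1 = "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"


class ErrorState(Exception):
    """Raised when a service is requested outside the operational state."""


class ModuleModel:
    """Hypothetical model of the boot sequence: KATs, integrity check, then services."""

    def __init__(self, image: bytes, integrity_key: bytes, expected_tag: bytes,
                 sha256=lambda m: hashlib.sha256(m).hexdigest()):
        self.image, self.key, self.expected_tag = image, integrity_key, expected_tag
        self.sha256 = sha256  # injectable so a KAT failure can be simulated
        self.state, self.cause = "POWER_ON", None

    def _fail(self, cause: str) -> bool:
        self.state, self.cause = "ERROR", cause  # the single error state
        return False

    def power_on(self) -> bool:
        """Run the pre-operational tests in order; a reboot is the only way to retry."""
        self.state, self.cause = "SELF_TEST", None
        if self.sha256(b"abc") != SHA256_ABC:
            return self._fail("SHS KAT (SHA2-256)")
        tag = hmac.new(HMAC_KEY, HMAC_MSG, hashlib.sha256).hexdigest()
        if tag != HMAC_TC1:
            return self._fail("HMAC KAT (HMAC-SHA2-256)")
        actual = hmac.new(self.key, self.image, hashlib.sha256).digest()
        if not hmac.compare_digest(actual, self.expected_tag):
            return self._fail("software integrity (HMAC-SHA2-256)")
        self.state = "OPERATIONAL"
        return True

    def mac(self, key: bytes, data: bytes) -> bytes:
        """Example service: refused unless every self-test has passed."""
        if self.state != "OPERATIONAL":
            raise ErrorState(f"no services: state={self.state}, cause={self.cause}")
        return hmac.new(key, data, hashlib.sha256).digest()


def build(image: bytes, key: bytes = b"constructed-integrity-key") -> ModuleModel:
    """Constructed sample: the reference tag covers the pristine image only."""
    tag = hmac.new(key, b"constructed vION image bytes", hashlib.sha256).digest()
    return ModuleModel(image, key, tag)
```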
The table below shows the different causes that lead to the Error State and the status indicators reported.

| Cause of Error | Error State Indicator |
|---|---|
| Failed Pre-Operational Software Integrity Test | Integrity check failed at |
| Failed Conditional CAST | : FIPS Self-test failed for Entering error state |
| Failed Conditional PCT | Key verification failed |
| Failed Software Load Test | Verification Failure |
| SP 800-90B Entropy Source Start-up/Continuous health tests | No random numbers are generated and key generation is halted |

Table 19 - Error State Indicators

11. Life-Cycle Assurance

The module is designed to handle the various stages of a module’s life-cycle. The sections below highlight the details for each stage.

Secure Delivery Procedures

Software is available on Palo Alto Networks’ support site, which uses TLS 1.2 during the download process. The support site also provides a SHA2-256 checksum that Crypto Officers can use to verify the integrity of the module once it has been transferred/downloaded.

Secure Operation

The module meets all the Level 1 requirements for FIPS 140-3. Follow the secure operations provided below to place the module in the Approved mode. The software version is 6.1.2, which is the only allowable software image for this current approved mode of operation.

The module is initiated into the Approved mode of operation via the following procedure:

1. Install the vION on the platform
2. Using the Controller, navigate to the device that is to be initiated
3. Select “FIPS”
   a. Click “proceed” to begin initialization procedure
4. The module will begin initialization that includes the following:
   a. Zeroization of any sensitive information or data
   b. Power cycle of the device followed by running all self-tests
5. Once initialization is complete, the module provides the following status output:
   a. Device Mode: “fips”
   b. Self-tests: “Power-up self test successful”

Once the module has completed initialization into the Approved mode of operation, any non-Approved configurations/algorithms are rejected automatically by the module and an error message is output.

End of Life / Sanitization

End of life dates for software and hardware modules are announced publicly via Palo Alto Networks’ services website. Crypto Officers should follow the procedure below for the secure destruction of their module:

Note: This process will cause the module to no longer function after it has wiped all configurations and keys.

1. Access the module as Crypto Officer
2. Execute command: “disable system”
   a. Confirm command
3. Module will begin zeroization process and wipe all security parameters and configurations

12. Mitigation of Other Attacks

This module is not designed to mitigate against any other attacks outside of the FIPS 140-3 scope.