Prisma SD-WAN Controller's Cryptographic Module

Certificate #4668

Webpage information ?

Status active
Validation dates 05.12.2023
Sunset date 21-09-2026
Standard FIPS 140-2
Security level 1
Type Software
Embodiment Multi-Chip Stand Alone
Caveat When operated in FIPS mode. When operated per the Security Policy. No assurance of minimum security of keys and bit strings that are externally loaded, or of keys and CSPs established with externally loaded bit strings
Exceptions
  • Physical Security: N/A
  • Mitigation of Other Attacks: N/A
Description The Palo Alto Networks Controller allows operators the ability to manage ION devices to administer security policy rules and provides various application and network analytics.
Tested configurations
  • JDK 11.0.10 on Ubuntu 14.04 running on Dell Power Edge R740 with Intel(R) Xeon(R) Platinum 8260 CPU @ 2.40GHz with PAA
  • JDK 11.0.10 on Ubuntu 14.04 running on Dell Power Edge R740 with Intel(R) Xeon(R) Platinum 8260 CPU @ 2.40GHz without PAA (single-user mode)
Vendor Palo Alto Networks, Inc.
References

This certificate's webpage directly references 0 certificates, transitively this expands into 0 certificates.

Security policy ?

Symmetric Algorithms
AES, AES-, TDEA, HMAC, HMAC-SHA-256, HMAC-SHA-512, HMAC-SHA-224, HMAC-SHA-384, CMAC
Asymmetric Algorithms
ECDSA, ECC, Diffie-Hellman, DH, DSA
Hash functions
SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
Schemes
Key Exchange
Protocols
TLS, TLS 1.2, VPN
Randomness
DRBG
Elliptic Curves
P-256, P-384, P-521, P-224, K-233, sect163k1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp256k1
Block cipher modes
ECB, CBC, CTR, GCM, CCM

Trusted Execution Environments
SSC

Security level
Level 1

Standards
FIPS 140-2, FIPS 186-4, FIPS 197, FIPS 198-1, FIPS 180-4, FIPS 202, SP 800-38D, SP 800-52, SP 800-38B, SP 800-38C, SP 800-56A, SP 800-90A, PKCS1, PKCS#1, PKCS#5, PKCS#12, RFC 5288

File metadata

Title Microsoft Word - FIPS_Security_Policy_PAN_Prisma_11_20_2023.docx
Author Admin
Creation date D:20231120213053-08'00'
Modification date D:20231120213053-08'00'
Pages 13
Creator PScript5.dll Version 5.2.2
Producer GPL Ghostscript 8.64

Heuristics ?

No heuristics are available for this certificate.

References ?

No references are available for this certificate.

Updates ?

  • 08.01.2024 The certificate data changed.
    Certificate changed

    The web extraction data was updated.

    • The certificate_pdf_url property was set to https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/certificates/December 2023_020124_0656.pdf.
  • 02.01.2024 The certificate was first processed.
    New certificate

    A new FIPS 140 certificate with the product name was processed.

Raw data

{
  "_type": "sec_certs.sample.fips.FIPSCertificate",
  "cert_id": 4668,
  "dgst": "28aba8137d93763f",
  "heuristics": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.Heuristics",
    "algorithms": {
      "_type": "Set",
      "elements": [
        "KAS#A2476",
        "RSA#A2476",
        "HMAC#A2476",
        "KTS#A2496",
        "KBKDF#A2496",
        "KAS-SSC#A2496",
        "DRBG#A2496",
        "CVL#A2476",
        "KTS#A2476",
        "KAS#A2496",
        "ECDSA#A2476",
        "CVL#A2496",
        "DRBG#A2476",
        "RSA#A2496",
        "AES#A2476",
        "AES#A2496",
        "ECDSA#A2496",
        "HMAC#A2496",
        "KAS-SSC#A2476",
        "SHS#A2496",
        "SHS#A2476"
      ]
    },
    "cpe_matches": null,
    "direct_transitive_cves": null,
    "extracted_versions": {
      "_type": "Set",
      "elements": [
        "-"
      ]
    },
    "indirect_transitive_cves": null,
    "module_processed_references": {
      "_type": "sec_certs.sample.certificate.References",
      "directly_referenced_by": null,
      "directly_referencing": null,
      "indirectly_referenced_by": null,
      "indirectly_referencing": null
    },
    "module_prunned_references": {
      "_type": "Set",
      "elements": []
    },
    "policy_processed_references": {
      "_type": "sec_certs.sample.certificate.References",
      "directly_referenced_by": null,
      "directly_referencing": null,
      "indirectly_referenced_by": null,
      "indirectly_referencing": null
    },
    "policy_prunned_references": {
      "_type": "Set",
      "elements": []
    },
    "related_cves": null,
    "verified_cpe_matches": null
  },
  "pdf_data": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.PdfData",
    "keywords": {
      "asymmetric_crypto": {
        "ECC": {
          "ECC": {
            "ECC": 6
          },
          "ECDSA": {
            "ECDSA": 13
          }
        },
        "FF": {
          "DH": {
            "DH": 1,
            "Diffie-Hellman": 2
          },
          "DSA": {
            "DSA": 1
          }
        }
      },
      "certification_process": {},
      "cipher_mode": {
        "CBC": {
          "CBC": 4
        },
        "CCM": {
          "CCM": 1
        },
        "CTR": {
          "CTR": 2
        },
        "ECB": {
          "ECB": 2
        },
        "GCM": {
          "GCM": 4
        }
      },
      "cplc_data": {},
      "crypto_engine": {},
      "crypto_library": {},
      "crypto_protocol": {
        "TLS": {
          "TLS": {
            "TLS": 39,
            "TLS 1.2": 1
          }
        },
        "VPN": {
          "VPN": 4
        }
      },
      "crypto_scheme": {
        "KEX": {
          "Key Exchange": 2
        }
      },
      "device_model": {},
      "ecc_curve": {
        "NIST": {
          "K-233": 1,
          "P-224": 10,
          "P-256": 6,
          "P-384": 14,
          "P-521": 6,
          "secp160k1": 1,
          "secp160r1": 1,
          "secp160r2": 1,
          "secp192k1": 1,
          "secp192r1": 1,
          "secp224k1": 1,
          "secp256k1": 1,
          "sect163k1": 1,
          "sect163r2": 1,
          "sect193r1": 1,
          "sect193r2": 1,
          "sect233k1": 1,
          "sect233r1": 1,
          "sect239k1": 1,
          "sect283k1": 1,
          "sect283r1": 1,
          "sect409k1": 1,
          "sect409r1": 1,
          "sect571k1": 1,
          "sect571r1": 1
        }
      },
      "eval_facility": {},
      "fips_cert_id": {},
      "fips_certlike": {
        "Certlike": {
          "HMAC-SHA-1": 6,
          "HMAC-SHA-224": 2,
          "HMAC-SHA-256": 4,
          "HMAC-SHA-384": 4,
          "HMAC-SHA-512": 2,
          "PKCS#1": 2,
          "PKCS#12": 2,
          "PKCS#5": 2,
          "PKCS1": 8,
          "SHA- 224": 1,
          "SHA- 384": 2,
          "SHA- 512": 1,
          "SHA-1": 4,
          "SHA-224": 5,
          "SHA-256": 11,
          "SHA-384": 7,
          "SHA-512": 7
        }
      },
      "fips_security_level": {
        "Level": {
          "Level 1": 1
        }
      },
      "hash_function": {
        "SHA": {
          "SHA1": {
            "SHA-1": 4
          },
          "SHA2": {
            "SHA-224": 5,
            "SHA-256": 11,
            "SHA-384": 7,
            "SHA-512": 7
          }
        }
      },
      "ic_data_group": {},
      "javacard_api_const": {},
      "javacard_packages": {},
      "javacard_version": {},
      "os_name": {},
      "pq_crypto": {},
      "randomness": {
        "PRNG": {
          "DRBG": 17
        }
      },
      "side_channel_analysis": {},
      "standard_id": {
        "FIPS": {
          "FIPS 140-2": 3,
          "FIPS 180-4": 3,
          "FIPS 186-4": 4,
          "FIPS 197": 3,
          "FIPS 198-1": 3,
          "FIPS 202": 1
        },
        "NIST": {
          "SP 800-38B": 1,
          "SP 800-38C": 1,
          "SP 800-38D": 3,
          "SP 800-52": 2,
          "SP 800-56A": 1,
          "SP 800-90A": 1
        },
        "PKCS": {
          "PKCS#1": 1,
          "PKCS#12": 1,
          "PKCS#5": 1,
          "PKCS1": 4
        },
        "RFC": {
          "RFC 5288": 1
        }
      },
      "symmetric_crypto": {
        "AES_competition": {
          "AES": {
            "AES": 5,
            "AES-": 1
          }
        },
        "DES": {
          "3DES": {
            "TDEA": 1
          }
        },
        "constructions": {
          "MAC": {
            "CMAC": 1,
            "HMAC": 7,
            "HMAC-SHA-224": 2,
            "HMAC-SHA-256": 2,
            "HMAC-SHA-384": 2,
            "HMAC-SHA-512": 2
          }
        }
      },
      "tee_name": {
        "IBM": {
          "SSC": 2
        }
      },
      "tls_cipher_suite": {},
      "vendor": {},
      "vulnerability": {}
    },
    "policy_metadata": {
      "/Author": "Admin",
      "/CreationDate": "D:20231120213053-08\u002700\u0027",
      "/Creator": "PScript5.dll Version 5.2.2",
      "/ModDate": "D:20231120213053-08\u002700\u0027",
      "/Producer": "GPL Ghostscript 8.64",
      "/Title": "Microsoft Word - FIPS_Security_Policy_PAN_Prisma_11_20_2023.docx",
      "pdf_file_size_bytes": 160961,
      "pdf_hyperlinks": {
        "_type": "Set",
        "elements": []
      },
      "pdf_is_encrypted": false,
      "pdf_number_of_pages": 13
    }
  },
  "state": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.InternalState",
    "module_download_ok": true,
    "module_extract_ok": true,
    "policy_convert_garbage": false,
    "policy_convert_ok": true,
    "policy_download_ok": true,
    "policy_extract_ok": true,
    "policy_pdf_hash": "8c2912cbd37525909e42bc8988da611c34cf7701c1c7885dbfb81725ec3943c2",
    "policy_txt_hash": "ae9c3c866c9e751348b48235bce027d623ed3359644367c3fc563b7291f7596f"
  },
  "web_data": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.WebData",
    "caveat": "When operated in FIPS mode. When operated per the Security Policy. No assurance of minimum security of keys and bit strings that are externally loaded, or of keys and CSPs established with externally loaded bit strings",
    "certificate_pdf_url": "https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/certificates/December 2023_020124_0656.pdf",
    "date_sunset": "2026-09-21",
    "description": "The Palo Alto Networks Controller allows operators the ability to manage ION devices to administer security policy rules and provides various application and network analytics.",
    "embodiment": "Multi-Chip Stand Alone",
    "exceptions": [
      "Physical Security: N/A",
      "Mitigation of Other Attacks: N/A"
    ],
    "fw_versions": null,
    "historical_reason": null,
    "hw_versions": null,
    "level": 1,
    "mentioned_certs": {},
    "module_name": "Prisma SD-WAN Controller\u0027s Cryptographic Module",
    "module_type": "Software",
    "revoked_link": null,
    "revoked_reason": null,
    "standard": "FIPS 140-2",
    "status": "active",
    "sw_versions": "1.0",
    "tested_conf": [
      "JDK 11.0.10 on Ubuntu 14.04 running on Dell Power Edge R740 with Intel(R) Xeon(R) Platinum 8260 CPU @ 2.40GHz with PAA",
      "JDK 11.0.10 on Ubuntu 14.04 running on Dell Power Edge R740 with Intel(R) Xeon(R) Platinum 8260 CPU @ 2.40GHz without PAA (single-user mode)"
    ],
    "validation_history": [
      {
        "_type": "sec_certs.sample.fips.FIPSCertificate.ValidationHistoryEntry",
        "date": "2023-12-05",
        "lab": "ADVANCED DATA SECURITY LLC",
        "validation_type": "Initial"
      }
    ],
    "vendor": "Palo Alto Networks, Inc.",
    "vendor_url": "http://www.paloaltonetworks.com"
  }
}