This page was not yet optimized for use on mobile devices.

Palo Alto Networks SD-WAN Instant-On Network (ION) Devices ION 1200, ION 1200-S, ION 3200, ION 5200, and ION 9200

Certificate #4719

Webpage information ?

Status	active
Validation dates	11.07.2024
Sunset date	10-07-2026
Standard	FIPS 140-3
Security level	2
Type	Hardware
Embodiment	Multi-Chip Stand Alone
Caveat	Interim Validation. The tamper evident seals installed as indicated in the Security Policy
Exceptions	Operational environment: N/A Non-invasive security: N/A Mitigation of other attacks: N/A Documentation requirements: N/A Cryptographic module security policy: N/A
Description	The Palo Alto Networks SD-WAN Instant-On Network (ION) Devices (ION 1200, ION 1200-S, ION 3200, ION 5200 and ION 9200) enable the integration of a diverse set of wide area network (WAN) connection types, improve application performance and visibility, enhance security and compliance, and reduce the overall cost and complexity of your WAN.
Version (Hardware)	[ION 1200, ION 1200-C-NA, ION 1200-C-ROW, ION 1200-C-5G-WW, ION 1200-S, ION 1200-S-C-NA, ION 1200-S-C-ROW, ION 1200-S-C-5G-WW, ION 3200] with FIPS Kit P/N 920-000363, and [ION 5200 and ION 9200] with FIPS Kit P/N 920-000333
Version (Firmware)	6.1.2
Vendor	Palo Alto Networks, Inc.
References	This certificate's webpage directly references 0 certificates, transitively this expands into 0 certificates.

Certificate

Webpage

Security policy ?

Security target PDF TXT

Symmetric Algorithms

AES-256, AES, AES-, CAST, HMAC

Asymmetric Algorithms

RSA 2048, ECDHE, ECDH, ECDSA, ECC, Diffie-Hellman

Hash functions

SHA-1

Schemes

MAC, Key Agreement

Protocols

SSH, TLSv1.2, TLS 1.2, TLS, IKEv2

Randomness

DRBG

Elliptic Curves

P-256, P-384, P-521, P-224, curve P-256

Block cipher modes

ECB, CBC, CTR, GCM

Trusted Execution Environments

PSP

Security level

Level 1, level 2, Level 2

Certification process

out of scope, of the TELs as depicted below and any additional requirement per the site security policy which are out of scope of this Security Policy. The ION 1200 requires 3 tamper evident labels while the ION 1200-C-NA/ION

Standards

FIPS 140-3, FIPS 197, FIPS140-3, FIPS 186-4, FIPS 198-1, FIPS 180-4, SP 800-38D, SP 800-38A, SP 800-140B, SP 800-90B, PKCS#1, RFC 5288, ISO/IEC 24759

File metadata

Author	Richard Wang
Creation date	D:20240617182816-04'00'
Modification date	D:20240617182816-04'00'
Pages	32
Creator	Microsoft® Word 2016
Producer	Microsoft® Word 2016

Heuristics ?

No heuristics are available for this certificate.

References ?

No references are available for this certificate.

Updates ?

12.08.2024 The certificate data changed.
Certificate changed

The web extraction data was updated.
- The certificate_pdf_url property was set to https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/certificates/July 2024_010824_1146.pdf.
15.07.2024 The certificate was first processed.

New certificate

A new FIPS 140 certificate with the product name was processed.

Raw data

{
  "_type": "sec_certs.sample.fips.FIPSCertificate",
  "cert_id": 4719,
  "dgst": "7a36b30f042b6325",
  "heuristics": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.Heuristics",
    "algorithms": {
      "_type": "Set",
      "elements": [
        "KDF IKEv2A3563",
        "SHA2-384A3565",
        "Counter DRBGA3563",
        "HMAC-SHA2-512A3565",
        "HMAC-SHA2-224A3563",
        "SHA2-256C170",
        "SHA2-224A3564",
        "KDF SNMPA3563",
        "AES-GCMA3564",
        "AES-CTRA3563",
        "KAS-ECC-SSC Sp800-56Ar3A3564",
        "RSA KeyGen (FIPS186-4)A3563",
        "AES-CBCA3565",
        "HMAC-SHA2-256A3565",
        "ECDSA SigVer (FIPS186-4)A3563",
        "RSA SigVer (FIPS186-4)C170",
        "ECDSA SigGen (FIPS186-4)A3563",
        "KDF TLSA3564",
        "ECDSA KeyGen (FIPS186-4)A3564",
        "KDF SSHA3563",
        "HMAC-SHA-1A3563",
        "RSA SigGen (FIPS186-4)A3563",
        "HMAC-SHA2-384A3565",
        "AES-ECBA3563",
        "SHA2-512A3565",
        "HMAC DRBGA3564",
        "SHA-1C170"
      ]
    },
    "cpe_matches": null,
    "direct_transitive_cves": null,
    "extracted_versions": {
      "_type": "Set",
      "elements": [
        "6.1.2"
      ]
    },
    "indirect_transitive_cves": null,
    "module_processed_references": {
      "_type": "sec_certs.sample.certificate.References",
      "directly_referenced_by": null,
      "directly_referencing": null,
      "indirectly_referenced_by": null,
      "indirectly_referencing": null
    },
    "module_prunned_references": {
      "_type": "Set",
      "elements": []
    },
    "policy_processed_references": {
      "_type": "sec_certs.sample.certificate.References",
      "directly_referenced_by": null,
      "directly_referencing": null,
      "indirectly_referenced_by": null,
      "indirectly_referencing": null
    },
    "policy_prunned_references": {
      "_type": "Set",
      "elements": []
    },
    "related_cves": null,
    "verified_cpe_matches": null
  },
  "pdf_data": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.PdfData",
    "keywords": {
      "asymmetric_crypto": {
        "ECC": {
          "ECC": {
            "ECC": 20
          },
          "ECDH": {
            "ECDH": 2,
            "ECDHE": 39
          },
          "ECDSA": {
            "ECDSA": 45
          }
        },
        "FF": {
          "DH": {
            "Diffie-Hellman": 7
          }
        },
        "RSA": {
          "RSA 2048": 3
        }
      },
      "certification_process": {
        "OutOfScope": {
          "of the TELs as depicted below and any additional requirement per the site security policy which are out of scope of this Security Policy. The ION 1200 requires 3 tamper evident labels while the ION 1200-C-NA/ION": 1,
          "out of scope": 1
        }
      },
      "cipher_mode": {
        "CBC": {
          "CBC": 3
        },
        "CTR": {
          "CTR": 1
        },
        "ECB": {
          "ECB": 1
        },
        "GCM": {
          "GCM": 6
        }
      },
      "cplc_data": {},
      "crypto_engine": {},
      "crypto_library": {},
      "crypto_protocol": {
        "IKE": {
          "IKEv2": 9
        },
        "SSH": {
          "SSH": 43
        },
        "TLS": {
          "TLS": {
            "TLS": 55,
            "TLS 1.2": 1,
            "TLSv1.2": 33
          }
        }
      },
      "crypto_scheme": {
        "KA": {
          "Key Agreement": 2
        },
        "MAC": {
          "MAC": 2
        }
      },
      "device_model": {},
      "ecc_curve": {
        "NIST": {
          "P-224": 18,
          "P-256": 21,
          "P-384": 40,
          "P-521": 36,
          "curve P-256": 1
        }
      },
      "eval_facility": {},
      "fips_cert_id": {
        "Cert": {
          "#1": 1
        }
      },
      "fips_certlike": {
        "Certlike": {
          "AES-256": 2,
          "AES-CBC 128": 2,
          "AES-CBC 256": 4,
          "AES-GCM 256": 4,
          "HMAC-SHA-1": 22,
          "PKCS#1": 10,
          "RSA 2048": 3,
          "SHA-1": 7,
          "SHA2-256": 21,
          "SHA2-384": 5,
          "SHA2-512": 7
        }
      },
      "fips_security_level": {
        "Level": {
          "Level 1": 1,
          "Level 2": 3,
          "level 2": 1
        }
      },
      "hash_function": {
        "SHA": {
          "SHA1": {
            "SHA-1": 7
          }
        }
      },
      "ic_data_group": {},
      "javacard_api_const": {},
      "javacard_packages": {},
      "javacard_version": {},
      "os_name": {},
      "pq_crypto": {},
      "randomness": {
        "PRNG": {
          "DRBG": 50
        }
      },
      "side_channel_analysis": {},
      "standard_id": {
        "FIPS": {
          "FIPS 140-3": 15,
          "FIPS 180-4": 12,
          "FIPS 186-4": 16,
          "FIPS 197": 7,
          "FIPS 198-1": 11,
          "FIPS140-3": 2
        },
        "ISO": {
          "ISO/IEC 24759": 2
        },
        "NIST": {
          "SP 800-140B": 1,
          "SP 800-38A": 4,
          "SP 800-38D": 3,
          "SP 800-90B": 3
        },
        "PKCS": {
          "PKCS#1": 5
        },
        "RFC": {
          "RFC 5288": 1
        }
      },
      "symmetric_crypto": {
        "AES_competition": {
          "AES": {
            "AES": 15,
            "AES-": 2,
            "AES-256": 2
          },
          "CAST": {
            "CAST": 1
          }
        },
        "constructions": {
          "MAC": {
            "HMAC": 28
          }
        }
      },
      "tee_name": {
        "AMD": {
          "PSP": 25
        }
      },
      "tls_cipher_suite": {},
      "vendor": {},
      "vulnerability": {}
    },
    "policy_metadata": {
      "/Author": "Richard Wang",
      "/CreationDate": "D:20240617182816-04\u002700\u0027",
      "/Creator": "Microsoft\u00ae Word 2016",
      "/ModDate": "D:20240617182816-04\u002700\u0027",
      "/Producer": "Microsoft\u00ae Word 2016",
      "pdf_file_size_bytes": 1993601,
      "pdf_hyperlinks": {
        "_type": "Set",
        "elements": [
          "about:blank",
          "http://www.paloaltonetworks.com/"
        ]
      },
      "pdf_is_encrypted": false,
      "pdf_number_of_pages": 32
    }
  },
  "state": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.InternalState",
    "module_download_ok": true,
    "module_extract_ok": true,
    "policy_convert_garbage": false,
    "policy_convert_ok": true,
    "policy_download_ok": true,
    "policy_extract_ok": true,
    "policy_pdf_hash": "58d8700de54f144cf1496d921202936d433ed20e0fb00d556ba63f5030941c73",
    "policy_txt_hash": "ba2f8a8ef0e4dc6afb8821d40638c6be4b692748f8c2271f889d0f06baed4584"
  },
  "web_data": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.WebData",
    "caveat": "Interim Validation. The tamper evident seals installed as indicated in the Security Policy",
    "certificate_pdf_url": "https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/certificates/July 2024_010824_1146.pdf",
    "date_sunset": "2026-07-10",
    "description": "The Palo Alto Networks SD-WAN Instant-On Network (ION) Devices (ION 1200, ION 1200-S, ION 3200, ION 5200 and ION 9200) enable the integration of a diverse set of wide area network (WAN) connection types, improve application performance and visibility, enhance security and compliance, and reduce the overall cost and complexity of your WAN.",
    "embodiment": "Multi-Chip Stand Alone",
    "exceptions": [
      "Operational environment: N/A",
      "Non-invasive security: N/A",
      "Mitigation of other attacks: N/A",
      "Documentation requirements: N/A",
      "Cryptographic module security policy: N/A"
    ],
    "fw_versions": "6.1.2",
    "historical_reason": null,
    "hw_versions": "[ION 1200, ION 1200-C-NA, ION 1200-C-ROW, ION 1200-C-5G-WW, ION 1200-S, ION 1200-S-C-NA, ION 1200-S-C-ROW, ION 1200-S-C-5G-WW, ION 3200] with FIPS Kit P/N 920-000363, and [ION 5200 and ION 9200] with FIPS Kit P/N 920-000333",
    "level": 2,
    "mentioned_certs": {},
    "module_name": "Palo Alto Networks SD-WAN Instant-On Network (ION) Devices ION 1200, ION 1200-S, ION 3200, ION 5200, and ION 9200",
    "module_type": "Hardware",
    "revoked_link": null,
    "revoked_reason": null,
    "standard": "FIPS 140-3",
    "status": "active",
    "sw_versions": null,
    "tested_conf": null,
    "validation_history": [
      {
        "_type": "sec_certs.sample.fips.FIPSCertificate.ValidationHistoryEntry",
        "date": "2024-07-11",
        "lab": "GOSSAMER SECURITY SOLUTIONS INC",
        "validation_type": "Initial"
      }
    ],
    "vendor": "Palo Alto Networks, Inc.",
    "vendor_url": "http://www.paloaltonetworks.com"
  }
}