PA-200, PA-220, PA-500, PA-800 Series, PA-3000 Series, PA-5000 Series, PA-5200 Series and PA-7000 Series Firewalls

Certificate #3133

Webpage information

Status historical
Historical reason SP 800-56Arev3 transition
Validation dates 21.02.2018 , 18.05.2018 , 31.10.2018 , 21.02.2020
Standard FIPS 140-2
Security level 2
Type Hardware
Embodiment Multi-Chip Stand Alone
Caveat When operated in FIPS mode and with the tamper evident seals and opacity shields installed as indicated in the Security Policy. The module generates cryptographic keys whose strengths are modified by available entropy.
Exceptions
  • Roles, Services, and Authentication: Level 3
  • Design Assurance: Level 3
  • Mitigation of Other Attacks: N/A
Description The Palo Alto Networks PA-200, PA-220, PA-500, PA-800 Series, PA-3000 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series Firewalls are multi-chip standalone modules that provide network security by enabling enterprises to see and control applications, users, and content using three unique identification technologies: App-ID, User-ID, and Content-ID. These identification technologies enable enterprises to create business-relevant security polices - safely enabling organizations to adopt new applications.
Version (Hardware) PA-200 P/N 910-000015 Rev. E with [1], PA-220 P/N 910-000128 Rev. A with [1], PA-500 P/N 910-000006 Rev. O with [2], PA-500-2GB P/N 910-000094 Rev. O with [2], PA-820 P/N 910-000120 Rev. A with [3], PA-850 P/N 910-000119 Rev. A with [3], PA-3020 P/N 910-000017 Rev. J with [4], PA-3050 P/N 910-000016 Rev. J with [4], PA-3060 P/N 910-000104 Rev. C with [5], PA-5020 P/N 910-000010 Rev. F with [6], PA-5050 P/N 910-000009 Rev. F with [6], PA-5060 P/N 910-000008 Rev. F with [6], PA-5220 P/N 910-000132 Rev. A with [7], PA-5250 P/N 910-000131 Rev. A with [7], PA-5260 P/N 910-000125 Rev. A with [7], PA-7050 P/N 910-000102 Rev. B with [8] and at least one from [10] and PA-7080 P/N 910-000122 Rev. A with [9] and at least one from [10]; FIPS Kit: P/Ns 920-000084 Rev. A [1], 920-000005 Rev. A [2], 920-000185 Rev. A [3], 920-000081 Rev. A [4], 920-000138 Rev. A [5], 920-000037 Rev. A [6], 920-000186 Rev. A [7], 920-000112 Rev. A [8] and 920-000119 Rev. A [9]; Network Processing Cards [10]: P/Ns 910-000028-00B, 910-000117-00A, 910-000137-00A and 910-000136-00A
Version (Firmware) 8.0.3, 8.0.6, 8.0.9, 8.0.12 or 8.0.13
Vendor Palo Alto Networks
References

This certificate's webpage directly references 0 certificates, transitively this expands into 0 certificates.
Certificate
Webpage

Security policy

Security target PDF TXT

Symmetric Algorithms
AES, CAST, RC4, DES, Blowfish, Camellia, SEED, HMAC
Asymmetric Algorithms
RSA 2048, RSA 3072, ECDHE, ECDH, ECDSA, ECC, DH, DHE, DSA
Hash functions
MD5, RIPEMD
Schemes
Key Exchange
Protocols
SSHv2, SSH, SSL, TLS, TLSv1.0, IKE, IKEv2, IKEv1, IPsec, VPN
Randomness
DRBG, RNG
Block cipher modes
ECB, CBC, CTR, CFB, OFB, GCM, CCM
TLS cipher suites
TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Security level
Level 2

Standards
FIPS 197, FIPS 198, PKCS #1, RFC 5288, RFC 5282

File metadata

Title Microsoft Word - 201 - PAN-OS HW 1SUB_8.0.13 (18.10.01).docx
Author lgarcia
Creation date D:20181026142941-07'00'
Modification date D:20181026142941-07'00'
Pages 101
Creator PScript5.dll Version 5.2.2
Producer Acrobat Distiller 17.0 (Windows)

References

Outgoing
  • 2464 - historical - SUSE Linux Enterprise Server 12 libgcrypt Cryptographic Module

Heuristics

No heuristics are available for this certificate.

References

Updates

  • The certificate data changed.
  • The certificate data changed.
  • The certificate data changed.
  • The certificate data changed.
  • The certificate data changed.
  • The certificate data changed.
  • The certificate data changed.
  • The certificate data changed.
  • The certificate data changed.
  • The certificate data changed.
  • The certificate data changed.
  • The certificate data changed.
  • The certificate data changed.
  • The certificate data changed.
  • The certificate data changed.
  • The certificate data changed.
  • The certificate data changed.
  • The certificate data changed.
  • The certificate data changed.
  • The certificate data changed.
  • The certificate data changed.
  • The certificate data changed.
  • The certificate data changed.
  • The certificate data changed.
  • The certificate data changed.
  • The certificate data changed.
  • The certificate data changed.
  • The certificate data changed.
  • The certificate data changed.
  • The certificate data changed.
  • The certificate data changed.
  • The certificate data changed.
  • The certificate data changed.
  • The certificate was first processed.

Raw data 

{
  "_type": "sec_certs.sample.fips.FIPSCertificate",
  "cert_id": 3133,
  "dgst": "c0480cd61fb7be83",
  "heuristics": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.Heuristics",
    "algorithms": {
      "_type": "Set",
      "elements": [
        "KTS#2990",
        "CVL#1212",
        "ECDSA#1103",
        "AES#4532",
        "CVL#1213",
        "CVL#1211",
        "RSA#2467",
        "HMAC#2990",
        "DRBG#1489",
        "DSA#1207",
        "KTS#4532",
        "SHS#3713",
        "KAS#1212",
        "KAS#1211"
      ]
    },
    "cpe_matches": null,
    "direct_transitive_cves": null,
    "extracted_versions": {
      "_type": "Set",
      "elements": [
        "8.0.13",
        "8.0.12",
        "8.0.3",
        "8.0.9",
        "8.0.6"
      ]
    },
    "indirect_transitive_cves": null,
    "module_processed_references": {
      "_type": "sec_certs.sample.certificate.References",
      "directly_referenced_by": null,
      "directly_referencing": null,
      "indirectly_referenced_by": null,
      "indirectly_referencing": null
    },
    "module_prunned_references": {
      "_type": "Set",
      "elements": []
    },
    "policy_processed_references": {
      "_type": "sec_certs.sample.certificate.References",
      "directly_referenced_by": null,
      "directly_referencing": {
        "_type": "Set",
        "elements": [
          "2464"
        ]
      },
      "indirectly_referenced_by": null,
      "indirectly_referencing": {
        "_type": "Set",
        "elements": [
          "2464"
        ]
      }
    },
    "policy_prunned_references": {
      "_type": "Set",
      "elements": [
        "2464"
      ]
    },
    "related_cves": null,
    "verified_cpe_matches": null
  },
  "pdf_data": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.PdfData",
    "keywords": {
      "asymmetric_crypto": {
        "ECC": {
          "ECC": {
            "ECC": 1
          },
          "ECDH": {
            "ECDH": 1,
            "ECDHE": 6
          },
          "ECDSA": {
            "ECDSA": 16
          }
        },
        "FF": {
          "DH": {
            "DH": 8,
            "DHE": 6
          },
          "DSA": {
            "DSA": 1
          }
        },
        "RSA": {
          "RSA 2048": 8,
          "RSA 3072": 1
        }
      },
      "certification_process": {},
      "cipher_mode": {
        "CBC": {
          "CBC": 6
        },
        "CCM": {
          "CCM": 3
        },
        "CFB": {
          "CFB": 3
        },
        "CTR": {
          "CTR": 3
        },
        "ECB": {
          "ECB": 1
        },
        "GCM": {
          "GCM": 12
        },
        "OFB": {
          "OFB": 1
        }
      },
      "cplc_data": {},
      "crypto_engine": {},
      "crypto_library": {},
      "crypto_protocol": {
        "IKE": {
          "IKE": 3,
          "IKEv1": 2,
          "IKEv2": 2
        },
        "IPsec": {
          "IPsec": 1
        },
        "SSH": {
          "SSH": 17,
          "SSHv2": 2
        },
        "TLS": {
          "SSL": {
            "SSL": 2
          },
          "TLS": {
            "TLS": 21,
            "TLSv1.0": 1
          }
        },
        "VPN": {
          "VPN": 32
        }
      },
      "crypto_scheme": {
        "KEX": {
          "Key Exchange": 2
        }
      },
      "device_model": {},
      "ecc_curve": {},
      "eval_facility": {},
      "fips_cert_id": {
        "Cert": {
          "#1": 1,
          "#1211": 3,
          "#1212": 2,
          "#2464": 1
        }
      },
      "fips_certlike": {
        "Certlike": {
          "AES (128": 2,
          "AES 4532": 1,
          "CVL #1211": 1,
          "CVL 1211": 2,
          "CVL 1212": 1,
          "CVL 1213": 1,
          "Cert. # AES": 1,
          "DRBG 2": 1,
          "HMAC 2990": 2,
          "PKCS #1": 2,
          "RSA 2048": 8,
          "RSA 3072": 1
        }
      },
      "fips_security_level": {
        "Level": {
          "Level 2": 2
        }
      },
      "hash_function": {
        "MD": {
          "MD5": {
            "MD5": 2
          }
        },
        "RIPEMD": {
          "RIPEMD": 1
        }
      },
      "ic_data_group": {},
      "javacard_api_const": {},
      "javacard_packages": {},
      "javacard_version": {},
      "os_name": {},
      "pq_crypto": {},
      "randomness": {
        "PRNG": {
          "DRBG": 9
        },
        "RNG": {
          "RNG": 2
        }
      },
      "side_channel_analysis": {},
      "standard_id": {
        "FIPS": {
          "FIPS 197": 1,
          "FIPS 198": 1
        },
        "PKCS": {
          "PKCS #1": 1
        },
        "RFC": {
          "RFC 5282": 1,
          "RFC 5288": 1
        }
      },
      "symmetric_crypto": {
        "AES_competition": {
          "AES": {
            "AES": 14
          },
          "CAST": {
            "CAST": 1
          },
          "RC": {
            "RC4": 1
          }
        },
        "DES": {
          "DES": {
            "DES": 1
          }
        },
        "constructions": {
          "MAC": {
            "HMAC": 10
          }
        },
        "miscellaneous": {
          "Blowfish": {
            "Blowfish": 1
          },
          "Camellia": {
            "Camellia": 1
          },
          "SEED": {
            "SEED": 1
          }
        }
      },
      "tee_name": {},
      "tls_cipher_suite": {
        "TLS": {
          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": 1,
          "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": 1,
          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 1,
          "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": 1,
          "TLS_RSA_WITH_AES_128_GCM_SHA256": 1,
          "TLS_RSA_WITH_AES_256_GCM_SHA384": 1
        }
      },
      "vendor": {},
      "vulnerability": {}
    },
    "policy_metadata": {
      "/Author": "lgarcia",
      "/CreationDate": "D:20181026142941-07\u002700\u0027",
      "/Creator": "PScript5.dll Version 5.2.2",
      "/ModDate": "D:20181026142941-07\u002700\u0027",
      "/Producer": "Acrobat Distiller 17.0 (Windows)",
      "/Title": "Microsoft Word - 201 - PAN-OS HW 1SUB_8.0.13 (18.10.01).docx",
      "pdf_file_size_bytes": 5555092,
      "pdf_hyperlinks": {
        "_type": "Set",
        "elements": []
      },
      "pdf_is_encrypted": false,
      "pdf_number_of_pages": 101
    }
  },
  "state": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.InternalState",
    "module_download_ok": true,
    "module_extract_ok": true,
    "policy_convert_ok": true,
    "policy_download_ok": true,
    "policy_extract_ok": true,
    "policy_json_hash": null,
    "policy_pdf_hash": "30b55705429e7ce81edd009204eba5ef95254b7aa21db0955cee236a8c7a22e9",
    "policy_txt_hash": "274d016c8ede8368ed788fe886e5c69acf2701cc450a78cf15c62979d2f0b055"
  },
  "web_data": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.WebData",
    "caveat": "When operated in FIPS mode and with the tamper evident seals and opacity shields installed as indicated in the Security Policy. The module generates cryptographic keys whose strengths are modified by available entropy.",
    "certificate_pdf_url": "https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/certificates/FIPSConsolidatedCertFeb2018.pdf",
    "date_sunset": null,
    "description": "The Palo Alto Networks PA-200, PA-220, PA-500, PA-800 Series, PA-3000 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series Firewalls are multi-chip standalone modules that provide network security by enabling enterprises to see and control applications, users, and content using three unique identification technologies: App-ID, User-ID, and Content-ID. These identification technologies enable enterprises to create business-relevant security polices - safely enabling organizations to adopt new applications.",
    "embodiment": "Multi-Chip Stand Alone",
    "exceptions": [
      "Roles, Services, and Authentication: Level 3",
      "Design Assurance: Level 3",
      "Mitigation of Other Attacks: N/A"
    ],
    "fw_versions": "8.0.3, 8.0.6, 8.0.9, 8.0.12 or 8.0.13",
    "historical_reason": "SP 800-56Arev3 transition",
    "hw_versions": "PA-200 P/N 910-000015 Rev. E with [1], PA-220 P/N 910-000128 Rev. A with [1], PA-500 P/N 910-000006 Rev. O with [2], PA-500-2GB P/N 910-000094 Rev. O with [2], PA-820 P/N 910-000120 Rev. A with [3], PA-850 P/N 910-000119 Rev. A with [3], PA-3020 P/N 910-000017 Rev. J with [4], PA-3050 P/N 910-000016 Rev. J with [4], PA-3060 P/N 910-000104 Rev. C with [5], PA-5020 P/N 910-000010 Rev. F with [6], PA-5050 P/N 910-000009 Rev. F with [6], PA-5060 P/N 910-000008 Rev. F with [6], PA-5220 P/N 910-000132 Rev. A with [7], PA-5250 P/N 910-000131 Rev. A with [7], PA-5260 P/N 910-000125 Rev. A with [7], PA-7050 P/N 910-000102 Rev. B with [8] and at least one from [10] and PA-7080 P/N 910-000122 Rev. A with [9] and at least one from [10]; FIPS Kit: P/Ns 920-000084 Rev. A [1], 920-000005 Rev. A [2], 920-000185 Rev. A [3], 920-000081 Rev. A [4], 920-000138 Rev. A [5], 920-000037 Rev. A [6], 920-000186 Rev. A [7], 920-000112 Rev. A [8] and 920-000119 Rev. A [9]; Network Processing Cards [10]: P/Ns 910-000028-00B, 910-000117-00A, 910-000137-00A and 910-000136-00A",
    "level": 2,
    "mentioned_certs": {},
    "module_name": "PA-200, PA-220, PA-500, PA-800 Series, PA-3000 Series, PA-5000 Series, PA-5200 Series and PA-7000 Series Firewalls",
    "module_type": "Hardware",
    "revoked_link": null,
    "revoked_reason": null,
    "standard": "FIPS 140-2",
    "status": "historical",
    "sw_versions": null,
    "tested_conf": null,
    "validation_history": [
      {
        "_type": "sec_certs.sample.fips.FIPSCertificate.ValidationHistoryEntry",
        "date": "2018-02-21",
        "lab": "UL Verification Services, Inc.",
        "validation_type": "Initial"
      },
      {
        "_type": "sec_certs.sample.fips.FIPSCertificate.ValidationHistoryEntry",
        "date": "2018-05-18",
        "lab": "UL Verification Services, Inc.",
        "validation_type": "Update"
      },
      {
        "_type": "sec_certs.sample.fips.FIPSCertificate.ValidationHistoryEntry",
        "date": "2018-10-31",
        "lab": "UL Verification Services, Inc.",
        "validation_type": "Update"
      },
      {
        "_type": "sec_certs.sample.fips.FIPSCertificate.ValidationHistoryEntry",
        "date": "2020-02-21",
        "lab": "UL Verification Services, Inc.",
        "validation_type": "Update"
      }
    ],
    "vendor": "Palo Alto Networks",
    "vendor_url": "http://www.paloaltonetworks.com"
  }
}