PAN-OS 10.2 running on PA-220, PA-220R, PA-400 Series, PA-800 Series, PA-3200 Series, PA-3400 Series, PA-5200 Series, PA-5400 Series, PA-5450, and PA-7000 Series NGFWs

Certificate #4760

Webpage information ?

Status active
Validation dates 14.08.2024
Sunset date 13-08-2026
Standard FIPS 140-3
Security level 2
Type Hardware
Embodiment Multi-Chip Stand Alone
Caveat Interim Validation. When installed, initialized and configured as specified in Section 11 of the Security Policy. The tamper evident seals and Physical Kit installed as indicated in the Security Policy
Exceptions
  • Roles, services, and authentication: Level 3
  • Operational environment: N/A
  • Non-invasive security: N/A
  • Life-cycle assurance: Level 3
  • Mitigation of other attacks: N/A
  • Documentation requirements: N/A
  • Cryptographic module security policy: N/A
Description Palo Alto Networks offers a full line of next-generation security appliances that range from the PA-220, designed for enterprise remote offices, to the PA-7080, which is a modular chassis designed for high-speed datacenters. The platform architecture is based on our single-pass engine, PAN-OS, for networking, security, threat prevention, and management functionality that is consistent across all platforms. The devices differ only in capacities, performance, and physical configuration.
Version (Hardware) 910-000102 with Physical Kit 920-000112, 910-000122 with Physical Kit 920-000119, 910-000128 with Physical Kit 920-000084, 910-000147 with Physical Kit 920-000226, 910-000223 with Physical Kit 920-000309, [910-000119 and 910-000120] with Physical Kit 920-000185, [910-000125, 910-000131, 910-000132, and 910-000157] with Physical Kit 920-000186, [910-000162, 910-000163, and 910-000164] with Physical Kit 920-000212, [910-000212, 910-000230, 910-000231, and 910-000232] with Physical Kit 920-000454, [910-000241, 910-000242, 910-000243, and 910-000244] with Physical Kit 920-000333, and , [910-000252, 910-000253, and 910-000254] with Physical Kit 920-000320
Version (Firmware) 10.2.8-h4
Vendor Palo Alto Networks, Inc.
References

This certificate's webpage directly references 0 certificates, transitively this expands into 0 certificates.

Security policy ?

Symmetric Algorithms
AES, CAST, HMAC, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512, CMAC
Asymmetric Algorithms
RSA 2048, RSA 3072, RSA 4096, ECDHE, ECDH, ECDSA, Diffie-Hellman, DHE, DH
Hash functions
SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA2
Schemes
Key Exchange
Protocols
SSH, SSL, TLS, TLS1.2, TLS v1.2, TLSv1.2, TLS 1.2, TLSv1.0, TLSv1.3, IKEv2, IKE, IPsec, VPN
Randomness
DRBG, RNG
Elliptic Curves
P-256, P-384, P-521
Block cipher modes
ECB, CBC, CTR, CFB, GCM, CCM
TLS cipher suites
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Security level
Level 2, Level 1

Standards
FIPS 140-3, FIPS 186-4, FIPS 198-1, FIPS 180-4, FIPS 186-2, SP 800-90B, SP 800-38A, SP 800-38C, SP 800-38D, SP 800-38F, SP 800-52, SP 800-140E, SP 800-63B, SP 800-56A, PKCS#1, RFC 3526, RFC 5288, RFC 5282, ISO/IEC 24759

File metadata

Modification date D:20240809124927--04'00
Pages 67
Producer Skia/PDF m129 Google Docs Renderer

Heuristics ?

No heuristics are available for this certificate.

References ?

No references are available for this certificate.

Updates ?

  • 09.09.2024 The certificate data changed.
    Certificate changed

    The web extraction data was updated.

    • The certificate_pdf_url property was set to https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/certificates/August 2024_010924_0336.pdf.
  • 19.08.2024 The certificate was first processed.
    New certificate

    A new FIPS 140 certificate with the product name was processed.

Raw data

{
  "_type": "sec_certs.sample.fips.FIPSCertificate",
  "cert_id": 4760,
  "dgst": "ce741a4b1dccaa73",
  "heuristics": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.Heuristics",
    "algorithms": {
      "_type": "Set",
      "elements": [
        "ECDSA SigVer (FIPS186-4)A2906",
        "KDF IKEv2A2906",
        "ECDSA SigGen (FIPS186-4)A2906",
        "AES-GCMA2906",
        "HMAC-SHA2-256A2906",
        "SHA2-512A2906",
        "HMAC-SHA2-512A2906",
        "AES-CTRA2906",
        "Counter DRBGA2906",
        "HMAC-SHA2-384A2906",
        "RSA SigVer (FIPS186-4)A2906",
        "HMAC-SHA-1A2906",
        "KDF SNMPA2906",
        "Safe Primes Key GenerationA2906",
        "Safe Primes Key VerificationA2906",
        "SHA2-256A2906",
        "RSA SigGen (FIPS186-4)A2906",
        "Conditioning Component AES-CBC-MAC SP800-90BA2541",
        "SHA-1A2906",
        "ECDSA KeyVer (FIPS186-4)A2906",
        "KAS-ECC-SSC Sp800-56Ar3A2906",
        "ECDSA KeyGen (FIPS186-4)A2906",
        "KDF TLSA2906",
        "RSA KeyGen (FIPS186-4)A2906",
        "AES-CBCA2906",
        "KAS-FFC-SSC Sp800-56Ar3A2906",
        "HMAC-SHA2-224A2906",
        "KDF SSHA2906",
        "SHA2-224A2906",
        "SHA2-384A2906",
        "AES-CCMA2906",
        "AES-CFB128A2906"
      ]
    },
    "cpe_matches": null,
    "direct_transitive_cves": null,
    "extracted_versions": {
      "_type": "Set",
      "elements": [
        "10.2",
        "10.2.8"
      ]
    },
    "indirect_transitive_cves": null,
    "module_processed_references": {
      "_type": "sec_certs.sample.certificate.References",
      "directly_referenced_by": null,
      "directly_referencing": null,
      "indirectly_referenced_by": null,
      "indirectly_referencing": null
    },
    "module_prunned_references": {
      "_type": "Set",
      "elements": []
    },
    "policy_processed_references": {
      "_type": "sec_certs.sample.certificate.References",
      "directly_referenced_by": null,
      "directly_referencing": null,
      "indirectly_referenced_by": null,
      "indirectly_referencing": null
    },
    "policy_prunned_references": {
      "_type": "Set",
      "elements": []
    },
    "related_cves": null,
    "verified_cpe_matches": null
  },
  "pdf_data": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.PdfData",
    "keywords": {
      "asymmetric_crypto": {
        "ECC": {
          "ECDH": {
            "ECDH": 6,
            "ECDHE": 6
          },
          "ECDSA": {
            "ECDSA": 63
          }
        },
        "FF": {
          "DH": {
            "DH": 2,
            "DHE": 10,
            "Diffie-Hellman": 8
          }
        },
        "RSA": {
          "RSA 2048": 12,
          "RSA 3072": 3,
          "RSA 4096": 3
        }
      },
      "certification_process": {},
      "cipher_mode": {
        "CBC": {
          "CBC": 5
        },
        "CCM": {
          "CCM": 4
        },
        "CFB": {
          "CFB": 1
        },
        "CTR": {
          "CTR": 5
        },
        "ECB": {
          "ECB": 2
        },
        "GCM": {
          "GCM": 14
        }
      },
      "cplc_data": {},
      "crypto_engine": {},
      "crypto_library": {},
      "crypto_protocol": {
        "IKE": {
          "IKE": 2,
          "IKEv2": 12
        },
        "IPsec": {
          "IPsec": 4
        },
        "SSH": {
          "SSH": 60
        },
        "TLS": {
          "SSL": {
            "SSL": 2
          },
          "TLS": {
            "TLS": 84,
            "TLS 1.2": 2,
            "TLS v1.2": 1,
            "TLS1.2": 1,
            "TLSv1.0": 1,
            "TLSv1.2": 1,
            "TLSv1.3": 1
          }
        },
        "VPN": {
          "VPN": 60
        }
      },
      "crypto_scheme": {
        "KEX": {
          "Key Exchange": 9
        }
      },
      "device_model": {},
      "ecc_curve": {
        "NIST": {
          "P-256": 48,
          "P-384": 38,
          "P-521": 38
        }
      },
      "eval_facility": {},
      "fips_cert_id": {
        "Cert": {
          "#16": 1
        }
      },
      "fips_certlike": {
        "Certlike": {
          "AES (128": 2,
          "AES 128": 1,
          "AES 256": 3,
          "AES-GCM 128": 1,
          "HMAC 128": 2,
          "HMAC-SHA-1": 30,
          "HMAC-SHA-1, 160": 2,
          "HMAC-SHA-256": 10,
          "HMAC-SHA-384": 2,
          "HMAC-SHA-512": 2,
          "HMAC\u2013SHA-1/224": 1,
          "PKCS#1": 4,
          "RSA 2048": 12,
          "RSA 3072": 3,
          "RSA 4096": 3,
          "SHA-1": 5,
          "SHA-256": 11,
          "SHA-384": 2,
          "SHA-512": 4,
          "SHA2": 4,
          "SHA2-224": 3,
          "SHA2-256": 8,
          "SHA2-384": 5,
          "SHA2-512": 5
        }
      },
      "fips_security_level": {
        "Level": {
          "Level 1": 1,
          "Level 2": 3
        }
      },
      "hash_function": {
        "SHA": {
          "SHA1": {
            "SHA-1": 5
          },
          "SHA2": {
            "SHA-224": 1,
            "SHA-256": 12,
            "SHA-384": 3,
            "SHA-512": 5,
            "SHA2": 4
          }
        }
      },
      "ic_data_group": {},
      "javacard_api_const": {},
      "javacard_packages": {},
      "javacard_version": {},
      "os_name": {},
      "pq_crypto": {},
      "randomness": {
        "PRNG": {
          "DRBG": 47
        },
        "RNG": {
          "RNG": 1
        }
      },
      "side_channel_analysis": {},
      "standard_id": {
        "FIPS": {
          "FIPS 140-3": 9,
          "FIPS 180-4": 5,
          "FIPS 186-2": 1,
          "FIPS 186-4": 70,
          "FIPS 198-1": 6
        },
        "ISO": {
          "ISO/IEC 24759": 2
        },
        "NIST": {
          "SP 800-140E": 1,
          "SP 800-38A": 4,
          "SP 800-38C": 2,
          "SP 800-38D": 2,
          "SP 800-38F": 6,
          "SP 800-52": 1,
          "SP 800-56A": 14,
          "SP 800-63B": 1,
          "SP 800-90B": 10
        },
        "PKCS": {
          "PKCS#1": 2
        },
        "RFC": {
          "RFC 3526": 2,
          "RFC 5282": 1,
          "RFC 5288": 1
        }
      },
      "symmetric_crypto": {
        "AES_competition": {
          "AES": {
            "AES": 19
          },
          "CAST": {
            "CAST": 1
          }
        },
        "constructions": {
          "MAC": {
            "CMAC": 1,
            "HMAC": 20,
            "HMAC-SHA-256": 5,
            "HMAC-SHA-384": 1,
            "HMAC-SHA-512": 1
          }
        }
      },
      "tee_name": {},
      "tls_cipher_suite": {
        "TLS": {
          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": 1,
          "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": 1,
          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 1,
          "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": 1
        }
      },
      "vendor": {},
      "vulnerability": {}
    },
    "policy_metadata": {
      "/ModDate": "D:20240809124927--04\u002700",
      "/Producer": "Skia/PDF m129 Google Docs Renderer",
      "/Title": "",
      "pdf_file_size_bytes": 22399698,
      "pdf_hyperlinks": {
        "_type": "Set",
        "elements": [
          "http://www.paloaltonetworks.com"
        ]
      },
      "pdf_is_encrypted": false,
      "pdf_number_of_pages": 67
    }
  },
  "state": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.InternalState",
    "module_download_ok": true,
    "module_extract_ok": true,
    "policy_convert_garbage": false,
    "policy_convert_ok": true,
    "policy_download_ok": true,
    "policy_extract_ok": true,
    "policy_pdf_hash": "1e7c3fc037cc9e2abe6eb8189ddeedd9adacb9e6256f2110db10d44170b5c7ba",
    "policy_txt_hash": "373dda31727576d15929ec82ab774bd7db77e29fe0364b50ae6fd1eee9262b0f"
  },
  "web_data": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.WebData",
    "caveat": "Interim Validation. When installed, initialized and configured as specified in Section 11 of the Security Policy. The tamper evident seals and Physical Kit installed as indicated in the Security Policy",
    "certificate_pdf_url": "https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/certificates/August 2024_010924_0336.pdf",
    "date_sunset": "2026-08-13",
    "description": "Palo Alto Networks offers a full line of next-generation security appliances that range from the PA-220, designed for enterprise remote offices, to the PA-7080, which is a modular chassis designed for high-speed datacenters. The platform architecture is based on our single-pass engine, PAN-OS, for networking, security, threat prevention, and management functionality that is consistent across all platforms. The devices differ only in capacities, performance, and physical configuration.",
    "embodiment": "Multi-Chip Stand Alone",
    "exceptions": [
      "Roles, services, and authentication: Level 3",
      "Operational environment: N/A",
      "Non-invasive security: N/A",
      "Life-cycle assurance: Level 3",
      "Mitigation of other attacks: N/A",
      "Documentation requirements: N/A",
      "Cryptographic module security policy: N/A"
    ],
    "fw_versions": "10.2.8-h4",
    "historical_reason": null,
    "hw_versions": "910-000102 with Physical Kit 920-000112, 910-000122 with Physical Kit 920-000119, 910-000128 with Physical Kit 920-000084, 910-000147 with Physical Kit 920-000226, 910-000223 with Physical Kit 920-000309, [910-000119 and 910-000120] with Physical Kit 920-000185, [910-000125, 910-000131, 910-000132, and 910-000157] with Physical Kit 920-000186, [910-000162, 910-000163, and 910-000164] with Physical Kit 920-000212, [910-000212, 910-000230, 910-000231, and 910-000232] with Physical Kit 920-000454, [910-000241, 910-000242, 910-000243, and 910-000244] with Physical Kit 920-000333, and , [910-000252, 910-000253, and 910-000254] with Physical Kit 920-000320",
    "level": 2,
    "mentioned_certs": {},
    "module_name": "PAN-OS 10.2 running on PA-220, PA-220R, PA-400 Series, PA-800 Series, PA-3200 Series, PA-3400 Series, PA-5200 Series, PA-5400 Series, PA-5450, and PA-7000 Series NGFWs",
    "module_type": "Hardware",
    "revoked_link": null,
    "revoked_reason": null,
    "standard": "FIPS 140-3",
    "status": "active",
    "sw_versions": null,
    "tested_conf": null,
    "validation_history": [
      {
        "_type": "sec_certs.sample.fips.FIPSCertificate.ValidationHistoryEntry",
        "date": "2024-08-14",
        "lab": "LEIDOS CSTL",
        "validation_type": "Initial"
      }
    ],
    "vendor": "Palo Alto Networks, Inc.",
    "vendor_url": "http://www.paloaltonetworks.com"
  }
}