Palo Alto Networks SD-WAN ION Core Crypto Module

Certificate #4715

Webpage information ?

Status active
Validation dates 08.07.2024
Sunset date 07-07-2026
Standard FIPS 140-3
Security level 1
Type Software
Embodiment Multi-Chip Stand Alone
Caveat Interim Validation. When installed, initialized and configured as specified in section "Secure Operation" of the Security Policy and operated in approved mode
Exceptions
  • Physical security: N/A
  • Non-invasive security: N/A
  • Mitigation of other attacks: N/A
  • Documentation requirements: N/A
  • Cryptographic module security policy: N/A
Description The Palo Alto Networks SD-WAN ION Core Crypto Module is utilized in hardware and software ION form factors. These enable the integration of a diverse set of wide area network (WAN) connection types, improve application performance and visibility, enhance security and compliance, and reduce the overall cost and complexity of your WAN.
Tested configurations
  • ION 6.1 running on ION 1200 with Intel Atom C3436L with PAA
  • ION 6.1 running on ION 1200 with Intel Atom C3436L without PAA
  • ION 6.1 running on ION 1200-C-5G-WW with Intel Atom C3436L with PAA
  • ION 6.1 running on ION 1200-C-5G-WW with Intel Atom C3436L without PAA
  • ION 6.1 running on ION 1200-C-NA with Intel Atom C3436L with PAA
  • ION 6.1 running on ION 1200-C-NA with Intel Atom C3436L without PAA
  • ION 6.1 running on ION 1200-C-ROW with Intel Atom C3436L with PAA
  • ION 6.1 running on ION 1200-C-ROW with Intel Atom C3436L without PAA
  • ION 6.1 running on ION 1200-S with Intel Atom C3436L with PAA
  • ION 6.1 running on ION 1200-S with Intel Atom C3436L without PAA
  • ION 6.1 running on ION 1200-S-C-5G-WW with Intel Atom C3436L with PAA
  • ION 6.1 running on ION 1200-S-C-5G-WW with Intel Atom C3436L without PAA
  • ION 6.1 running on ION 1200-S-C-NA with Intel Atom C3436L with PAA
  • ION 6.1 running on ION 1200-S-C-NA with Intel Atom C3436L without PAA
  • ION 6.1 running on ION 1200-S-C-ROW with Intel Atom C3436L with PAA
  • ION 6.1 running on ION 1200-S-C-ROW with Intel Atom C3436L without PAA
  • ION 6.1 running on ION 3200 with Intel Atom C3558R with PAA
  • ION 6.1 running on ION 3200 with Intel Atom C3558R without PAA
  • ION 6.1 running on ION 5200 with Intel Atom C5325 with PAA
  • ION 6.1 running on ION 5200 with Intel Atom C5325 without PAA
  • ION 6.1 running on ION 9200 with Intel Atom P5362 with PAA
  • ION 6.1 running on ION 9200 with Intel Atom P5362 without PAA
Vendor Palo Alto Networks, Inc.
References

This certificate's webpage directly references 0 certificates, transitively this expands into 0 certificates.

Security policy ?

Symmetric Algorithms
AES-256, AES, CAST, HMAC
Asymmetric Algorithms
ECDHE, ECDSA, ECC, Diffie-Hellman
Hash functions
SHA-1
Schemes
MAC, Key Agreement
Protocols
SSH, TLS 1.2, TLS v1.2, TLS, TLSv1.2, IKEv2, IKE
Randomness
DRBG
Elliptic Curves
P-256, P-384, P-521, P-224
Block cipher modes
ECB, CBC, CTR, GCM

Trusted Execution Environments
PSP

Security level
Level 1

Standards
FIPS 140-3, FIPS 197, FIPS140-3, FIPS 186-4, FIPS 198-1, FIPS 180-4, SP 800-38D, SP 800-38A, SP 800-140B, SP 800-90B, PKCS#1, RFC 5288, ISO/IEC 24759

File metadata

Author Richard Wang
Creation date D:20240613150721-04'00'
Modification date D:20240613150721-04'00'
Pages 19
Creator Microsoft® Word 2016
Producer Microsoft® Word 2016

Heuristics ?

No heuristics are available for this certificate.

References ?

No references are available for this certificate.

Updates ?

  • 12.08.2024 The certificate data changed.
    Certificate changed

    The web extraction data was updated.

    • The certificate_pdf_url property was set to https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/certificates/July 2024_010824_1146.pdf.
  • 15.07.2024 The certificate was first processed.
    New certificate

    A new FIPS 140 certificate with the product name was processed.

Raw data

{
  "_type": "sec_certs.sample.fips.FIPSCertificate",
  "cert_id": 4715,
  "dgst": "e2aab8e08a6b9259",
  "heuristics": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.Heuristics",
    "algorithms": {
      "_type": "Set",
      "elements": [
        "KDF IKEv2A3563",
        "HMAC-SHA2-384A3564",
        "Counter DRBGA3563",
        "SHA2-256A3564",
        "HMAC-SHA2-512A3564",
        "HMAC-SHA2-224A3563",
        "SHA2-384A3564",
        "KDF SNMPA3563",
        "AES-GCMA3564",
        "SHA2-512A3564",
        "AES-CTRA3563",
        "KAS-ECC-SSC Sp800-56Ar3A3564",
        "RSA SigVer (FIPS186-4)A3572",
        "RSA KeyGen (FIPS186-4)A3563",
        "ECDSA SigVer (FIPS186-4)A3563",
        "AES-CBCA3566",
        "HMAC-SHA2-256A3566",
        "SHA-1A3566",
        "ECDSA SigGen (FIPS186-4)A3563",
        "KDF TLSA3564",
        "ECDSA KeyGen (FIPS186-4)A3564",
        "KDF SSHA3563",
        "HMAC-SHA-1A3563",
        "RSA SigGen (FIPS186-4)A3563",
        "AES-ECBA3563",
        "HMAC DRBGA3564",
        "SHA2-224A3563"
      ]
    },
    "cpe_matches": null,
    "direct_transitive_cves": null,
    "extracted_versions": {
      "_type": "Set",
      "elements": [
        "-"
      ]
    },
    "indirect_transitive_cves": null,
    "module_processed_references": {
      "_type": "sec_certs.sample.certificate.References",
      "directly_referenced_by": null,
      "directly_referencing": null,
      "indirectly_referenced_by": null,
      "indirectly_referencing": null
    },
    "module_prunned_references": {
      "_type": "Set",
      "elements": []
    },
    "policy_processed_references": {
      "_type": "sec_certs.sample.certificate.References",
      "directly_referenced_by": null,
      "directly_referencing": null,
      "indirectly_referenced_by": null,
      "indirectly_referencing": null
    },
    "policy_prunned_references": {
      "_type": "Set",
      "elements": []
    },
    "related_cves": null,
    "verified_cpe_matches": null
  },
  "pdf_data": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.PdfData",
    "keywords": {
      "asymmetric_crypto": {
        "ECC": {
          "ECC": {
            "ECC": 25
          },
          "ECDH": {
            "ECDHE": 41
          },
          "ECDSA": {
            "ECDSA": 40
          }
        },
        "FF": {
          "DH": {
            "Diffie-Hellman": 8
          }
        }
      },
      "certification_process": {},
      "cipher_mode": {
        "CBC": {
          "CBC": 2
        },
        "CTR": {
          "CTR": 1
        },
        "ECB": {
          "ECB": 1
        },
        "GCM": {
          "GCM": 4
        }
      },
      "cplc_data": {},
      "crypto_engine": {},
      "crypto_library": {},
      "crypto_protocol": {
        "IKE": {
          "IKE": 2,
          "IKEv2": 9
        },
        "SSH": {
          "SSH": 43
        },
        "TLS": {
          "TLS": {
            "TLS": 58,
            "TLS 1.2": 1,
            "TLS v1.2": 1,
            "TLSv1.2": 14
          }
        }
      },
      "crypto_scheme": {
        "KA": {
          "Key Agreement": 2
        },
        "MAC": {
          "MAC": 2
        }
      },
      "device_model": {},
      "ecc_curve": {
        "NIST": {
          "P-224": 16,
          "P-256": 16,
          "P-384": 40,
          "P-521": 34
        }
      },
      "eval_facility": {},
      "fips_cert_id": {
        "Cert": {
          "#1": 1
        }
      },
      "fips_certlike": {
        "Certlike": {
          "AES-256": 1,
          "AES-CBC 256": 4,
          "AES-GCM 256": 4,
          "HMAC-SHA-1": 22,
          "PAA 10": 1,
          "PAA 11": 1,
          "PAA 12": 1,
          "PAA 13": 1,
          "PAA 15": 1,
          "PAA 16": 1,
          "PAA 17": 1,
          "PAA 18": 1,
          "PAA 19": 1,
          "PAA 2": 1,
          "PAA 20": 1,
          "PAA 21": 1,
          "PAA 22": 1,
          "PAA 3": 1,
          "PAA 4": 1,
          "PAA 5": 1,
          "PAA 6": 1,
          "PAA 7": 1,
          "PAA 8": 1,
          "PAA 9": 1,
          "PKCS#1": 8,
          "SHA-1": 3,
          "SHA2-224": 1,
          "SHA2-256": 13,
          "SHA2-384": 3,
          "SHA2-512": 5
        }
      },
      "fips_security_level": {
        "Level": {
          "Level 1": 4
        }
      },
      "hash_function": {
        "SHA": {
          "SHA1": {
            "SHA-1": 3
          }
        }
      },
      "ic_data_group": {},
      "javacard_api_const": {},
      "javacard_packages": {},
      "javacard_version": {},
      "os_name": {},
      "pq_crypto": {},
      "randomness": {
        "PRNG": {
          "DRBG": 56
        }
      },
      "side_channel_analysis": {},
      "standard_id": {
        "FIPS": {
          "FIPS 140-3": 9,
          "FIPS 180-4": 8,
          "FIPS 186-4": 14,
          "FIPS 197": 6,
          "FIPS 198-1": 8,
          "FIPS140-3": 2
        },
        "ISO": {
          "ISO/IEC 24759": 2
        },
        "NIST": {
          "SP 800-140B": 1,
          "SP 800-38A": 3,
          "SP 800-38D": 3,
          "SP 800-90B": 3
        },
        "PKCS": {
          "PKCS#1": 4
        },
        "RFC": {
          "RFC 5288": 1
        }
      },
      "symmetric_crypto": {
        "AES_competition": {
          "AES": {
            "AES": 17,
            "AES-256": 1
          },
          "CAST": {
            "CAST": 1
          }
        },
        "constructions": {
          "MAC": {
            "HMAC": 22
          }
        }
      },
      "tee_name": {
        "AMD": {
          "PSP": 24
        }
      },
      "tls_cipher_suite": {},
      "vendor": {},
      "vulnerability": {}
    },
    "policy_metadata": {
      "/Author": "Richard Wang",
      "/CreationDate": "D:20240613150721-04\u002700\u0027",
      "/Creator": "Microsoft\u00ae Word 2016",
      "/ModDate": "D:20240613150721-04\u002700\u0027",
      "/Producer": "Microsoft\u00ae Word 2016",
      "pdf_file_size_bytes": 1032087,
      "pdf_hyperlinks": {
        "_type": "Set",
        "elements": [
          "about:blank",
          "http://www.paloaltonetworks.com/"
        ]
      },
      "pdf_is_encrypted": false,
      "pdf_number_of_pages": 19
    }
  },
  "state": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.InternalState",
    "module_download_ok": true,
    "module_extract_ok": true,
    "policy_convert_garbage": false,
    "policy_convert_ok": true,
    "policy_download_ok": true,
    "policy_extract_ok": true,
    "policy_pdf_hash": "78d3b4bb8389bb7318c6cc75f79bc717d006518c6309177a5c4d41f0760d2bcc",
    "policy_txt_hash": "79e2115199f9af47260cc8b5bfc255b893db415e27d0ed50b0bf13cd46e025cc"
  },
  "web_data": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.WebData",
    "caveat": "Interim Validation. When installed, initialized and configured as specified in section \"Secure Operation\" of the Security Policy and operated in approved mode",
    "certificate_pdf_url": "https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/certificates/July 2024_010824_1146.pdf",
    "date_sunset": "2026-07-07",
    "description": "The Palo Alto Networks SD-WAN ION Core Crypto Module is utilized in hardware and software ION form factors. These enable the integration of a diverse set of wide area network (WAN) connection types, improve application performance and visibility, enhance security and compliance, and reduce the overall cost and complexity of your WAN.",
    "embodiment": "Multi-Chip Stand Alone",
    "exceptions": [
      "Physical security: N/A",
      "Non-invasive security: N/A",
      "Mitigation of other attacks: N/A",
      "Documentation requirements: N/A",
      "Cryptographic module security policy: N/A"
    ],
    "fw_versions": null,
    "historical_reason": null,
    "hw_versions": null,
    "level": 1,
    "mentioned_certs": {},
    "module_name": "Palo Alto Networks SD-WAN ION Core Crypto Module",
    "module_type": "Software",
    "revoked_link": null,
    "revoked_reason": null,
    "standard": "FIPS 140-3",
    "status": "active",
    "sw_versions": "1.0",
    "tested_conf": [
      "ION 6.1 running on ION 1200 with Intel Atom C3436L with PAA",
      "ION 6.1 running on ION 1200 with Intel Atom C3436L without PAA",
      "ION 6.1 running on ION 1200-C-5G-WW with Intel Atom C3436L with PAA",
      "ION 6.1 running on ION 1200-C-5G-WW with Intel Atom C3436L without PAA",
      "ION 6.1 running on ION 1200-C-NA with Intel Atom C3436L with PAA",
      "ION 6.1 running on ION 1200-C-NA with Intel Atom C3436L without PAA",
      "ION 6.1 running on ION 1200-C-ROW with Intel Atom C3436L with PAA",
      "ION 6.1 running on ION 1200-C-ROW with Intel Atom C3436L without PAA",
      "ION 6.1 running on ION 1200-S with Intel Atom C3436L with PAA",
      "ION 6.1 running on ION 1200-S with Intel Atom C3436L without PAA",
      "ION 6.1 running on ION 1200-S-C-5G-WW with Intel Atom C3436L with PAA",
      "ION 6.1 running on ION 1200-S-C-5G-WW with Intel Atom C3436L without PAA",
      "ION 6.1 running on ION 1200-S-C-NA with Intel Atom C3436L with PAA",
      "ION 6.1 running on ION 1200-S-C-NA with Intel Atom C3436L without PAA",
      "ION 6.1 running on ION 1200-S-C-ROW with Intel Atom C3436L with PAA",
      "ION 6.1 running on ION 1200-S-C-ROW with Intel Atom C3436L without PAA",
      "ION 6.1 running on ION 3200 with Intel Atom C3558R with PAA",
      "ION 6.1 running on ION 3200 with Intel Atom C3558R without PAA",
      "ION 6.1 running on ION 5200 with Intel Atom C5325 with PAA",
      "ION 6.1 running on ION 5200 with Intel Atom C5325 without PAA",
      "ION 6.1 running on ION 9200 with Intel Atom P5362 with PAA",
      "ION 6.1 running on ION 9200 with Intel Atom P5362 without PAA"
    ],
    "validation_history": [
      {
        "_type": "sec_certs.sample.fips.FIPSCertificate.ValidationHistoryEntry",
        "date": "2024-07-08",
        "lab": "GOSSAMER SECURITY SOLUTIONS INC",
        "validation_type": "Initial"
      }
    ],
    "vendor": "Palo Alto Networks, Inc.",
    "vendor_url": "http://www.paloaltonetworks.com"
  }
}