PAN-OS 10.1 Next-Generation Hardware Firewalls

Certificate #4841

Webpage information

Status active
Validation dates 16.10.2024, 13.03.2025
Sunset date 15-10-2029
Standard FIPS 140-3
Security level 2
Type Hardware
Embodiment Multi-Chip Stand Alone
Caveat When installed, initialized and configured as specified in Section 11 of the Security Policy. The tamper evident seals and Physical Kit installed as indicated in the Security Policy. The module generates SSPs (e.g., keys) whose strengths are modified by available entropy
Exceptions
  • Roles, services, and authentication: Level 3
  • Operational environment: N/A
  • Non-invasive security: N/A
  • Life-cycle assurance: Level 3
  • Mitigation of other attacks: N/A
Description Palo Alto Networks offers a full line of next-generation security appliances that range from the PA-220, designed for enterprise remote offices, to the PA-7080, which is a modular chassis designed for high-speed datacenters. The platform architecture is based on our single-pass engine, PAN-OS, for networking, security, threat prevention, and management functionality that is consistent across all platforms. The devices differ only in capacities, performance, and physical configuration.
Version (Hardware) 910-000128 with Physical Kit 920-000084, 910-000147 with Physical Kit 920-000226, [910-000231, 910-000212, 910-000232, and 910-000230] with Physical Kit 920-000454, [910-000120 and 910-000119] with Physical Kit 920-000185, [910-000162, 910-000163, and 910-000164] with Physical Kit 920-000212, [910-000132, 910-000131, 910-000125, 910-000157, 910-000257, and 910-000357] with Physical Kit 920-000186, 910-000223 with components 920-000293, 910-000195, 910-000194, and 910-000204 with Physical Kit 920-000309, 910-000102 with components 910-000137, 910-000136, 910-000156, 910-000256, 910-000356, 910-000183, 910-0000014, 910-000169, 910-000185, 910-000285, 910-000385, and 910-000013 with Physical Kit 920-000112, and 910-000122 with components 910-000137, 910-000136, 910-000156, 910-000256, 910-000356, 910-000183, 910-0000014, 910-000169, 910-000186, 910-000286, 910-000386, and 910-000012 with Physical Kit 920-000119
Version (Firmware) 10.1.5
Vendor Palo Alto Networks, Inc.
References

This certificate's webpage directly references 0 certificates, transitively this expands into 0 certificates.

Security policy

Symmetric Algorithms
AES, CAST, HMAC, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512, CMAC
Asymmetric Algorithms
RSA 2048, RSA 3072, RSA 4096, ECDHE, ECDH, ECDSA, DHE, Diffie-Hellman, DH
Hash functions
SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA2, MD5
Schemes
Key Exchange
Protocols
SSH, SSHv2, SSL, TLS, TLS1.2, TLS v1.2, TLSv1.1, TLSv1.0, TLS 1.2, TLSv1.3, IKEv2, IKE, IPsec, VPN
Randomness
DRBG, RNG
Elliptic Curves
P-256, P-384, P-521
Block cipher modes
ECB, CBC, CTR, CFB, GCM, CCM
TLS cipher suites
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Security level
Level 2, Level 1
Certification process
out of scope, in Section 11 will result in the module operating in a non-compliant state, which is considered out of scope of this validation. Zeroization The following procedure will zeroize the module: ● Access the

Standards
FIPS 140-3, FIPS 186-4, FIPS 198-1, FIPS 180-4, FIPS 186-2, SP 800-90B, SP 800-38A, SP 800-38C, SP 800-38D, SP 800-38F, SP 800-52, SP 800-140E, SP 800-63B, SP 800-56A, PKCS#1, RFC 3526, RFC 5288, RFC 5246, RFC 5282, ISO/IEC 24759

File metadata

Modification date D:20250210115551--05'00
Pages 68
Producer Skia/PDF m134 Google Docs Renderer

References

Outgoing
  • 129 - historical - nShield SCSI Ultrasign and nShield SCSI Cryptographic Accelerators
  • 128 - historical - nShield 300, nShield 150 and nShield 75 Cryptographic Accelerators

Heuristics

No heuristics are available for this certificate.

Updates

  • 04.04.2025 The certificate data changed.
    Certificate changed

    The web extraction data was updated.

    • The validation_history property was updated, with the [[1, {'_type': 'sec_certs.sample.fips.FIPSCertificate.ValidationHistoryEntry', 'date': '2025-03-13', 'validation_type': 'Update', 'lab': 'LEIDOS CSTL'}]] values inserted.
    • The caveat property was set to When installed, initialized and configured as specified in Section 11 of the Security Policy. The tamper evident seals and Physical Kit installed as indicated in the Security Policy. The module generates SSPs (e.g., keys) whose strengths are modified by available entropy.

    The PDF extraction data was updated.

    • The keywords property was updated, with the {'crypto_protocol': {'__update__': {'SSH': {'__insert__': {'SSHv2': 2}, '__update__': {'SSH': 63}}, 'IKE': {'__update__': {'IKE': 2}}}}, 'randomness': {'__update__': {'PRNG': {'__update__': {'DRBG': 47}}}}} data.
    • The policy_metadata property was updated, with the {'pdf_file_size_bytes': 13908417, 'pdf_number_of_pages': 68, '/ModDate': "D:20250210115551--05'00", '/Producer': 'Skia/PDF m134 Google Docs Renderer'} data.

    The state was updated.

    • The policy_pdf_hash property was set to 8cdb49cd61d63a30d3eb4347eadcb34c1f7c32bbb21c872e6d2034ec536f5633.
    • The policy_txt_hash property was set to 68ed09fe8c08342c7190a10bca4477d28b9f1d2f895e48ac8a2983f5459b6878.
  • 24.02.2025 The certificate data changed.
    Certificate changed

    The web extraction data was updated.

    • The exceptions property was updated.
  • 21.10.2024 The certificate was first processed.
    New certificate

    A new FIPS 140 certificate with the product name PAN-OS 10.1 Next-Generation Hardware Firewalls was processed.

Raw data

{
  "_type": "sec_certs.sample.fips.FIPSCertificate",
  "cert_id": 4841,
  "dgst": "818a291377e2e0e3",
  "heuristics": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.Heuristics",
    "algorithms": {
      "_type": "Set",
      "elements": [
        "AES-CBCA2137",
        "HMAC-SHA2-512A2137",
        "HMAC-SHA-1A2137",
        "AES-GCMA2137",
        "AES-CTRA2137",
        "SHA-1A2137",
        "SHA2-256A2137",
        "ECDSA KeyGen (FIPS186-4)A2137",
        "KDF IKEv2A2137",
        "ECDSA KeyVer (FIPS186-4)A2137",
        "HMAC-SHA2-384A2137",
        "HMAC-SHA2-256A2137",
        "KDF SSHA2137",
        "Conditioning Component AES-CBC-MAC SP800-90BA2165",
        "SHA2-512A2137",
        "AES-CFB128A2137",
        "AES-CCMA2137",
        "ECDSA SigVer (FIPS186-4)A2137",
        "ECDSA SigGen (FIPS186-4)A2137",
        "KDF SNMPA2137",
        "RSA SigGen (FIPS186-4)A2137",
        "RSA SigVer (FIPS186-4)A2137",
        "Safe Primes Key VerificationA2137",
        "KDF TLSA2137",
        "HMAC-SHA2-224A2137",
        "KAS-FFC-SSC Sp800-56Ar3A2137",
        "Counter DRBGA2137",
        "SHA2-384A2137",
        "RSA KeyGen (FIPS186-4)A2137",
        "Safe Primes Key GenerationA2137",
        "KAS-ECC-SSC Sp800-56Ar3A2137",
        "SHA2-224A2137"
      ]
    },
    "cpe_matches": null,
    "direct_transitive_cves": null,
    "extracted_versions": {
      "_type": "Set",
      "elements": [
        "10.1.5",
        "10.1"
      ]
    },
    "indirect_transitive_cves": null,
    "module_processed_references": {
      "_type": "sec_certs.sample.certificate.References",
      "directly_referenced_by": null,
      "directly_referencing": null,
      "indirectly_referenced_by": null,
      "indirectly_referencing": null
    },
    "module_prunned_references": {
      "_type": "Set",
      "elements": []
    },
    "policy_processed_references": {
      "_type": "sec_certs.sample.certificate.References",
      "directly_referenced_by": null,
      "directly_referencing": {
        "_type": "Set",
        "elements": [
          "129",
          "128"
        ]
      },
      "indirectly_referenced_by": null,
      "indirectly_referencing": {
        "_type": "Set",
        "elements": [
          "129",
          "128"
        ]
      }
    },
    "policy_prunned_references": {
      "_type": "Set",
      "elements": [
        "129",
        "128"
      ]
    },
    "related_cves": null,
    "verified_cpe_matches": null
  },
  "pdf_data": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.PdfData",
    "keywords": {
      "asymmetric_crypto": {
        "ECC": {
          "ECDH": {
            "ECDH": 6,
            "ECDHE": 7
          },
          "ECDSA": {
            "ECDSA": 66
          }
        },
        "FF": {
          "DH": {
            "DH": 2,
            "DHE": 7,
            "Diffie-Hellman": 8
          }
        },
        "RSA": {
          "RSA 2048": 12,
          "RSA 3072": 3,
          "RSA 4096": 3
        }
      },
      "certification_process": {
        "OutOfScope": {
          "in Section 11 will result in the module operating in a non-compliant state, which is considered out of scope of this validation. Zeroization The following procedure will zeroize the module: \u25cf Access the": 1,
          "out of scope": 1
        }
      },
      "cipher_mode": {
        "CBC": {
          "CBC": 5
        },
        "CCM": {
          "CCM": 4
        },
        "CFB": {
          "CFB": 1
        },
        "CTR": {
          "CTR": 7
        },
        "ECB": {
          "ECB": 2
        },
        "GCM": {
          "GCM": 14
        }
      },
      "cplc_data": {},
      "crypto_engine": {},
      "crypto_library": {},
      "crypto_protocol": {
        "IKE": {
          "IKE": 2,
          "IKEv2": 14
        },
        "IPsec": {
          "IPsec": 4
        },
        "SSH": {
          "SSH": 63,
          "SSHv2": 2
        },
        "TLS": {
          "SSL": {
            "SSL": 2
          },
          "TLS": {
            "TLS": 93,
            "TLS 1.2": 2,
            "TLS v1.2": 1,
            "TLS1.2": 1,
            "TLSv1.0": 2,
            "TLSv1.1": 2,
            "TLSv1.3": 1
          }
        },
        "VPN": {
          "VPN": 59
        }
      },
      "crypto_scheme": {
        "KEX": {
          "Key Exchange": 9
        }
      },
      "device_model": {},
      "ecc_curve": {
        "NIST": {
          "P-256": 48,
          "P-384": 38,
          "P-521": 34
        }
      },
      "eval_facility": {},
      "fips_cert_id": {
        "Cert": {
          "#128": 2,
          "#129": 2,
          "#16": 1
        }
      },
      "fips_certlike": {
        "Certlike": {
          "AES (128": 2,
          "AES 128/192/256": 1,
          "AES 256": 3,
          "HMAC-SHA- 1": 10,
          "HMAC-SHA-1": 34,
          "HMAC-SHA-1, 160": 2,
          "HMAC-SHA-256": 10,
          "HMAC-SHA-384": 2,
          "HMAC-SHA-512": 2,
          "HMAC-SHA2": 16,
          "HMAC\u2013SHA-1/224": 1,
          "PKCS#1": 4,
          "RSA 2048": 12,
          "RSA 3072": 3,
          "RSA 4096": 3,
          "SHA-1": 6,
          "SHA-256": 12,
          "SHA-384": 2,
          "SHA-512": 4,
          "SHA2": 4,
          "SHA2-224": 3,
          "SHA2-256": 8,
          "SHA2-384": 5,
          "SHA2-512": 5
        }
      },
      "fips_security_level": {
        "Level": {
          "Level 1": 1,
          "Level 2": 3
        }
      },
      "hash_function": {
        "MD": {
          "MD5": {
            "MD5": 11
          }
        },
        "SHA": {
          "SHA1": {
            "SHA-1": 6
          },
          "SHA2": {
            "SHA-224": 1,
            "SHA-256": 13,
            "SHA-384": 3,
            "SHA-512": 5,
            "SHA2": 4
          }
        }
      },
      "ic_data_group": {},
      "javacard_api_const": {},
      "javacard_packages": {},
      "javacard_version": {},
      "os_name": {},
      "pq_crypto": {},
      "randomness": {
        "PRNG": {
          "DRBG": 47
        },
        "RNG": {
          "RNG": 2
        }
      },
      "side_channel_analysis": {},
      "standard_id": {
        "FIPS": {
          "FIPS 140-3": 9,
          "FIPS 180-4": 5,
          "FIPS 186-2": 1,
          "FIPS 186-4": 75,
          "FIPS 198-1": 6
        },
        "ISO": {
          "ISO/IEC 24759": 2
        },
        "NIST": {
          "SP 800-140E": 1,
          "SP 800-38A": 4,
          "SP 800-38C": 2,
          "SP 800-38D": 2,
          "SP 800-38F": 6,
          "SP 800-52": 1,
          "SP 800-56A": 17,
          "SP 800-63B": 1,
          "SP 800-90B": 11
        },
        "PKCS": {
          "PKCS#1": 2
        },
        "RFC": {
          "RFC 3526": 2,
          "RFC 5246": 1,
          "RFC 5282": 1,
          "RFC 5288": 1
        }
      },
      "symmetric_crypto": {
        "AES_competition": {
          "AES": {
            "AES": 20
          },
          "CAST": {
            "CAST": 1
          }
        },
        "constructions": {
          "MAC": {
            "CMAC": 1,
            "HMAC": 20,
            "HMAC-SHA-256": 5,
            "HMAC-SHA-384": 1,
            "HMAC-SHA-512": 1
          }
        }
      },
      "tee_name": {},
      "tls_cipher_suite": {
        "TLS": {
          "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": 1,
          "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": 1,
          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 1,
          "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": 1
        }
      },
      "vendor": {},
      "vulnerability": {}
    },
    "policy_metadata": {
      "/ModDate": "D:20250210115551--05\u002700",
      "/Producer": "Skia/PDF m134 Google Docs Renderer",
      "/Title": "",
      "pdf_file_size_bytes": 13908417,
      "pdf_hyperlinks": {
        "_type": "Set",
        "elements": [
          "https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/pan-os/10-1/pan-os-admin/pan-os-admin.pdf",
          "http://www.paloaltonetworks.com"
        ]
      },
      "pdf_is_encrypted": false,
      "pdf_number_of_pages": 68
    }
  },
  "state": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.InternalState",
    "module_download_ok": true,
    "module_extract_ok": true,
    "policy_convert_garbage": false,
    "policy_convert_ok": true,
    "policy_download_ok": true,
    "policy_extract_ok": true,
    "policy_pdf_hash": "8cdb49cd61d63a30d3eb4347eadcb34c1f7c32bbb21c872e6d2034ec536f5633",
    "policy_txt_hash": "68ed09fe8c08342c7190a10bca4477d28b9f1d2f895e48ac8a2983f5459b6878"
  },
  "web_data": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.WebData",
    "caveat": "When installed, initialized and configured as specified in Section 11 of the Security Policy. The tamper evident seals and Physical Kit installed as indicated in the Security Policy. The module generates SSPs (e.g., keys) whose strengths are modified by available entropy",
    "certificate_pdf_url": null,
    "date_sunset": "2029-10-15",
    "description": "Palo Alto Networks offers a full line of next-generation security appliances that range from the PA-220, designed for enterprise remote offices, to the PA-7080, which is a modular chassis designed for high-speed datacenters. The platform architecture is based on our single-pass engine, PAN-OS, for networking, security, threat prevention, and management functionality that is consistent across all platforms. The devices differ only in capacities, performance, and physical configuration.",
    "embodiment": "Multi-Chip Stand Alone",
    "exceptions": [
      "Roles, services, and authentication: Level 3",
      "Operational environment: N/A",
      "Non-invasive security: N/A",
      "Life-cycle assurance: Level 3",
      "Mitigation of other attacks: N/A"
    ],
    "fw_versions": "10.1.5",
    "historical_reason": null,
    "hw_versions": "910-000128 with Physical Kit 920-000084, 910-000147 with Physical Kit 920-000226, [910-000231, 910-000212, 910-000232, and 910-000230] with Physical Kit 920-000454, [910-000120 and 910-000119] with Physical Kit 920-000185, [910-000162, 910-000163, and 910-000164] with Physical Kit 920-000212, [910-000132, 910-000131, 910-000125, 910-000157, 910-000257, and 910-000357] with Physical Kit 920-000186, 910-000223 with components 920-000293, 910-000195, 910-000194, and 910-000204 with Physical Kit 920-000309, 910-000102 with components 910-000137, 910-000136, 910-000156, 910-000256, 910-000356, 910-000183, 910-0000014, 910-000169, 910-000185, 910-000285, 910-000385, and 910-000013 with Physical Kit 920-000112, and 910-000122 with components 910-000137, 910-000136, 910-000156, 910-000256, 910-000356, 910-000183, 910-0000014, 910-000169, 910-000186, 910-000286, 910-000386, and 910-000012 with Physical Kit 920-000119",
    "level": 2,
    "mentioned_certs": {},
    "module_name": "PAN-OS 10.1 Next-Generation Hardware Firewalls",
    "module_type": "Hardware",
    "revoked_link": null,
    "revoked_reason": null,
    "standard": "FIPS 140-3",
    "status": "active",
    "sw_versions": null,
    "tested_conf": null,
    "validation_history": [
      {
        "_type": "sec_certs.sample.fips.FIPSCertificate.ValidationHistoryEntry",
        "date": "2024-10-16",
        "lab": "LEIDOS CSTL",
        "validation_type": "Initial"
      },
      {
        "_type": "sec_certs.sample.fips.FIPSCertificate.ValidationHistoryEntry",
        "date": "2025-03-13",
        "lab": "LEIDOS CSTL",
        "validation_type": "Update"
      }
    ],
    "vendor": "Palo Alto Networks, Inc.",
    "vendor_url": "http://www.paloaltonetworks.com"
  }
}