Palo Alto Networks SD-WAN Instant-On Network (ION) Devices ION 1200 and ION 9000

Certificate #4704

Webpage information

Status: active
Validation dates: 07.06.2024
Sunset date: 06-06-2029
Standard: FIPS 140-3
Security level: 2
Type: Hardware
Embodiment: Multi-Chip Stand Alone
Caveat: The tamper evident seals installed as indicated in the Security Policy
Exceptions:
  • Operational environment: N/A
  • Non-invasive security: N/A
  • Mitigation of other attacks: N/A
  • Documentation requirements: N/A
  • Cryptographic module security policy: N/A
Description: The Palo Alto Networks Prisma SD-WAN ION 1200, ION 1200-C-NA, ION 1200-C-ROW, ION 1200-C-5G-WW devices are multi-chip standalone modules that enable integration of heterogeneous WAN links, provide confident integration of the cloud, improve application performance/visibility, and reduce overall cost and complexity of customers' WAN. Prisma SD-WAN ION 9000 is a multi-chip standalone module designed for the data center to create a secure SD-WAN fabric across branches and data centers. It is designed to install seamlessly in the data center by peering with adjacent data center devices using traditional, standards-based routing protocols.
Version (Hardware): [ION 1200, ION 1200-C-NA, ION 1200-C-ROW, and ION 1200-C-5G-WW] with FIPS Kit (P/N 920-000363), and ION 9000 with FIPS Kit (P/N 920-000311)
Version (Firmware): 5.6.3
Vendor: Palo Alto Networks, Inc.
References

This certificate's webpage directly references 0 certificates, transitively this expands into 0 certificates.

Security policy

Symmetric Algorithms
AES-, AES, CAST, HMAC
Asymmetric Algorithms
RSA 2048, ECDHE, ECDSA, ECC, Diffie-Hellman
Hash functions
SHA-1
Schemes
MAC, Key Agreement
Protocols
SSH, TLS 1.2, TLSv1.2, TLS, IKEv2, IKE
Randomness
DRBG, RBG
Elliptic Curves
P-256, P-384, P-521, P-224, curve P-256
Block cipher modes
ECB, CBC, CTR, GCM

Trusted Execution Environments
PSP

Security level
Level 1, level 2, Level 2
Certification process
out of scope, of the TELs as depicted below and any additional requirement per the site security policy which are out of scope of this Security Policy. The ION 1200 requires 3 tamper evident labels while the ION 1200-C-NA/ION

Standards
FIPS 140-3, FIPS 197, FIPS140-3, FIPS 186-4, FIPS 198-1, FIPS 180-4, SP 800-38D, SP 800-38A, SP 800-52, SP 800-90B, PKCS#1, RFC 5288, ISO/IEC 24759

File metadata

Author Richard Wang
Creation date D:20240531170038-04'00'
Modification date D:20240531170038-04'00'
Pages 29
Creator Microsoft® Word 2016
Producer Microsoft® Word 2016

Heuristics

No heuristics are available for this certificate.

References

No references are available for this certificate.

Updates

  • 08.07.2024 The certificate data changed.
    Certificate changed

    The web extraction data was updated.

    • The certificate_pdf_url property was set to https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/certificates/June 2024_010724_1153.pdf.
  • 04.07.2024 The certificate was first processed.
    New certificate

    A new FIPS 140 certificate with the product name was processed.

Raw data

{
  "_type": "sec_certs.sample.fips.FIPSCertificate",
  "cert_id": 4704,
  "dgst": "68f2e33049d2b239",
  "heuristics": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.Heuristics",
    "algorithms": {
      "_type": "Set",
      "elements": [
        "ECDSA KeyGen (FIPS186-4)A2386",
        "Counter DRBGA2385",
        "HMAC-SHA2-384A2388",
        "AES-ECBA2385",
        "HMAC-SHA-1A2385",
        "HMAC-SHA2-224A2385",
        "KDF TLSA2386",
        "SHA2-512A2388",
        "RSA SigVer (FIPS186-4)RSA 1820",
        "ECDSA SigVer (FIPS186-4)A2385",
        "AES-GCMA2386",
        "HMAC-SHA2-512A2388",
        "HMAC DRBGA2386",
        "ECDSA KeyVer (FIPS186-4)A2386",
        "SHA2-384A2388",
        "SHA-1SHS 2920",
        "ECDSA SigGen (FIPS186-4)A2385",
        "RSA KeyGen (FIPS186-4)A2385",
        "KAS-ECC-SSC Sp800-56Ar3A2386",
        "HMAC-SHA2-256A2388",
        "SHA2-224A2386",
        "AES-CTRA2385",
        "SHA2-256SHS 2920",
        "RSA SigGen (FIPS186-4)A2385",
        "AES-CBCA2388"
      ]
    },
    "cpe_matches": null,
    "direct_transitive_cves": null,
    "extracted_versions": {
      "_type": "Set",
      "elements": [
        "5.6.3"
      ]
    },
    "indirect_transitive_cves": null,
    "module_processed_references": {
      "_type": "sec_certs.sample.certificate.References",
      "directly_referenced_by": null,
      "directly_referencing": null,
      "indirectly_referenced_by": null,
      "indirectly_referencing": null
    },
    "module_prunned_references": {
      "_type": "Set",
      "elements": []
    },
    "policy_processed_references": {
      "_type": "sec_certs.sample.certificate.References",
      "directly_referenced_by": null,
      "directly_referencing": null,
      "indirectly_referenced_by": null,
      "indirectly_referencing": null
    },
    "policy_prunned_references": {
      "_type": "Set",
      "elements": []
    },
    "related_cves": null,
    "verified_cpe_matches": null
  },
  "pdf_data": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.PdfData",
    "keywords": {
      "asymmetric_crypto": {
        "ECC": {
          "ECC": {
            "ECC": 19
          },
          "ECDH": {
            "ECDHE": 33
          },
          "ECDSA": {
            "ECDSA": 44
          }
        },
        "FF": {
          "DH": {
            "Diffie-Hellman": 9
          }
        },
        "RSA": {
          "RSA 2048": 3
        }
      },
      "certification_process": {
        "OutOfScope": {
          "of the TELs as depicted below and any additional requirement per the site security policy which are out of scope of this Security Policy. The ION 1200 requires 3 tamper evident labels while the ION 1200-C-NA/ION": 1,
          "out of scope": 1
        }
      },
      "cipher_mode": {
        "CBC": {
          "CBC": 4
        },
        "CTR": {
          "CTR": 1
        },
        "ECB": {
          "ECB": 1
        },
        "GCM": {
          "GCM": 4
        }
      },
      "cplc_data": {},
      "crypto_engine": {},
      "crypto_library": {},
      "crypto_protocol": {
        "IKE": {
          "IKE": 3,
          "IKEv2": 7
        },
        "SSH": {
          "SSH": 38
        },
        "TLS": {
          "TLS": {
            "TLS": 50,
            "TLS 1.2": 2,
            "TLSv1.2": 24
          }
        }
      },
      "crypto_scheme": {
        "KA": {
          "Key Agreement": 2
        },
        "MAC": {
          "MAC": 2
        }
      },
      "device_model": {},
      "ecc_curve": {
        "NIST": {
          "P-224": 20,
          "P-256": 41,
          "P-384": 24,
          "P-521": 26,
          "curve P-256": 1
        }
      },
      "eval_facility": {},
      "fips_cert_id": {
        "Cert": {
          "#1": 1,
          "#1819": 2,
          "#1820": 2,
          "#2919": 3,
          "#2920": 3
        }
      },
      "fips_certlike": {
        "Certlike": {
          "AES- 256": 1,
          "AES-CBC 128": 2,
          "AES-CBC 256": 4,
          "AES-GCM 256": 4,
          "Cert. #1819 RSA": 1,
          "Cert. #1820 RSA": 1,
          "Cert. #2919 SHS": 2,
          "Cert. #2920 SHS": 2,
          "HMAC-SHA-1": 22,
          "HMAC-SHA-1 160": 2,
          "PKCS#1": 14,
          "RSA 2048": 3,
          "SHA-1": 16,
          "SHA2-224": 4,
          "SHA2-256": 26,
          "SHA2-384": 7,
          "SHA2-512": 10,
          "SHS Cert. #2919": 3,
          "SHS Cert. #2920": 2
        }
      },
      "fips_security_level": {
        "Level": {
          "Level 1": 1,
          "Level 2": 3,
          "level 2": 1
        }
      },
      "hash_function": {
        "SHA": {
          "SHA1": {
            "SHA-1": 16
          }
        }
      },
      "ic_data_group": {},
      "javacard_api_const": {},
      "javacard_packages": {},
      "javacard_version": {},
      "os_name": {},
      "pq_crypto": {},
      "randomness": {
        "PRNG": {
          "DRBG": 49
        },
        "RNG": {
          "RBG": 1
        }
      },
      "side_channel_analysis": {},
      "standard_id": {
        "FIPS": {
          "FIPS 140-3": 12,
          "FIPS 180-4": 23,
          "FIPS 186-4": 19,
          "FIPS 197": 8,
          "FIPS 198-1": 14,
          "FIPS140-3": 2
        },
        "ISO": {
          "ISO/IEC 24759": 2
        },
        "NIST": {
          "SP 800-38A": 3,
          "SP 800-38D": 5,
          "SP 800-52": 1,
          "SP 800-90B": 3
        },
        "PKCS": {
          "PKCS#1": 7
        },
        "RFC": {
          "RFC 5288": 1
        }
      },
      "symmetric_crypto": {
        "AES_competition": {
          "AES": {
            "AES": 15,
            "AES-": 1
          },
          "CAST": {
            "CAST": 1
          }
        },
        "constructions": {
          "MAC": {
            "HMAC": 31
          }
        }
      },
      "tee_name": {
        "AMD": {
          "PSP": 7
        }
      },
      "tls_cipher_suite": {},
      "vendor": {},
      "vulnerability": {}
    },
    "policy_metadata": {
      "/Author": "Richard Wang",
      "/CreationDate": "D:20240531170038-04\u002700\u0027",
      "/Creator": "Microsoft\u00ae Word 2016",
      "/ModDate": "D:20240531170038-04\u002700\u0027",
      "/Producer": "Microsoft\u00ae Word 2016",
      "pdf_file_size_bytes": 1590418,
      "pdf_hyperlinks": {
        "_type": "Set",
        "elements": [
          "https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/prisma/prisma-sd-wan/prisma-sd-wan-admin/prisma-sd-wan-admin.pdf",
          "http://www.paloaltonetworks.com/",
          "about:blank"
        ]
      },
      "pdf_is_encrypted": false,
      "pdf_number_of_pages": 29
    }
  },
  "state": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.InternalState",
    "module_download_ok": true,
    "module_extract_ok": true,
    "policy_convert_garbage": false,
    "policy_convert_ok": true,
    "policy_download_ok": true,
    "policy_extract_ok": true,
    "policy_pdf_hash": "80524b113f3f3e5711f8cee6b1daeb7bbdf8ab08cfa92755812bead597731058",
    "policy_txt_hash": "a642e713f58188efe72f72b4b2b700ce925c5efa163929ab1a464af78b7ecd9e"
  },
  "web_data": {
    "_type": "sec_certs.sample.fips.FIPSCertificate.WebData",
    "caveat": "The tamper evident seals installed as indicated in the Security Policy",
    "certificate_pdf_url": "https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/certificates/June 2024_010724_1153.pdf",
    "date_sunset": "2029-06-06",
    "description": "The Palo Alto Networks Prisma SD-WAN ION 1200, ION 1200-C-NA, ION 1200-C-ROW, ION 1200-C-5G-WW devices are multi-chip standalone modules that enable integration of heterogeneous WAN links, provide confident integration of the cloud, improve application performance/visibility, and reduce overall cost and complexity of customers WAN. Prisma SD-WAN ION 9000 is a multi-chip standalone module designed for the data center to create a secure SD-WAN fabric across branches and data centers. It is designed to install seamlessly in the data center by peering with adjacent data center devices using traditional, standards-based routing protocols.",
    "embodiment": "Multi-Chip Stand Alone",
    "exceptions": [
      "Operational environment: N/A",
      "Non-invasive security: N/A",
      "Mitigation of other attacks: N/A",
      "Documentation requirements: N/A",
      "Cryptographic module security policy: N/A"
    ],
    "fw_versions": "5.6.3",
    "historical_reason": null,
    "hw_versions": "[ION 1200, ION 1200-C-NA, ION 1200-C-ROW, and ION 1200-C-5G-WW] with FIPS Kit (P/N 920-000363), and ION 9000 with FIPS Kit (P/N 920-000311)",
    "level": 2,
    "mentioned_certs": {},
    "module_name": "Palo Alto Networks SD-WAN Instant-On Network (ION) Devices ION 1200 and ION 9000",
    "module_type": "Hardware",
    "revoked_link": null,
    "revoked_reason": null,
    "standard": "FIPS 140-3",
    "status": "active",
    "sw_versions": null,
    "tested_conf": null,
    "validation_history": [
      {
        "_type": "sec_certs.sample.fips.FIPSCertificate.ValidationHistoryEntry",
        "date": "2024-06-07",
        "lab": "GOSSAMER SECURITY SOLUTIONS INC",
        "validation_type": "Initial"
      }
    ],
    "vendor": "Palo Alto Networks, Inc.",
    "vendor_url": "http://www.paloaltonetworks.com"
  }
}