U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Cryptographic Module Validation Program CMVP

Certificate #3133


Module Name
PA-200, PA-220, PA-500, PA-800 Series, PA-3000 Series, PA-5000 Series, PA-5200 Series and PA-7000 Series Firewalls
FIPS 140-2
Sunset Date
Validation Dates
Overall Level
When operated in FIPS mode and with the tamper evident seals and opacity shields installed as indicated in the Security Policy. The module generates cryptographic keys whose strengths are modified by available entropy.
Security Level Exceptions
  • Roles, Services, and Authentication: Level 3
  • Design Assurance: Level 3
  • Mitigation of Other Attacks: N/A
Module Type
Multi-Chip Stand Alone
The Palo Alto Networks PA-200, PA-220, PA-500, PA-800 Series, PA-3000 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series Firewalls are multi-chip standalone modules that provide network security by enabling enterprises to see and control applications, users, and content using three unique identification technologies: App-ID, User-ID, and Content-ID. These identification technologies enable enterprises to create business-relevant security polices - safely enabling organizations to adopt new applications.
Tested Configuration(s)
  • N/A
FIPS Algorithms
AES Cert. #4532
CKG vendor affirmed
CVL Certs. #1211, #1212 and #1213
DRBG Cert. #1489
DSA Cert. #1207
ECDSA Cert. #1103
HMAC Cert. #2990
KAS SP 800-56Arev2 with CVL Certs. #1211 and #1212, vendor affirmed
KTS AES Cert. #4532; key establishment methodology provides 128 or 256 bits of encryption strength
KTS AES Cert. #4532 and HMAC Cert. #2990; key establishment methodology provides 128 or 256 bits of encryption strength
RSA Cert. #2467
SHS Cert. #3713
Allowed Algorithms
Diffie-Hellman (CVL Cert. #1211, key agreement; key establishment methodology provides 112 bits of encryption strength); MD5; NDRNG; RSA (key wrapping; key establishment methodology provides 112 or 128 bits of encryption strength)
Hardware Versions
PA-200 P/N 910-000015 Rev. E with [1], PA-220 P/N 910-000128 Rev. A with [1], PA-500 P/N 910-000006 Rev. O with [2], PA-500-2GB P/N 910-000094 Rev. O with [2], PA-820 P/N 910-000120 Rev. A with [3], PA-850 P/N 910-000119 Rev. A with [3], PA-3020 P/N 910-000017 Rev. J with [4], PA-3050 P/N 910-000016 Rev. J with [4], PA-3060 P/N 910-000104 Rev. C with [5], PA-5020 P/N 910-000010 Rev. F with [6], PA-5050 P/N 910-000009 Rev. F with [6], PA-5060 P/N 910-000008 Rev. F with [6], PA-5220 P/N 910-000132 Rev. A with [7], PA-5250 P/N 910-000131 Rev. A with [7], PA-5260 P/N 910-000125 Rev. A with [7], PA-7050 P/N 910-000102 Rev. B with [8] and at least one from [10] and PA-7080 P/N 910-000122 Rev. A with [9] and at least one from [10]; FIPS Kit: P/Ns 920-000084 Rev. A [1], 920-000005 Rev. A [2], 920-000185 Rev. A [3], 920-000081 Rev. A [4], 920-000138 Rev. A [5], 920-000037 Rev. A [6], 920-000186 Rev. A [7], 920-000112 Rev. A [8] and 920-000119 Rev. A [9]; Network Processing Cards [10]: P/Ns 910-000028-00B, 910-000117-00A, 910-000137-00A and 910-000136-00A
Firmware Versions
8.0.3, 8.0.6, 8.0.9, 8.0.12 or 8.0.13


Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054

Jake Bajic
Phone: 408-753-4000


NVLAP Code: 100432-0