Cryptographic Module Validation Program CMVP

Certificate #3536


Module Name
PA-200, PA-220, PA-220R, PA-500, PA-800 Series, PA-3000 Series, PA-3200 Series, PA-5000 Series, PA-5200 Series and PA-7000 Series Firewalls
FIPS 140-2
Historical Reason
SP 800-56Arev3 transition
Overall Level
When operated in FIPS mode and with the tamper evident seals and opacity shields installed as indicated in the Security Policy.
Security Level Exceptions
  • Roles, Services, and Authentication: Level 3
  • Design Assurance: Level 3
  • Mitigation of Other Attacks: N/A
Module Type
Multi-Chip Stand Alone
The Palo Alto Networks PA-200, PA-220, PA-220R, PA-500 Series, PA-800 Series, PA-3000 Series, PA-3200 Series, PA-5000 Series, PA-5200 Series and PA-7000 Series Firewalls are multi-chip standalone modules that provide network security by enabling enterprises to see and control applications, users, and content using three unique identification technologies: App-ID, User-ID, and Content-ID. These identification technologies enable enterprises to create business-relevant security policies, safely enabling organizations to adopt new applications.
Tested Configuration(s)
  • N/A
Approved Algorithms
AES Cert. #5890
CKG vendor affirmed
CVL Certs. #2119, #2120, #2121, and #2122
DRBG Cert. #2451
DSA Cert. #1485
ECDSA Cert. #1570
HMAC Cert. #3865
KAS SP 800-56Arev2 with CVL Certs. #2119 and #2120, vendor affirmed
KTS AES Cert. #5890; key establishment methodology provides 128 or 256 bits of encryption strength
KTS AES Cert. #5890 and HMAC Cert. #3865; key establishment methodology provides between 128 and 256 bits of encryption strength
RSA Cert. #3086
SHS Cert. #4641
Allowed Algorithms
Diffie-Hellman (CVL Cert. #2119 with CVL Cert. #2120, key agreement; key establishment methodology provides 112 bits of encryption strength); MD5; NDRNG; RSA (CVL Cert. #2121, key wrapping; key establishment methodology provides 112 or 128 bits of encryption strength)
Hardware Versions
PA-200 P/N 910-000015 Rev. E with [1], PA-220 P/N 910-000128 Rev. A with [1], PA-220R P/N 910-000147 Rev. B with [10], PA-500 P/N 910-000006 Rev. O with [2], PA-500-2GB P/N 910-000094 Rev. O with [2], PA-820 P/N 910-000120 Rev. A with [3], PA-850 P/N 910-000119 Rev. A with [3], PA-3020 P/N 910-000017 Rev. J with [4], PA-3050 P/N 910-000016 Rev. J with [4], PA-3060 P/N 910-000104 Rev. C with [5], PA-3220 P/N 910-000162 Rev. A with [11], PA-3250 P/N 910-000163 Rev. A with [11], PA-3260 P/N 910-000164 Rev. A with [11], PA-5020 P/N 910-000010 Rev. F with [6], PA-5050 P/N 910-000009 Rev. F with [6], PA-5060 P/N 910-000008 Rev. F with [6], PA-5220 P/N 910-000132 Rev. A with [7], PA-5250 P/N 910-000131 Rev. A with [7], PA-5260 P/N 910-000125 Rev. A with [7], PA-5280 P/N 910-000157 Rev. A with [7], PA-7050 P/N 910-000102 Rev. B with [8] and at least one from [12] and PA-7080 P/N 910-000122 Rev. A with [9] and at least one from [12]; FIPS Kit: P/Ns 920-000084 Rev. A [1], 920-000005 Rev. A [2], 920-000185 Rev. A [3], 920-000081 Rev. A [4], 920-000138 Rev. A [5], 920-000037 Rev. A [6], 920-000186 Rev. A [7], 920-000112 Rev. A [8], and 920-000119 Rev. A [9], 920-000226 Rev. A [10] and 920-000212 Rev. A [11]; Network Processing Cards [12]: P/Ns 910-000028-00B, 910-000117-00A, 910-000137-00A and 910-000136-00A
Firmware Versions
8.1.3 or 8.1.6


Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054

Jake Bajic
Phone: 408-753-4000

Validation History

Date Type Lab