Module Name
PA-200, PA-220, PA-500, PA-800 Series, PA-3000 Series, PA-5000 Series, PA-5200 Series and PA-7000 Series Firewalls
Historical Reason
SP 800-56Arev3 transition
Caveat
When operated in FIPS mode and with the tamper evident seals and opacity shields installed as indicated in the Security Policy. The module generates cryptographic keys whose strengths are modified by available entropy.
Security Level Exceptions
- Roles, Services, and Authentication: Level 3
- Design Assurance: Level 3
- Mitigation of Other Attacks: N/A
Embodiment
Multi-Chip Stand Alone
Description
The Palo Alto Networks PA-200, PA-220, PA-500, PA-800 Series, PA-3000 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series Firewalls are multi-chip standalone modules that provide network security by enabling enterprises to see and control applications, users, and content using three unique identification technologies: App-ID, User-ID, and Content-ID. These identification technologies enable enterprises to create business-relevant security polices - safely enabling organizations to adopt new applications.
Approved Algorithms
| AES |
Cert. #4532 |
| CKG |
vendor affirmed |
| CVL |
Certs. #1211, #1212 and #1213 |
| DRBG |
Cert. #1489 |
| DSA |
Cert. #1207 |
| ECDSA |
Cert. #1103 |
| HMAC |
Cert. #2990 |
| KAS |
SP 800-56Arev2 with CVL Certs. #1211 and #1212, vendor affirmed |
| KTS |
AES Cert. #4532; key establishment methodology provides 128 or 256 bits of encryption strength |
| KTS |
AES Cert. #4532 and HMAC Cert. #2990; key establishment methodology provides 128 or 256 bits of encryption strength |
| RSA |
Cert. #2467 |
| SHS |
Cert. #3713 |
Allowed Algorithms
Diffie-Hellman (CVL Cert. #1211, key agreement; key establishment methodology provides 112 bits of encryption strength); MD5; NDRNG; RSA (key wrapping; key establishment methodology provides 112 or 128 bits of encryption strength)
Hardware Versions
PA-200 P/N 910-000015 Rev. E with [1], PA-220 P/N 910-000128 Rev. A with [1], PA-500 P/N 910-000006 Rev. O with [2], PA-500-2GB P/N 910-000094 Rev. O with [2], PA-820 P/N 910-000120 Rev. A with [3], PA-850 P/N 910-000119 Rev. A with [3], PA-3020 P/N 910-000017 Rev. J with [4], PA-3050 P/N 910-000016 Rev. J with [4], PA-3060 P/N 910-000104 Rev. C with [5], PA-5020 P/N 910-000010 Rev. F with [6], PA-5050 P/N 910-000009 Rev. F with [6], PA-5060 P/N 910-000008 Rev. F with [6], PA-5220 P/N 910-000132 Rev. A with [7], PA-5250 P/N 910-000131 Rev. A with [7], PA-5260 P/N 910-000125 Rev. A with [7], PA-7050 P/N 910-000102 Rev. B with [8] and at least one from [10] and PA-7080 P/N 910-000122 Rev. A with [9] and at least one from [10]; FIPS Kit: P/Ns 920-000084 Rev. A [1], 920-000005 Rev. A [2], 920-000185 Rev. A [3], 920-000081 Rev. A [4], 920-000138 Rev. A [5], 920-000037 Rev. A [6], 920-000186 Rev. A [7], 920-000112 Rev. A [8] and 920-000119 Rev. A [9]; Network Processing Cards [10]: P/Ns 910-000028-00B, 910-000117-00A, 910-000137-00A and 910-000136-00A
Firmware Versions
8.0.3, 8.0.6, 8.0.9, 8.0.12 or 8.0.13
