Cryptographic Module Validation Program CMVP

Certificate #3884


Module Name
PAN-OS 9.0 Firewalls PA-220, PA-220R, PA-800 Series, PA-3000 Series, PA-3200 Series, PA-5200 Series, and PA-7000 Series
FIPS 140-2
Sunset Date
Overall Level
When operated in FIPS mode and with the tamper evident seals and opacity shields installed as indicated in the Security Policy.
Security Level Exceptions
  • Roles, Services, and Authentication: Level 3
  • Design Assurance: Level 3
  • Mitigation of Other Attacks: N/A
Module Type
Multi-Chip Stand Alone
The Palo Alto Networks PA-220, PA-220R, PA-800 Series, PA-3000 Series, PA-3200 Series, PA-5200 Series and PA-7000 Series Firewalls are multi-chip standalone modules that provide network security by enabling enterprises to see and control applications, users, and content using three unique identification technologies: App-ID, User-ID, and Content-ID. These identification technologies enable enterprises to create business-relevant security policies that safely enable organizations to adopt new applications.
Tested Configuration(s)
  • N/A
Approved Algorithms
AES Cert. #C1005
CKG vendor affirmed
CVL Cert. #C1005
DRBG Cert. #C1005
DSA Cert. #C1005
ECDSA Cert. #C1005
HMAC Cert. #C1005
KAS KAS-SSC Cert. #A2670 and CVL Cert. #C1005
KAS-SSC Cert. #A2670
KTS AES Cert. #C1005 and HMAC Cert. #C1005; key establishment methodology provides between 128 and 256 bits of encryption strength
KTS AES Cert. #C1005; key establishment methodology provides 128 or 256 bits of encryption strength
RSA Cert. #C1005
SHS Cert. #C1005
Allowed Algorithms
MD5; NDRNG; RSA (key wrapping; key establishment methodology provides 112 or 128 bits of encryption strength)
Hardware Versions
PA-220 P/N 910-000128 Rev. A with [1], PA-220R P/N 910-000147 Rev. B with [2], PA-820 P/N 910-000120 Rev. A with [3], PA-850 P/N 910-000119 Rev. A with [3], PA-3020 P/N 910-000017 Rev. J with [4], PA-3050 P/N 910-000016 Rev. J with [4], PA-3060 P/N 910-000104 Rev. C with [5], PA-3220 P/N 910-000162 Rev. A with [6], PA-3250 P/N 910-000163 Rev. A with [6], PA-3260 P/N 910-000164 Rev. A with [6], PA-5220 P/N 910-000132 Rev. A with [7], PA-5250 P/N 910-000131 Rev. A with [7], PA-5260 P/N 910-000125 Rev. A with [7], PA-5280 P/N 910-000157 Rev. A with [7], PA-5280-K2-EXP: P/N: 910-000257 Rev. A with [7], PA-5280-K2-SEC: P/N: 910-000357 Rev. B with [7], PA-7050 P/N 910-000102 Rev. B with [8], [12], [14] and at least one from [10]; PA-7080 P/N 910-000122 Rev. A with [9], [12], [15] and at least one from [10]; PA-7050 P/N 910-000102 Rev. B with [8], [13], one from [11] and one from [17]; PA-7080 P/N 910-000122 Rev. A with [9], [13], one from [11] and one from [16]; FIPS Kit: P/Ns 920-000084 Rev. A [1], 920-000226 Rev. A [2], 920-000185 Rev. A [3], 920-000081 Rev. A [4], 920-000138 Rev. A [5], 920-000212 Rev. A [6], 920-000186 Rev. A [7], 920-000112 Rev. A [8] and 920-000119 Rev. A [9]; Network Processing Cards [10]: P/Ns 910-000028-00B, 910-000117-00A, 910-000137-00A, 910-000136-00A, 910-000156-00A, 910-000256-00A and 910-000356-00B; Network Processing Cards [11]: P/Ns 910-000156-00A, 910-000256-00A, and 910-000356-00B; Log Processing Card [12]: P/N 910-0000014-00A; Log Forwarding Card [13]: P/N 910-000183-00A; Switch Management Card [14]: P/N 910-000013-00P; Switch Management Card [15]: P/N 910-000012-00L; Switch Management Cards [16]: P/Ns 910-000186-00A, 910-000286-00D, 910-000386-00D; Switch Management Cards [17]: P/Ns 910-000185-00A, 910-000285-00C, 910-000385-00C
Firmware Versions


Palo Alto Networks, Inc.
3000 Tannery Way
Santa Clara, CA 95054

Amir Shahhosseini
Phone: 408-753-4000
Jake Bajic
Phone: 408-753-4000

Validation History

Date Type Lab
7/5/2022 Update LEIDOS CSTL