Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

    Projects Cryptographic Module Validation Program Validated Modules Search

Cryptographic Module Validation Program CMVP

Certificate #4841

Details

Module Name
PAN-OS 10.1 Next-Generation Hardware Firewalls
Standard
FIPS 140-3
Status
Active
Sunset Date
10/15/2029
Overall Level
2
Caveat
When installed, initialized and configured as specified in Section 11 of the Security Policy. The tamper evident seals and Physical Kit installed as indicated in the Security Policy
Security Level Exceptions
  • Roles, services, and authentication: Level 3
  • Operational environment: N/A
  • Non-invasive security: N/A
  • Life-cycle assurance: Level 3
  • Mitigation of other attacks: N/A
  • Documentation requirements: N/A
  • Cryptographic module security policy: N/A
Module Type
Hardware
Embodiment
Multi-Chip Stand Alone
Description
Palo Alto Networks offers a full line of next-generation security appliances that range from the PA-220, designed for enterprise remote offices, to the PA-7080, which is a modular chassis designed for high-speed datacenters. The platform architecture is based on our single-pass engine, PAN-OS, for networking, security, threat prevention, and management functionality that is consistent across all platforms. The devices differ only in capacities, performance, and physical configuration.
Tested Configuration(s)
  • N/A
Approved Algorithms
AES-CBC
A2137
AES-CCM
A2137
AES-CFB128
A2137
AES-CTR
A2137
AES-GCM
A2137
Conditioning Component AES-CBC-MAC SP800-90B
A1791
Conditioning Component AES-CBC-MAC SP800-90B
A2138
Conditioning Component AES-CBC-MAC SP800-90B
A2153
Conditioning Component AES-CBC-MAC SP800-90B
A2165
Counter DRBG
A2137
ECDSA KeyGen (FIPS186-4)
A2137
ECDSA KeyVer (FIPS186-4)
A2137
ECDSA SigGen (FIPS186-4)
A2137
ECDSA SigVer (FIPS186-4)
A2137
HMAC-SHA-1
A2137
HMAC-SHA2-224
A2137
HMAC-SHA2-256
A2137
HMAC-SHA2-384
A2137
HMAC-SHA2-512
A2137
KAS-ECC-SSC Sp800-56Ar3
A2137
KAS-FFC-SSC Sp800-56Ar3
A2137
KDF IKEv2
A2137
KDF SNMP
A2137
KDF SSH
A2137
KDF TLS
A2137
RSA KeyGen (FIPS186-4)
A2137
RSA SigGen (FIPS186-4)
A2137
RSA SigVer (FIPS186-4)
A2137
Safe Primes Key Generation
A2137
Safe Primes Key Verification
A2137
SHA-1
A2137
SHA2-224
A2137
SHA2-256
A2137
SHA2-384
A2137
SHA2-512
A2137
Allowed Algorithms
MD5 (Only allowed as the PRF in TLS v1.1 per IG 2.4.A; Message digest used in TLSv1.0 / v1.1 KDF only)
Hardware Versions
910-000128 with Physical Kit 920-000084, 910-000147 with Physical Kit 920-000226, [910-000231, 910-000212, 910-000232, and 910-000230] with Physical Kit 920-000454, [910-000120 and 910-000119] with Physical Kit 920-000185, [910-000162, 910-000163, and 910-000164] with Physical Kit 920-000212, [910-000132, 910-000131, 910-000125, 910-000157, 910-000257, and 910-000357] with Physical Kit 920-000186, 910-000223 with components 920-000293, 910-000195, 910-000194, and 910-000204 with Physical Kit 920-000309, 910-000102 with components 910-000137, 910-000136, 910-000156, 910-000256, 910-000356, 910-000183, 910-0000014, 910-000169, 910-000185, 910-000285, 910-000385, and 910-000013 with Physical Kit 920-000112, and 910-000122 with components 910-000137, 910-000136, 910-000156, 910-000256, 910-000356, 910-000183, 910-0000014, 910-000169, 910-000186, 910-000286, 910-000386, and 910-000012 with Physical Kit 920-000119
Firmware Versions
10.1.5

Vendor

Palo Alto Networks, Inc.
3000 Tannery Way
Santa Clara, CA 95054
USA

Jake Bajic
certifications@paloaltonetworks.com
Phone: 408-753-4000
 Amir Shahhosseini
certifications@paloaltonetworks.com
Phone: 408-753-4000

Related Files

Security Policy

Validation History

Date Type Lab
10/16/2024 Initial LEIDOS CSTL