PA-200, PA-500, PA-2000 Series, PA-3000 Series, PA-4000 Series, PA-5000 Series and PA-7050 Firewalls Non-Proprietary Security Policy                       Palo Alto Networks  Revision Date: 4/28/2016  www.paloaltonetworks.com © 2016 Palo Alto Networks. This non‐proprietary security policy may be  reproduced only in its original entirety (without revision). Palo Alto Networks, PAN‐OS, and Panorama  are trademarks of Palo Alto Networks, Inc. All other trademarks are the property of their respective  owners.   Palo Alto Networks Change Record Table 1 - Change Record Revision Date Author Description of Change A 8/23/2010 N. Campagna Initial authoring Added detail to the identity and authentication of B 1/24/2011 N. Campagna IPSec endpoints. C 5/31/2011 N. Campagna Added FW Version 3.1.7-h1 Added PA-5000 Series and updated firmware D 6/15/2011 N. Campagna version Updates related to FW Version 4.0.10, TLS, E 3/9/2012 Jake Bajic SSHv2, IPSec/IKEv1 and RSA F 4/20/2012 Jake Bajic Updated algorithms certificate numbers G 6/7/2012 Jake Bajic Minor updates H 1/2/2013 Jake Bajic Addressing CMVP comments I 7/29/13 Jake Bajic Updated with new production part numbers Updates related to PAN-OS 5.0.8, added PA-200 J 9/17/13 Jake Bajic and PA-3000 Series K 1/15/14 Jake Bajic Updates PAN-OS 5.0.11 Added additional PA-200 and PA-3000 Series L 3/14/2014 Richard Bishop information and minor edits M 9/5/2014 Richard Bishop Updates related to PAN-OS 6.0, added PA-7050 N 3/3/2015 Richard Bishop Added PAN-OS version 6.0.8. O 11/19/2015 Richard Bishop Updated FIPS Kit Part Number for PA-7050 P 4/28/2016 Richard Bishop Updated to version 7.0.1-h4 and 7.0.3 Palo Alto Networks Firewall Security Policy Page 2 of 87 Palo Alto Networks Contents Module Overview .................................................................................................................................................... 6 Security Level ........................................................................................................................................................ 20 Modes of Operation ............................................................................................................................................... 20 FIPS Approved Mode of Operation ........................................................................................................................... 20 Approved and Allowed Algorithms ............................................................................................................................ 21 Non-Approved, Non-Allowed Algorithms .................................................................................................................. 23 Ports and Interfaces ................................................................................................................................................ 23 Identification and Authentication Policy ............................................................................................................... 28 Assumption of Roles................................................................................................................................................... 28 Access Control Policy ............................................................................................................................................ 30 Roles and Services ..................................................................................................................................................... 30 Unauthenticated Services .......................................................................................................................................... 31 Definition of Critical Security Parameters (CSPs) .................................................................................................... 31 Definition of Public Keys ........................................................................................................................................... 33 Definition of CSPs Modes of Access .......................................................................................................................... 34 Operational Environment ....................................................................................................................................... 35 Security Rules ........................................................................................................................................................ 35 FIPS 140-2 Security Rules ......................................................................................................................................... 35 Physical Security Mechanisms .................................................................................................................................. 37 Operator Required Actions ........................................................................................................................................ 49 Mitigation of Other Attacks Policy ........................................................................................................................ 50 Definitions and Acronyms ..................................................................................................................................... 50 Reference Documents ............................................................................................................................................ 51 Appendix A - PA-200 - FIPS Accessories/Tamper Seal Installation (5 Seals) ..................................................... 52 Appendix B - PA-500 - FIPS Accessories/Tamper Seal Installation (12 Seals) .................................................... 55 Appendix C - PA-2000 Series - FIPS Accessories/Tamper Seal Installation (10 Seals) ....................................... 62 Appendix D - PA-3020 and PA-3050 - FIPS Accessories/Tamper Seal Installation (7 Seals) ............................. 66 Appendix E - PA-4000 Series – FIPS Accessories/Tamper Seal Installation (10 Seals)....................................... 69 Appendix F - PA-5000 Series - FIPS Accessories/Tamper Seal Installation (17 Seals) ....................................... 74 Appendix G - PA-7050 - FIPS Accessories/Tamper Seal Installation (24 Seals) ................................................. 77 Palo Alto Networks Firewall Security Policy Page 3 of 87 Palo Alto Networks Tables Table 1 - Change Record ......................................................................................................................................... 2 Table 2 - Validated Version Information ............................................................................................................... 18 Table 3 - Module Security Level Specification ..................................................................................................... 20 Table 4 - FIPS Approved Algorithms Used in the Module ................................................................................... 21 Table 5 - FIPS Allowed Algorithms Used in the Module ...................................................................................... 22 Table 6 - Supported Protocols in FIPS Approved Mode ....................................................................................... 22 Table 7 - Non-Approved Mode of Operation ........................................................................................................ 23 Table 8 - PA-200 FIPS 140-2 Ports and Interfaces ................................................................................................ 23 Table 9 - PA-500 FIPS 140-2 Ports and Interfaces ................................................................................................ 23 Table 10 - PA-2000 Series FIPS 140-2 Ports and Interfaces ................................................................................. 24 Table 11 - PA-3000 Series FIPS 140-2 Ports and Interfaces ................................................................................. 24 Table 12 - PA-4000 Series FIPS 140-2 Ports and Interfaces ................................................................................. 25 Table 13 - PA-5000 Series FIPS 140-2 Ports and Interfaces ................................................................................. 25 Table 14 - PA-7050 FIPS 140-2 Ports and Interfaces ............................................................................................ 26 Table 15 - Roles and Required Identification and Authentication ......................................................................... 28 Table 16 - Strengths of Authentication Mechanisms ............................................................................................. 28 Table 17 - Authenticated Service Descriptions ...................................................................................................... 30 Table 18 - Authenticated Services ......................................................................................................................... 30 Table 19 - Unauthenticated Services ..................................................................................................................... 31 Table 20 - CSPs ..................................................................................................................................................... 31 Table 21 - Public Keys ........................................................................................................................................... 33 Table 22 - CSP Access Rights within Roles & Services ....................................................................................... 34 Table 23 - Inspection/Testing of Physical Security Mechanisms .......................................................................... 49 Figures Figure 1 - PA-200 Front Image ................................................................................................................................ 8 Figure 2 - PA-200 Back Image ................................................................................................................................ 8 Figure 3 - PA-200 with Front Opacity Shield and Cage Enclosure ......................................................................... 8 Figure 4 - PA-500 Front Image ................................................................................................................................ 9 Figure 5 - PA-500 Back Image ................................................................................................................................ 9 Figure 6 - PA-500 with Front Opacity Shield .......................................................................................................... 9 Figure 7 - PA-500 with Side Opacity Shield ........................................................................................................... 9 Figure 8 - PA-2020 / PA-2050 Front Images ......................................................................................................... 10 Figure 9 - PA-2020 / PA-2050 Back Image ........................................................................................................... 10 Figure 10 - PA-2020 / PA-2050 Front Opacity Shield .......................................................................................... 11 Figure 11 - PA-2020 / PA-2050 with Side Opacity Shield .................................................................................... 11 Figure 12 - PA-3020 / PA-3050 Front Image ........................................................................................................ 11 Figure 13 - PA-3020 / PA-3050 Back Image ......................................................................................................... 12 Figure 14 - PA-3020 / PA-3050 Opacity Shield .................................................................................................... 12 Figure 15 - PA-3020 / PA-3050 side with Opacity Shield..................................................................................... 12 Palo Alto Networks Firewall Security Policy Page 4 of 87 Palo Alto Networks Figure 16 - PA-4020 / PA-4050 Front Image ........................................................................................................ 13 Figure 17 - PA-4060 Front Image .......................................................................................................................... 13 Figure 18 - PA-4020 / PA-4050 / PA-4060 Back Image ....................................................................................... 13 Figure 19 - PA-4020 / PA-4050 / PA-4060 Left Side with Opacity Shield ........................................................... 14 Figure 20 - PA-5020 Front Image .......................................................................................................................... 14 Figure 21 - PA-5050/PA-5060 Front Image .......................................................................................................... 14 Figure 22 - PA-5000 Series Back Image ............................................................................................................... 15 Figure 23 - PA-5000 Series Left Side with front Opacity Shield .......................................................................... 15 Figure 24 - PA-7050 Ports and Interface View ...................................................................................................... 16 Figure 25 - PA-7050 Front view with Opacity Shields.......................................................................................... 17 Figure 26 - PA-7050 Rear view with Opacity Shields ........................................................................................... 17 Figure 27 - PA-7050 Front and Right Side with Opacity Shields.......................................................................... 17 Figure 28 - PA-7050 Rear and Left Side with Opacity Shields ............................................................................. 17 Figure 29 - Logical Diagram .................................................................................................................................. 19 Figure 30 - PA-200 Left Side and Top Tamper Seal Placement (3) ...................................................................... 37 Figure 31 - PA-200 Right Side Tamper Seal Placement (2) .................................................................................. 37 Figure 32 - PA-500 Front Tamper Seal Placement (1) .......................................................................................... 38 Figure 33 - PA-500 Left Side Tamper Seal Placement (3) .................................................................................... 38 Figure 34 - PA-500 Right Side Tamper Seal Placement (2) .................................................................................. 39 Figure 35 - PA-500 Rear Tamper Seal Placement (6) ........................................................................................... 39 Figure 36 - PA-2000 Series Front Tamper Seal Placement (1).............................................................................. 40 Figure 37 - PA-2000 Series Left Side Tamper Seal Placement (3) ....................................................................... 40 Figure 38 - PA-2000 Series Right Side Tamper Seal Placement (3) ..................................................................... 41 Figure 39 - PA-2000 Series Rear Tamper Seal Placement (3)............................................................................... 41 Figure 40 - PA-3020/PA-3050 Series Tamper Seal Placement (3) ........................................................................ 42 Figure 41 - PA-3020/PA-3050 Series Tamper Seal Placement (2) ........................................................................ 42 Figure 42 - PA-3020/PA-3050 Series Tamper Seal Placement (2) ........................................................................ 42 Figure 43 - PA-4000 Series Rear Tamper Seal Placement – From Top (4)........................................................... 43 Figure 44 - PA-4000 Series Rear Side Tamper Seal Placement – From Underside (4)......................................... 43 Figure 45 - PA-4000 Series Right Side Tamper Seal Placement (1) ..................................................................... 43 Figure 46 - PA-4000 Series Left Side Tamper Seal Placement (1) ....................................................................... 44 Figure 47 - PA-5000 Series Rear Tamper Seal Placement (9)............................................................................... 45 Figure 48 - PA-5000 Series Right Side Tamper Seal Placement (4) ..................................................................... 45 Figure 49 - PA-5000 Series Left Side Tamper Seal Placement (4) ....................................................................... 46 Figure 50 - PA-7050 Tamper Seal Placement for Top Plenum (1-4) .................................................................... 47 Figure 51 - PA-7050 Tamper Seal Placement for Bottom Plenum (5-6) ............................................................... 47 Figure 52 - PA-7050 Tamper Seal Placement for Rear (7-20) ............................................................................. 48 Figure 53 - PA-7050 Tamper Seal Placement for Top Plenum Bracket (21-22) ................................................... 48 Figure 54 - PA-7050 Tamper Seal Placement for Bottom Plenum Bracket (23-24) ............................................. 49 Palo Alto Networks Firewall Security Policy Page 5 of 87 Palo Alto Networks Module Overview Palo Alto Networks offers a full line of next-generation security appliances that range from the PA-200, designed for enterprise remote offices, to the PA-7050, which is a modular chassis designed for high-speed datacenters. Our platform architecture is based on our single-pass software engine, PAN-OS, for networking, security, threat prevention, and management functionality that is consistent across all platforms. The devices differ only in capacities, performance, and physical configuration. The Palo Alto Networks PA-200, PA-500, PA-2000 Series, PA-3000 Series, PA-4000 Series, PA-5000 Series, and PA-7050 firewalls (hereafter referred to as the modules) are multi-chip standalone modules that provide network security by enabling enterprises to see and control applications, users, and content – not just ports, IP addresses, and packets – using three unique identification technologies: App-ID, User-ID, and Content-ID. These identification technologies, found in Palo Alto Networks' enterprise firewalls, enable enterprises to create business-relevant security policies – safely enabling organizations to adopt new applications, instead of the traditional “all-or-nothing” approach offered by traditional port-blocking firewalls used in many security infrastructures. Features and Benefits  Application visibility and control: Accurate identification of the applications traversing the network enables policy-based control over application usage at the firewall, the strategic center of the security infrastructure.  Visualization tools: Graphical visibility tools, customizable reporting and logging enables administrators to make a more informed decision on how to treat the applications traversing the network.  Application browser: Helps administrators quickly research what the application is, its’ behavioral characteristics and underlying technology resulting in a more informed decision making process on how to treat the application.  User-based visibility and control: Seamless integration with enterprise directory services (Active Directory, LDAP, eDirectory) facilitates application visibility and policy creation based on user and group information, not just IP address. In Citrix and terminal services environments, the identity of users sitting behind Citrix or terminal services can be used to enable policy-based visibility and control over applications, users and content. An XML API enables integration with other, 3rd party user repositories.  Real-time threat prevention: Detects and blocks application vulnerabilities, viruses, spyware, and worms; controls web activity; all in real-time, dramatically improving performance and accuracy.  File and data filtering: Taking full advantage of the in-depth application inspection being performed by App-ID, administrators can implement several different types of policies that reduce the risk associated with unauthorized file and data transfer. Palo Alto Networks Firewall Security Policy Page 6 of 87 Palo Alto Networks  Legacy firewall support: Support for traditional inbound and outbound port-based firewall rules mixed with application-based rules smooth the transition to a Palo Alto Networks next generation firewall.  Networking architecture: Support for dynamic routing (OSPF, RIP, BGP), virtual wire mode and layer 2/layer 3 modes facilitates deployment in nearly any networking environment.  Policy-based Forwarding: Forward traffic based on policy defined by application, source zone/interface, source/destination address, source user/group, and service.  Virtual Systems: Create multiple virtual “firewalls” within a single device as a means of supporting specific departments or customers. Each virtual system can include dedicated administrative accounts, interfaces, networking configuration, security zones, and policies for the associated network traffic.  VPN connectivity: Secure site-to-site connectivity is enabled through standards-based IPSec VPN support while remote user access is delivered via SSL VPN connectivity.  Quality of Service (QoS): Deploy traffic shaping policies (guaranteed, maximum and priority) to enable positive policy controls over bandwidth intensive, non-work related applications such as streaming media while preserving the performance of business applications.  Real-time bandwidth monitor: View real-time bandwidth and session consumption for applications and users within a selected QoS class.  Purpose-built platform: combines single pass software with parallel processing hardware to deliver the multi-Gbps performance necessary to protect today’s high speed networks. Palo Alto Networks Firewall Security Policy Page 7 of 87 Palo Alto Networks Note: Modules are shown in figures with no opacity shields included to demonstrate module interfaces and other physical characteristics. Pictures are included of each chassis with the opacity shields in place. Figure 1 - PA-200 Front Image Figure 2 - PA-200 Back Image Figure 3 - PA-200 with Front Opacity Shield and Cage Enclosure Palo Alto Networks Firewall Security Policy Page 8 of 87 Palo Alto Networks Figure 4 - PA-500 Front Image Figure 5 - PA-500 Back Image Figure 6 - PA-500 with Front Opacity Shield Figure 7 - PA-500 with Side Opacity Shield Palo Alto Networks Firewall Security Policy Page 9 of 87 Palo Alto Networks Figure 8 - PA-2020 / PA-2050 Front Images Figure 9 - PA-2020 / PA-2050 Back Image Palo Alto Networks Firewall Security Policy Page 10 of 87 Palo Alto Networks Figure 10 - PA-2020 / PA-2050 Front Opacity Shield Figure 11 - PA-2020 / PA-2050 with Side Opacity Shield Figure 12 - PA-3020 / PA-3050 Front Image Palo Alto Networks Firewall Security Policy Page 11 of 87 Palo Alto Networks Figure 13 - PA-3020 / PA-3050 Back Image Figure 14 - PA-3020 / PA-3050 Opacity Shield Figure 15 - PA-3020 / PA-3050 side with Opacity Shield Palo Alto Networks Firewall Security Policy Page 12 of 87 Palo Alto Networks Figure 16 - PA-4020 / PA-4050 Front Image Figure 17 - PA-4060 Front Image Figure 18 - PA-4020 / PA-4050 / PA-4060 Back Image Palo Alto Networks Firewall Security Policy Page 13 of 87 Palo Alto Networks Figure 19 - PA-4020 / PA-4050 / PA-4060 Left Side with Opacity Shield Figure 20 - PA-5020 Front Image Figure 21 - PA-5050/PA-5060 Front Image Palo Alto Networks Firewall Security Policy Page 14 of 87 Palo Alto Networks Figure 22 - PA-5000 Series Back Image Figure 23 - PA-5000 Series Left Side with front Opacity Shield Palo Alto Networks Firewall Security Policy Page 15 of 87 Palo Alto Networks Figure 24 - PA-7050 Ports and Interface View Palo Alto Networks Firewall Security Policy Page 16 of 87 Palo Alto Networks Figure 25 - PA-7050 Front view with Opacity Figure 26 - PA-7050 Rear view with Opacity Shields Shields Figure 27 - PA-7050 Front and Right Side with Figure 28 - PA-7050 Rear and Left Side with Opacity Shields Opacity Shields Palo Alto Networks Firewall Security Policy Page 17 of 87 Palo Alto Networks The configurations for this validation are: Table 2 - Validated Version Information Module Part Number Hardware FIPS Kit Part FIPS Kit FW Version Number Hardware Version PA-200 910-000015-00E Rev. E 920-000084-00A Rev. A 7.0.1-h4 and 7.0.3 PA-500 910-000006-00O Rev. O 920-000005-00A Rev. A 7.0.1-h4 and 7.0.3 PA-500-2GB 910-000094-00O Rev. O 920-000005-00A Rev. A 7.0.1-h4 and 7.0.3 PA-2020 910-000004-00Z Rev. Z 920-000004-00A Rev. A 7.0.1-h4 and 7.0.3 PA-2050 910-000003-00Z Rev. Z 920-000004-00A Rev. A 7.0.1-h4 and 7.0.3 PA-3020 910-000017-00J Rev. J 920-000081-00A Rev. A 7.0.1-h4 and 7.0.3 PA-3050 910-000016-00J Rev. J 920-000081-00A Rev. A 7.0.1-h4 and 7.0.3 PA-4020 910-000002-00AB Rev. AB 920-000003-00A Rev. A 7.0.1-h4 and 7.0.3 PA-4050 910-000001-00AB Rev. AB 920-000003-00A Rev. A 7.0.1-h4 and 7.0.3 PA-4060 910-000005-00S Rev. S 920-000003-00A Rev. A 7.0.1-h4 and 7.0.3 PA-5020 910-000010-00F Rev. F 920-000037-00A Rev. A 7.0.1-h4 and 7.0.3 PA-5050 910-000009-00F Rev. F 920-000037-00A Rev. A 7.0.1-h4 and 7.0.3 PA-5060 910-000008-00F Rev. F 920-000037-00A Rev. A 7.0.1-h4 and 7.0.3 PA-7050 * 910-000102-00B Rev. B 920-000112-00A Rev. A 7.0.1-h4 and 7.0.3 * Palo Alto Networks PA-7000 Series firewalls are tested with two different Network Processing Cards (NPC) and either NPC may be configured for use in the approved mode of operation.  910-000028-00B: PAN-PA-7000-20G-NPC Palo Alto Networks Firewall Security Policy Page 18 of 87 Palo Alto Networks  910-000117-00A: PAN-PA-7000-20GQ-NPC Figure 29 depicts the logical block diagram for the modules. The cryptographic boundary includes all of the logical components of the modules and the boundary is the physical enclosure of the firewall. Figure 29 - Logical Diagram Palo Alto Networks Firewall Security Policy Page 19 of 87 Palo Alto Networks Security Level The cryptographic modules meet the overall requirements applicable to Level 2 security of FIPS 140-2. Table 3 - Module Security Level Specification Security Requirements Section Level Cryptographic Module Specification 2 Module Ports and Interfaces 2 Roles, Services and Authentication 3 Finite State Model 2 Physical Security 2 Operational Environment N/A Cryptographic Key Management 2 EMI/EMC 2 Self-Tests 2 Design Assurance 3 Mitigation of Other Attacks N/A Modes of Operation FIPS Approved Mode of Operation The modules support both a Common Criteria (CC) mode (FIPS Approved mode) and a non-CC mode (Non-Approved mode). The following procedure will put the modules into the FIPS-approved mode of operation:  Install FIPS kit opacity shields and tamper evidence seals according to the Physical Security Policy section. FIPS kits must be correctly installed to operate in the Approved mode of operation. The tamper evidence seals and opacity shields shall be installed for the module to operate in a FIPS Approved mode of operation.  During initial boot up, break the boot sequence via the console port connection (by pressing the maint button when instructed to do so) to access the main menu.  Select “Continue.”  Select the “Set CCEAL4 Mode” option to enter CC mode.  Select “Enable CCEAL4 Mode”.  When prompted, select “Reboot” and the module will re-initialize and continue into CC mode (FIPS mode).  The module will reboot.  In CC mode, the console port is available as a status output port. Palo Alto Networks Firewall Security Policy Page 20 of 87 Palo Alto Networks  If using RADIUS or TACACS+, configure the service route via an IPSec tunnel. Otherwise, skip this step. The module will automatically indicate the FIPS Approved mode of operation in the following manner:  Status output interface will indicate “**** CCEAL4 MODE ENABLED ****” via the CLI session.  Status output interface will indicate “CCEAL4 mode enabled successfully” via the console port.  The module will display “CC” at all times in the status bar at the bottom of the web interface. Should one or more power-up self-tests fail, the FIPS Approved mode of operation will not be achieved. Feedback will consist of:  The module will output “CC EAL4 failure”  The module will reboot and enter a state in which the reason for the reboot can be determined.  To determine which self-test caused the system to reboot into the error state, connect the console cable and follow the on-screen instructions to view the self-test output. Approved and Allowed Algorithms The cryptographic modules support the following FIPS Approved algorithms. Table 4 - FIPS Approved Algorithms Used in the Module FIPS Approved Algorithm CAVP Cert. # AES: 3475 - ECB, CBC, CFB1, CFB8, CFB128, OFB, CTR modes; Encrypt/Decrypt; 128, 192 and 256-bit AES-CCM - 128 bit AES-GCM - 128 and 256 bit Note: GCM is used compliant with SP 800-52 and used in accordance to Section 4 of RFC 5288 for TLS key establishment. GCM is also compliant with RFC 6071 for use in IPSec. ECDSA P-256 and P-384 713,CVL 566 - Key Pair Generation - Signature Generation - Signature Verification FIPS 186-4 RSA : 1782 - Key Generation: 2048 and 3072-bit - Signature Generation: 2048 and 3072-bit - Signature Verification: 1024, 2048 and 3072-bit HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC- 2220 SHA-512 SHA-1, SHA-256, SHA-384, SHA-512 2870 SP800-90a CTR DRBG AES 256 870 Palo Alto Networks Firewall Security Policy Page 21 of 87 Palo Alto Networks FIPS Approved Algorithm CAVP Cert. # SP 800-56A ECDHE Section 5.7.1.2 CVL 567 SP 800-56A ECDHE except KDF CVL 564 SP 800-135 KDF – TLS 1.0/1.1/1.2, SNMPv3, SSH, IKEv1/v2* CVL 565 The cryptographic modules support the following non-FIPS Approved algorithms that are allowed for use in CC (FIPS) mode. Table 5 - FIPS Allowed Algorithms Used in the Module FIPS Allowed Algorithm EC Diffie-Hellman (CVL Cert. #567, key agreement; key establishment methodology provides 128 bits or 192 bits of encryption strength) Diffie-Hellman (key agreement; key establishment methodology provides 112 bits of encryption strength) AES (Cert.#3475 key wrapping; key establishment methodology provides 128 or 256 bits of encryption strength) RSA (key wrapping, key establishment methodology provides 112 or 128 bits of encryption strength) NDRNG (used to seed SP800-90 DRBG) MD5 (within TLS) Table 6 - Supported Protocols in FIPS Approved Mode Supported Protocols* TLSv1.0, 1.1 and v1.2 SSHv2 IPSec, IKEv1 and v2 SNMPv2/v3 *Note: these protocols were not reviewed or tested by the CMVP or CAVP. Palo Alto Networks Firewall Security Policy Page 22 of 87 Palo Alto Networks Non-Approved, Non-Allowed Algorithms The cryptographic modules support the following non-Approved algorithms. No security claim is made in the current modules for any of the following non-Approved algorithms. Table 7 - Non-Approved Mode of Operation Non-Approved Algorithms in Non-FIPS mode Hashing: RIPEMD, MD5 Encrypt/Decrypt: Camellia, SEED, Triple-DES, Blowfish, CAST, RC4 Message Authentication: UMAC, HMAC-MD5, HMAC-RIPEMD Digital Signatures (non-Approved strengths or SHA-1 in Signature Generation): RSA, ECDSA, DSA Key Exchange (non-Approved strengths): ECDH (sect571r1, sect571k1, secp521r1, sect409k1, sect409r1, sect283k1, sect283r1, secp256k1, sect239k1, sect233k1, sect233r1, secp224k1, secp224r1, sect193r1, sect193r2, secp192k1, secp192r1, sect163k1, sect163r1, sect163r2, secp160k1, secp160r1, secp160r2) DH (768, 1024 and 1536 bit) RSA: Less than 2048 bit modulus Ports and Interfaces The modules are multi-chip standalone modules with ports and interfaces as shown below. Table 8 - PA-200 FIPS 140-2 Ports and Interfaces Interface Qty FIPS 140-2 Designation Name and Description RJ45 1 Data input, control input, Console port data output, status output RJ45 1 Data input, control input, Out of band management data output, status output RJ45 4 Data input, control input, 10/100/1000 Ethernet data output, status output interface DC-12V 1 Power input Power interface LEDs 6 Status output Status indicators USB 1 Disabled except for power Used in manufacturing Table 9 - PA-500 FIPS 140-2 Ports and Interfaces Interface Qty FIPS 140-2 Designation Name and Description RJ45 1 Data input, control input, Console port data output, status output Palo Alto Networks Firewall Security Policy Page 23 of 87 Palo Alto Networks RJ45 1 Data input, control input, Out of band management data output, status output RJ45 8 Data input, control input, 10/100/1000 Ethernet data output, status output interface 100-240 1 Power input Power interface V LEDs 6 Status output Status indicators USB 1 Disabled except for power Used in manufacturing Table 10 - PA-2000 Series FIPS 140-2 Ports and Interfaces Interface PA- PA-2020 FIPS 140-2 Designation Name and Description 2050 Qty Qty RJ45 1 1 Data input, control input, Console port data output, status output RJ45 1 1 Data input, control input, Out of band management data output, status output SFP 4 2 Data input, control input, Ethernet optical gigabit interface data output, status output RJ45 16 12 Data input, control input, 10/100/1000 Ethernet interface data output, status output 100-240 V 1 1 Power input Power interface LEDs 6 6 Status output Status indicators USB 1 1 Disabled except for power Used in manufacturing Table 11 - PA-3000 Series FIPS 140-2 Ports and Interfaces Interface PA-3050 PA-3020 FIPS 140-2 Name and Description Qty Qty Designation RJ45 1 1 Data input, control Console port input, data output, status output RJ45 1 1 Data input, control Out of band management input, data output, status output RJ45 2 2 Data input, control 10/100/1000 HA Ethernet input, data output, interface status output SFP+ N/A N/A Data input, control Ethernet optical 10-gigabit input, data output, Palo Alto Networks Firewall Security Policy Page 24 of 87 Palo Alto Networks Interface PA-3050 PA-3020 FIPS 140-2 Name and Description Qty Qty Designation status output interface SFP 8 8 Data input, control Ethernet optical gigabit interface input, data output, status output RJ45 12 12 Data input, control 10/100/1000 Ethernet interface input, data output, status output 100-240 V 1 1 Power input Power interface LEDs 6 6 Status output Status indicators USB 1 1 Disabled except for Future Use power Table 12 - PA-4000 Series FIPS 140-2 Ports and Interfaces Interface PA- PA-4050 PA-4020 FIPS 140-2 Designation Name and Description 4060 Qty Qty Qty DB9 1 1 1 Data input, control input, Console port data output, status output RJ45 1 1 1 Data input, control input, Out of band data output, status output management XFP 4 N/A N/A Data input, control input, Ethernet optical 10- data output, status output gigabit interface SFP 4 8 8 Data input, control input, Ethernet optical gigabit data output, status output interfaces RJ45 2 2 2 Data input, control input, 10/100/1000 HA data output, status output Ethernet interface RJ45 N/A 16 16 Data input, control input, 10/100/1000 Ethernet data output, status output Interfaces 100-240 V 2 2 2 Power input Power interface LEDs 8 8 8 Status output Status indicators USB 2 2 2 Disabled except for power Used in manufacturing Table 13 - PA-5000 Series FIPS 140-2 Ports and Interfaces Interface PA- PA- PA-5020 FIPS 140-2 Name and Description 5060 5050 Qty Designation Qty Qty Palo Alto Networks Firewall Security Policy Page 25 of 87 Palo Alto Networks Interface PA- PA- PA-5020 FIPS 140-2 Name and Description 5060 5050 Qty Designation Qty Qty RJ45 1 1 1 Data input, control Console port input, data output, status output RJ45 1 1 1 Data input, control Out of band management input, data output, status output SFP+ 4 4 N/A Data input, control Ethernet optical 10-gigabit input, data output, interface status output SFP 8 8 8 Data input, control Ethernet optical gigabit input, data output, interfaces status output RJ45 2 2 2 Data input, control 10/100/1000 HA Ethernet input, data output, interface status output RJ45 12 12 12 Data input, control 10/100/1000 Ethernet input, data output, Interfaces status output 100-240 V 2 2 2 Power input Power interface LEDs 8 8 8 Status output Status indicators USB 2 2 2 Disabled except for Used in manufacturing power Table 14 - PA-7050 FIPS 140-2 Ports and Interfaces Chassis(a) Interface 20G 20GQ FIPS 140-2 Designation Name and Description NPC (b) NPC Qty Qty Qty RJ45 1 N/A N/A Data input, control input, Console port data output, status output RJ45 1 N/A N/A Data input, control input, Out of band management data output, status output RJ45 N/A 12 N/A Data input, control input, 10/100/1000 Ethernet data output, status output Interfaces SFP N/A 8 N/A Data input, control input, Ethernet optical gigabit data output, status output interfaces SFP+ N/A 4 12 Data input, control input, Ethernet optical 10- data output, status output gigabit interface Palo Alto Networks Firewall Security Policy Page 26 of 87 Palo Alto Networks RJ45 2 N/A N/A Data input, control input, 10/100/1000 HA Ethernet data output, status output interface HSCI 2 N/A N/A Data input, control input, QSFP HA interface data output, status output QSFP N/A N/A 2 Data input, control input, IEEE 802.3ba interface data output, status output 100-240 4 N/A N/A Power input Power interface V 48(d) 52(c) 32(c) LEDs Status output Status indicators USB 1 N/A N/A Disabled except for power Used in manufacturing a. The PA-7050 chassis includes two cards that are installed in the front slots of the chassis. These cards include the following: The Switch Management Card (SMC) provides management connectivity to the chassis and the Log Processing Card (LPC) handles all log processing and log storage for the firewall. b. NPC (Network Processing Card) - The PA-7050 may contain up to six (6) NPC cards. At least one (1) Network Processing Cards (NPC) must be installed before the firewall can process data traffic. c. NPC - With the four (4) standard status LED, each networking interface contains two (2) LED the link status and activity LED. d. PA-7050 - Status LED count (36) includes the following; 4 for fan status, 12 for the LPC and 20 for the SMC, 12 for power supplies. Palo Alto Networks Firewall Security Policy Page 27 of 87 Palo Alto Networks Identification and Authentication Policy Assumption of Roles The modules support four distinct operator roles, User and Cryptographic Officer (CO), Remote Access VPN, and Site-to-site VPN. The cryptographic modules enforce the separation of roles using unique authentication credentials associated with operator accounts. The modules support concurrent operators. The modules do not provide a maintenance role or bypass capability. Table 15 - Roles and Required Identification and Authentication Authentication Role Description Authentication Data Type CO This role has access to all Identity-based Username/password and/or configuration, show status and operator certificate based update services offered by the authentication authentication modules. Within the PAN-OS software, this role maps to the “Superuser” administrator role. User This role has limited access to Identity-based Username/password and/or services offered by the modules. operator certificate based This role does not have access to authentication authentication modify or view the passwords associated with other administrator accounts, it may not view CSPs of any type stored on the module. The User may change their own password. Within the PAN-OS software, this role maps to the “Superuser (read-only)” administrator role (also referred to as “Superreader”). Remote Remote user accessing the network Identity-based Username/password and/or Access via VPN. operator certificate based VPN authentication authentication (RA VPN) Site-to- Remote VPN device establishing a Identity-based IKE/IPSec Pre-shared keys - site VPN VPN session to facilitate access to operator Identification with the IP (S-S the network. authentication Address and authentication VPN) with the Pre-Shared Key or certificate based authentication Table 16 - Strengths of Authentication Mechanisms Authentication Mechanism Strength of Mechanism Palo Alto Networks Firewall Security Policy Page 28 of 87 Palo Alto Networks Authentication Mechanism Strength of Mechanism Username and Password Minimum length is 6 characters (95 possible characters). The probability that a random attempt will succeed or a false acceptance will occur is 1/(956) which is less than 1/1,000,000. The probability of successfully authenticating to the module within one minute is 10/(956), which is less than 1/100,000. The firewall’s configuration supports at most ten failed attempts to authenticate in a one-minute period. Certificate based The security modules support certificate-based authentication using RSA authentication 2048, RSA 3072, ECDSA P-256 or ECDSA P-384. For RSA, the minimum equivalent strength supported is 112 bits. The probability that a random attempt will succeed is 1/(2112) which is less than 1/1,000,000. The probability of successfully authenticating to the module within a one minute period is 3,600,000/(2112), which is less than 1/100,000. The firewall supports at most 60,000 new sessions per second to authenticate in a one-minute period. For ECDSA, the minimum equivalent strength supported is 128 bits. The probability that a random attempt will succeed is 1/(2128) which is less than 1/1,000,000. The probability of successfully authenticating to the module within a one minute period is 3,600,000/(2128), which is less than 1/100,000. The firewall supports at most 60,000 new sessions per second to authenticate in a one-minute period. The 160 bit key length supports 2160 different combinations. The IKE/IPSec pre-shared keys probability of successfully authenticating to the module is 1/(2160), which is less than 1/1,000,000. The number of authentication attempts is limited by the number of new connections per second supported (120,000) on the fastest platform of the Palo Alto Networks firewalls. The probability of successfully authenticating to the module within a one minute period is 7,200,000/(2160), which is less than 1/100,000. Palo Alto Networks Firewall Security Policy Page 29 of 87 Palo Alto Networks Access Control Policy Roles and Services The Approved and non-Approved mode of operation provide identical services. While in the Approved mode of operation all CO and User services are accessed via SSH or TLS sessions. Approved and allowed algorithms, relevant CSPs and public keys related to these protocols are accessed to support the following services. CSP access by services is further described in the following tables. The services listed below are also available in the non-Approved mode. In the Non-Approved mode SSH, TLS and VPN processes will use non-Approved Algorithms and Approved algorithms with non-approved strength. Table 17 - Authenticated Service Descriptions Service Description Security Configuring and managing cryptographic parameters and setting/modifying Configuration security policy, creating User accounts and additional CO accounts, as well as Management configuring usage of third party external HSMs. Other Configuration Networking parameter configuration, logging configuration, and other non- security relevant configuration. View Other Read-only of non-security relevant configuration (see above). Configuration Show Status View status via the web interface or command line interface. VPN Provide network access for remote users or site-to-site connections. Firmware update Provides a method to update the firmware on the firewall. Note: Additional information on the services the module provides can be found at https://www.paloaltonetworks.com/documentation.html Table 18 - Authenticated Services Crypto S-S Service User RA VPN Officer VPN Y(a) Security Configuration Management Y N N Other Configuration Y N N N View Other Configuration Y Y N N Show Status Y Y Y Y Palo Alto Networks Firewall Security Policy Page 30 of 87 Palo Alto Networks VPN N N Y Y Firmware update Y N N N a. The User role has use of this service only to change their own password. Unauthenticated Services The cryptographic module supports the following unauthenticated services: Table 19 - Unauthenticated Services Service Description Zeroize The device will overwrite all CSPs. Self-Tests Run power up self-tests on demand by power cycling the module. Show Status (LEDs) View status of the module via the LEDs. The zeroization procedure is invoked when the operator exits CC (FIPS) mode. The procedure consists of overwriting keystore files, formatting the harddisk, and overwriting with a reinstalled firmware image. The operator must be in control of the module during the entire procedure to ensure that it has successfully completed. During the zeroization procedure, no other services are available. Definition of Critical Security Parameters (CSPs) The modules contain the following CSPs: Table 20 - CSPs CSP # CSP/Key Name Type Description 1 RSA Private Keys RSA RSA Private keys for verification of signatures, authentication or key establishment. (RSA 2048 or 3072 bits) 2 ECDSA Private key for verification of signatures and authentication ECDSA Private Keys ECDSA (P-256 or P-384) 3 TLS PreMaster Secret TLS Secret Secret value used to derive the TLS session keys 4 TLS DH Private DH Diffie-Hellman private FFC or EC Components component used in TLS (DHE 2048, ECDHE P-256, P-384) 5 TLS HMAC Keys HMAC TLS integrity and authentication session Palo Alto Networks Firewall Security Policy Page 31 of 87 Palo Alto Networks CSP # CSP/Key Name Type Description keys (SHA1, SHA256, SHA384) 6 TLS Encryption Keys AES TLS encryption session keys (128 and 256 CBC or GCM) 7 SSH Session Authentication HMAC Authentication keys used in all SSH Keys connections to the security module’s command line interface.(SHA1) 8 SSH Session Encryption AES Used in all SSH connections to the Keys security module’s command line interface. (128, 192, and 256 CBC or CTR) 9 SSH DH Private DH Diffie Hellman private component used in Components key establishment (DHE 2048) 10 S-S VPN IPSec/IKE HMAC (SHA1, SHA256, SHA384 or SHA 512) authentication Keys Used to authenticate the peer in an IKE/IPSec tunnel connection. 11 S-S VPN IPSec/IKE session AES Used to encrypt IKE/IPSec data. These Keys are AES (128, 192, and 256 CBC) IKE keys and (128, 192 and 256 CBC, 128 CCM, 128 and 256 GCM) IPSec keys 12 S-S VPN IPSec/IKE Diffie DH Diffie Hellman (Group 14, 19 and 20) Hellman Private private component used in key Components establishment 13 S-S VPN IPSEC pre-shared Part of HMAC Manually distributed by an administrator Keys in the CO role. Used in authentication. 14 RA VPN IPSec session AES (128 CBC, 128 and 256 GCM) Used to Keys encrypt remote access sessions utilizing IPSec. 15 RA VPN IPSec HMAC (SHA-1) Used in authentication of remote authentication HMAC access IPSec data. 16 Firmware code integrity HMAC Used to check the integrity of crypto- check related code. HMAC-SHA-256 17 Firmware Content AES-256 Used to decrypt firmware, software, and Encryption Key content. 18 Password Password Authentication string with a minimum length of 6 characters. 19 DRBG Seed /State DRBG Used by DRBG. The state includes the V and the Key. Palo Alto Networks Firewall Security Policy Page 32 of 87 Palo Alto Networks CSP # CSP/Key Name Type Description 20 SNMPv3 Secrets SNMPv3 SNMPv3 Authentication Secret and Secrets Privacy Secret 21 SNMPv3 Keys SNMPv3 Keys AES Privacy key and HMAC-SHA-1 Authentication keys Note: The CSPs in Volatile memory locations are zeroized by overwrite with a pseudo random pattern followed by read-verify. Intermediate plaintext key material (CSP) is zeroized when it is copied from one to another memory location. All keys (CSPs) are zeroized when they expire. Session keys (CSPs) are zeroized as soon as the associated session has ended/timed out/ or been closed. Private keys (CSPs) are zeroized when their corresponding public keys (certificates) expire. Definition of Public Keys The modules contain the following public keys: Table 21 - Public Keys Key Name Description CA Certificates Used to extend trust for certificates ECDSA Public keys managed as certificates for the verification of signatures, establishment of TLS, operator ECDSA Public Keys / authentication and peer authentication. Certificates (ECDSA P-256 or P-384) RSA Public keys managed as certificates for the verification of signatures, establishment of TLS, operator RSA Public Keys / Certificates authentication and peer authentication. (RSA 2048 or 3072 bits) TLS DH public components Used in key agreement (DHE 2048, ECDHE P-256, P-384) SSH DH public components Used in key agreement (DHE 2048) SSH Host public key SSH Host public key (RSA 2048) SSH Client public key SSH Client RSA public key (RSA 2048) S-S VPN - IPSec/IKE Diffie Used in key agreement Hellman public component (DHE 2048, ECDHE P-256, P-384) Public Key for firmware Used to authenticate firmware and content to be installed content load test on the firewall (RSA 2048) Palo Alto Networks Firewall Security Policy Page 33 of 87 Palo Alto Networks Definition of CSPs Modes of Access Table 22 defines the relationship between access to CSPs and the different module services. The modes of access shown in the table are defined as:  R = Read: The module reads the CSP. The read access is typically performed before the module uses the CSP.  W = Write: The module writes the CSP. The write access is typically performed after a CSP is imported into the module, or the module generates a CSP, or the module overwrites an existing CSP.  Z = Zeroize: The module zeroizes the CSP. Table 22 - CSP Access Rights within Roles & Services Role Authorized Service Mode Cryptographic Key or CSP CO Security Configuration RW 1, 2, 3, 4, 5, 6, 7, 8, 9, 16, 17, Management 18, 19, 20, 21 CO Other Configuration RW 1, 2, 3, 4, 5, 6, 7, 8, 9 User Security Configuration W 18 (operator’s own password) Management User, CO Show Status R 1, 2, 3, 4, 5, 6, 7, 8, 9 Unauthenticated Zeroize Z All CSPs are zeroized. S-S VPN VPN R 10, 11, 12, 13 RA VPN VPN R 1, 2, 3, 4, 5, 6, 14, 15 CO Firmware Update RW 17 Unauthenticated Self-Tests N/A N/A Unauthenticated Show Status (LEDs) N/A N/A Palo Alto Networks Firewall Security Policy Page 34 of 87 Palo Alto Networks Operational Environment The FIPS 140-2 Area 6 Operational Environment requirements are not applicable because the PA-200, PA-500, PA-2000 Series, PA-3000 Series, PA-4000 Series, PA-5000 Series, and PA-7050 Firewalls do not contain modifiable operational environments. The operational environment is limited since the Module includes a firmware load service to support necessary updates. New firmware versions within the scope of this validation must be validated through the FIPS 140-2 CMVP. Any other firmware loaded into this module is out of the scope of this validation and require a separate FIPS 140-2 validation. Security Rules The module design corresponds to the module security rules. This section documents the security rules enforced by the cryptographic module to implement the security requirements of this FIPS 140-2 Level 2 module. FIPS 140-2 Security Rules 1. The cryptographic module shall provide four distinct operator roles. These are the User role, Remote Access VPN role, Site-to-site VPN role, and the Cryptographic Officer role. 2. The cryptographic module shall provide identity-based authentication. 3. The cryptographic module shall clear previous authentications on power cycle. 4. When the module has not been placed in a valid role, the operator shall not have access to any cryptographic services. 5. The cryptographic module shall perform the following tests A. Power up Self-Tests 1. Cryptographic algorithm tests a. AES Encrypt Known Answer Test b. AES Decrypt Known Answer Test c. AES GCM Encrypt Known Answer Test d. AES GCM Decrypt Known Answer Test e. AES CCM Encrypt Known Answer Test f. AES CCM Decrypt Known Answer Test g. RSA Sign Known Answer Test h. RSA Verify Known Answer Test i. ECDSA Sign Known Answer Test j. ECDSA Verify Known Answer Test k. HMAC-SHA-1 Known Answer Test l. HMAC-SHA-256 Known Answer Test m. HMAC-SHA-384 Known Answer Test n. HMAC-SHA-512 Known Answer Test o. SHA-1 Known Answer Test p. SHA-256 Known Answer Test Palo Alto Networks Firewall Security Policy Page 35 of 87 Palo Alto Networks q. SHA-384 Known Answer Test r. SHA-512 Known Answer Test s. DRBG SP800-90A Known Answer Tests t. SP 800-90A Section 11.3 Health Tests u. ECDH Known Answer Test 2. Firmware Integrity Test –verified with HMAC-SHA-256. B. Critical Functions Tests 1. N/A C. Conditional Self-Tests 1. Continuous Random Number Generator (RNG) test – performed on NDRNG and DRBG 2. RSA Pairwise Consistency Test (when a key generation fails, the error message displayed is “Cannot verify key and certificate.”) 3. ECDSA Pairwise Consistency Test (when a key generation fails, the error message displayed is “Cannot verify key and certificate.”) 4. Firmware Load Test – Verify RSA 2048 with SHA-256 signature on firmware at time of load 5. If any conditional test fails, the module will output a description of the error condition. 6. The operator shall be capable of commanding the module to perform the power-up self- test by cycling power of the module. 7. Power-up self-tests do not require any operator action. 8. Data output shall be inhibited during power-up self-tests, zeroization and error states. 9. Status information does not contain CSPs or sensitive data that if misused could lead to a compromise of the module. 10. There are no restrictions on which keys or CSPs are zeroized by the zeroization service. 11. The module maintains separation between concurrent operators. 12. The module does not support a maintenance interface or role. 13. The module does not have any external input/output devices used for entry/output of data. 14. The module does not enter or output plaintext CSPs. 15. The module does not output intermediate key generation values. Vendor imposed security rules: 1. If the cryptographic module remains inactive in any valid role for the administrator specified time interval, the module automatically logs out the operator. 2. The module enforces a timed access protection mechanism that supports at most ten authentication attempts per minute. After the administrator specified number of consecutive unsuccessful Password validation attempts have occurred, the cryptographic module shall enforce a wait period of at least one (1) minute before any more login attempts can be attempted. This wait period shall be enforced even if the module power is momentarily removed. Palo Alto Networks Firewall Security Policy Page 36 of 87 Palo Alto Networks Physical Security Mechanisms The multi-chip standalone modules are production quality containing standard passivation. Chip components are protected by an opaque enclosure. There are tamper evident seals that are applied on the modules by the Crypto-Officer. All unused seals are to be controlled by the Crypto-Officer. The seals prevent removal of the opaque enclosure without evidence. The Crypto-Officer must ensure that the module surface is clean and dry. Tamper evident labels must be pressed firmly onto the adhering surfaces during installation and once applied the Crypto- Officer shall permit 24 hours of cure time for all tamper evident labels. The Crypto-Officer should inspect the seals and shields for evidence of tamper every 30 days. If the seals show evidence of tamper, the Crypto-Officer should assume that the modules have been compromised and contact Customer Support. Note: For ordering information, see Table 2 for FIPS kit part numbers and versions. Opacity shields are included in the FIPS kits. Refer to Appendix A for instructions on installation of the tamper seals and opacity shields. The locations of the five (5) tamper evident seals implemented on the PA-200 are shown in Figure 30 through Figure 31 [1] [3] [2] Figure 30 - PA-200 Left Side and Top Tamper Seal Placement (3) [5] [4] Figure 31 - PA-200 Right Side Tamper Seal Placement (2) Palo Alto Networks Firewall Security Policy Page 37 of 87 Palo Alto Networks Refer to Appendix B for instructions on installation of the tamper seals and opacity shields. The locations of the twelve (12) tamper evident seals implemented on the PA-500 are shown in Figure 32 through Figure 33 [1] Figure 32 - PA-500 Front Tamper Seal Placement (1) [3] [4] [2] Figure 33 - PA-500 Left Side Tamper Seal Placement (3) Palo Alto Networks Firewall Security Policy Page 38 of 87 Palo Alto Networks [6] [5] Figure 34 - PA-500 Right Side Tamper Seal Placement (2) [7] [9] [11] [8] [12] [10] Figure 35 - PA-500 Rear Tamper Seal Placement (6) Palo Alto Networks Firewall Security Policy Page 39 of 87 Palo Alto Networks Refer to Appendix C for instructions on installation of the tamper seals and opacity shields for the PA-2000 series. The locations of the ten (10) tamper evident seals on the PA-2000 Series modules are shown in Figure 36 through Figure 39 [1] Figure 36 - PA-2000 Series Front Tamper Seal Placement (1) [2] [4] [3] Figure 37 - PA-2000 Series Left Side Tamper Seal Placement (3) Palo Alto Networks Firewall Security Policy Page 40 of 87 Palo Alto Networks [7] [5] [6] Figure 38 - PA-2000 Series Right Side Tamper Seal Placement (3) [9] [10] [8] Figure 39 - PA-2000 Series Rear Tamper Seal Placement (3) Palo Alto Networks Firewall Security Policy Page 41 of 87 Palo Alto Networks Refer to Appendix D for instructions on installation of the tamper seals and opacity shields for the PA- 3020 and PA-3050. The locations of the seven (7) tamper evident seals on the PA-3020/PA-3050 modules are shown in Figure 40 through Figure 42 [2] [3] [1] Figure 40 - PA-3020/PA-3050 Series Tamper Seal Placement (3) [4] [5] Figure 41 - PA-3020/PA-3050 Series Tamper Seal Placement (2) [7] [6] Figure 42 - PA-3020/PA-3050 Series Tamper Seal Placement (2) Palo Alto Networks Firewall Security Policy Page 42 of 87 Palo Alto Networks Refer to Appendix E for instructions on installation of the tamper seals and opacity shields for the PA-4000 series. The locations of the ten (10) tamper evident seals implemented on the PA- 4000 Series modules are shown in Figure 43 through Figure 46 below. [1] [2] [3] [4] Figure 43 - PA-4000 Series Rear Tamper Seal Placement – From Top (4) [5] [6] [7] [8] Figure 44 - PA-4000 Series Rear Side Tamper Seal Placement – From Underside (4) [9] Figure 45 - PA-4000 Series Right Side Tamper Seal Placement (1) Palo Alto Networks Firewall Security Policy Page 43 of 87 Palo Alto Networks [10] Figure 46 - PA-4000 Series Left Side Tamper Seal Placement (1) Palo Alto Networks Firewall Security Policy Page 44 of 87 Palo Alto Networks Refer to Appendix F for instructions on installation of the tamper seals and opacity shields for the PA-5000 series. The locations of the seventeen (17) tamper evident seals implemented on the PA-5000 Series modules are shown in Figure 47 through Figure 49 below. [2] [4] [6] [1] [3] [5] [7] [8] [9] Figure 47 - PA-5000 Series Rear Tamper Seal Placement (9) [10] [12] [11] [13] Figure 48 - PA-5000 Series Right Side Tamper Seal Placement (4) Palo Alto Networks Firewall Security Policy Page 45 of 87 Palo Alto Networks [16] [15] [17] [14] Figure 49 - PA-5000 Series Left Side Tamper Seal Placement (4) Palo Alto Networks Firewall Security Policy Page 46 of 87 Palo Alto Networks Refer to Appendix G for instructions on installation of the tamper seals and opacity shields for the PA-7050. The locations of the twenty-four (24) tamper evident seals implemented on the PA- 7050 Series modules are shown in Figure 50 through Figure 54 below. [1] [2] [3] [4] Front Rear Figure 50 - PA-7050 Tamper Seal Placement for Top Plenum (1-4) [6] [5] Rear Front Figure 51 - PA-7050 Tamper Seal Placement for Bottom Plenum (5-6) Palo Alto Networks Firewall Security Policy Page 47 of 87 Palo Alto Networks [17] [18] [9] [7] [8] [19] [13] [14] [15] [16] [20] [10] [11] [12] Figure 52 - PA-7050 Tamper Seal Placement for Rear (7-20) [21] [22] Figure 53 - PA-7050 Tamper Seal Placement for Top Plenum Bracket (21-22) Palo Alto Networks Firewall Security Policy Page 48 of 87 Palo Alto Networks [24] [23] Figure 54 - PA-7050 Tamper Seal Placement for Bottom Plenum Bracket (23-24) Operator Required Actions Table 23 - Inspection/Testing of Physical Security Mechanisms Physical Recommended Model Security Frequency of Inspection/Test Guidance Details Mechanisms Inspection/Test PA-7050, PA-5060, Tamper 30 days Verify integrity of tamper evident PA-5050, PA-5020, Evident Seals seals in the locations identified in the PA-4060, PA-4050, FIPS Kit Installation Guide. Seal PA-4020, ,PA-3050, integrity to be verified within the PA-3020, PA-2050, modules operating temperature PA-2020, PA-500, range. PA 200 PA-7050 Top, Bottom, 30 days Verify that the plenums and opacity Front and shields have not been deformed from Rear Opacity their original shape, thereby Shields reducing their effectiveness PA-5060, PA-5050, Front Cover 30 days Verify that front cover and side PA-5020, PA-3050, and Side opacity shields have not been PA-3020, PA-2050, Opacity deformed from their original shape, PA-2020, PA-500 Shields thereby reducing their effectiveness PA-4020, PA-4050, Front Cover 30 days Verify that front cover has not been PA-4060 deformed from its original shape thereby reducing its effectiveness PA-200 Front cover 30 days Verify that front cover and cage and Cage enclosure have not been deformed Enclosure from their original shape, thereby reducing their effectiveness Palo Alto Networks Firewall Security Policy Page 49 of 87 Palo Alto Networks Mitigation of Other Attacks Policy The module has not been designed to mitigate any specific attacks outside of the scope of FIPS 140-2, so these requirements are not applicable. Definitions and Acronyms API – Application Programming Interface App-ID – Application Identification - Palo Alto Networks’ ability to identify applications and apply security policy based on the ID rather than the typical port and protocol-based classification. BGP – Border Gateway protocol – Dynamic routing protocol CA – Certificate authority Content-ID – Content Identification – Palo Alto Networks’ threat prevention features including Antivirus, Antispyware, and Intrusion Prevention. CO – Cryptographic Officer DB9 – Console port connector DLP – Data loss prevention Gbps – Gigabits per second HA – High Availability HSCI - High Speed Chassis Interconnect IKE – Internet Key Exchange IP – Internet Protocol IPSec – Internet Protocol Security LDAP – Lightweight Directory Access Protocol LED – Light Emitting Diode NDRNG – Non-deterministic random number generator OCSP – Online Certificate Status Protocol OSPF – Open Shortest Path First – Dynamic routing protocol PAN-OS – Palo Alto Networks’ Operating System QoS – Quality of Service QSFP - Quad Small Form-factor Pluggable RA VPN – Remote Access Virtual Private Network RIP – Routing Information Protocol – Dynamic routing protocol RJ45 – Networking Connector Palo Alto Networks Firewall Security Policy Page 50 of 87 Palo Alto Networks RNG –Random number generator S-S VPN – Site to site Virtual Private Network SFP – Small Form-factor Pluggable Transceiver SSL – Secure Sockets Layer TLS – Transport Layer Security USB – Universal Serial Bus User-ID – User Identification – Palo Alto Networks’ ability to apply security policy based on who initiates the traffic rather than the typical IP-based approach. VPN – Virtual Private Network XFP – 10 Gigabit Small Form Factor Pluggable Transceiver XML – Extensible Markup Language Reference Documents FIPS 140-2 - FIPS Publication 140-2 Security Requirements for Cryptographic Modules Palo Alto Networks Firewall Security Policy Page 51 of 87 Palo Alto Networks Appendix A - PA-200 - FIPS Accessories/Tamper Seal Installation (5 Seals) 1. Insert the PA-200 unit into the cage. 2. Secure right side of the PA-200 unit to the cage with (2x) 4-40x1/2” screws provided in the kit. Repeat for the left side of the cage. Palo Alto Networks Firewall Security Policy Page 52 of 87 Palo Alto Networks 3. Install the front panel with the curve side up to the front cage. 4. Secure the front panel to the cage with (5x) 4-40x3/16” screws. Palo Alto Networks Firewall Security Policy Page 53 of 87 Palo Alto Networks 5. Affix a tamper seal on the top middle of the front panel screw. 6. Affix two tamper seals over both screw mounting holes on the cage and right side screw on the front panel. Repeat for the left side Palo Alto Networks Firewall Security Policy Page 54 of 87 Palo Alto Networks Appendix B - PA-500 - FIPS Accessories/Tamper Seal Installation (12 Seals) 1. Remove the right side cover screws. Repeat for the left side cover screws. 2. Install the right side FIPS opacity shield and secure with 2x #4-40x1/4” SEMS screws provided in the kit. Repeat for the left side. Palo Alto Networks Firewall Security Policy Page 55 of 87 Palo Alto Networks 3. Install the front FIPS panel with the curve side up and align with the ear mounting screw holes. 4. Sandwich the right side mounting ear between the front panel and the opacity shield. Repeat with the left side of the chassis. Palo Alto Networks Firewall Security Policy Page 56 of 87 Palo Alto Networks 5. Install and secure the right side mounting ear with (2x) #6-32x1/2” Truss screws provided in the kit. Repeat on the left side. 6. Remove 1x upper-right fan screw. Palo Alto Networks Firewall Security Policy Page 57 of 87 Palo Alto Networks 7. Install and partially tighten the screw on one of the fan guard mounting holes. 8. Remove the other 3x fan screws. Palo Alto Networks Firewall Security Policy Page 58 of 87 Palo Alto Networks 10. Align the fan guard and secure with 3x screws as shown. Repeat the installation steps for the other fan. Caution: The fan guard may crack if you over-tighten the screws. 11. Affix one tamper seal over top cover/rear left chassis. Affix one tamper seal over the upper PSU screw. Affix four tamper seals over the fan cover screws. Palo Alto Networks Firewall Security Policy Page 59 of 87 Palo Alto Networks 12 Affix a tamper seal over both screw access holes on the left side opacity shield. Affix a tamper seal over the bottom ear screw on the left side of the chassis. Affix a tamper seal on top of the opacity shield/cover on the left side of the chassis. 13. Affix a tamper seal over the bottom ear screw on the right side of the chassis. Affix a tamper seal on top of the opacity shield/cover on the right side of the chassis. Palo Alto Networks Firewall Security Policy Page 60 of 87 Palo Alto Networks 14. Affix a tamper seal on the top of the cover and panel. Palo Alto Networks Firewall Security Policy Page 61 of 87 Palo Alto Networks Appendix C - PA-2000 Series - FIPS Accessories/Tamper Seal Installation (10 Seals) Install the front panel with the curve side up and line it up to the left and right side ear mounting holes. Install and secure the right side mounting ear with (2x) 6-32x1/2” screws provided in the kit. Repeat the same step on the left side of the chassis. Palo Alto Networks Firewall Security Policy Page 62 of 87 Palo Alto Networks Remove the right side cover screws. Repeat the same steps for the left side cover screws. Install the right side FIPS opacity shield and secure with 3x #4-40x1/4” SEM screws provided by the kit. Repeat the same steps for the left side. Palo Alto Networks Firewall Security Policy Page 63 of 87 Palo Alto Networks Affix a tamper seal to cover the right Affix a tamper seal at right side of the chassis between side bottom ear mounting bracket the top cover and the FIPS opacity shield. Affix another screw. Repeat the same steps for the tamper seal between the bottom chassis and the FIPS left side. opacity shield. Repeat the same steps for the left side. Affix tamper seals evenly spaced between the top cover mounting screws. Palo Alto Networks Firewall Security Policy Page 64 of 87 Palo Alto Networks Affix a tamper seal on top of the cover/panel. Palo Alto Networks Firewall Security Policy Page 65 of 87 Palo Alto Networks Appendix D - PA-3020 and PA-3050 - FIPS Accessories/Tamper Seal Installation (7 Seals) 1. Install the front panel with the curve side up and line it up to the left and right side ear mounting holes. 2. Install and secure the right side mounting ear and (2x) 6-32x1/2” screws provided in the kit. Repeat the same step on the left side of the chassis. Palo Alto Networks Firewall Security Policy Page 66 of 87 Palo Alto Networks 3. Install the right side FIPS plenum and secure with (4x) #6-32x1” SEM screws provided by the kit. Repeat the same steps for the left side. 4. Affix a tamper seal to cover the right side bottom ear mounting bracket screw. Repeat the same steps for the left side. Affix a tamper seal at right side of the chassis between the top cover and the FIPS plenum. Affix another tamper seal between the bottom of the chassis and the FIPS plenum. Repeat the same steps for the left side. Palo Alto Networks Firewall Security Policy Page 67 of 87 Palo Alto Networks 5. Affix a tamper seal on top of the cover / panel. Palo Alto Networks Firewall Security Policy Page 68 of 87 Palo Alto Networks Appendix E - PA-4000 Series – FIPS Accessories/Tamper Seal Installation (10 Seals) Install the front panel FIPS opacity shield as shown. Install right mounting bracket and secure with (2x) 8-32x3/8” screws provided by the kit. Repeat the same steps for the right mounting bracket. Palo Alto Networks Firewall Security Policy Page 69 of 87 Palo Alto Networks Remove 1x upper-left fan screw. Install and secure the fan guard with the fan screw to one of the fan guard mounting holes as shown. Palo Alto Networks Firewall Security Policy Page 70 of 87 Palo Alto Networks Remove the other 3x fan screws Align the fan guard and secure with 3x screws as shown. Repeat above installation steps for the other fans. Warning: Over tighten the screw will result cracking the fan guard. Palo Alto Networks Firewall Security Policy Page 71 of 87 Palo Alto Networks Install the fan filter and clip on the fan guard cover onto the fan guard as shown. Affix a tamper proof seal over screw on the lower right side mounting bracket. Repeat the same step for left side bracket. Palo Alto Networks Firewall Security Policy Page 72 of 87 Palo Alto Networks Affix four tamper proof seals between the top cover/fan guards and top cover/PSU where as shown. Affix four tamper proof seals between the bottom chassis/fan guards and bottom chassis/PSU where as shown. Palo Alto Networks Firewall Security Policy Page 73 of 87 Palo Alto Networks Appendix F - PA-5000 Series - FIPS Accessories/Tamper Seal Installation (17 Seals) 6. Install the front panel. 7. Install the right FIPS mounting bracket and secure with (2x) #8-32x3/8” screws provided in the original accessory kit. Repeat for the left mounting bracket. 8. Install the side panel on the right side of the chassis and secure with (4x) #8-32x1.00”L screws. Place the leading edge towards front of the chassis. Repeat for the left side of the chassis. Leading Edge Palo Alto Networks Firewall Security Policy Page 74 of 87 Palo Alto Networks 9. Affix two tamper evident labels over both upper and lower screws on the FIPS mounting bracket. Repeat for the left side panel. 10. Affix two tamper evident labels over front upper and rear lower of the right side panel screws. Repeat for the left side panel. 11. Affix three tamper evident labels on the top cover /rear chassis. Ensure the top cover screws are covered by the labels. Palo Alto Networks Firewall Security Policy Page 75 of 87 Palo Alto Networks 12. Affix a tamper evident label on the top cover/fan access panel. Affix another tamper evident label on the bottom chassis/fan access panel. 13. Affix a tamper evident label on upper HDD access panel/rear chassis. Affix a tamper evident label on lower HDD access panel/rear chassis. 14. Affix a tamper evident label on the upper left PSU/rear chassis. Affix a tamper evident label on the upper right PSU/rear chassis. Palo Alto Networks Firewall Security Policy Page 76 of 87 Palo Alto Networks Appendix G - PA-7050 - FIPS Accessories/Tamper Seal Installation (24 Seals) 1. Attach front right rack mount brackets in 4-post rack position. Do not attach rear rack mount brackets. Note that brackets are rotated 180 degrees, so the screw holes lineup and the rack mount holes are now on the front of the chassis. 2. Align right plenum bracket with 5 open screw holes. Attach air plenum brackets using 5 of the remaining bracket screws as shown. Repeat for left side. Palo Alto Networks Firewall Security Policy Page 77 of 87 Palo Alto Networks 3. Attach bottom plenum to the front right rack mount bracket. Place only the middle two screws. 4. Attach the bottom plenum to the rearward right plenum bracket. Palo Alto Networks Firewall Security Policy Page 78 of 87 Palo Alto Networks 5. Rotate PA-7050 chassis clockwise 90 degrees onto the bottom plenum. 6. Assemble top plenum and cable guide hardware. Palo Alto Networks Firewall Security Policy Page 79 of 87 Palo Alto Networks 7. Attach top plenum to the front left rack mount bracket 8. Attach front opacity shield using the four captive screws Palo Alto Networks Firewall Security Policy Page 80 of 87 Palo Alto Networks 9. Attach top plenum to the rearward left plenum bracket along with plenum’s rear opacity shield as shown 10. Loosen four screws on the panel containing the power supply vent. Insert the power supply vent opacity shield and tighten screws. Palo Alto Networks Firewall Security Policy Page 81 of 87 Palo Alto Networks 11. Facing the front of the module, affix two (2) labels to top of the front opacity shield, one near left edge and one near the right edge. Ensure the labels, when placed, overlap onto the top of the plenum, as shown. (2 total) 12. Facing the front of the module affix one (1) label centered to the bottom of the front opacity shield to the bottom air plenum, as shown. (1 total) Palo Alto Networks Firewall Security Policy Page 82 of 87 Palo Alto Networks 13. Facing the rear of the module, affix two (2) labels to top of the rear opacity shield, one near left edge and one near the right edge. Ensure the labels, when placed, overlap onto the top of the plenum, as shown. (2 total) Palo Alto Networks Firewall Security Policy Page 83 of 87 Palo Alto Networks 14. Facing the rear of the module; A. Affix one (1) label to the top plenum/opacity shield, covering the left and right outermost screws, as shown. B. Affix one (1) label to the left and right edge of the top plenum bracket folding over the outer edge of the module, as shown. C. Affix one (1) label to the top of each rear panel (3 panels). Ensure that the labels lap onto the top rear plenum brackets, as shown. (7 total) A B B C Palo Alto Networks Firewall Security Policy Page 84 of 87 Palo Alto Networks 15. Facing the rear of the module, A. Affix one (1) label to the bottom of each rear panel (3 panels). Ensure that the labels laps onto the bottom rear plenum brackets, as shown. B. Affix one (1) label to the left and right edge of the bottom plenum bracket folding over the outer edge of the module, as shown. C. Affix one (1) label to the bottom plenum’s rear side and the bottom plenum rear bracket. (6 total) A B B C Palo Alto Networks Firewall Security Policy Page 85 of 87 Palo Alto Networks 16. Facing the rear of the module;  Affix one (1) label to cover one screw for each power switch, as shown.  Affix one (1) label to the top and bottom of the vent opacity shield, as shown. Please ensure that the captive screw is covered. (6 total) A B Palo Alto Networks Firewall Security Policy Page 86 of 87 Palo Alto Networks Palo Alto Networks Firewall Security Policy Page 87 of 87