Module Name
PA-200, PA-220, PA-220R, PA-500, PA-800 Series, PA-3000 Series, PA-3200 Series, PA-5000 Series, PA-5200 Series and PA-7000 Series Firewalls
Validation Dates
09/25/2019;02/21/2020
Caveat
When operated in FIPS mode and with the tamper evident seals and opacity shields installed as indicated in the Security Policy.
Security Level Exceptions
- Roles, Services, and Authentication: Level 3
- Design Assurance: Level 3
- Mitigation of Other Attacks: N/A
Embodiment
Multi-Chip Stand Alone
Description
The Palo Alto Networks PA-200, PA-220, PA-220R, PA-500 Series, PA-800 Series, PA-3000 Series, PA-3200 Series, PA-5000 Series, PA-5200 Series and PA-7000 Series Firewalls are multi-chip standalone modules that provide network security by enabling enterprises to see and control applications, users, and content using three unique identification technologies: App-ID, User-ID, and Content-ID. These identification technologies enable enterprises to create business-relevant security policies to safely enabling organizations to adopt new applications.
FIPS Algorithms
| AES |
Cert. #5890 |
| CKG |
vendor affirmed |
| CVL |
Certs. #2119, #2120, #2121, and #2122 |
| DRBG |
Cert. #2451 |
| DSA |
Cert. #1485 |
| ECDSA |
Cert. #1570 |
| HMAC |
Cert. #3865 |
| KAS |
SP 800-56Arev2 with CVL Certs. #2119 and #2120, vendor affirmed |
| KTS |
AES Cert. #5890; key establishment methodology provides 128 or 256 bits of encryption strength |
| KTS |
AES Cert. #5890 and HMAC Cert. #3865; key establishment methodology provides between 128 and 256 bits of encryption strength |
| RSA |
Cert. #3086 |
| SHS |
Cert. #4641 |
Allowed Algorithms
Diffie-Hellman (CVL Cert. #2119 with CVL Cert. #2120, key agreement; key establishment methodology provides 112 bits of encryption strength); MD5; NDRNG; RSA (CVL Cert. #2121, key wrapping; key establishment methodology provides 112 or 128 bits of encryption strength)
Hardware Versions
PA-200 P/N 910-000015 Rev. E with [1], PA-220 P/N 910-000128 Rev. A with [1], PA-220R P/N 910-000147 Rev. B with [10], PA-500 P/N 910-000006 Rev. O with [2], PA-500-2GB P/N 910-000094 Rev. O with [2], PA-820 P/N 910-000120 Rev. A with [3], PA-850 P/N 910-000119 Rev. A with [3], PA-3020 P/N 910-000017 Rev. J with [4], PA-3050 P/N 910-000016 Rev. J with [4], PA-3060 P/N 910-000104 Rev. C with [5], PA-3220 P/N 910-000162 Rev. A with [11], PA-3250 P/N 910-000163 Rev. A with [11], PA-3260 P/N 910-000164 Rev. A with [11], PA-5020 P/N 910-000010 Rev. F with [6], PA-5050 P/N 910-000009 Rev. F with [6], PA-5060 P/N 910-000008 Rev. F with [6], PA-5220 P/N 910-000132 Rev. A with [7], PA-5250 P/N 910-000131 Rev. A with [7], PA-5260 P/N 910-000125 Rev. A with [7], PA-5280 P/N 910-000157 Rev. A with [7], PA-7050 P/N 910-000102 Rev. B with [8] and at least one from [12] and PA-7080 P/N 910-000122 Rev. A with [9] and at least one from [12]; FIPS Kit: P/Ns 920-000084 Rev. A [1], 920-000005 Rev. A [2], 920-000185 Rev. A [3], 920-000081 Rev. A [4], 920-000138 Rev. A [5], 920-000037 Rev. A [6], 920-000186 Rev. A [7], 920-000112 Rev. A [8], and 920-000119 Rev. A [9], 920-000226 Rev. A [10] and 920-000212 Rev. A [11]; Network Processing Cards [12]: P/Ns 910-000028-00B, 910-000117-00A, 910-000137-00A and 910-000136-00A
Firmware Versions
8.1.3 or 8.1.6
) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)
