Compliant Product - Palo Alto Networks Inc. PA-2000 Series and PA-4000 Series Firewall
Certificate Date: 17 October 2011
Validation Report Number: CCEVS-VR-VID10330-2011
Product Type: Firewall
Conformance Claim: EAL2 Augmented with ALC_FLR.2
CC Testing Lab: SAIC Common Criteria Testing Laboratory
The Target of Evaluation (TOE) is Palo Alto Networks PA-2000 Series and PA-4000 Series Firewall devices comprising:
- The model appliances PA-2020, PA-2050, PA-4020, PA-4050, and PA-4060 running PAN-OS software version 2.1.7
- The User Identification Agent version 2.1.4
The TOE is a firewall that provides policy-based application visibility and control to protect traffic flowing through the enterprise network. The TOE is used to manage enterprise network traffic flows using function specific processing for networking, security, and management. The PA-2000 Series and PA-4000 Series firewalls identify which applications are flowing across the network irrespective of port, protocol, or SSL encryption. Administrators can specify security policies based on an accurate identification of each application seeking access to the protected network. The Palo Alto Networks firewall uses packet inspection and a library of applications to distinguish between applications that have the same protocol and port, and to identify potentially malicious applications that use non-standard ports.
The purpose of the User Identification Agent component is to provide the firewall with the capability to automatically collect user-specific information that it uses in policies and reporting.
SECURITY EVALUATION SUMMARY
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process. The criteria against which the Palo Alto Networks PA-2000 Series and PA-4000 Series Firewall TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 2. The evaluation methodology used by the Evaluation Team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1, Revision 2. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is the EAL2 assurance requirements package, augmented with ALC_FLR.2 (Flaw reporting procedures). The product satisfies all of the security functional requirements stated in the Palo Alto Networks PA-2000 Series and PA-4000 Series Firewall Security Target, when configured as specified in the evaluated guidance documentation.
The cryptography used in this product has not been FIPS certified nor has it been analyzed or tested to conform to cryptographic standards during this evaluation. All cryptography has only been asserted as tested by the vendor. Potential users of this product should confirm that the cryptographic capabilities are suitable to meet the user's requirements.
A validation team on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in October 2011. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID10330-2011), prepared by CCEVS.
The Palo Alto Networks PA-2000 Series and PA-4000 Series Firewall TOE provides a low to moderate level of assurance in a conventional TOE and is suitable for a relatively benign environment with good physical access security and competent administrators. The chosen assurance level in the Basic Robustness PP is consistent with the postulated threat environment. Specifically, the threat of malicious attacks is not greater than moderate, and the product has undergone a search for obvious flaws.
Palo Alto Networks Firewalls support the following security functions:
The TOE provides the capability to generate audit records of a number of security events including all user identification and authentication, configuration events, and information flow control events (i.e. decisions to allow and/or deny traffic flow). Both the management GUI and the CLI are used to review the audit trail. The management GUI offers options to sort and search the audit records. The TOE stores the audit trail and protects it. The TOE protects the audit trail by providing only restricted access to it, by not providing interfaces to modify the audit records, and by ensuring that no new audit records are lost if the audit trail becomes full. The TOE provides the capability to manually archive log files and securely export them using Secure Copy (SCP). The TOE also provides a time-stamp for the audit records.
User Data Protection
The TOE enforces an information flow control SFP to control the type of information that is allowed to flow through the TOE. The enforcement process involves the TOE performing application identification and policy lookups to determine what actions to take. The security policies specify whether to block or allow a network session based on the application, the source and destination addresses, the application service (such as HTTP), users, the devices and virtual systems, and the source and destination security zones. One or more security zones are defined and configured as needed to specify the desired security policy. Security zones are commonly classified either as an ‘untrusted’ zone where interfaces are connected to the Internet (or outside network), or as a ‘trusted’ zone where interfaces connect only to the internal network. The virtual systems provide a way to customize administration, networking, and security policies for the network traffic belonging to specific departments or customers. Each virtual system specifies a collection of physical and logical interfaces, and security zones for which specific policies can be tailored. Administrator accounts can be defined that are limited to the administration of a specific virtual system.
In addition, each security policy can also specify one or more security profiles including: Antivirus profiles, Antispyware profiles, Vulnerability protection profiles and File Blocking profiles. The profiles are attached to security rules which can identify which applications are inspected for viruses, a combination of methods to combat spyware, and the level of protection against known vulnerabilities. The TOE compares the policy rules against the incoming traffic to determine what actions to take including: scan for threats, block or allow traffic, logging, and packet marking.
The TOE includes cryptographic mechanisms used for SSL forward proxy to decrypt SSL traffic and apply policy rules before re-encrypting it to its destination. The TOE also provides a method to decrypt incoming SSL traffic and apply policy rules when protecting servers.
Identification and Authentication
The TOE ensures that all users accessing the TOE user interfaces are identified and authenticated. The TOE maintains information that includes username, password, virtual system(s) and role (set of privileges) that it uses to authenticate the human user and associate him/her to a role. The TOE also provides a mechanism to lock out user accounts when an administrator-configured number of consecutive unsuccessful login attempts has been made. The TOE can be configured to unlock affected accounts after a configurable period of time or to maintain the account lockout until an administrator unlocks the account.
The TOE provides a number of management functions and restricts them to users with the appropriate privileges. The management functions include the capability to create new user accounts, including allowing users to change their own passwords, configure the audit function, configure the information flow control rules, and review the audit trail. The TOE offers two interfaces to manage its functions and access its data—a text-based CLI and a GUI management interface. Both the CLI and GUI are accessed via direct connection to the device.
The TOE provides fault tolerance when it is deployed in active/passive pairs. If the active firewall fails because a selected Ethernet link fails, or if one or more of the specified destinations cannot be reached by the active firewall, the passive firewall becomes active automatically with no loss of service. The active firewall continuously synchronizes its configuration and session information with the passive firewall over two dedicated high availability (HA) interfaces. If one HA interface fails, synchronization continues over the remaining interface.
The TOE uses SSLv3 to secure communication between the User Identification Agent and the firewall.