Compliant Product - Palo Alto Networks M-100, M-200, M-500, and M-600 Hardware, and Virtual Appliances all running Panorama 9.0
Certificate Date: 2020.08.17
Validation Report Number: CCEVS-VR-VID11070-2020
Product Type: Network Device
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.1
CC Testing Lab: Leidos Common Criteria Testing Laboratory
Palo Alto Networks Panorama management appliances provide centralized monitoring and management of Palo Alto Networks next-generation firewalls and WildFire appliances. They provide a single location from which administrators can oversee all applications, users, and content traversing the whole network, and then use this knowledge to create application enablement policies that control and protect the network. Using Panorama for centralized policy and firewall management increases operational efficiency in managing and maintaining a network of firewalls.
The TOE models included in the evaluation are Palo Alto Networks Panorama M-100, M-200, M-500, and M-600 models, and virtual appliances all running version 9.0.9.
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme for the collaborative Protection Profile for Network Devices [NDcPP]. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 release 5. The product, when delivered configured as identified in the guidance document, satisfies all of the security functional requirements stated in the Palo Alto Networks Panorama v9.0 Security Target. The evaluation was completed in August 2020. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The TOE is able to generate audit records of security-relevant events including the events specified in [NDcPP]. By default, the TOE stores the logs locally so they can be accessed by an administrator. The TOE can also be configured to send the logs securely to a designated external log server.
The TOE implements NIST-validated cryptographic algorithms that provide key management, random bit generation (RBG), encryption/decryption, digital signature generation and verification, cryptographic hashing, and keyed-hash message authentication features in support of higher-level cryptographic protocols, including SSH and TLS. Note that to be in the evaluated configuration, the TOE must be configured in FIPS-CC mode, which ensures the TOE’s configuration is consistent with the FIPS 140-2 standard and [NDcPP].
Identification and Authentication
The TOE requires all users accessing the TOE user interfaces to be successfully identified and authenticated before they can access any security management functions available in the TOE. The TOE offers network accessible (HTTP over TLS, SSH) and direct connections to the GUI and SSH for interactive administrator sessions.
The TOE supports the local (i.e., on device) definition and authentication of administrators with username, password, and role (set of privileges), which it uses to authenticate the human user and to associate that user with an authorized role. In addition, the TOE can authenticate users using X.509 certificates and can be configured to lock a user out after a configurable number of unsuccessful authentication attempts.
The TOE provides a GUI, CLI, or API (XML and REST) to access the security management functions. Security management commands are limited to administrators and are available only after they have provided acceptable user identification and authentication data to the TOE. The TOE provides access to the GUI/CLI locally via a direct RJ-45 Ethernet cable connection and remotely using an HTTPS/TLS or SSHv2 client.
The TOE provides a number of management functions and restricts them to users with the appropriate privileges. The management functions include the capability to configure the audit function, configure the idle timeout, and review the audit trail. The TOE provides pre-defined Security Administrator, Audit Administrator, and Cryptographic Administrator roles. These administrator roles are all considered Security Administrator as defined in the [NDcPP] for the purposes of this ST.
Protection of the TSF
The TOE implements a number of features designed to protect itself to ensure the reliability and integrity of its security features.
It protects particularly sensitive data such as stored passwords and cryptographic keys so that they are not accessible even by an administrator. It also provides its own timing mechanism to ensure that reliable time information is available (e.g., for log accountability).
The TOE includes functions to perform self-tests so that it can detect when it is failing. It also includes a mechanism to verify TOE updates to prevent malicious or other unexpected changes in the TOE.
The TOE provides the capabilities for both TOE- and user-initiated locking of interactive sessions and for TOE termination of an interactive session after a period of inactivity. The TOE will display an advisory and consent warning message regarding unauthorized use of the TOE before establishing a user session.
The TOE protects interactive communication with remote administrators using SSH or HTTP over TLS (HTTPS). SSH and TLS ensure both integrity and disclosure protection.
The TOE protects communication with the syslog server, Palo Alto Networks firewalls, and WildFire appliances using TLS connections.
Palo Alto Networks