NIAP: Assurance Continuity
NIAP/CCEVS
Assurance Continuity - Palo Alto Networks WF-500 WildFire with 10.0.5

Date of Maintenance Completion:  2021.05.17

Product Type:    Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Network Devices Version 2.1

Original Evaluated TOE:  2020.07.20 - Palo Alto Networks WF-500 with WildFire 9.0

CC Certificate [PDF] Validation Report [PDF] Assurance Activity [PDF]

Administrative Guide [PDF]

Please note:  The above files are for the Original Evaluated TOE.  Consequently, they do not refer to this maintained version, although they apply to the maintained version. 

Security Target [PDF] * Assurance Continuity Maintenance Report [PDF] Administrative Guide [PDF]

Please note:  This serves as an addendum to the VR for the Original Evaluated TOE. 

* This is the Security Target (ST) associated with this latest Maintenance Release.

Readers are reminded that the certification of this product (TOE) is the result of maintenance, rather than an actual re-evaluation of the product.  Maintenance only considers the effect of TOE changes on the assurance baseline (i.e., the original evaluated TOE); maintenance is not intended to provide assurance in regard to the resistance of the TOE to new vulnerabilities or attack methods discovered since the date of the initial certificate.  Such assurance can only be gained through re-evaluation.

Using a security impact analysis of the changes made to the TOE, which was provided by the developer, the CCEVS has determined that the impact of the changes on the TOE is minor and that independent evaluator analysis was not necessary.  A summary of the results can be found in the Maintenance Report, which is written in relation to the product's original Validation Report and Security Target.  Readers are therefore reminded to read the Security Target, Validation Report, and the Assurance Maintenance Report to fully understand the meaning of what a maintained certificate represents.

Product Description

Palo Alto Networks WF-500 with WildFire 10.0.5 (hereafter WF-500, i.e., the TOE) is a physical appliance composed of the WildFire functional component hosted on the PAN-OS operating system. PAN-OS, an operating system derived from the Linux kernel version 3.10.88, is used in Palo Alto Networks next-generation firewalls, Panorama, and the WF-500 product lines.  It provides different services to each product line.

The change in the TOE version number from 9.1.8 to 10.0.5 is due to the release of various patches and feature updates since the WF-500 Assurance Maintenance Action on April 21, 2021. Those changes were for both the PAN-OS portion of WF-500 and WildFire. However, none of those updates involved evaluated WildFire functionality or its security.

The software changes fell into the following categories:

Major Changes

None.

Minor Changes

The minor changes were collected in two groups: new features added to PAN-OS and WildFire, and bug fixes.

New Features

The section “Features Introduced in PAN-OS 10.0” in PAN-OS Release Notes Version 10.0.5 includes updates from the Palo Alto Networks next-generation firewalls, Panorama, and WF-500 product lines.

All new features identified in the Release Notes that are applicable to the WildFire functional component of WF-500 are listed below. None of them has any impact on the Security Functional Requirements (SFRs) identified in the WF-500 Security Target.

In particular, the new feature "IPv6 Address Support for the WildFire Appliance" has not been tested and is out of scope. The ST and AGD have been updated to exclude this functionality.

New WildFire Feature | Description | Impact

WildFire® Inline ML

Description: The firewall is now capable of analyzing Windows executables and PowerShell scripts using machine learning on the dataplane. This enables you to intercept malware before it can infiltrate your network by providing real-time analysis capabilities on the firewall, which reduces the possibility of proliferation of unknown malware variants.

Impact: Minor Change – This operational functionality of the TOE is excluded from the collaborative Protection Profile for Network Devices, Version 2.1. This new feature does not have any impact on the Security Target or the security functionality claimed by the SFRs.

WildFire® Real-Time Signature Updates

Description: WildFire antivirus signatures are now globally distributed in real-time as soon as new verdicts are available. This gives you almost instant access to Palo Alto Networks' complete global intelligence data that is collected from a multitude of enforcement points and that provides additional leverage for preventing successful attacks by minimizing your exposure time to malicious activity, which effectively reduces your infrastructure attack surface and the resulting damage malware can have within your network.

Impact: Minor Change – This operational functionality of the TOE is excluded from the collaborative Protection Profile for Network Devices, Version 2.1. The distribution of antivirus signatures was not included in the evaluation. This new feature does not have any impact on the Security Target or the security functionality claimed by the SFRs.

IPv6 Address Support for the WildFire Appliance

Description: The WildFire appliance now supports IPv6 connections, expanding the number of devices from which it can receive suspicious files and return safety verdicts. As the dwindling number of available IPv4 addresses forces you to introduce more IPv6-addressed devices into your network, this feature guarantees you are still able to leverage the local file analysis capabilities of the appliance.

Impact: Minor Change – IPv6 was not included in the previous evaluation. The ST and AGD have been updated to explicitly exclude this functionality from evaluation coverage.

Windows 10 Analysis Environment for the WildFire Appliance

Description: The WildFire appliance can now use the Windows 10 operating system to analyze unknown files. This increases the threat prevention coverage of the appliance by enabling it to detect threats crafted for Windows 10 environments.

Impact: Minor Change – This operational functionality of the TOE is excluded from the collaborative Protection Profile for Network Devices, Version 2.1. The detection of threats for Windows 10 environments was not included in the evaluation. This new feature does not have any impact on the Security Target or the security functionality claimed by the SFRs.

Certificate Management Features

Master Key Encryption Enhancement

Description: On physical and virtual Palo Alto Networks appliances, you can now configure the Master Key to use the AES-256-GCM encryption algorithm to encrypt data. The AES-256-GCM encryption algorithm increases encryption strength to protect keys better and also includes a built-in integrity check. When you change the encryption level to AES-256-GCM, devices use it instead of the AES-256-CBC encryption algorithm when encrypting keys and other sensitive data.

Impact: Minor Change – The ST already includes AES-256-GCM in FCS_COP.1.1/DataEncryption. This new feature does not have any impact on the Security Target or the security functionality claimed by the SFRs. AES-256-CBC is still the default.

HSM Enhancements

Description: Newer client driver versions are now supported for SafeNet and nCipher Hardware Security Module (HSM) appliances:

· SafeNet: You can select from versions 5.4.2 or 7.2. Additionally, you can choose to have your firewall authenticate and establish trust using manually generated certificates.

· nCipher nShield Connect: Version 12.40.2 is available (backward compatible up to v11.50 for older appliances).

Impact: Minor Change – The HSM appliances were not claimed in the original evaluation or the prior assurance maintenance. The HSM appliances are not applicable to the WildFire evaluation. The ability to add HSM appliances to the operational environment does not have any impact on the Security Target or the security functionality claimed by the SFRs.

SSH Service Profile

Description: In PAN-OS 9.1 and earlier releases, you could generate a new pair of public and private SSH host keys and change other SSH configuration parameters, such as the default host key type, from the CLI. In PAN-OS 10.0 and later releases, you must create an SSH service profile (Device > Certificate Management > SSH Service Profile) to customize management and HA SSH configurations. You can configure these profiles from the CLI or the firewall or Panorama web interface.

Impact: Minor Change – This new feature permits the use of a user interface (UI). The WildFire evaluation does not include a user interface. This new feature does not have any impact on the Security Target or the security functionality claimed by the SFRs.

Vendor Information


Palo Alto Networks, Inc
Jake Bajic
408-753-3901
jbajic@paloaltonetworks.com

www.paloaltonetworks.com