NIAP: Assurance Continuity
NIAP/CCEVS
Assurance Continuity - Palo Alto Networks PA-220 Series, PA-800 Series, PA-3200 Series, PA-5200 Series, PA-7000 Series, and VM Series Next-Generation Firewall with PAN-OS 10.0.5

CC Certificate [PDF] Validation Report [PDF] Assurance Activity [PDF]

Administrative Guide [PDF]

Please note:  The above files are for the Original Evaluated TOE.  Consequently, they do not refer to this maintained version, although they apply to the maintained version. 

Security Target [PDF] * Assurance Continuity Maintenance Report [PDF] Administrative Guide [PDF]

Please note:  This serves as an addendum to the VR for the Original Evaluated TOE. 

* This is the Security Target (ST) associated with this latest Maintenance Release.  To view previous STs for this TOE, click here.

Readers are reminded that the certification of this product (TOE) is the result of maintenance, rather than an actual re-evaluation of the product.  Maintenance only considers the effect of TOE changes on the assurance baseline (i.e., the original evaluated TOE); maintenance is not intended to provide assurance regarding the resistance of the TOE to new vulnerabilities or attack methods discovered since the date of the initial certificate.  Such assurance can only be gained through re-evaluation. 

Using a security impact analysis of the changes made to the TOE, which was provided by the developer, the CCEVS has determined that the impact of the changes on the TOE is considered minor and that independent evaluator analysis was not necessary.  A summary of the results can be found in the Maintenance Report, which is written in relation to the product's original Validation Report and Security Target.  Readers are therefore reminded to read the Security Target, the Validation Report, and the Assurance Maintenance Report to fully understand what a maintained certificate represents. 

Product Description

For this Assurance Continuity, the change consists of the following firmware minor version update and the removal of the PA-3000 Series Firewalls.

·  From:  Palo Alto Networks PA-220 Series, PA-800 Series, PA-3000 Series, PA-3200 Series, PA-5200 Series, PA-7000 Series, and VM Series Next-Generation Firewall with PAN-OS 9.0

·  To:  Palo Alto Networks PA-220 Series, PA-800 Series, PA-3200 Series, PA-5200 Series, PA-7000 Series, and VM Series Next-Generation Firewall with PAN-OS 10.0

The PA-3000 Series (PA-3020, PA-3050, PA-3060) Firewalls have reached End-of-Life and are no longer considered part of the evaluated configuration.

The following are new features or product improvements added to PAN-OS since the previous evaluation of the Palo Alto Networks PA-220 Series, PA-800 Series, PA-3200 Series, PA-5200 Series, PA-7000 Series, and VM Series Next-Generation Firewall with PAN-OS 9.1.8.

The addition of the optional Palo Alto PA-7000-DPC-A Network Processing Card is considered equivalent to the other five Network Processing Cards: the same networking functionality is performed, and the only difference is the speed and bandwidth of the card.

The following new feature additions do not change the security functionality of the TOE. The ST and the AGD documents have been updated to exclude the functionality from the assurance maintenance.

Feature / Description

SD-WAN

The PAN-OS software can include a native SD-WAN subscription to provide intelligent and dynamic path selection on top of what the PAN-OS security software already delivers. Secure SD-WAN provides the optimal end user experience by leveraging multiple ISP links to ensure application performance and scale capacity. The SD-WAN capability is considered out of scope.

The ST and Guidance have been updated to exclude the SD-WAN plugin from the 10.0.5 evaluation.

Include Username in HTTP Header Insertion Entries

Allows the firewall to relay a user’s identity when they are accessing your network through secondary security appliances that are connected to your Palo Alto Networks firewall. You can configure your firewall to include the username in the HTTP header so that other security appliances in your network can identify the user without additional infrastructure (such as proxies used to insert the username). This simplifies deployment, reduces page-load latency, and eliminates multiple authentications for users. This feature is outside the scope of the evaluation.

The ST and AGD have been updated to exclude the Include Username in HTTP Header Insertion Entries feature from the evaluation.

SAML Authentication

SAML Authentication is an XML-based open-standard for transferring identity data between two parties: an identity provider (IdP) and a service provider (SP). External authentication is outside the scope of the evaluation.

The ST and AGD have been updated to exclude the SAML Identity Provider (IdP).

IoT Security

The IoT Security solution works with next-generation firewalls to dynamically discover and maintain a real-time inventory of the IoT devices on your network. Through AI and machine-learning algorithms, the IoT Security solution achieves a high level of accuracy, even classifying IoT device types encountered for the first time. And because it’s dynamic, your IoT device inventory is always up to date. IoT Security also provides the automatic generation of policy recommendations to control IoT device traffic, as well as the automatic creation of IoT device attributes for use in firewall policies. This capability requires an IoT Security subscription. IoT Security is outside the scope of the evaluation.

The ST and AGD have been updated to exclude IoT Security.

Device-ID

The firewall can collect metadata to detect and identify devices on the network and obtain recommendations on how to secure them so you can know what devices are connecting to your networks and use them as match criteria to create adaptive device-based policy rules. The Device-ID functionality has not been tested in the evaluated configuration and is considered outside the scope of the evaluation.

The ST and AGD have been updated to exclude the Device-ID functionality.

TLS v1.3

TLS v1.3 is the latest version of the TLS protocol, which provides security and performance improvements for applications. TLS v1.3 is outside the scope of the evaluation.

The ST and AGD have been updated to exclude TLS v1.3.

Proxy Support for Cortex Data Lake

The firewall can be configured to forward logs to Cortex Data Lake through a proxy server. This enables you to send log data to Cortex Data Lake from a network without a default gateway. The forwarding of logs to Cortex Data Lake is outside the scope of the evaluation.

The ST and AGD have been updated to exclude Proxy Support for Cortex Data Lake.

Vendor Information


Palo Alto Networks, Inc.
Jake Bajic
(669) 235-9283
(669) 444-6627
jbajic@paloaltonetworks.com

www.paloaltonetworks.com