NIAP: Assurance Continuity
NIAP/CCEVS
Assurance Continuity - Palo Alto Networks M-200, M-500, and M-600 Hardware, and Virtual Appliances all running Panorama 10.0.5

Date of Maintenance Completion:  2021.07.14

Product Type:    Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Network Devices Version 2.1

Original Evaluated TOE:  2020.08.17 - Palo Alto Networks M-100, M-200, M-500, and M-600 Hardware, and Virtual Appliances all running Panorama 9.0

CC Certificate [PDF] Validation Report [PDF] Assurance Activity [PDF]

Administrative Guide [PDF]

Please note:  The above files are for the Original Evaluated TOE.  Consequently, they do not refer to this maintained version, although they apply to the maintained version. 

Security Target [PDF] * Assurance Continuity Maintenance Report [PDF] Administrative Guide [PDF]

Please note:  This serves as an addendum to the VR for the Original Evaluated TOE. 

* This is the Security Target (ST) associated with this latest Maintenance Release.

Readers are reminded that the certification of this product (TOE) is the result of maintenance, rather than an actual re-evaluation of the product. Maintenance only considers the effect of TOE changes on the assurance baseline (i.e. the original evaluated TOE); maintenance is not intended to provide assurance in regard to the resistance of the TOE to new vulnerabilities or attack methods discovered since the date of the initial certificate. Such assurance can only be gained through re-evaluation.

Using a security impact analysis of the changes made to the TOE, which was provided by the developer, the CCEVS has determined that the impact of changes on the TOE is considered minor and that independent evaluator analysis was not necessary. A summary of the results can be found in the Maintenance Report, which is written in relation to the product's original validation report and Security Target. Readers are therefore reminded to read the Security Target, Validation Report, and the Assurance Maintenance Report to fully understand the meaning of what a maintained certificate represents.

Product Description

The TOE consists of the Panorama M-200, M-500 and M-600 appliances and virtual appliances all running PAN-OS version 10.0.5 (hereafter Panorama, i.e., the TOE). The Palo Alto Networks M-100 hardware appliance has reached end of life and has been removed from the assurance maintenance. The vendor also has made software changes to the PAN-OS that addressed bug fixes and added new features to the software, revising it from the evaluated Panorama version 9.1.8 to version 10.0.5.  

TOE new features:

New features have been identified in the table below. Each table includes the feature name and a description of the feature.  The description also explains the impact of the feature on the evaluation and its inclusion or exclusion from the evaluation.

Name

Description

Enhanced Authentication for Dedicated Log Collectors and WildFire Appliances

Dedicated Log Collectors and WildFire appliances now support multiple local admins with granular authentication parameters, as well as remote authentication and authorization leveraging LDAP, RADIUS, or TACACS+ to enable central user management and ensure audit compliance. You can create and manage Log Collector and WildFire admins from the Panorama management server. This new feature is out of scope on the Panorama. The new feature does not change the ST or guidance documentation and has no effect on the result of any Assurance Activity test.

Automatic Content Updates Through Offline Panorama

You can now automate content updates for firewalls in an air-gapped network (where Panorama and the firewall are not connected to the internet) to reduce the operational burden and maintain an up-to-date security posture. Now, you can deploy a Panorama server to automatically download content updates from the Palo Alto Networks Update server and export them to an SCP server. On a configured schedule, the air-gapped Panorama retrieves the packages from the SCP server to install on firewalls.  The new feature does not change the ST or guidance documentation and has no effect on the result of any Assurance Activity test.

Increased Configuration Size for Panorama

The Panorama management server now supports increased configuration size for the M-Series and Panorama virtual appliances without performance impact to tasks such as configuration changes, commits, and pushes to managed firewalls. The new feature does not change the ST or guidance documentation and has no effect on the result of any Assurance Activity test.

Syslog Forwarding Using Ethernet Interfaces

Forwarding logs over the management interface can result in loss of logs and impact performance of management tasks due to insufficient bandwidth. Now, you can forward all PAN-OS logs to an external syslog server over an Ethernet interface on the Panorama management server and Dedicated Log Collector. This is not applicable as these are PAN-OS logs (firewall traffic logs) that are sent (i.e., forwarded) to another Panorama configured as a Log Collector. This does not affect the local logs on the Panorama that are sent over TLS to an audit server. The new feature does not change the ST or guidance documentation and has no effect on the result of any Assurance Activity test.

Access Domain Enhancements for Multi-Tenancy

IT administrators managing multiple unrelated tenants from a single Panorama can now create Device Group and Template (DG&T) admins with better visibility and control of managed firewalls in their access domains. DG&T admins in multi-tenant environments can now perform essential day-to-day tasks related to firewall management in their access domain. The new feature does not change the ST or guidance documentation and has no effect on the result of any Assurance Activity test.

Log Query Debugging

You can now view log collector queries to monitor bottlenecks in your deployment. If your log collectors are experiencing impacted performance, you can query all jobs or a specific job ID to better understand why your log query is experiencing issues. The new feature does not change the ST or guidance documentation and has no effect on the result of any Assurance Activity test.

Configurable Key Limits in Scheduled Reports

To improve the accuracy of scheduled reports, you can now configure the minimum and maximum key limits Panorama utilizes to generate reports. By increasing the number of keys, Panorama can aggregate, sort, and group larger sets of data to generate more accurate report results. Reports can be configured to run immediately or scheduled to run at specific intervals. The TOE can save and export the reports or email them to specific recipients. The Scheduled Reports capability has not been tested and is considered out of scope for the Panorama evaluation. The ST and AGD have been updated to exclude this functionality. This new feature does not have any effect on the testing or AAR.

Scheduled Reports for Cortex Data Lake

(PAN-OS 10.0.2 or later and Cloud Services plugin 1.8.0 or later) For better visibility into your Cortex Data Lake data, you can now generate scheduled reports on it. NIAP TD0407 excludes the evaluation of cloud deployments and services. The ST and AGD have been updated to exclude this functionality. This new feature does not have any effect on the testing or AAR.

Vendor Information


Palo Alto Networks, Inc
Jake Bajic
(669) 235-9283
(669) 444-6627
jbajic@paloaltonetworks.com

www.paloaltonetworks.com