The TOE is the Palo Alto Networks WF-500-B appliance running WildFire 11.1. The TOE provides detection and prevention of zero-day malware using a combination of dynamic and static analysis to detect threats and create protections to block malware. The WF-500-B appliance extends the capabilities of Palo Alto Networks’ Next Generation Firewalls by receiving network traffic samples to identify and block targeted and unknown malware.
\r\nThe WF-500-B appliance is the only TOE model included in the evaluation.
","evaluation_configuration":"The evaluated version of the TOE consists of Palo Alto WildFire 11.1.11 running on the WF-500-B appliance.
\r\nThe TOE must be deployed as described in the Validation Report and be configured in accordance with the Palo Alto Networks Common Criteria Evaluated Configuration Guide (CCECG) for WildFire 11.1.
\r\nPer NIAP Scheme Policy Letter #22, user installation of vendor-delivered bug fixes and security patches is encouraged between completion of the evaluation and the Assurance Maintenance Date; with such updates properly installed, the product is still considered by NIAP to be in its evaluated configuration.
","security_evaluation_summary":"The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme for the collaborative Protection Profile for Network Devices [NDcPP] and Functional Package for Secure Shell (SSH) [SSHPKG]. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 release 5. The product, when delivered and configured as identified in the guidance document, satisfies all of the security functional requirements stated in the Palo Alto Networks WF-500-B appliance running WildFire 11.1 Security Target. The evaluation was completed in October 2025. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
","environmental_strengths":"Security Audit
\r\nThe TOE is designed to be able to generate logs for a variety of security relevant events including the events specified in the claimed Protection Profile and Functional Package. The TOE can be configured to store the logs locally or can be configured to send the logs to a designated external log server.
\r\nCryptographic Support
\r\nThe TOE implements NIST-validated cryptographic algorithms that provide key management, random bit generation, encryption/decryption, digital signature generation and verification, cryptographic hashing, and keyed-hash message authentication features in support of higher-level cryptographic protocols, including SSH and TLS.
\r\nIdentification and Authentication
\r\nThe TOE requires that all users that access the TOE be successfully identified and authenticated before they can have access to any security functions that are available in the TOE. The TOE offers functions through connections using SSH for administrators.
\r\nThe TOE supports the local definition and authentication of administrators with username, password, SSH keys, and role that it uses to authenticate the operator. These items are associated with an operator and an authorized role for access to the TOE. The TOE uses X.509 certificates to support TLS authentication. In the evaluated configuration, the syslog connection implements OCSP for status verification for the certificate. The connection to the firewalls can use either CRLs or OCSP.
\r\nSecurity Management
\r\nThe TOE provides access to its security management features using the CLI. CLI commands are transmitted over SSH for secure connections. Security management commands are limited to administrators and only available after the operator has successfully authenticated themselves to the TOE. The TOE provides access to these services using an SSHv2 client. The product also includes a console port, but once FIPS-CC mode is enabled, the console port is disabled.
\r\nProtection of the TSF
\r\nThe TOE implements features designed to protect itself, and to ensure the reliability and integrity of its security functions.
\r\nStored passwords and cryptographic keys are protected so that unauthorized access does not result in sensitive data being lost, and the TOE also implements various self-tests so that it can detect if there are any errors with the system or if malicious activity has occurred. The TOE provides its own timing mechanism to ensure that reliable time information is present. The TOE uses digital signature mechanisms when performing trusted updates to ensure installation of software is valid and authenticated properly.
\r\nTOE Access
\r\nThe TOE provides the ability for both TOE and user-initiated termination of interactive sessions and for the TOE termination of an interactive session after a period of inactivity is observed. Additionally, the TOE is able to display an advisory message regarding unauthorized use of the TOE before establishing a user session.
\r\nTrusted Path/Channels
\r\nThe TOE protects interactive communication with administrators using SSH. Communication with other devices and services (such as a Syslog server) are protected using TLS and X.509 certificates to support TLS authentication.
\r\n","features":[{"id":1053,"feature_name":"Asymmetric Key Generation"},{"id":1048,"feature_name":"Auditing"},{"id":1063,"feature_name":"Certificate Authentication"},{"id":1058,"feature_name":"Certificate Validation"},{"id":1056,"feature_name":"Cryptograhic Hashing"},{"id":1057,"feature_name":"Cryptographic Hashing"},{"id":1054,"feature_name":"Cryptographic Key Establishment"},{"id":1055,"feature_name":"Cryptographic Signature Verification"},{"id":1052,"feature_name":"DRBG"},{"id":1059,"feature_name":"DTLS Server with Mutual Authentication"},{"id":1047,"feature_name":"Flaw Remediation"},{"id":1061,"feature_name":"HTTPS Client"},{"id":1062,"feature_name":"IPsec"},{"id":1049,"feature_name":"Key Destruction"},{"id":1050,"feature_name":"SSH Client"},{"id":1051,"feature_name":"SSH Server"},{"id":1065,"feature_name":"TLS 1.2"},{"id":1066,"feature_name":"TLS 1.3"},{"id":1060,"feature_name":"TLS Client"}]}