Palo Alto Networks provides a suite of enterprise-level next-generation firewalls, with a range of security features for the enterprise network.
\r\nThe Palo Alto next-generation firewalls are network firewall appliances and virtual appliances on specified hardware used to manage enterprise network traffic flow using function-specific processing for networking, security, and management. The next-generation firewalls let the administrator specify security policies based on an accurate identification of each application seeking access to the protected network. The next-generation firewall uses packet inspection and a library of applications to distinguish between applications that have the same protocol and port, and to identify potentially malicious applications that use non-standard ports. The next-generation firewall also supports the establishment of Virtual Private Network (VPN) connections to other next-generation firewalls or third-party security devices.
\r\nThe Target of Evaluation (TOE) comprises the following Palo Alto Networks next-generation firewall series and specific appliances:
\r\n\r\n
The Palo Alto VM-Series is supported on the following hypervisors:
\r\n\r\n
The CCTL conducted evaluation testing of the VM-Series on the following platforms:
\r\nVMware ESXi 7.0:
\r\nMicrosoft Hyper-V Server 2019:
\r\nLinux KVM 4 Ubuntu 20.04:
\r\nEvaluation testing covered the following hardware and processors:
\r\nPA-5450: Intel Xeon D-2187NT (DP/MP).
\r\n[1] PA-5280 can operate in Express or Secure mode. Secure mode just means it’s 5G-ready and requires a license upgrade.
\r\n[2] PA-5450 firewall supports the following cards: PA-5400 MPC-A, PA-5400 NC-A, and PA-5400 DPC-A.
\r\n[3] Palo Alto Networks PA-7000 Series firewalls support different Network Processing Cards (NPC) and Switch Management Cards (SMC): PAN-PA-7050-SMC-B, PAN-PA-7080-SMC-B, PAN-PA-7000-LFC-A, PAN-PA-7000-100G-NPC-A-K2-EXP, PAN-PA-7000-100G-NPC-A-K2-SEC, and PAN-PA-7000-100G-NPC.
\r\nThe evaluated version of the TOE consists of Palo Alto PAN-OS 11.1.4 running on the following physical and virtual appliances:
\r\nThe Palo Alto VM-Series is supported on the following hypervisors:
\r\nThe CCTL conducted evaluation testing of the VM-Series on the following platforms:
\r\nVMware ESXi 7.0:
\r\nMicrosoft Hyper-V Server 2019:
\r\nLinux KVM 4 Ubuntu 20.04:
\r\nEvaluation testing covered the following hardware and processors:
\r\n\r\n
The TOE must be deployed as described in section 5.1 of this Validation Report and be configured in accordance with the Palo Alto Networks Common Criteria Evaluated Configuration Guide (CCECG) for Next-Generation Firewall with PAN-OS 11.1 [16].
\r\nPer NIAP Scheme Policy Letter #22, user installation of vendor-delivered bug fixes and security patches is encouraged between completion of the evaluation and the Assurance Maintenance Date; with such updates properly installed, the product is still considered by NIAP to be in its evaluated configuration.
\r\n[1] PA-5280 can operate in Express or Secure mode. Secure mode just means it’s 5G-ready and requires a license upgrade.
\r\n[2] PA-5450 firewall supports the following cards: PA-5400 MPC-A, PA-5400 NC-A, and PA-5400 DPC-A.
\r\n[3] Palo Alto Networks PA-7000 Series firewalls support different Network Processing Cards (NPC) and Switch Management Cards (SMC): PAN-PA-7050-SMC-B, PAN-PA-7080-SMC-B, PAN-PA-7000-LFC-A, PAN-PA-7000-100G-NPC-A-K2-EXP, PAN-PA-7000-100G-NPC-A-K2-SEC, and PAN-PA-7000-100G-NPC.
\r\nThe evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme for the PP-Configuration for Network Devices, Stateful Traffic Filter Firewalls, Virtual Private Network (VPN) Gateways, and Intrusion Prevention System, version 2.0, 25 April 2024, which comprises the following components:
\r\n\r\n
The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 release 5. The product, when delivered configured as identified in the guidance document, satisfies all of the security functional requirements stated in the Palo Alto Networks PA-400 Series, PA-800 Series, PA-1400 Series, PA-3200 Series, PA-3400 Series, PA-5200 Series, PA-5400 Series, PA-5450, PA-7000 Series, and VM Series Next-Generation Firewall with PAN-OS 11.1 Security Target. The evaluation was completed in August 2024. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
","environmental_strengths":"Security Audit
\r\nThe TOE is able to generate audit records of security-relevant events including the events specified in [NDcPP], [FW-Module], [VPNGW-Module], [IPS-Module], and [SSHPKG]. By default, the TOE stores the logs locally so they can be accessed by an administrator. The TOE can also be configured to send the logs securely to a designated external log server.
\r\nCryptographic Support
\r\nThe TOE implements NIST-validated cryptographic algorithms that provide key management, random bit generation, encryption/decryption, digital signature and cryptographic hashing and keyed-hash message authentication features in support of higher-level cryptographic protocols, including IPsec, SSH, HTTPS, and TLS. Note that to be in the evaluated configuration, the TOE must be configured in FIPS-CC mode, which ensures the TOE’s configuration is consistent with the FIPS standard and the PP claims.
\r\nUser Data Protection
\r\nThe TOE is designed to ensure that it does not inadvertently reuse data found in network traffic.
\r\nIdentification and Authentication
\r\nThe TOE requires all users accessing the TOE user interfaces to be successfully identified and authenticated before they can access any security management functions available in the TOE. The TOE offers network accessible (HTTPS, SSH, IPsec) connections to the GUI and SSH for interactive administrator sessions and HTTPS for XML and REST API.
\r\nThe TOE supports the local (i.e., on device) definition and authentication of administrators with username, password or public-key, and role (set of privileges), which it uses to authenticate the user and to associate that user with an authorized role. In addition, the TOE can authenticate users using X.509v3 certificates and can be configured to lock a user out after a configurable number of unsuccessful authentication attempts.
\r\nSecurity Management
\r\nThe TOE provides a GUI, CLI, or API (XML and REST) to access the security management functions. Security management commands are limited to administrators and are available only after they have provided acceptable user identification and authentication data to the TOE. The TOE provides access to the GUI/API/CLI using an HTTPS/TLS, IPsec, or SSHv2 client.
\r\nThe TOE provides a number of management functions and restricts them to users with the appropriate privileges. The management functions include the capability to configure the login banner, configure the idle timeout, configure IKE/IPsec VPN gateways, configure threat signature rules, and other management functions. The TOE provides pre-defined Security Administrator, Audit Administrator, and Cryptographic Administrator roles. These administrator roles are all considered Security Administrator as defined in [NDcPP] for the purposes of the evaluation.
\r\nProtection of the TSF
\r\nThe TOE implements a number of features designed to protect itself to ensure the reliability and integrity of its security features.
\r\nIt protects particularly sensitive data such as stored passwords and cryptographic keys so that they are not accessible even by an administrator. It also provides its own timing mechanism to ensure that reliable time information is available (e.g., for log accountability).
\r\nThe TOE includes functions to perform self-tests so that it can detect when it is failing and transition to a secure, maintenance state. It also includes a mechanism to verify TOE updates to prevent malicious or other unexpected changes in the TOE.
\r\nTOE Access
\r\nThe TOE can be configured to display an administrator-defined advisory banner before establishing an administrative user session and to terminate remote interactive sessions after a configurable period of inactivity. It also provides users the capability to terminate their own interactive sessions.
\r\nTrusted Path/Channels
\r\nThe TOE protects interactive communication with remote administrators using SSH, HTTP over TLS (HTTPS), or IPsec. SSH, TLS, and IPsec ensure both integrity and disclosure protection. Note: HTTPS traffic can be tunneled through an IPsec secure channel.
\r\nThe TOE uses IPsec or TLS to protect communication with an external log server and protects remote VPN gateways/peers using IPsec to prevent unintended disclosure or modification of the transferred data. The TOE also uses TLS to protect communications with GlobalProtect TLS client applications.
\r\nStateful Traffic Filtering
\r\nThe TOE provides a stateful traffic filter firewall for layers 3 and 4 (IP and TCP/UDP) network traffic optimized through the use of stateful packet inspection.
\r\nAn administrator can configure the TOE to control the type of information that is allowed to pass through the TOE. The administrator defines the security zone and applies security policies to network traffic attempting to traverse the TOE to determine what actions to take.
\r\nThe TOE groups interfaces into security zones. Each zone identifies one or more interfaces on the TOE. Separate zones must be created for each type of interface (Layer 2, Layer 3, or virtual wire), and each interface must be assigned to a zone before it can process traffic. Security policies provide the firewall rule sets that specify whether to block or allow network connections, based on the source and destination zones, and addresses, and the application service (such as UDP port 67 or TCP port 80). Security policy rules are processed in sequence, applying the first rule that matches the incoming traffic.
\r\nPacket Filtering
\r\nThe TOE provides packet filtering and secure IPsec tunneling. The tunnels can be established between two trusted VPN peers as well as between remote VPN clients and the TOE. An administrator can configure security policies that determine whether to block, allow, or log a session based on traffic attributes such as the source and destination security zone, the source and destination IP address, the application, user, and the service.
\r\nIntrusion Prevention System
\r\nThe TOE provides IPS functionalities such as malicious list blocking, reconnaissance and Denial of Service (DoS) flooding protection, anomaly-based and signature-based traffic detection and response mechanisms.
","features":[{"id":3448,"feature_name":"Asymmetric Key Generation"},{"id":3444,"feature_name":"Auditing"},{"id":3458,"feature_name":"Certificate Authentication"},{"id":3453,"feature_name":"Certificate Validation"},{"id":3451,"feature_name":"Cryptographic Hashing"},{"id":3449,"feature_name":"Cryptographic Key Establishment"},{"id":3450,"feature_name":"Cryptographic Signature Verification"},{"id":3446,"feature_name":"DRBG"},{"id":3463,"feature_name":"Firewall"},{"id":3443,"feature_name":"Flaw Remediation"},{"id":3456,"feature_name":"HTTPS Client"},{"id":3457,"feature_name":"HTTPS Server without Mutual Authentication"},{"id":3460,"feature_name":"IKEv2"},{"id":3464,"feature_name":"Intrusion Prevention"},{"id":3459,"feature_name":"IPsec"},{"id":3452,"feature_name":"Keyed-hash message authentication"},{"id":3445,"feature_name":"SSH Server"},{"id":3461,"feature_name":"TLS 1.2"},{"id":3462,"feature_name":"TLS 1.3"},{"id":3454,"feature_name":"TLS Client"},{"id":3455,"feature_name":"TLS Server without Mutual Authentication"},{"id":3447,"feature_name":"Virtual Network Device"},{"id":3465,"feature_name":"VPN Gateway"}]}