NIAP: Compliant Product
Compliant Product - Palo Alto Networks PA-220 Series, PA-800 Series, PA-3000 Series, PA-3200 Series, PA-5200 Series, PA-7000 Series, and VM Series Next-Generation Firewall with PAN-OS 9.0


Product Description

The TOE is the Palo Alto Networks PA-220 Series, PA-800 Series, PA-3000 Series, PA-3200 Series, PA-5200 Series, PA-7000 Series, and VM Series Next-Generation Firewall with PAN-OS 9.0. The Palo Alto Networks next-generation firewalls are network firewall appliances and virtual appliances used to manage enterprise network traffic flow using function-specific processing for networking, security, and management. The next-generation firewalls let the administrator specify security policies based on an accurate identification of each application seeking access to the protected network. The next-generation firewall uses packet inspection and a library of applications to distinguish between applications that have the same protocol and port, and to identify potentially malicious applications that use non-standard ports. The next-generation firewall also supports the establishment of Virtual Private Network (VPN) connections to other next-generation firewalls or third-party security devices.

Evaluated Configuration

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5.  The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 revision 5. The product, when delivered and configured as described in the guidance documentation, satisfies all of the security functional requirements stated in the Palo Alto Networks PA-220 Series, PA-800 Series, PA-3000 Series, PA-3200 Series, PA-5200 Series, PA-7000 Series, and VM Series, Next-Generation Firewall with PAN-OS v9.0 Security Target. The project underwent CCEVS validation team review. The evaluation was completed in October 2020.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.

Environmental Strengths

Security Audit

The TOE generates audit records of security-relevant events. Generated audit records include the date and time of the event, the event type, the subject identity and the outcome of the event. For audit events resulting from the actions of identified users, the identity of the user is recorded in the generated audit record. The TOE can be configured to store audit records locally so they can be accessed by an administrator and can also be configured to export the audit records to an external audit server.

In the event the space available for storing audit records locally is exhausted, the TOE will overwrite the oldest stored audit records with new audit records as they are generated. The TOE can be configured to store the logs locally and be configured to send the logs securely to a designated external log server.

Cryptographic Support

The TOE implements NIST-validated cryptographic algorithms that provide key management, random bit generation, encryption/decryption, digital signature and cryptographic hashing and keyed-hash message authentication features in support of higher-level cryptographic protocols, including IPsec, SSH, HTTPS, and TLS.  Note that to be in the evaluated configuration, the TOE must be configured in FIPS-CC mode, which ensures the TOE’s configuration is consistent with the FIPS 140-2 standard.

User Data Protection

The TOE is designed to ensure that it does not inadvertently reuse data found in network traffic.

Identification and Authentication

The TOE requires all users accessing the TOE user interfaces to be successfully identified and authenticated before they can access any security management functions available in the TOE. The TOE offers network accessible (IPsec, HTTPS, SSH) and local connections to the GUI and SSH for interactive administrator sessions and HTTPS for XML and REST API.  HTTPS connections can also be tunneled over IPsec.

The TOE supports the local (i.e., on device) definition and authentication of administrators with username, password or public-key, and role (set of privileges), which it uses to authenticate the human user and to associate that user with an authorized role. In addition, the TOE can authenticate users using X.509 certificates and can be configured to lock a user out after a configurable number of unsuccessful authentication attempts.

When a user authenticates a local interactive session, no information about the authentication data (i.e., password) is echoed to the user. Passwords can be composed of any combination of upper and lower case letters, numbers, and the following special characters: !; @; #; $; %; ^; &; *; (; ); _; <; >; .; ~; '; +; ,; -; /; :; “;”; =; [; \; ]; `; {; and }. The TOE supports the use of X.509v3 certificates for IPsec and TLS authentication and also supports certificate revocation checking using Online Certificate Status Protocol (OCSP) or Certificate Revocation List (CRL). The TOE will not accept a certificate if it is unable to establish a connection in order to determine the certificate’s validity.

Security Management

The TOE provides a Graphical User Interface (GUI) to access its security management functions. Security management commands are limited to administrators and are available only after they have provided acceptable user identification and authentication data to the TOE. The TOE provides access to the GUI/API/CLI locally via direct RJ-45 Ethernet cable connection and remotely using HTTPS, IPsec or SSHv2 client.   

The TOE provides a number of management functions and restricts them to users with the appropriate privileges.  The management functions include the capability to configure the login banner, configure the idle timeout, configure IKE/IPsec VPN gateways, and other management functions. The TOE provides pre-defined Security Administrator, Audit Administrator, and Cryptographic Administrator roles. 

Protection of the TSF

The TOE implements a number of features designed to protect itself to ensure the reliability and integrity of its security features.

It protects sensitive data such as stored passwords and cryptographic keys so that they are not accessible even by an administrator. It also provides its own timing mechanism to ensure that reliable time information is available (e.g., for audit accountability).

The TOE includes functions to perform self-tests so that it might detect when it is failing. It also includes mechanisms so that the TOE itself can be updated while ensuring that the updates will not introduce malicious or other unexpected changes in the TOE.

TOE Access

The TOE can be configured to display an administrator-defined advisory banner before establishing an administrative user session and to terminate both local and remote interactive sessions after a configurable period of inactivity. It also provides users the capability to terminate their own interactive sessions.

Trusted Path/Channels

The TOE protects interactive communication with remote administrators using SSH, IPsec, or HTTP over TLS. SSH, IPsec, and TLS ensure both integrity and disclosure protection.

The TOE protects communication with the UIA, Panorama, GlobalProtect, and WildFire using TLS connections; the external log server with IPsec or TLS; and remote VPN gateways/peers using IPsec to prevent unintended disclosure or modification of the transferred data.

Stateful Traffic Filtering

The TOE implements a stateful traffic filter firewall for layers 3 and 4 (IP and TCP/UDP) network traffic, optimized through the use of stateful packet inspection.  

An administrator can configure the TOE to control the type of information that is allowed to pass through the TOE. The administrator groups interfaces into security zones. Each zone identifies one or more interfaces on the TOE. Separate zones must be created for each type of interface (Layer 2, Layer 3, or virtual wire), and each interface must be assigned to a zone before it can process traffic. Security policies provide the firewall rule sets that specify whether to block or allow network connections, based on the source and destination zones and addresses, and the application service (such as UDP port 67 or TCP port 80). Security policy rules are processed in sequence, applying the first rule that matches the incoming traffic.

Packet Filtering

The TOE provides packet filtering and secure IPsec tunneling. The tunnels can be established between two trusted VPN peers as well as between remote VPN clients and the TOE. An administrator can configure security policies that determine whether to block, allow, or log a session based on traffic attributes such as the source and destination security zone, the source and destination IP address, the application, user, and the service.

Vendor Information

Palo Alto Networks, Inc
Jake Bajic
(669) 235-9283
(669) 444-6627