CC Certificate 

Security Target 

Validation Report 

Assurance Activity 

Administrative Guide 

Palo Alto Networks provides a wide suite of enterprise-level next-generation firewalls, with a diverse range of security features for the enterprise network.

The Palo Alto next-generation firewalls are network firewall appliances and virtual appliances on specified hardware used to manage enterprise network traffic flow using function-specific processing for networking, security, and management. The next-generation firewalls let the administrator specify security policies based on an accurate identification of each application seeking access to the protected network. The next-generation firewall uses packet inspection and a library of applications to distinguish between applications that have the same protocol and port, and to identify potentially malicious applications that use non-standard ports. The next-generation firewall also supports the establishment of Virtual Private Network (VPN) connections to other next-generation firewalls or third-party security devices.

The Target of Evaluation (TOE) is comprised of one instance of the Palo Alto Networks next-generation firewall that includes the Palo Alto Networks PA-220, PA-220R, PA-410, PA-440, PA-450, PA-460, PA-820, PA-850, PA-3220, PA-3250, PA-3260, PA-5220, PA-5250, PA-5260, PA-5280, PA-5450, PA-7050, and PA-7080 appliances and the virtual appliances in the VM-Series VM-50, VM-100, VM-200, VM-300, VM-500, VM-700, VM-1000-HV with PAN-OS v10.1.

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme for the PP-Configuration for Network Devices, Stateful Traffic Filter Firewalls, and Virtual Private Network (VPN) Gateways, version 1.2, which includes the following components:

·        collaborative Protection Profile for Network Devices, Version 2.2e, 23 March 2020 [NDcPP]

·        PP-Module for Stateful Traffic Filter Firewalls, Version 1.4 + Errata 20200625, 25 June 2020 [FW-Module]

·        PP-Module for Virtual Private Network (VPN) Gateways, Version 1.2, 31 March 2022 [VPNGW-Module] 

The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 release 5. The product, when delivered configured as identified in the guidance document, satisfies all of the security functional requirements stated in the Palo Alto Networks PA-220 Series, PA-400 Series, PA-800 Series, PA-3200 Series, PA-5200 Series, PA-5450, PA-7000 Series, and VM Series Next-Generation Firewall with PAN-OS 10.1 Security Target. The evaluation was completed in August 2022. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.

Security Audit

The TOE is able to generate audit records of security-relevant events including the events specified in [NDcPP], [FW-Module], and [VPNGW-Module]. By default, the TOE stores the logs locally so they can be accessed by an administrator. The TOE can also be configured to send the logs securely to a designated external log server. 

Cryptographic Support

The TOE implements NIST-validated cryptographic algorithms that provide key management, random bit generation, encryption/decryption, digital signature and cryptographic hashing and keyed-hash message authentication features in support of higher-level cryptographic protocols, including IPsec, SSH, HTTPS, and TLS. Note that to be in the evaluated configuration, the TOE must be configured in FIPS-CC mode, which ensures the TOE’s configuration is consistent with the FIPS standard and the PP claims.

User Data Protection

The TOE is designed to ensure that it does not inadvertently reuse data found in network traffic.

Identification and Authentication

The TOE requires all users accessing the TOE user interfaces to be successfully identified and authenticated before they can access any security management functions available in the TOE. The TOE offers network accessible (HTTPS, SSH, IPsec) and direct connections to the GUI and SSH for interactive administrator sessions and HTTPS for XML and REST API.

The TOE supports the local (i.e., on device) definition and authentication of administrators with username, password or public-key, and role (set of privileges), which it uses to authenticate the user and to associate that user with an authorized role. In addition, the TOE can authenticate users using X.509v3 certificates and can be configured to lock a user out after a configurable number of unsuccessful authentication attempts.

Security Management

The TOE provides a GUI, CLI, or API (XML and REST) to access the security management functions. Security management commands are limited to administrators and are available only after they have provided acceptable user identification and authentication data to the TOE. The TOE provides access to the GUI/API/CLI locally via direct RJ-45 Ethernet cable connection and remotely using an HTTPS/TLS, IPsec, or SSHv2 client.   

The TOE provides a number of management functions and restricts them to users with the appropriate privileges.  The management functions include the capability to configure the login banner, configure the idle timeout, configure IKE/IPsec VPN gateways, and other management functions. The TOE provides pre-defined Security Administrator, Audit Administrator, and Cryptographic Administrator roles. These administrator roles are all considered Security Administrator as defined in the claimed PP for the purposes of the evaluation.

Protection of the TSF

The TOE implements a number of features designed to protect itself to ensure the reliability and integrity of its security features.

It protects particularly sensitive data such as stored passwords and cryptographic keys so that they are not accessible even by an administrator. It also provides its own timing mechanism to ensure that reliable time information is available (e.g., for log accountability).

The TOE includes functions to perform self-tests so that it can detect when it is failing and transition to a secure, maintenance state. It also includes a mechanism to verify TOE updates to prevent malicious or other unexpected changes in the TOE.

TOE Access

The TOE can be configured to display an administrator-defined advisory banner before establishing an administrative user session and to terminate both local and remote interactive sessions after a configurable period of inactivity. It also provides users the capability to terminate their own interactive sessions.

Trusted Path/Channels

The TOE protects interactive communication with remote administrators using SSH, HTTP over TLS (HTTPS), or IPsec. SSH, TLS, and IPsec ensure both integrity and disclosure protection. Note: HTTPS traffic can be tunneled through IPsec secure channel.

The TOE protects communication with external log server with IPsec or TLS; and remote VPN gateways/peers using IPsec to prevent unintended disclosure or modification of the transferred data.

Vendor Information