NIAP: Compliant Product
Compliant Product - Palo Alto Networks GlobalProtect App 6

Certificate Date:  2023.10.20

Validation Report Number:  CCEVS-VR-VID11402-2023

Product Type:    Network Encryption
   Application Software

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Functional Package for TLS Version 1.1
  Protection Profile for Application Software Version 1.4

CC Testing Lab:  Leidos Common Criteria Testing Laboratory


CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide: Common Criteria Evaluated Configuration Guide (CCECG) [PDF]

GlobalProtect Administrator's Guide Version 10.1 [PDF]

GlobalProtect App User Guide Version 6.0 [PDF]


Product Description

Palo Alto Networks GlobalProtect App 6 provides users with the ability to access their company network resources via the Palo Alto Networks GlobalProtect Portals and Gateways. The TOE also provides several management functions that include, for example, allowing the endpoint user to select their desired gateway, and to collect troubleshooting logs from the TOE.


Evaluated Configuration

The evaluated configuration consists of GlobalProtect App 6, supported and tested on the following operating systems[1]:

  • Windows 11
  • macOS 12
  • Android 12
  • iOS 16
  • Linux Ubuntu 20.04




[1] While the TOE was tested on these operating systems, the TOE is compatible with later versions of the operating systems identified here. This is vendor affirmed.


Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme for the Protection Profile for Application Software, Version 1.4, 7 October 2021.

The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 release 5. The product, when delivered configured as identified in the guidance document, satisfies all of the security functional requirements stated in the Palo Alto Networks GlobalProtect App 6 Security Target. The evaluation was completed in July 2023. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.


Environmental Strengths

Cryptographic Support

The TOE implements NIST validated cryptographic algorithms that provide key management, random bit generation, encryption/decryption, digital signature and cryptographic hashing and keyed-hash message authentication features in support of cryptographic protocols such as TLS. In order to utilize these features, the TOE must be configured in FIPS-CC mode.  GlobalProtect App includes algorithms that are covered by CAVP certificates and the TOE also relies on the underlying platforms.

User Data Protection

The TOE restricts its access to only using network connectivity when it is needed to communicate with the Palo Alto Networks Gateway or Portal. Other functionality on the host platform, such as its camera, Bluetooth, USB, or microphone, is not needed. The TOE does not store any sensitive data in non-volatile memory.

Identification and Authentication

The TOE authenticates the X.509 certificate of the Palo Alto Networks GlobalProtect Gateway/Portal as part of establishing a TLS connection.

Security Management

The TOE provides access to the security management features using an interface on a general-purpose computer.  Security management operations are provided to the user of the TOE.  A user is able to perform security management by configuring necessary items such as assigning the Palo Alto Networks GlobalProtect Portal and Gateway that the TOE will use for its connections.  It also provides the user with the ability to collect troubleshooting logs, configure gateway and portal, check the current version, check for updates, and to enable/disable the transmission of information regarding the system’s hardware/software or configuration. The TOE relies on the OS’ network ports (i.e. ethernet ports) for communication and management capabilities. 

In order to install or uninstall the TOE, the user is required to have platform administrator privileges.

Privacy

The TOE does not transmit PII over the network.

Protection of the TSF

The TOE implements a variety of functions to ensure that it is protected against corruption.  These include utilizing platform APIs, memory mapping, and stack-based buffer overflow protection.  Palo Alto Networks provides customers with a means of updating the TOE using trusted updates.  These trusted updates are securely delivered and installed using protection mechanisms such as TLS, and by using approved digital signature methods. Palo Alto Networks signs all updates using RSA 2048 with SHA-256. The trusted update site also provides a checksum of the updates that can be used for additional verification before it is utilized.

Trusted Path/Channels

The TOE protects communication between itself as the endpoint and other networks using TLS. The TOE uses TLS 1.2 to encrypt all data that it transmits to external IT entities (i.e., Palo Alto Networks GlobalProtect Portals and Gateways).

 


Vendor Information


Palo Alto Networks, Inc.
Jake Bajic
408-753-3901
jbajic@paloaltonetworks.com

www.paloaltonetworks.com