Certifications

 

Palo Alto Networks network security solutions have performed consistently against a variety of rigorous evaluations for certification. We are committed to the continued certification and performance evaluation of our products. The following certifications and third-party validations have been accredited to our next-generation firewalls based on conformance to various standards.

 

Common Criteria

Palo Alto Networks Next-Generation Firewalls have achieved Common Criteria (CC) certification under the rigorous National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS). The certified products are compliant with Protection Profile for Network Devices Version 1.1, Network Device Protection Profile (NDPP) Extended Package Stateful Traffic Filter Firewall Version 1.0, and Network Device Protection Profile (NDPP) Extended Package VPN Gateway Version 1.1. The VPN Gateway evaluation also included additional requirements per the NSA Commercial Solutions for Classified Networks (CSfC).

The certification applies to the Palo Alto Networks PA-200, PA-500, PA-2000 Series, PA-3000 Series, PA-4000 Series, PA-5000 Series and PA-7000 Series next-generation firewalls, and the VM-Series virtual next-generation firewall.

For certification details, please visit https://www.niap-ccevs.org/Product/Compliant.cfm?pid=10640.

The certification above builds upon the previous Common Criteria certification at Evaluation Assurance Level 4+ (EAL4+) that Palo Alto Networks received in 2013. The certificate was issued by the NIAP. The EAL4+ Assurance Continuity Maintenance Report (ACMR) is available at http://www.commoncriteriaportal.org/files/epfiles/st_vid10392-add2.pdf.

 

Service Organizations Control 2 (SOC2)

Palo Alto Networks WildFire has received SOC2 certification. Service Organizations Control 2 (SOC2) is a reporting standard defined by the American Institute of Certified Public Accountants (AICPA).
The SOC2 certification is a testament to the quality and comprehensiveness of security controls put in place to manage the data sent to WildFire, providing third-party validation supporting the trust foundation between us and our WildFire customers. This certification applies to the WildFire global cloud Palo Alto Networks WildFire has received SOC2 certification. Service Organizations Control 2 (SOC2) is a reporting standard defined by the American Institute of Certified Public Accountants (AICPA).

 

FIPS 140-2

Palo Alto Networks products have been validated against FIPS 140-2, a certification focused on cryptographic functionality. The following certificates have been issued by the National Institute of Standards and Technology (NIST) under the Cryptographic Module Validation Program (CMVP):

Certificate No. 2799 - PA-200, PA-500, PA-2000 Series, PA-3000 Series, PA-4000 Series, PA-5000 Series and PA-7050 Firewalls posted at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2799
Certificate No. 2797 - PA-3060 and PA-7080 Firewalls posted at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2797
Certificate No. 2800 - PAN-OS VM–Series posted at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2800
Certificate No. 2802 - WildFire WF-500 posted at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2802
Certificate No. 2787 - Panorama M-100 and M-500 posted at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2787

Certificate No. 2637 - PA-200, PA-500, PA-2000 Series, PA-3000 Series, PA-4000 Series, PA-5000 Series and PA-7050 Firewalls posted at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2637
Certificate No. 2616 - PA-3060 and PA-7080 Firewalls posted at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2616
Certificate No. 2620 - PAN-OS VM–Series posted at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2620
Certificate No. 2617 - WildFire WF-500 posted at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2617
Certificate No. 2453 - Panorama M-100 posted at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2453

For earlier certified versions of the Palo Alto Networks products, please search http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm.

Validated modules can be accepted by US Federal Agencies using cryptographic-based security to protect sensitive information in computer and telecommunication systems.

 

UC APL

Palo Alto Networks next-generation firewalls completed the evaluation for the Department of Defense (DoD) Unified Capabilities (UC) Approved Product List (APL). The http://jitc.fhu.disa.mil/tssi/cert_pdfs/PaloAlto_IDS_IPS_M100_Nov15.pdf allows the products on the DoD UC-APL to be used by the US Department of Defense.

 

Commercial Solutions for Classified (CSfC)

Palo Alto Networks, Inc.’s Next Generation Firewall Product Series is eligible to be used as a Traffic Filtering Firewall component in a CSfC solution. More information can be found at www.nsa.gov.

Palo Alto Networks, Inc.’s Next Generation Firewall Product Series is eligible to be used as an IPSec VPN Gateway component in a CSfC solution. More information can be found at www.nsa.gov.

 

USGV6

Palo Alto Networks next-generation firewalls have completed IPv6 conformance testing as firewall, IDS, and IPS devices. USGv6, a testing program from the National Institute of Standards and Technology (NIST) provides proof of compliance to IPv6 specifications outlined in current industry standards for common network products. 

 

ICSA

Palo Alto Networks next-generation firewalls and WildFire cloud-based threat analysis environment have been tested and certified by ICSA Labs, an independent division of Verizon. Certified firewall solutions passed the evaluation against ICSA Labs Modular Firewall Product Certification Criteria version 4.2x for general-purpose network firewalls, in the corporate category. WildFire has passed the evaluation against ICSA Labs Advanced Threat Defense Criteria version 1.0.

 

NEBS

Network Equipment Building System (NEBS) Level 3 certification is in place for select Palo Alto Networks next-generation firewalls, which is the most common set of safety, spatial and environmental design guidelines applied to telecommunications equipment in the United States. 

 

CESG Foundation Grade Certification

Palo Alto Networks PA-200, PA-500, PA-2000, PA-3000, PA-4000, PA-5000, PA-7000 & VM Series, Next-Generation Firewall Foundation Grade certificate has been posted at https://www.cesg.gov.uk/products/palo-alto-networks-pa-200-pa-500-pa-2000-pa-3000-pa-4000-pa-5000-pa-7000-vm-series-next.

This Foundation Grade certification is based upon the product's successful Common Criteria evaluation against the Network Device Protection Profile (NDPP) Extended Package Stateful Traffic Filter Firewall Version 1.0.

 

ANSSI top-level certification

The Palo Alto Networks platform was the first to be certified by the Agence nationale de la sécurité des systèmes d’information (ANSSI) on next-generation firewall criteria, including protections based on applications (App-ID) and users (User-ID). The tests were conducted by the CESTI and information technology security consultants at AMOSSYS – organizations approved by the ANSSI to conduct these security assessments.