CCEVS APPROVED ASSURANCE CONTINUITY MAINTENANCE REPORT FOR
Palo Alto Networks PA-220 Series, PA-800 Series, PA-3200 Series, PA-5200 Series, PA-7000 Series, and VM Series Next-Generation Firewall with PAN-OS 10.0.5

Maintenance Report Number: CCEVS-VR-VID11063-2021-2
Date of Activity: 30 June 2021

References:
Common Criteria Evaluation and Validation Scheme Publication #6, "Assurance Continuity: Guidance for Maintenance and Re-evaluation", Version 3.0, September 12, 2016
NIAP Policy #12, "Acceptance Requirements of a product for NIAP Evaluation", March 20, 2013
Common Criteria document CCIMB-2004-02-009, "Assurance Continuity: CCRA Requirements", Version 1.0, February 2004
Palo Alto Networks PA-220 Series, PA-800 Series, PA-3200 Series, PA-5200 Series, PA-7000 Series, and VM Series Next-Generation Firewall with PAN-OS 10.0.5 Security Target, Version 1.0, June 1, 2021
Palo Alto Networks Common Criteria Evaluated Configuration Guide (CCECG) for Firewalls with PAN-OS 10.0, Revision Date: June 1, 2021
Palo Alto Networks PA-220 Series, PA-800 Series, PA-3200 Series, PA-5200 Series, PA-7000 Series, and VM Series Next-Generation Firewall with PAN-OS 10.0.5 Impact Analysis Report, Version 1.0, June 1, 2021

Description of Changes

The changes made to the Palo Alto Networks PA-220 Series, PA-800 Series, PA-3200 Series, PA-5200 Series, PA-7000 Series, and VM Series Next-Generation Firewall with PAN-OS 10.0 since the previous Common Criteria assurance maintenance update in April 2021 (CCEVS-VR-VID11063-2021) are described here.

The PA-3000 Series (PA-3020, PA-3050, PA-3060) firewalls have reached End-of-Life and are no longer considered part of the evaluated configuration.

The Palo Alto Networks PA-220 Series, PA-800 Series, PA-3000 Series, PA-3200 Series, PA-5200 Series, PA-7000 Series, and VM Series Next-Generation Firewall was updated from PAN-OS 9.1.8 to PAN-OS 10.0.5. The software updates included new non-security-relevant features and bug fixes. The software updates and their effects and relevance are summarized below.

Support for the optional Palo Alto PA-7000-DPC-A Network Processing Card has been added to the evaluation.

The PAN-OS release notes from PAN-OS 10.0.0 to PAN-OS 10.0.5 include updates for the Palo Alto Networks next-generation firewall, Panorama, and WildFire product lines. All three product lines implement PAN-OS, and Palo Alto has included all of them in a single release note format. The following product updates are applicable to the PAN-OS 10.0.5 firewalls.

Page 1 of 37

Features Introduced in PAN-OS 10.0

(Columns: Feature / Description / Rationale)

Feature: Enterprise Data Loss Prevention (DLP)
Description: To protect against unauthorized access, misuse, extraction, and sharing of sensitive information, you need to effectively filter network traffic to block or generate an alert before sensitive information leaves the network. Enterprise Data Loss Prevention (DLP) provides a single engine for accurate detection and consistent policy enforcement for sensitive data at rest and in motion. Panorama and managed firewalls running PAN-OS 10.0.2 and later releases support Enterprise DLP.
Rationale: Minor Change – Data Loss Prevention (DLP) was excluded from the v9.0 evaluation and is excluded from the 10.0.5 release also. This feature results in no changes to the ST or guidance documentation and has no effect on the result of any Assurance Activity test.

IoT Security Features

Feature: IoT Security
Description: The IoT Security solution works with next-generation firewalls to dynamically discover and maintain a real-time inventory of the IoT devices on your network. Through AI and machine-learning algorithms, the IoT Security solution achieves a high level of accuracy, even classifying IoT device types encountered for the first time. And because it is dynamic, your IoT device inventory is always up to date. IoT Security also provides the automatic generation of policy recommendations to control IoT device traffic, as well as the automatic creation of IoT device attributes for use in firewall policies. Requires an IoT Security subscription.
Rationale: Minor Change – IoT was not included in the v9.0 evaluation and should be excluded from the 10.0.5 evaluation also. IoT Security requires an IoT Security subscription, which is not included in the evaluation. The ST and the AGD have been updated to exclude the IoT functionality.

Feature: Device-ID
Description: The firewall can now collect metadata to detect and identify devices on your network and obtain recommendations on how to secure them, so you can know what devices are connecting to your networks and use them as match criteria to create adaptive device-based policy rules. In environments with an increasing demand for "bring your own device" (BYOD) support, and as more IoT (Internet of Things) devices connect to networks, detecting and securing these devices becomes increasingly difficult. By correlating network events with specific devices and providing actionable insights about them, Device-ID can quickly identify the source device for network incidents and help you create a responsive and comprehensive security policy.
Rationale: Minor Change – The firewall can collect metadata to detect and identify devices on the network and obtain recommendations on how to secure them, so you can know what devices are connecting to your networks and use them as match criteria to create adaptive device-based policy rules. The Device-ID functionality has not been tested in the evaluated configuration and is considered outside the scope of the evaluation. The ST and the AGD have been updated to exclude the Device-ID functionality.

Content Inspection Features

Feature: Enhanced Pattern Matching Engine for Custom Signatures
Description: The PAN-OS pattern-matching engine now supports new regular expression (regex) syntax and shorter data patterns, which dramatically expand the number of possible custom threat signatures that you can create and ingest from a third-party intrusion prevention system (IPS). To maximize the benefits of this new compatibility with third-party signatures, install the IPS Signature Converter for Panorama, which provides an automated solution for converting Snort and Suricata signatures into custom Palo Alto Networks threat signatures. You can also use the new pattern-matching capabilities to control application usage more finely with custom application signatures.
Rationale: Minor Change – The following Panorama capabilities (i.e., stateful inspection filtering, IPsec VPN gateway, IPS/IDS threat prevention) were not evaluated (out of scope) in the previous evaluation. Only the secure communication channels from Panorama to firewalls and WildFire appliances are claimed. The functionality is not claimed in the v10.0.5 release. This feature results in no changes to the ST or guidance documentation and has no effect on the result of any Assurance Activity test.

Feature: IPS Signature Converter Plugin
Description: The IPS signature converter plugin leverages the new Enhanced Pattern-Matching Engine to automatically convert rules for Snort and Suricata intrusion prevention system (IPS) software into custom Palo Alto Networks threat signatures. This enables you to immediately augment existing Threat Prevention coverage with Snort and Suricata rules that you receive from threat intelligence sources or that you write specifically for your network environment. Panorama 10.0 supports the IPS signature converter plugin and supplies the compatible version but does not install the plugin automatically. You should install the plugin if you have or expect to receive Snort and Suricata rules that you want to use in Security policy rules on your Panorama-managed firewalls.
Rationale: Minor Change – The IPS signature converter plugin is an additional licensed product for the firewalls. The Panorama appliance is able to send Security policy rules to the Panorama-managed firewalls. However, the security target states that the Anti-Virus, Anti-Spyware, and Anti-Malware security policies (i.e., profiles) are not evaluated and therefore these features are out of scope. The security target states that only the secure communication (FPT_ITC.1) between the firewalls and Panorama is claimed and validated in this evaluation. This feature results in no changes to the ST or guidance documentation and has no effect on the result of any Assurance Activity test.

Feature: DNS Security Signature Categories
Description: The DNS Security service now features individually configurable and extensible DNS Security Signature Categories, which enable you to create discrete Security policies based on the risk factors associated with certain types of DNS traffic. You can apply these new domain categories in your DNS Security policies to implement granular access control for different categories of domains based on the risk that these domains pose to your organization. These categories currently include C2 (encompassing DGA and DNS tunneling), malware, DDNS, newly registered domains, and phishing, and we can expand these categories through PAN-OS content releases.
Rationale: Minor Change – The WildFire appliance can be configured to locally generate antivirus and DNS signatures for discovered malware, and to assign a URL category to malicious links. The connected firewalls can be enabled to retrieve the latest signatures and URL categories every five minutes. However, the security target states that the File Blocking, DLP (Data Loss Prevention), and URL Filtering security policies/profiles are not evaluated and therefore these features are out of scope. The security target states that only the secure communication (FPT_ITC.1) between the firewalls and WildFire is claimed and validated in this evaluation. This feature results in no changes to the ST or guidance documentation and has no effect on the result of any Assurance Activity test.

Feature: Expanded Data Collection for the DNS Security Service
Description: The DNS Security service now collects additional server response and request information to provide improved analytics, DNS detection, and prevention.
Rationale: Minor Change – The DNS Security service was not included in the v9.1.8 assurance maintenance and should not be included in the v10.0.5 evaluation. The change does not impact the claimed security functionality. This feature results in no changes to the ST or guidance documentation and has no effect on the result of any Assurance Activity test.

Feature: URL Filtering Inline ML
Description: The firewall can now use machine learning (ML) on the dataplane to analyze web page content and determine if the pages contain malicious JavaScript or other content used for credential phishing. Inline ML prevents web page threats from infiltrating your network by providing real-time analysis capabilities on the firewall, which reduces the possibility of proliferation of unknown JavaScript variants and other phishing vectors.
Rationale: Minor Change – The use of machine learning does not affect the claimed security functionality. This feature results in no changes to the ST or guidance documentation and has no effect on the result of any Assurance Activity test.

Feature: Increased Security Against Evasion Attacks
Description: New protections bolster your defenses against evasion attacks, where attackers attempt to breach your network by bypassing security inspection. The increased security measures cover evasion techniques that misuse URLs and Base64-encoded content. You begin receiving this protection as soon as you upgrade to a PAN-OS 10.0 release; no subscription or additional configuration is required.
Rationale: Minor Change – The increased security measures covering evasion techniques that misuse URLs and Base64-encoded content do not affect the claimed security functionality. This feature results in no changes to the ST or guidance documentation and has no effect on the result of any Assurance Activity test.

NEW DECRYPTION FEATURE

Feature: Decryption for TLSv1.3
Description: You can now decrypt, gain full visibility into, and prevent known and unknown threats in TLSv1.3 protocol traffic. TLSv1.3 is the latest version of the TLS protocol, which provides security and performance improvements for applications. PAN-OS 10.0 supports TLSv1.3 decryption in all modes: SSL Forward Proxy, SSL Inbound Inspection, SSL Decryption Broker, and SSL Decryption Port Mirroring, and also for GlobalProtect Clientless VPN (browser to GlobalProtect Portal only).
Rationale: Minor Change – TLS v1.3 is not claimed in the PP and should not be claimed in the maintenance assurance. The PAN-OS ST and Guidance have been updated to exclude this functionality.

Feature: Enhanced SSL Decryption Troubleshooting
Description: You can now troubleshoot SSL Decryption-related issues and assess your security posture more easily with new Application Command Center (ACC) features and consolidated Decryption logs. Use the new ACC features to identify traffic for which decryption causes problems, and then use the new Decryption logs to drill down into details and solve the problem. Also use the new ACC features to identify the amount of TLS traffic, non-TLS traffic, decrypted traffic, and non-decrypted TLS traffic. In addition, use the ACC to identify traffic that uses weak algorithms and protocols and mitigate the risk associated with applications, servers, and other devices that use older, less secure protocols and algorithms.
Rationale: Minor Change – Troubleshooting SSL Decryption-related issues is not a claimed security function in the ST and does not affect the security functionality. The previous security targets stated that the TLS and SSH decryption policies are not evaluated and therefore these features are out of scope. This feature results in no changes to the ST or guidance documentation and has no effect on the result of any Assurance Activity test.

Feature: Block Export of Private Keys
Description: You can now block the export of a private key when generating it on PAN-OS or Panorama, or when importing the key into PAN-OS or Panorama. Blocking key export hardens your security posture because it prevents rogue administrators from misusing keys. You can view which keys are blocked and which keys are not blocked. Not even an administrator with a Superuser role can export blocked private keys.
Rationale: Minor Change – Blocking the export of a private key when generating it on PAN-OS or Panorama, or when importing the key into PAN-OS or Panorama, was not claimed in the previous evaluation and should not be claimed in the maintenance assurance. This feature results in no changes to the ST or guidance documentation and has no effect on the result of any Assurance Activity test.

NEW MANAGEMENT FEATURE

Feature: Web Interface Refresh
Description: The PAN-OS web interface has a new look and feel to provide an even better user experience. You can see the new branding, colors, and icons in Panorama and firewalls running a PAN-OS 10.0 release.
Rationale: Minor Change – This new feature is not security related. This feature results in no changes to the ST or guidance documentation and has no effect on the result of any Assurance Activity test.

Feature: Telemetry
Description: Telemetry data collection is expanded to cover device health and performance, product usage categories, and threat prevention. This data is used to power applications that increase your ability to manage and configure your Palo Alto Networks products and services and to provide improved visibility into device health, performance, capacity planning, and configuration. Palo Alto Networks uses this data to improve threat prevention and to help you maximize your product usage benefits.
Rationale: Minor Change – This new feature is not security related. This feature results in no changes to the ST or guidance documentation and has no effect on the result of any Assurance Activity test.

Feature: External Dynamic List Log Fields
Description: The firewall now features new external dynamic list (EDL) log fields to help you quickly identify when an entry in an EDL matches traffic and to which EDL that entry belongs.
Rationale: Minor Change – External Dynamic List Log Fields were not claimed in the previous evaluation and should not be claimed in the assurance maintenance. This feature results in no changes to the ST or guidance documentation and has no effect on the result of any Assurance Activity test.

Feature: Millisecond Granularity for PAN-OS Logs
Description: If you collect logs from multiple sources, you need detailed log timestamps for SOC troubleshooting, correlation, and visibility to investigate network security events and threats. Now all PAN-OS logs forwarded to an external destination, such as a syslog server or the Cortex Data Lake, support millisecond-granularity timestamps.
Rationale: Minor Change – The millisecond granularity of the timestamps does not affect the prior claimed security functionality. This feature results in no changes to the ST or guidance documentation and has no effect on the result of any Assurance Activity test.

Feature: PAN-OS and Panorama REST API Enhancements
Description: The REST API now includes endpoints that enable you to manage network configurations on the firewall and on Panorama. Secondly, you can now configure administrative role types to provide granular access to REST API endpoints: you can enable, disable, or assign read-only access to each endpoint. Thirdly, access domain enforcement, which enables administrators to manage access to specific domains on Panorama and on firewalls, now extends to the REST API.
Rationale: Minor Change – The enhancement of the REST API does not affect the claimed security functionality. This feature results in no changes to the ST or guidance documentation and has no effect on the result of any Assurance Activity test.

Feature: Proxy Support for Cortex Data Lake
Description: You can now configure the firewall to forward logs to Cortex Data Lake through a proxy server. This enables you to send log data to Cortex Data Lake from a network without a default gateway.
Rationale: Minor Change – The Cortex Data Lake was not included in the prior evaluation and should not be enabled in a maintenance assurance. The PAN-OS ST and Guidance have been updated to exclude this functionality.

Feature: Rule Usage Filtering Actions
Description: Delete, disable, or tag policy rules directly from the Policy Optimizer after filtering unused rules to simplify your policy rule base management. For example, if you have a rule lifecycle process to identify obsolete rules, you can use the Policy Optimizer to filter, identify, and tag the unused rules for offline review. After the review, you can return to view the list of tagged policy rules to delete any obsolete or unused rules.
Rationale: Minor Change – The Policy Optimizer does not affect the claimed SFRs in the PAN-OS Security Target or the claimed security functionality. This feature results in no changes to the ST or guidance documentation and has no effect on the result of any Assurance Activity test.

Feature: Additional Predefined Time Filters for the ACC, Monitoring, and Reports
Description: You can now filter the ACC, Monitoring, and Reports for up to 60 or 90 days. This enables improved performance when querying between 30 and 90 days by optimizing the Panorama query for only relevant logs.
Rationale: Minor Change – The addition of Predefined Time Filters for the ACC, Monitoring, and Reports does not affect the claimed security functionality identified in the Security Target. This feature results in no changes to the ST or guidance documentation and has no effect on the result of any Assurance Activity test.

Feature: (name not legible in the transcription)
Description: You can now monitor individual dataplane (DP) processor utilization on firewalls with multiple dataplanes (PA-7000 and PA-5200 Series) using the Simple Network Management Protocol (SNMP) HOST-RESOURCES-MIB. Use the SNMP Manager to set alerts when utilization reaches a specific threshold for each DP processor to avoid service availability issues.
Rationale: Minor Change – Monitoring individual dataplane (DP) processor utilization on firewalls with multiple dataplanes (PA-7000 and PA-5200 Series) does not affect the claimed security functionality in the PAN-OS Security Target. This feature results in no changes to the ST or guidance documentation and has no effect on the result of any Assurance Activity test.

Feature: Enhancements for Managing Update Server Connection
Description: You now have improved visibility and troubleshooting for connections to the update server during firewall or Panorama management server registration, content updates, license renewals, and software upgrades. Enhancements include:
System logs contain more specific reasons for communication issues, such as command error, file I/O error, network failure, SSL verification failure, authentication failure, protocol error, and server error.
You can configure up to three reconnection attempts if there is a connection failure. The default behavior (to not attempt to reconnect) is unchanged.
The content update package includes a SHA256 checksum of the package from the update server. You can validate this against the checksum of the downloaded file to ensure the integrity of the downloaded content package.
Rationale: Minor Change – Improved visibility and troubleshooting for connections to the update server during firewall or Panorama management server registration, content updates, license renewals, and software upgrades does not affect the prior claimed security functionality. Presently the TOE update is verified via a digital signature. This feature results in no changes to the ST or guidance documentation and has no effect on the result of any Assurance Activity test.

Feature: New Regional Support for Telemetry (Supported in 10.0.2 and later)
Description: For critical visibility into your deployment through telemetry-powered applications, and for compliance with regional data privacy regulations, you can now send telemetry data to a storage destination in Canada, Japan, or Singapore. This feature requires Applications and Threats content version 8335 or later.
Rationale: Minor Change – This feature was not included in the previous evaluation and does not affect the claimed security functionality in the ST. This feature results in no changes to the ST or guidance documentation and has no effect on the result of any Assurance Activity test.

NEW CERTIFICATE MANAGEMENT FEATURE

Feature: Master Key Encryption Enhancement
Description: On physical and virtual Palo Alto Networks appliances, you can now configure the Master Key to use the AES-256-GCM encryption algorithm to encrypt data. The AES-256-GCM encryption algorithm increases encryption strength to protect keys better and also includes a built-in integrity check. When you change the encryption level to AES-256-GCM, devices use it instead of the AES-256-CBC encryption algorithm when encrypting keys and other sensitive data.
Rationale: Minor Change – Version 10.0.4 includes the option to use AES-GCM (256 bits) with the master key instead of AES-CBC (256 bits). By default, AES-CBC is used to encrypt sensitive data; however, the administrator can choose to switch to AES-GCM. This has no impact, as the administrator does not have to switch, and even if they do, AES-GCM is still FIPS Approved and the Master Key itself remains inaccessible to any unauthorized user. This feature results in no changes to the ST or guidance documentation and has no effect on the result of any Assurance Activity test.

Feature: HSM Enhancements
Description: Newer client driver versions are now supported for SafeNet and nCipher Hardware Security Module (HSM) appliances:
SafeNet: You can select from versions 5.4.2 or 7.2. Additionally, you can choose to have your firewall authenticate and establish trust using manually generated certificates.
nCipher nShield Connect: Version 12.40.2 is available (backward compatible up to v11.50 for older appliances).
Rationale: Minor Change – The SafeNet and nCipher Hardware Security Module (HSM) appliances were not included in the previous evaluation and should not be used for a maintenance assurance. This feature results in no changes to the ST or guidance documentation and has no effect on the result of any Assurance Activity test.

NEW NETWORKING FEATURE

Feature: IKEv2 Support for AES-GCM Encryption (Available with PAN-OS 10.0.3 and later 10.0 releases)
Description: Security-conscious customers in financial verticals and other markets who have VPN deployments are standardizing on strong IKE and IPsec security and require PAN-OS firewalls to support AES-GCM (Advanced Encryption Standard with Galois/Counter Mode). PAN-OS firewalls now support two new encryption algorithms for IKEv2 crypto profiles, AES-GCM with 128-bit strength and AES-GCM with 256-bit strength, to provide compatibility with other devices and to provide stronger security than AES-CBC (AES with Cipher-Block Chaining).
Rationale: Minor Change – All of the algorithms for IKE (and IPsec) are configurable. In the AGD guidance, Palo Alto specifies exactly which algorithms can be used. In this case, AES-GCM is not allowed for use in the CC evaluated configuration (at least not for IKE; it is allowed for IPsec). This feature results in no changes to the ST or guidance documentation and has no effect on the result of any Assurance Activity test.

Feature: Bonjour Reflector for Network Segmentation (Available with PAN-OS 10.0.1 and later 10.0 releases)
Description: To support Apple Bonjour in network environments that use segmentation to route traffic for security or administrative purposes (for example, where servers and clients are in different subnets), you can now forward Bonjour IPv4 traffic between Layer 3 (L3) Ethernet or Aggregated Ethernet (AE) interfaces or subinterfaces that you specify. The Bonjour Reflector option allows you to forward multicast Bonjour advertisements and queries to up to 16 L3 Ethernet and AE interfaces or subinterfaces, ensuring user access to services and device discoverability regardless of Time To Live (TTL) values or hop limitations.
Rationale: Minor Change – Apple Bonjour support in segmented network environments was not claimed in the first evaluations and has no impact on the claimed security functionality. This feature results in no changes to the ST or guidance documentation and has no effect on the result of any Assurance Activity test.

Feature: HA Clustering for Multiple Data Centers
Description: Data centers with multiple locations and high throughput need high availability (HA) with more than two members to ensure high reliability and to avoid a single point of failure. PAN-OS HA can now support clustering of up to 16 firewalls that perform session state synchronization. HA pairs in each data center prevent a single firewall failure and a data center failure, and asymmetric traffic from a data center is not dropped when sent to another data center.
Rationale: Minor Change – High Availability was an optional configuration in the previous evaluation. High Availability does not impact the SFRs or claimed security functionality in v10.0.5. This feature results in no changes to the ST or guidance documentation and has no effect on the result of any Assurance Activity test.

Feature: HA Clustering for Horizontal Scaling of Firewalls
Description: Within a data center, HA solutions must be able to scale horizontally. To provide seamless horizontal scalability of performance and capacity, PAN-OS HA can now support clustering of up to 16 firewalls that perform session state synchronization. In the event of a network outage or a firewall going down, the sessions fail over to a different firewall in the cluster.
Rationale: Minor Change – High Availability was an optional configuration in the previous evaluation. High Availability does not impact the SFRs or claimed security functionality in v10.0.5. This feature results in no changes to the ST or guidance documentation and has no effect on the result of any Assurance Activity test.

Feature: HA Additional Path Monitoring Groups
Description: To allow more flexible control over high availability (HA) deployments, you now have support for the use of multiple different destination IP groups within a single virtual wire (vwire), VLAN, and virtual router instance in PAN-OS and VMs. In addition to the option to set failure condition parameters for destination IP groups, you have greater granularity in controlling your HA failovers over those vwire, VLAN, and virtual router instances through segmentation.
Rationale: Minor Change – High Availability was an optional configuration in the previous evaluation. High Availability does not impact the SFRs or claimed security functionality in v10.0.5. This feature results in no changes to the ST or guidance documentation and has no effect on the result of any Assurance Activity test.

Feature: Packet Buffer Protection Based on Latency
Description: Some protocols and applications are sensitive to latency; you can now enable packet buffer protection based on latency, which triggers protection before the latency affects the protocol or application. Packet buffer protection based on buffer utilization (which was available prior to PAN-OS 10.0) defends your firewall and network from single-session DoS attacks that can overwhelm the firewall's packet buffer and cause legitimate traffic to drop; it is now enabled by default.
Rationale: Minor Change – The improvement of packet buffer protection does not affect the claimed security functionality in the 10.0.5 release. This feature results in no changes to the ST or guidance documentation and has no effect on the result of any Assurance Activity test.

Feature: Ethernet SGT Protection
Description: In a Cisco TrustSec network, firewalls need to be able to identify and block packets that have specific Security Group Tags (SGTs) in their 802.1Q header. You can now do so at the ingress zone by creating a Zone Protection profile that lists SGTs to block, which results in better performance than blocking packets with security policy rules.
Rationale: Minor Change – The SGT in a Cisco TrustSec network does not affect the claimed security functionality in the 10.0.5 release.

Feature: Aggregate Interface Group Capacity Increase
Description: The need to support more link aggregation groups for network resiliency has increased as firewalls are positioned closer to endpoints to provide better visibility and control. The number of aggregate Ethernet (AE) interface groups that the PA-3200 Series, PA-5200 Series, and most PA-7000 Series firewalls support increased from 8 to 16. The exception is the PA-7000 Series firewall with PA-7000-100G-NPC-A and SMC-B, which increased from 8 to 32 AE interface groups. On all of these supported firewall models, QoS is supported on only the first eight AE interface groups.
Rationale: Minor Change – The increase in the number of aggregate Ethernet (AE) interface groups does not affect the claimed security functionality in the 10.0.5 release.

Feature: ECMP Strict Source Path
Description: When you enable ECMP for a virtual router, IKE and IPsec traffic originating at the firewall by default egresses an interface that the ECMP load-balancing method determines. If the firewall has more than one ISP providing equal-cost paths to the same destination, one ISP could block legitimate traffic that arrives on an unexpected interface that ECMP chose. To av

Feature: Tunnel Acceleration for GRE, VXLAN, and GTP
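The "Enhancements for Managing Update Server Connection" entry above lists a published SHA256 checksum for content packages, and its rationale notes that the TOE update itself is verified via a digital signature. Those two checks catch different things, and the following Go program, an added illustration written for this page rather than Palo Alto code, shows the difference: a checksum detects a truncated or corrupted download, but an attacker who can serve both a package and its checksum simply publishes a matching digest, so only the signature binds the package to the vendor. The package bytes, the Ed25519 key pair and the function names are constructed for the example; PAN-OS's own update-signing scheme is not described here and is not what this code implements.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed sample standing in for a downloaded Applications and Threats
// content package; the bytes are arbitrary.
var SamplePackage = []byte("PANOS-CONTENT-PACKAGE constructed sample payload v1")

// Sha256Hex returns the lowercase hex digest an update server would publish
// alongside the package.
func Sha256Hex(pkg []byte) string {
	sum := sha256.Sum256(pkg)
	return hex.EncodeToString(sum[:])
}

// VerifyChecksum recomputes SHA-256 over pkg and compares it, in constant
// time, with the published hex digest. A mismatch means the bytes on disk are
// not the bytes the server advertised: a truncated or corrupted download, or a
// file substituted without also substituting the digest.
func VerifyChecksum(pkg []byte, publishedHex string) (bool, error) {
	want, err := hex.DecodeString(publishedHex)
	if err != nil {
		return false, fmt.Errorf("published checksum is not valid hex: %w", err)
	}
	if len(want) != sha256.Size {
		return false, errors.New("published checksum is not a SHA-256 digest")
	}
	got := sha256.Sum256(pkg)
	return subtle.ConstantTimeCompare(got[:], want) == 1, nil
}

// VerifySignature checks a detached signature over the package against a
// vendor public key pinned on the device. Unlike the checksum, this binds the
// package to the holder of the vendor's private key. Ed25519 is used purely as
// an illustrative scheme (assumption for this example).
func VerifySignature(pinnedPub ed25519.PublicKey, pkg, sig []byte) bool {
	return ed25519.Verify(pinnedPub, pkg, sig)
}

func main() {
	// Vendor side (simulated): sign the package and publish its checksum.
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	published := Sha256Hex(SamplePackage)
	sig := ed25519.Sign(vendorPriv, SamplePackage)

	// Device side: an intact download passes both checks.
	ok, _ := VerifyChecksum(SamplePackage, published)
	fmt.Println("intact: checksum ok =", ok,
		"signature ok =", VerifySignature(vendorPub, SamplePackage, sig))

	// A download with one flipped byte fails the checksum.
	corrupted := append([]byte{}, SamplePackage...)
	corrupted[len(corrupted)-1] ^= 0x01
	ok, _ = VerifyChecksum(corrupted, published)
	fmt.Println("corrupted: checksum ok =", ok)

	// An attacker on the download path publishes a matching checksum for a
	// malicious package; the checksum passes, the pinned-key signature does not.
	malicious := []byte("MALICIOUS constructed package")
	ok, _ = VerifyChecksum(malicious, Sha256Hex(malicious))
	fmt.Println("substituted: checksum ok =", ok,
		"signature ok =", VerifySignature(vendorPub, malicious, sig))
}
```

The practical reading of the rationale is therefore unchanged by the new checksum field: the checksum is a convenience for diagnosing bad downloads, while the signature check remains the control that gives the TOE its assurance over update origin.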
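The "Master Key Encryption Enhancement" entry above says AES-256-GCM "increases encryption strength" and "includes a built-in integrity check". Both modes use a 256-bit AES key, so the material difference is the second point: GCM authenticates the ciphertext, whereas CBC does not, so a stored blob that has been modified decrypts under CBC to wrong key material with no error, while GCM refuses to release any plaintext. The Go program below is an added example for this page, not PAN-OS code; the master key, the wrapped key, the blob layouts and the helper names are constructed for the illustration. The same CBC-versus-GCM distinction underlies the "IKEv2 Support for AES-GCM Encryption" entry, with the caveat that in IKE and ESP a CBC cipher is always paired with a separate integrity algorithm, so the gap shown here applies to data at rest, not to the VPN case.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample values: a 32-byte master key and a 32-byte sensitive key
// it protects (for example a key that encrypts stored private keys).
var (
	MasterKey    = bytes.Repeat([]byte{0x4d}, 32)
	SensitiveKey = []byte("constructed-32-byte-wrapped-key!") // exactly 32 bytes
)

// pad and unpad implement PKCS#7 for the CBC path.
func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// WrapCBC encrypts with AES-256-CBC and returns iv || ciphertext. Nothing in
// the blob lets the decryptor detect modification.
func WrapCBC(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	pt := pad(plaintext)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return append(iv, ct...), nil
}

// UnwrapCBC decrypts iv || ciphertext. Only the padding is checked, and a
// modification in an earlier block leaves the padding block intact.
func UnwrapCBC(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	iv, ct := blob[:aes.BlockSize], blob[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return unpad(pt)
}

// WrapGCM encrypts with AES-256-GCM and returns nonce || ciphertext || tag.
func WrapGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// UnwrapGCM verifies the tag before returning any plaintext.
func UnwrapGCM(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("bad length")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Tamper flips one bit at the given offset of a copy of blob. Flipping a bit in
// the first ciphertext block garbles the first two CBC plaintext blocks but
// leaves the padding block untouched, so UnwrapCBC returns a wrong key without
// error; for GCM the same flip fails the tag check.
func Tamper(blob []byte, offset int) []byte {
	t := append([]byte{}, blob...)
	t[offset] ^= 0x01
	return t
}

func main() {
	cbc, _ := WrapCBC(MasterKey, SensitiveKey)
	got, err := UnwrapCBC(MasterKey, Tamper(cbc, aes.BlockSize))
	fmt.Printf("CBC tampered: err=%v, key matches=%v\n", err, bytes.Equal(got, SensitiveKey))

	gcm, _ := WrapGCM(MasterKey, SensitiveKey)
	_, err = UnwrapGCM(MasterKey, Tamper(gcm, 12)) // 12 = standard GCM nonce size
	fmt.Printf("GCM tampered: err=%v\n", err)
}
```

This is the concrete reason the rationale can treat the GCM option as harmless to the claimed functionality while still being a worthwhile change for an operator: under CBC a corrupted or maliciously edited keystore surfaces only later as a key that no longer works, under GCM it surfaces immediately as a decryption failure at the point of use.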
