FIPS and FIPS-CC Security
Learn about FIPS and FIPS Common Criteria (FIPS-CC) security.
FIPS (Federal Information Processing Standards) aims to ensure the security and
interoperability of computer systems and software. FIPS mode refers to a configuration
setting in computer systems that enforces the use of FIPS 140-3 validated cryptographic
algorithms and security protocols. This mode ensures that only approved cryptographic
methods are used for encryption, hashing, and digital signatures, enhancing security and
meeting compliance requirements for government agencies and organizations that handle
sensitive data.
FIPS-CC Mode
Common Criteria (CC) defines a common framework for evaluating security
features and capabilities of Information Technology security products against
functional and assurance requirements. FIPS-CC mode on Palo Alto Networks devices
enforces security functions, and when enabled, the device operates in FIPS-CC
compliance.
From Prisma SD-WAN release 6.5.1, the FIPS mode of operation will transition to FIPS-CC mode for Prisma SD-WAN for Common Criteria. If you are running device software 6.5.1 or lower, you can choose between FIPS and non-FIPS modes. From 6.5.1 onwards, you can choose between FIPS-CC and non-FIPS-CC modes.
Here are the differences between non-FIPS, FIPS, and FIPS-CC modes:

| Category | Non-FIPS | FIPS (140-2 / 140-3) | FIPS-Common Criteria (CC) |
| --- | --- | --- | --- |
| Compliance Standard | Not compliant with FIPS | Complies with FIPS 140-2 or FIPS 140-3 standards for cryptographic modules | Complies with both FIPS (cryptography) and CC (overall IT product security) |
| Algorithms & Features | May use a wide range of algorithms, including those not approved by FIPS; offers greater flexibility and backward compatibility | Only FIPS-approved algorithms; stricter control over features | Uses only FIPS-approved cryptography; enforces CC security functions (such as strong password policies and secure protocols) |
| OCSP Validations for IPSec & TLS | NA | NA | OCSP-based certificate revocation check for the Syslog server and standard IPSec VPN |
| X.509 | Validation is not strict | Ensures the use of only FIPS-approved cryptographic algorithms and modules | X.509 certificate compliance and validation for TLS and standard IPSec VPN connections |
| SNMPv3, TLS, SSH, IPsec | NA | These features use approved versions of algorithms | These features use approved versions of algorithms |
| Password Enforcement | No enforcement | The password strength should be 8 characters in FIPS mode | The password strength should be 8 characters in FIPS mode |
Supported ION Devices
The following ION devices are certified for FIPS or FIPS-CC:
| Software Versions | Supported Devices |
| --- | --- |
| 5.6.3 | ION 1200, ION 1200-C-NA, ION 1200-C-ROW, ION 1200-C-5G-WW, ION 9000 |
| 6.1.2 | ION 1200, ION 1200-C-NA, ION 1200-C-ROW, ION 1200-C-5G-WW, ION 1200-S, ION 1200-S-C-NA, ION 1200-S-C-ROW, ION 1200-S-C-5G-WW, ION 3200, ION 5200, ION 9200, vIONs |
| 6.4.2 (In Progress) | ION 1200, ION 1200-C-NA, ION 1200-C-ROW, ION 1200-C-5G-WW, ION 1200-S, ION 1200-S-C-NA, ION 1200-S-C-ROW, ION 1200-S-C-5G-WW, ION 3200, ION 5200, ION 9200, vIONs |