Deprecated Cipher Suites
Focus
Focus
Compatibility Matrix

Deprecated Cipher Suites

Table of Contents

Deprecated Cipher Suites

Cipher suites and algorithms deprecated in PAN-OS® releases.
The following table lists cipher suites and algorithms that have been deprecated in PAN-OS® releases. Deprecated algorithms are removed from specific contexts to comply with updated security standards. Future releases may add entries to this table as additional ciphers are deprecated in other contexts or modes.
PAN-OS Release
Feature or Function
Mode
Change Description
12.1.8
Management SSH Server—Host Key Algorithms
FIPS-CC only
Starting in PAN-OS 12.1.8, the management SSH server exclusively advertises rsa-sha2-512 for RSA host key authentication in FIPS-CC mode. The previously advertised ssh-rsa and rsa-sha2-256 algorithms are no longer permitted.
This change is required by the collaborative Protection Profile for Network Devices Version 4.0 (NDcPPv4.0e), published December 22, 2025.
Impact: SSH clients older than OpenSSH 7.2 or SecureCRT 9.0 will fail to connect to firewalls running PAN-OS 12.1.8 or later in FIPS-CC mode using default RSA host keys.
Workaround: If a legacy client must connect, configure the default SSH host key for management SSH to an ECDSA key type and commit the configuration. ECDSA-based host key authentication is unaffected by this change.