PAN-OS 10.1 Decryption Cipher Suites

List of cipher suites supported for IPSec on firewalls running PAN-OS® 10.1 in normal operation mode.
The following table lists cipher suites for decryption that are supported on firewalls running a PAN-OS® 10.1 release in normal (non-FIPS-CC) operational mode.
If your firewall is running in FIPS-CC mode, see the list of PAN-OS 10.1 Cipher Suites Supported in FIPS-CC Mode.
Feature or Function
Ciphers Supported in PAN-OS 10.1 Releases
SSH Decryption (SSHv2 only)—Encryption
  • AES-128-CBC
  • AES-192-CBC
  • AES-256-CBC
  • AES-128-CTR
  • AES-192-CTR
  • AES-256-CTR
SSH Decryption (SSHv2 only)—Message Authentication
  • HMAC-RIPEMD
  • HMAC-MD5-96
  • HMAC-MD5
  • HMAC-SHA1-96
  • HMAC-RIPEMD-160
  • HMAC-SHA1
SSL/TLS Decryption
  • SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3 cipher suites
  • RSA 512-bit, 1024-bit, 2048-bit, 3072-bit, 4096-bit, and 8192-bit keys
    The firewall can authenticate certificates up to 8192-bit RSA keys from the destination server, however the firewall generated certificate to the client supports only up to 4096-bit RSA keys.
  • RSA-RC4-128-MD5
  • RSA-RC4-128-SHA1
  • RSA-3DES-EDE-CBC-SHA1
  • RSA-AES-128-CBC-SHA1
  • RSA-AES-256-CBC-SHA1
  • RSA-AES-128-CBC-SHA-256
  • RSA-AES-256-CBC-SHA-256
  • RSA-AES-128-GCM-SHA-256
  • RSA-AES-256-GCM-SHA-384
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_GCM_SHA256
SSL/TLS Decryption—NIST-approved Elliptical Curves
  • P-192 (secp192r1)
  • P-224 (secp224r1)
  • P-256 (secp256r1)
  • P-384 (secp384r1)
  • P-521 (secp521r1)
  • (
    TLS 1.3 only
    ) X25519
  • (
    TLS 1.3 only
    ) X448
SSL/TLS Decryption—Perfect Forward Secrecy (PFS) Ciphers
If you use the DHE or ECDHE key exchange algorithms to enable PFS support for SSL decryption, you can use a hardware security module (HSM) to store the private keys used for SSL Inbound Inspection.
  • DHE-RSA-3DES-EDE-CBC-SHA1
  • DHE-RSA-AES-128-CBC-SHA1
  • DHE-RSA-AES-256-CBC-SHA1
  • DHE-RSA-AES-128-CBC-SHA-256
  • DHE-RSA-AES-256-CBC-SHA-256
  • DHE-RSA-AES-128-GCM-SHA-256
  • DHE-RSA-AES-256-GCM-SHA-384
  • ECDHE-RSA-AES-128-CBC-SHA1
  • ECDHE-RSA-AES-256-CBC-SHA1
  • ECDHE-RSA-AES-128-CBC-SHA-256
  • ECDHE-RSA-AES-256-CBC-SHA-384
  • ECDHE-RSA-AES-128-GCM-SHA-256
  • ECDHE-RSA-AES-256-GCM-SHA-384
  • ECDHE-ECDSA-AES-128-CBC-SHA1
  • ECDHE-ECDSA-AES-256-CBC-SHA1
  • ECDHE-ECDSA-AES-128-CBC-SHA-256
  • ECDHE-ECDSA-AES-256-CBC-SHA-384
  • ECDHE-ECDSA-AES-128-GCM-SHA-256
  • ECDHE-ECDSA-AES-256-GCM-SHA-384
  • (
    TLS 1.3 only
    ) TLS_AES_128_GCM_SHA256
  • (
    TLS 1.3 only
    ) TLS_AES_256_GCM_SHA384
  • (
    TLS 1.3 only
    ) TLS_CHACHA20_POLY1305_SHA256
TLS 1.3 Decryption—Signature Algorithms
  • ECDSA-SECP256r1-SHA256
  • RSA-PSS-RSAE-SHA256
  • RSA-PKCS1-SHA256
  • ECDSA-SECP384r1-SHA384
  • RSA-PSS-RSAE-SHA384
  • RSA-PKCS1-SHA386
  • RSA-PSS-RSAE-SHA512
  • RSA-PKCS1-SHA512
  • RSA-PKCS1-SHA1

Recommended For You