PAN-OS 11.0 Decryption Cipher Suites

List of cipher suites supported for decryption on firewalls running PAN-OS® 11.0 in normal operation mode.
The following table lists cipher suites for decryption that are supported on firewalls running a PAN-OS® 11.0 release in normal (non-FIPS-CC) operational mode.
If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.0 Cipher Suites Supported in FIPS-CC Mode.
Feature or Function
Ciphers Supported in PAN-OS 11.0 Releases
SSH Decryption—Host Key Algorithms
  • SSH-RSA (2048-bit)
  • SSH-DSS (2048-bit)
SSH Decryption (SSHv2 only)—Encryption
  • AES-128-CBC
  • AES-192-CBC
  • AES-256-CBC
  • AES-128-CTR
  • AES-192-CTR
  • AES-256-CTR
SSH Decryption (SSHv2 only)—Message Authentication
  • HMAC-RIPEMD
  • HMAC-MD5-96
  • HMAC-MD5
  • HMAC-SHA-1-96
  • HMAC-RIPEMD-160
  • HMAC-SHA-1
SSL/TLS Decryption
  • SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3 cipher suites
  • RSA 512-bit, 1024-bit, 2048-bit, 3072-bit, 4096-bit, and 8192-bit keys
    The firewall can validate server certificates with RSA keys of up to 8192 bits; however, the certificate the firewall generates and presents to the client supports RSA keys of at most 4096 bits.
  • RSA-RC4-128-MD5
  • RSA-RC4-128-SHA-1
  • RSA-3DES-EDE-CBC-SHA-1
  • RSA-AES-128-CBC-SHA-1
  • RSA-AES-256-CBC-SHA-1
  • RSA-AES-128-CBC-SHA-256
  • RSA-AES-256-CBC-SHA-256
  • RSA-AES-128-GCM-SHA-256
  • RSA-AES-256-GCM-SHA-384
  • TLS_AES_256_GCM_SHA-384
  • TLS_CHACHA20_POLY1305_SHA-256
  • TLS_AES_128_GCM_SHA-256
SSL/TLS Decryption—NIST-approved Elliptic Curves
  • P-192 (secp192r1)
  • P-224 (secp224r1)
  • P-256 (secp256r1)
  • P-384 (secp384r1)
  • P-521 (secp521r1)
  • (TLS 1.3 only) X25519
  • (TLS 1.3 only) X448
SSL/TLS Decryption—Perfect Forward Secrecy (PFS) Ciphers
If you use the DHE or ECDHE key exchange algorithms to enable PFS support for SSL decryption, you can use a hardware security module (HSM) to store the private keys used for SSL Inbound Inspection.
  • DHE-RSA-3DES-EDE-CBC-SHA-1
  • DHE-RSA-AES-128-CBC-SHA-1
  • DHE-RSA-AES-256-CBC-SHA-1
  • DHE-RSA-AES-128-CBC-SHA-256
  • DHE-RSA-AES-256-CBC-SHA-256
  • DHE-RSA-AES-128-GCM-SHA-256
  • DHE-RSA-AES-256-GCM-SHA-384
  • ECDHE-RSA-AES-128-CBC-SHA-1
  • ECDHE-RSA-AES-256-CBC-SHA-1
  • ECDHE-RSA-AES-128-CBC-SHA-256
  • ECDHE-RSA-AES-256-CBC-SHA-384
  • ECDHE-RSA-AES-128-GCM-SHA-256
  • ECDHE-RSA-AES-256-GCM-SHA-384
  • ECDHE-ECDSA-AES-128-CBC-SHA-1
  • ECDHE-ECDSA-AES-256-CBC-SHA-1
  • ECDHE-ECDSA-AES-128-CBC-SHA-256
  • ECDHE-ECDSA-AES-256-CBC-SHA-384
  • ECDHE-ECDSA-AES-128-GCM-SHA-256
  • ECDHE-ECDSA-AES-256-GCM-SHA-384
  • (TLS 1.3 only) TLS_AES_128_GCM_SHA-256
  • (TLS 1.3 only) TLS_AES_256_GCM_SHA-384
  • (TLS 1.3 only) TLS_CHACHA20_POLY1305_SHA-256
TLS 1.3 Decryption—Signature Algorithms
  • ECDSA-SECP256r1-SHA-256
  • RSA-PSS-RSAE-SHA-256
  • RSA-PKCS1-SHA-256
  • ECDSA-SECP384r1-SHA-384
  • RSA-PSS-RSAE-SHA-384
  • RSA-PKCS1-SHA-384
  • RSA-PSS-RSAE-SHA-512
  • RSA-PKCS1-SHA-512
  • RSA-PKCS1-SHA-1
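The practical question behind this table is whether a given client's ClientHello offers anything the firewall can actually decrypt: if the client only offers suites or groups outside the SSL/TLS Decryption lists above, the decryption policy cannot produce a session it can read. The following script is an added example, not Palo Alto Networks code. It builds a minimal ClientHello (constructed input, not a capture), parses the offered cipher suites, supported_groups and supported_versions, and checks them against the table above, also flagging the RSA-key-exchange suites (no forward secrecy) and the RC4/3DES/MD5 suites as legacy; those two groupings are the editor's classification, not a statement on the page. The TLS 1.3-only rule for X25519/X448 follows the table. Code points are from the IANA TLS registry.

```python
"""Parse a TLS ClientHello and report which offered cipher suites and groups a
PAN-OS 11.0 firewall can decrypt, using the table above as the reference set.
Added example; not Palo Alto Networks code. Code points are IANA TLS registry
values; the ClientHello used below is constructed, not captured."""
import os
import struct

# IANA cipher suite code point -> name as written in the PAN-OS 11.0 table above.
DECRYPTABLE = {
    0x0004: "RSA-RC4-128-MD5", 0x0005: "RSA-RC4-128-SHA-1",
    0x000A: "RSA-3DES-EDE-CBC-SHA-1", 0x002F: "RSA-AES-128-CBC-SHA-1",
    0x0035: "RSA-AES-256-CBC-SHA-1", 0x003C: "RSA-AES-128-CBC-SHA-256",
    0x003D: "RSA-AES-256-CBC-SHA-256", 0x009C: "RSA-AES-128-GCM-SHA-256",
    0x009D: "RSA-AES-256-GCM-SHA-384",
    0x0016: "DHE-RSA-3DES-EDE-CBC-SHA-1", 0x0033: "DHE-RSA-AES-128-CBC-SHA-1",
    0x0039: "DHE-RSA-AES-256-CBC-SHA-1", 0x0067: "DHE-RSA-AES-128-CBC-SHA-256",
    0x006B: "DHE-RSA-AES-256-CBC-SHA-256", 0x009E: "DHE-RSA-AES-128-GCM-SHA-256",
    0x009F: "DHE-RSA-AES-256-GCM-SHA-384",
    0xC013: "ECDHE-RSA-AES-128-CBC-SHA-1", 0xC014: "ECDHE-RSA-AES-256-CBC-SHA-1",
    0xC027: "ECDHE-RSA-AES-128-CBC-SHA-256", 0xC028: "ECDHE-RSA-AES-256-CBC-SHA-384",
    0xC02F: "ECDHE-RSA-AES-128-GCM-SHA-256", 0xC030: "ECDHE-RSA-AES-256-GCM-SHA-384",
    0xC009: "ECDHE-ECDSA-AES-128-CBC-SHA-1", 0xC00A: "ECDHE-ECDSA-AES-256-CBC-SHA-1",
    0xC023: "ECDHE-ECDSA-AES-128-CBC-SHA-256", 0xC024: "ECDHE-ECDSA-AES-256-CBC-SHA-384",
    0xC02B: "ECDHE-ECDSA-AES-128-GCM-SHA-256", 0xC02C: "ECDHE-ECDSA-AES-256-GCM-SHA-384",
    0x1301: "TLS_AES_128_GCM_SHA-256", 0x1302: "TLS_AES_256_GCM_SHA-384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA-256",
}
# supported_groups code points for the curves in the table; X25519/X448 are TLS 1.3 only per the table.
DECRYPTABLE_GROUPS = {19: "P-192", 21: "P-224", 23: "P-256", 24: "P-384", 25: "P-521",
                      29: "X25519", 30: "X448"}
TLS13_ONLY_GROUPS = {29, 30}
# Editor's classification (not from the table): RSA key exchange has no PFS; RC4/3DES/MD5 are legacy.
NO_PFS = {c for c, n in DECRYPTABLE.items() if n.startswith("RSA-")}
LEGACY = {c for c, n in DECRYPTABLE.items() if "RC4" in n or "3DES" in n or "MD5" in n}

def build_client_hello(suites, groups, versions):
    """Minimal ClientHello carrying supported_groups (10) and supported_versions (43).
    Constructed input for the parser below; random bytes are not security-relevant here."""
    body = b"\x03\x03" + os.urandom(32) + b"\x00"           # legacy version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                     # one compression method: null
    grp = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
    ver = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    exts = struct.pack("!HH", 10, len(grp)) + grp + struct.pack("!HH", 43, len(ver)) + ver
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body  # handshake type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record: handshake, legacy record version

def parse_client_hello(rec):
    """Return (cipher_suites, groups, versions) offered in a ClientHello record."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    p = 9 + 2 + 32                                          # record + handshake headers, version, random
    p += 1 + rec[p]                                         # session id
    n = struct.unpack("!H", rec[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", rec[i:i + 2])[0] for i in range(p, p + n, 2)]; p += n
    p += 1 + rec[p]                                         # compression methods
    ext_end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]; p += 2
    groups, versions = [], [0x0303]                         # no supported_versions => TLS 1.2 at most
    while p < ext_end:
        etype, elen = struct.unpack("!HH", rec[p:p + 4]); data = rec[p + 4:p + 4 + elen]; p += 4 + elen
        if etype == 10:
            glen = struct.unpack("!H", data[:2])[0]
            groups = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + glen, 2)]
        elif etype == 43:
            versions = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
    return suites, groups, versions

def assess(rec):
    """Classify what the client offers against the PAN-OS 11.0 decryption table."""
    suites, groups, versions = parse_client_hello(rec)
    tls13 = 0x0304 in versions
    ok = [s for s in suites if s in DECRYPTABLE]
    return {
        "decryptable": [DECRYPTABLE[s] for s in ok],
        "unsupported": [hex(s) for s in suites if s not in DECRYPTABLE],
        "no_pfs": [DECRYPTABLE[s] for s in ok if s in NO_PFS],
        "legacy": [DECRYPTABLE[s] for s in ok if s in LEGACY],
        "groups_ok": [DECRYPTABLE_GROUPS[g] for g in groups
                      if g in DECRYPTABLE_GROUPS and (tls13 or g not in TLS13_ONLY_GROUPS)],
        "groups_unsupported": [g for g in groups
                               if g not in DECRYPTABLE_GROUPS or (not tls13 and g in TLS13_ONLY_GROUPS)],
        "decryptable_intersection": bool(ok),
    }

if __name__ == "__main__":
    # Constructed client: TLS 1.3-capable, offers one CHACHA20 ECDHE suite (0xCCA8) and one
    # brainpool curve (26) that are not in the table, plus a non-PFS and a 3DES suite.
    hello = build_client_hello([0x1301, 0xC02F, 0xCCA8, 0x009C, 0x000A], [29, 23, 26], [0x0304, 0x0303])
    for k, v in assess(hello).items():
        print(f"{k:26} {v}")
```

Run it against a real capture by replacing the constructed record with the bytes of the first TLS record from the client; an empty `decryptable` list or an empty `groups_ok` list means the firewall has nothing in common with that client and the session will not be decrypted with these settings.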