Palo Alto Networks Compatibility Matrix
  • Palo Alto Networks Compatibility Matrix
  • Compatibility Matrix Documentation
  • All Documentation
>
PAN-OS 11.0 Cipher Suites Supported in FIPS-CC Mode
Focus
Download PDF
Focus
  1. Home
  2. Compatibility Matrix
  3. Supported Cipher Suites
  4. Cipher Suites Supported in PAN-OS 11.0
  5. PAN-OS 11.0 Cipher Suites Supported in FIPS-CC Mode
Download PDF
Compatibility Matrix

PAN-OS 11.0 Cipher Suites Supported in FIPS-CC Mode

Table of Contents

PAN-OS 11.0 Cipher Suites Supported in FIPS-CC Mode

List of cipher suites supported on firewalls running PAN-OS® 11.0 in FIPS-CC mode.
The following table lists cipher suites that are supported on firewalls running a PAN-OS® 11.0 release in FIPS-CC mode. The Cryptographic Algorithm Validation Program has additional details regarding the algorithm implementation.
If your firewall is running in normal (non-FIPS-CC) operational mode, see Cipher Suites Supported in PAN-OS 11.0
Functions
Standards
Certificates
Asymmetric key generation
ECC key pair generation (NIST curves P-256, P-384)
FIPS PUB 186-4
Appliances:
#A3453
VMs:
#A3454
RSA key generation (2048 bits or greater)
FIPS PUB 186-4
Appliances:
#A3453
VMs:
#A3454
Cryptographic Key Generation (for IKE Peer Authentication)
RSA key generation (2048 bits or greater)
FIPS PUB 186-4
Appliances:
#A3453
VMs:
#A3454
ECDSA key pair generation (NIST curves P-256, P-384)
FIPS PUB 186-4
Appliances:
#A3453
VMs:
#A3454
Cryptographic Key Establishment
ECC-based key establishment
SP 800-56A Revision 3
Appliances:
#A3453
VMs:
#A3454
FFC-based key establishment
SP 800-56A Revision 3
Appliances:
#A3453
VMs:
#A3454
AES Data Encryption/Decryption
  • AES CTR 128/192/256
  • AES CBC 128/192/256
  • AES GCM 128/256
  • AES CCM 128
  • AES as specified in ISO 18033-3
  • CBC/CTR as specified in ISO 10116
  • GCM as specified in ISO 19772
  • NIST SP 800-38A/C/D/F
  • FIPS PUB 197
Appliances:
#A3453
VMs:
#A3454
Signature Generation and Verification
RSA (2048 bits or greater)
FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 5.5, using PKCS #1 v2.1 Signature Schemes RSASSA-PSS and/or RSASSAPKCS1v1_5; ISO/IEC 9796-2, Digital signature scheme 2
or
Digital Signature scheme 3
Appliances:
#A3453
VMs:
#A3454
ECDSA (NIST curves P-256, P-384, and P-521)
FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 6 and Appendix D, Implementing "NIST curves" P-256, P-384, P-521 ISO/IEC 14888-3, Section 6.4
Appliances:
#A3453
VMs:
#A3454
Cryptographic hashing
SHA-1, SHA-256, SHA-384 and SHA-512 (digest sizes 160, 256, 384 and 512 bits)
ISO/IEC 10118-3:2004
FIPS PUB 180-4
Appliances:
#A3453
VMs:
#A3454
Keyed-hash message authentication
  • HMAC-SHA-1
  • HMAC-SHA-256
  • HMAC-SHA-384
  • HMAC-SHA-512
ISO/IEC 9797-2:2011
FIPS PUB 198-1
Appliances:
#A3453
VMs:
#A3454
Random bit generation
CTR_DRBG (AES-256)
ISO/IEC 18031:2011
NIST SP 800-90A
Appliances:
#A3453
VMs:
#A3454

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.