PAN-OS 11.1 Cipher Suites Supported in FIPS-CC Mode
Table of Contents
Expand all | Collapse all
- CN-Series Firewalls
- MFA Vendor Support
-
- Cloud Identity Engine Cipher Suites
-
- PAN-OS 11.2 GlobalProtect Cipher Suites
- PAN-OS 11.2 IPSec Cipher Suites
- PAN-OS 11.2 IKE and Web Certificate Cipher Suites
- PAN-OS 11.2 Decryption Cipher Suites
- PAN-OS 11.2 Administrative Session Cipher Suites
- PAN-OS 11.2 HA1 SSH Cipher Suites
- PAN-OS 11.2 PAN-OS-to-Panorama Connection Cipher Suites
- PAN-OS 11.2 Cipher Suites Supported in FIPS-CC Mode
-
- PAN-OS 11.1 GlobalProtect Cipher Suites
- PAN-OS 11.1 IPSec Cipher Suites
- PAN-OS 11.1 IKE and Web Certificate Cipher Suites
- PAN-OS 11.1 Decryption Cipher Suites
- PAN-OS 11.1 Administrative Session Cipher Suites
- PAN-OS 11.1 HA1 SSH Cipher Suites
- PAN-OS 11.1 PAN-OS-to-Panorama Connection Cipher Suites
- PAN-OS 11.1 Cipher Suites Supported in FIPS-CC Mode
-
- PAN-OS 11.0 GlobalProtect Cipher Suites
- PAN-OS 11.0 IPSec Cipher Suites
- PAN-OS 11.0 IKE and Web Certificate Cipher Suites
- PAN-OS 11.0 Decryption Cipher Suites
- PAN-OS 11.0 Administrative Session Cipher Suites
- PAN-OS 11.0 HA1 SSH Cipher Suites
- PAN-OS 11.0 PAN-OS-to-Panorama Connection Cipher Suites
- PAN-OS 11.0 Cipher Suites Supported in FIPS-CC Mode
-
- PAN-OS 10.2 GlobalProtect Cipher Suites
- PAN-OS 10.2 IPSec Cipher Suites
- PAN-OS 10.2 IKE and Web Certificate Cipher Suites
- PAN-OS 10.2 Decryption Cipher Suites
- PAN-OS 10.2 Administrative Session Cipher Suites
- PAN-OS 10.2 HA1 SSH Cipher Suites
- PAN-OS 10.2 PAN-OS-to-Panorama Connection Cipher Suites
- PAN-OS 10.2 Cipher Suites Supported in FIPS-CC Mode
-
- PAN-OS 10.1 GlobalProtect Cipher Suites
- PAN-OS 10.1 IPSec Cipher Suites
- PAN-OS 10.1 IKE and Web Certificate Cipher Suites
- PAN-OS 10.1 Decryption Cipher Suites
- PAN-OS 10.1 Administrative Session Cipher Suites
- PAN-OS 10.1 HA1 SSH Cipher Suites
- PAN-OS 10.1 PAN-OS-to-Panorama Connection Cipher Suites
- PAN-OS 10.1 Cipher Suites Supported in FIPS-CC Mode
-
- PAN-OS 9.1 GlobalProtect Cipher Suites
- PAN-OS 9.1 IPSec Cipher Suites
- PAN-OS 9.1 IKE and Web Certificate Cipher Suites
- PAN-OS 9.1 Decryption Cipher Suites
- PAN-OS 9.1 Administrative Session Cipher Suites
- PAN-OS 9.1 HA1 SSH Cipher Suites
- PAN-OS 9.1 PAN-OS-to-Panorama Connection Cipher Suites
- PAN-OS 9.1 Cipher Suites Supported in FIPS-CC Mode
- Prisma Access
- Strata Cloud Manager and Panorama Feature Parity
- User-ID Agent
- Terminal Server (TS) Agent
- Strata Logging Service Software Compatibility
- Cortex XDR
- Endpoint Security Manager (ESM)
- IPv6 Support by Feature
- Mobile Network Infrastructure Feature Support
PAN-OS 11.1 Cipher Suites Supported in FIPS-CC Mode
List of cipher suites supported on firewalls running PAN-OS® 11.1 in FIPS-CC
mode.
The following table lists cipher suites that are supported on firewalls running a PAN-OS®
11.1 release in FIPS-CC mode. The Cryptographic Algorithm Validation Program has
additional details regarding the algorithm implementation.
If your firewall is running in normal (non-FIPS-CC) operational mode, see Cipher Suites Supported in PAN-OS 11.1
Functions | Standards | Certificates |
---|---|---|
Asymmetric key generation
| ||
ECC key pair generation (NIST curves P-256, P-384) | FIPS PUB 186-4 | Appliances:
#A3453 VMs:
#A3454 |
RSA key generation (2048 bits or greater) | FIPS PUB 186-4 | Appliances:
#A3453 VMs:
#A3454 |
Cryptographic Key Generation (for IKE Peer Authentication)
| ||
RSA key generation (2048 bits or greater) | FIPS PUB 186-4 | Appliances:
#A3453 VMs:
#A3454 |
ECDSA key pair generation (NIST curves P-256, P-384) | FIPS PUB 186-4 | Appliances:
#A3453 VMs:
#A3454 |
Cryptographic Key Establishment
| ||
ECC-based key establishment | SP 800-56A Revision 3 | Appliances:
#A3453 VMs:
#A3454 |
FFC-based key establishment | SP 800-56A Revision 3 | Appliances:
#A3453 VMs:
#A3454 |
AES Data Encryption/Decryption
| ||
|
| Appliances:
#A3453 VMs:
#A3454 |
Signature Generation and Verification
| ||
RSA (2048 bits or greater) | FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 5.5,
using PKCS #1 v2.1 Signature Schemes RSASSA-PSS and/or
RSASSAPKCS1v1_5; ISO/IEC 9796-2, Digital signature scheme 2 or Digital Signature scheme 3 | Appliances:
#A3453 VMs:
#A3454 |
ECDSA (NIST curves P-256, P-384, and P-521) | FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 6 and
Appendix D, Implementing "NIST curves" P-256, P-384, P-521 ISO/IEC
14888-3, Section 6.4 | Appliances:
#A3453 VMs:
#A3454 |
Cryptographic hashing
| ||
SHA-1, SHA-256, SHA-384 and SHA-512 (digest sizes 160, 256, 384 and
512 bits) | ISO/IEC 10118-3:2004 FIPS PUB 180-4 | Appliances:
#A3453 VMs:
#A3454 |
Keyed-hash message authentication
| ||
| ISO/IEC 9797-2:2011 FIPS PUB 198-1 | Appliances:
#A3453 VMs:
#A3454 |
Random bit generation
| ||
CTR_DRBG (AES-256) | ISO/IEC 18031:2011 NIST SP 800-90A | Appliances:
#A3453 VMs:
#A3454 |