PAN-OS 11.1 IKE and Web Certificate Cipher Suites


The following table lists cipher suites for Internet Key Exchange (IKE) and PAN-OS® web certificates that are supported on firewalls running a PAN-OS 11.1 release in normal (non-FIPS-CC) operational mode.
If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.1 Cipher Suites Supported in FIPS-CC Mode.
Feature or Function
Ciphers Supported in PAN-OS 11.1 Releases
IKE Certificate Support
  • RSA
    • Keys—512-bit, 1024-bit, 2048-bit, and 3072-bit keys
    • Digital signature algorithms—SHA-1, SHA-256, SHA-384, or SHA-512
  • ECDSA
    • Keys—256-bit and 384-bit keys
    • Digital signature algorithms—SHA-256, SHA-384, or SHA-512
IKE—Encryption
  • 3DES
  • AES-128-CBC
  • AES-192-CBC
  • AES-256-CBC
Starting with PAN-OS 10.0.3:
  • AES-128-GCM
  • AES-256-GCM
IKE—Message Authentication
  • HMAC-MD5
  • HMAC-SHA-1
  • HMAC-SHA-256
  • HMAC-SHA-384
  • HMAC-SHA-512
IKE—Key Exchange
Diffie-Hellman groups
  • Group 1 (768-bit keys)
  • Group 2 (1024-bit keys)
  • Group 5 (1536-bit keys)
  • Group 14 (2048-bit keys)
  • Group 15 (3072-bit modular exponential group)
  • Group 16 (4096-bit modular exponential group)
  • Group 19 (256-bit elliptic curve group)
  • Group 20 (384-bit elliptic curve group)
  • Group 21 (512-bit random elliptic curve group)
PAN-OS Web Certificates
  • RSA
    • Keys—2048-bit, 3072-bit, and 4096-bit keys
    • Digital signature algorithms—SHA-256, SHA-384, or SHA-512
  • ECDSA
    • Keys—256-bit and 384-bit keys
    • Digital signature algorithms—SHA-256, SHA-384, or SHA-512