PAN-OS 8.1 Decryption Cipher Suites

List of cipher suites supported for IPSec on firewalls running PAN-OS® 8.1 in normal operation mode.

The following table lists cipher suites for decryption that are supported on firewalls running a PAN-OS® 8.1 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 8.1 Cipher Suites Supported in FIPS-CC Mode.

SSH Decryption (SSHv2 only)—Encryption
SSH Decryption (SSHv2 only)—Message Authentication
SSL/TLS Decryption
SSL/TLS Decryption—NIST-approved Elliptical Curves
SSL/TLS Decryption—Perfect Forward Secrecy (PFS) Ciphers

Feature or Function	Ciphers Supported in PAN-OS 8.1 Releases
SSH Decryption (SSHv2 only)—Encryption	AES-128-CBC AES-192-CBC AES-256-CBC AES-128-CTR AES-192-CTR AES-256-CTR
SSH Decryption (SSHv2 only)—Message Authentication	HMAC-RIPEMD HMAC-MD5-96 HMAC-MD5 HMAC-SHA-96 HMAC-RIPEMD-160 HMAC-SHA
SSL/TLS Decryption	SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 cipher suites RSA 512-, 1024-, 2048-, 3072-, 4096-, and 8192-bit keys The firewall can authenticate certificates up to 8192-bit RSA keys from the destination server, however the firewall generated certificate to the client supports only up to 2048-bit RSA keys. RSA-RC4-128-MD5 RSA-RC4-128-SHA RSA-3DES-EDE-CBC-SHA RSA-AES-128-CBC-SHA RSA-AES-256-CBC-SHA RSA-AES-128-CBC-SHA-256 RSA-AES-256-CBC-SHA-256 RSA-AES-128-GCM-SHA-256 RSA-AES-256-GCM-SHA-384
SSL/TLS Decryption—NIST-approved Elliptical Curves	P-192 (secp192r1) P-224 (secp224r1) P-256 (secp256r1) P-384 (secp384r1) P-521 (secp521r1)
SSL/TLS Decryption—Perfect Forward Secrecy (PFS) Ciphers If you use the DHE or ECDHE key exchange algorithms to enable PFS, you cannot use a hardware security module (HSM) to store the private keys used for SSL Inbound Inspection.	DHE-RSA-3DES-EDE-CBC-SHA DHE-RSA-AES-128-CBC-SHA DHE-RSA-AES-256-CBC-SHA DHE-RSA-AES-128-CBC-SHA-256 DHE-RSA-AES-256-CBC-SHA-256 DHE-RSA-AES-128-GCM-SHA-256 DHE-RSA-AES-256-GCM-SHA-384 ECDHE-RSA-AES-128-CBC-SHA ECDHE-RSA-AES-256-CBC-SHA ECDHE-RSA-AES-128-CBC-SHA-256 ECDHE-RSA-AES-256-CBC-SHA-384 ECDHE-RSA-AES-128-GCM-SHA-256 ECDHE-RSA-AES-256-GCM-SHA-384 ECDHE-ECDSA-AES-128-CBC-SHA ECDHE-ECDSA-AES-256-CBC-SHA ECDHE-ECDSA-AES-128-CBC-SHA-256 ECDHE-ECDSA-AES-256-CBC-SHA-384 ECDHE-ECDSA-AES-128-GCM-SHA-256 ECDHE-ECDSA-AES-256-GCM-SHA-384

Document:Palo Alto Networks® Compatibility Matrix

PAN-OS 8.1 Decryption Cipher Suites

PAN-OS 8.1 Decryption Cipher Suites

Related Documentation

Document:Palo Alto Networks® Compatibility Matrix

PAN-OS 8.1 Decryption Cipher Suites

PAN-OS 8.1 Decryption Cipher Suites

Related Documentation

Cipher Suites Supported in PAN-OS 8.1

PAN-OS 8.1 HA1 SSH Cipher Suites

PAN-OS 8.1 Management Port SSH Cipher Suites

PAN-OS 8.1 PAN-OS-to-Panorama Connection Cipher Suites

PAN-OS 8.1 IPSec Cipher Suites

PAN-OS 8.1 GlobalProtect Cipher Suites

GlobalProtect Cryptography References

PAN-OS 8.1 Administrative Session Cipher Suites

PAN-OS 8.1 IKE and Web Certificate Cipher Suites

PAN-OS 8.1 Cipher Suites Supported in FIPS-CC Mode