PAN-OS 8.1 Cipher Suites Supported in FIPS-CC Mode

List of cipher suites supported on firewalls running PAN-OS® 8.1 in FIPS-CC mode.
The following table lists cipher suites that are supported on firewalls running a PAN-OS® 8.1 release in FIPS-CC mode.
If your firewall is running in normal (non-FIPS-CC) operational mode, see Cipher Suites Supported in PAN-OS 8.1
Functions
Standards
Certificates
Asymmetric key generation
FFC key pair generation (key size 2048 bits)
FIPS PUB 186-4
Appliances:
DSA #1485
VMs:
DSA #1497
ECC key pair generation (NIST curves P-256, P-384)
FIPS PUB 186-4
Appliances:
ECDSA #1570
VMs:
ECDSA #1575
RSA key generation (2048 bits or greater)
FIPS PUB 186-4
Appliances:
RSA #3086
VMs:
RSA #3090
Cryptographic Key Generation (for IKE Peer Authentication)
RSA key generation (2048 bits or greater)
FIPS PUB 186-4
Appliances:
RSA #3086
VMs:
RSA #3090
ECDSA key pair generation (NIST curves P-256, P-384)
FIPS PUB 186-4
Appliances:
ECDSA #1570
VMs:
ECDSA #1575
Cryptographic Key Establishment
ECDSA-based key establishment
NIST SP 800-56A Revision 2
Appliances:
CVL #2119
VMs:
CVL #2128
FFC-based key establishment
NIST SP 800-56A Revision 2
Appliances:
CVL #2119
VMs:
CVL #2128
AES Data Encryption/Decryption
  • AES CTR 128/192/256
  • AES CBC 128/192/256
  • AES GCM 128/256
  • AES CCM 128
  • AES as specified in ISO 18033-3
  • CBC/CTR as specified in ISO 10116
  • GCM as specified in ISO 19772
  • NIST SP 800-38A/C/D/F
  • FIPS PUB 197
Appliances:
AES #5890
VMs:
AES #5902
Signature Generation and Verification
RSA Digital Signature Algorithm (rDSA) (2048 bits or greater)
FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 5.5, using PKCS #1 v2.1 Signature Schemes RSASSA-PSS and/or RSASSAPKCS1v1_5; ISO/IEC 9796-2, Digital signature scheme 2
or
Digital Signature scheme 3
Appliances:
RSA #3086
VMs:
RSA #3090
ECDSA (NIST curves P-256, P-384, and P-521)
FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 6 and Appendix D, Implementing "NIST curves" P-256, P-384, ISO/IEC 14888-3, Section 6.4
Appliances:
RSA #1570
VMs:
RSA #1575
Cryptographic hashing
SHA1, SHA256, SHA384, and SHA512 (digest sizes 160, 256, 384, and 512 bits)
ISO/IEC 10118-3:2004
FIPS PUB 180-4
Appliances:
SHS #4641
VMs:
SHS #4658
Keyed-hash message authentication
  • HMAC-SHA1
  • HMAC-SHA-256
  • HMAC-SHA-384
  • HMAC-SHA-512
ISO/IEC 9797-2:2011
FIPS PUB 198-1
Appliances:
HMAC #3865
VMs:
HMAC #3882
Random bit generation
CTR_DRBG (AES-256)
ISO/IEC 18031:2011
NIST SP 800-90A
Appliances:
DRBG #2451
VMs:
DRBG #2464

Recommended For You