PAN-OS 8.1 GlobalProtect Cipher Suites

List of cipher suites supported for GlobalProtect™ on firewalls running PAN-OS® 8.1 in normal operation mode.
The following table lists cipher suites for GlobalProtect™ supported on firewalls running a PAN-OS® 8.1 release in normal (non-FIPS-CC) operational mode.
If your firewall is running in FIPS-CC mode, see the list of PAN-OS 8.1 Cipher Suites Supported in FIPS-CC Mode.
Feature or Function
Ciphers Supported in PAN-OS 8.1 Releases
GlobalProtect App/Agent—SSL tunnels and SSL connections to gateway and portal
  • TLSv1.0, TLSv1.1, and TLSv1.2 cipher suites
  • RSA-SEED-SHA
  • RSA-CAMELLIA-128-SHA
  • RSA-CAMELLIA-256-SHA
  • RSA-3DES-SHA
  • RSA-AES-128-SHA
  • RSA-AES-256-SHA
  • RSA-AES-128-SHA-256
  • RSA-AES-256-SHA-256
  • RSA-AES-128-GCM-SHA-256
  • RSA-AES-256-GCM-SHA-384
  • DHE-RSA-SEED-SHA
  • DHE-RSA-AES-128-SHA
  • DHE-RSA-AES-256-SHA
  • DHE-RSA-AES-128-GCM-SHA-256
  • DHE-RSA-AES-256-GCM-SHA-384
  • EDH-RSA-3DES-SHA
  • ECDHE-RSA-AES-128-SHA
  • ECDHE-RSA-AES-256-SHA
  • ECDHE-RSA-AES-128-GCM-SHA-256
  • ECDHE-RSA-AES-128-GCM-SHA-384
  • ECDHE-ECDSA-AES-128-SHA
  • ECDHE-ECDSA-AES-256-SHA
  • ECDHE-ECDSA-AES-128-GCM-SHA-256
  • ECDHE-ECDSA-AES-256-GCM-SHA-384
GlobalProtect App/Agent—IPSec mode
(Keys transported through SSL session with gateway)
  • AES-128-CBC-HMAC-SHA
  • AES-128-GCM-HMAC-SHA
  • AES-256-GCM-HMAC-SHA
GlobalProtect Portal—Browser Access
  • SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 cipher suites
  • RSA-SEED-SHA
  • RSA-CAMELLIA-128-SHA
  • RSA-CAMELLIA-256-SHA
  • RSA-3DES-SHA
  • RSA-AES-128-SHA
  • RSA-AES-256-SHA
  • RSA-AES-128-SHA-256
  • RSA-AES-256-SHA-256
  • RSA-AES-128-GCM-SHA-256
  • RSA-AES-256-GCM-SHA-384
  • DHE-RSA-AES-256-SHA
  • DHE-RSA-AES-128-SHA
  • DHE-RSA-AES-128-GCM-SHA-256
  • DHE-RSA-AES-256-GCM-SHA-384
  • EDH-RSA-3DES-SHA
  • ECDHE-ECDSA-AES-128-SHA
  • ECDHE-ECDSA-AES-256-SHA
  • ECDHE-ECDSA-AES-128-GCM-SHA-256
  • ECDHE-ECDSA-AES-256-GCM-SHA-384

Related Documentation