PAN-OS 9.0 Cipher Suites Supported in FIPS-CC Mode

The following table lists cipher suites that are supported on firewalls running a PAN-OS® 9.0 release in FIPS-CC mode. The Cryptographic Algorithm Validation Program has additional details regarding the algorithm implementation.
If your firewall is running in normal (non-FIPS-CC) operational mode, see Cipher Suites Supported in PAN-OS 9.0.

| Functions | Standards | Certificates |
|---|---|---|
| Asymmetric key generation | | |
| FFC key pair generation (key size 2048 bits) | FIPS PUB 186-4 | Appliances: #C1005; VMs: #C999 |
| ECC key pair generation (NIST curves P-256, P-384) | FIPS PUB 186-4 | Appliances: #C1005; VMs: #C999 |
| RSA key generation (2048 bits or greater) | FIPS PUB 186-4 | Appliances: #C1005; VMs: #C999 |
| Cryptographic Key Generation (for IKE Peer Authentication) | | |
| RSA key generation (2048 bits or greater) | FIPS PUB 186-4 | Appliances: #C1005; VMs: #C999 |
| ECDSA key pair generation (NIST curves P-256, P-384) | FIPS PUB 186-4 | Appliances: #C1005; VMs: #C999 |
| Cryptographic Key Establishment | | |
| ECDSA-based key establishment | NIST SP 800-56A Revision 2 | Appliances: #C1005; VMs: #C999 |
| FFC-based key establishment | NIST SP 800-56A Revision 2 | Appliances: #C1005; VMs: #C999 |
| AES Data Encryption/Decryption | | |
| AES CTR 128/192/256; AES CBC 128/192/256; AES GCM 128/256; AES CCM 128 | AES as specified in ISO 18033-3; CBC/CTR as specified in ISO 10116; GCM as specified in ISO 19772; NIST SP 800-38A/C/D/F; FIPS PUB 197 | Appliances: #C1005; VMs: #C999 |
| Signature Generation and Verification | | |
| RSA Digital Signature Algorithm (rDSA) (2048 bits or greater) | FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 5.5, using PKCS #1 v2.1 Signature Schemes RSASSA-PSS and/or RSASSA-PKCS1v1_5; ISO/IEC 9796-2, Digital signature scheme 2 or Digital Signature scheme 3 | Appliances: #C1005; VMs: #C999 |
| ECDSA (NIST curves P-256, P-384, and P-521) | FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 6 and Appendix D, implementing "NIST curves" P-256, P-384; ISO/IEC 14888-3, Section 6.4 | Appliances: #C1005; VMs: #C999 |
| Cryptographic hashing | | |
| SHA1, SHA256, SHA384, and SHA512 (digest sizes 160, 256, 384, and 512 bits) | ISO/IEC 10118-3:2004; FIPS PUB 180-4 | Appliances: #C1005; VMs: #C999 |
| Keyed-hash message authentication | | |
| HMAC-SHA1; HMAC-SHA256; HMAC-SHA384; HMAC-SHA512 | ISO/IEC 9797-2:2011; FIPS PUB 198-1 | Appliances: #C1005; VMs: #C999 |
| Random bit generation | | |
| CTR_DRBG (AES-256) | ISO/IEC 18031:2011; NIST SP 800-90A | Appliances: #C1005; VMs: #C999 |
