PAN-OS 9.0 IKE and Web Certificate Cipher Suites

List of cipher suites supported for Internet Key Exchange (IKE) and PAN-OS® web certificates on firewalls running PAN-OS 9.0 in normal operation mode.
The following table lists cipher suites for Internet Key Exchange (IKE) and PAN-OS® web certificates that are supported on firewalls running a PAN-OS 9.0 release in normal (non-FIPS-CC) operational mode.
If your firewall is running in FIPS-CC mode, see the list of PAN-OS 9.0 Cipher Suites Supported in FIPS-CC Mode.
Feature or Function
Ciphers Supported in PAN-OS 9.0 Releases
IKE Certificate Support
  • RSA
    • Keys—512-bit, 1024-bit, 2048-bit, and 3072-bit keys
    • Digital signature algorithms—SHA1, SHA256, SHA384, or SHA512
  • ECDSA
    • Keys—256-bit and 384-bit keys
    • Digital signature algorithms—SHA256, SHA384, or SHA512
IKE—Encryption
  • DES
  • 3DES
  • AES-128-CBC
  • AES-192-CBC
  • AES-256-CBC
IKE—Message Authentication
  • HMAC-MD5
  • HMAC-SHA1
  • HMAC-SHA-256
  • HMAC-SHA-384
  • HMAC-SHA-512
IKE—Key Exchange
Diffie-Hellman groups
  • Group 1 (768-bit keys)
  • Group 2 (1024-bit keys)
  • Group 5 (1536-bit keys)
  • Group 14 (2048-bit keys)
  • Group 19 (256-bit elliptic curve group)
  • Group 20 (384-bit elliptic curve group)
PAN-OS Web Certificates
  • RSA
    • Keys—512-bit, 1024-bit, 2048-bit, 3072-bit, and 4096-bit keys
    • Digital signature algorithms—SHA1, SHA256, SHA384, or SHA512
  • ECDSA
    • Keys—256-bit and 384-bit keys
    • Digital signature algorithms—SHA256, SHA384, or SHA512

Recommended For You