PAN-OS 9.1 Cipher Suites Supported in FIPS-CC Mode
Table of Contents
Expand all | Collapse all
-
- Cloud Identity Engine Cipher Suites
-
- PAN-OS 11.0 GlobalProtect Cipher Suites
- PAN-OS 11.0 IPSec Cipher Suites
- PAN-OS 11.0 IKE and Web Certificate Cipher Suites
- PAN-OS 11.0 Decryption Cipher Suites
- PAN-OS 11.0 Administrative Session Cipher Suites
- PAN-OS 11.0 HA1 SSH Cipher Suites
- PAN-OS 11.0 PAN-OS-to-Panorama Connection Cipher Suites
- PAN-OS 11.0 Cipher Suites Supported in FIPS-CC Mode
-
- PAN-OS 10.2 GlobalProtect Cipher Suites
- PAN-OS 10.2 IPSec Cipher Suites
- PAN-OS 10.2 IKE and Web Certificate Cipher Suites
- PAN-OS 10.2 Decryption Cipher Suites
- PAN-OS 10.2 Administrative Session Cipher Suites
- PAN-OS 10.2 HA1 SSH Cipher Suites
- PAN-OS 10.2 PAN-OS-to-Panorama Connection Cipher Suites
- PAN-OS 10.2 Cipher Suites Supported in FIPS-CC Mode
-
- PAN-OS 10.1 GlobalProtect Cipher Suites
- PAN-OS 10.1 IPSec Cipher Suites
- PAN-OS 10.1 IKE and Web Certificate Cipher Suites
- PAN-OS 10.1 Decryption Cipher Suites
- PAN-OS 10.1 Administrative Session Cipher Suites
- PAN-OS 10.1 HA1 SSH Cipher Suites
- PAN-OS 10.1 PAN-OS-to-Panorama Connection Cipher Suites
- PAN-OS 10.1 Cipher Suites Supported in FIPS-CC Mode
-
- PAN-OS 9.1 GlobalProtect Cipher Suites
- PAN-OS 9.1 IPSec Cipher Suites
- PAN-OS 9.1 IKE and Web Certificate Cipher Suites
- PAN-OS 9.1 Decryption Cipher Suites
- PAN-OS 9.1 Administrative Session Cipher Suites
- PAN-OS 9.1 HA1 SSH Cipher Suites
- PAN-OS 9.1 PAN-OS-to-Panorama Connection Cipher Suites
- PAN-OS 9.1 Cipher Suites Supported in FIPS-CC Mode
-
- PAN-OS 8.1 GlobalProtect Cipher Suites
- PAN-OS 8.1 IPSec Cipher Suites
- PAN-OS 8.1 IKE and Web Certificate Cipher Suites
- PAN-OS 8.1 Decryption Cipher Suites
- PAN-OS 8.1 Administrative Session Cipher Suites
- PAN-OS 8.1 HA1 SSH Cipher Suites
- PAN-OS 8.1 PAN-OS-to-Panorama Connection Cipher Suites
- PAN-OS 8.1 Cipher Suites Supported in FIPS-CC Mode
PAN-OS 9.1 Cipher Suites Supported in FIPS-CC Mode
List of cipher suites supported on firewalls running
PAN-OS® 9.1 in FIPS-CC mode.
The following table lists cipher suites that are supported
on firewalls running a PAN-OS® 9.1 release in FIPS-CC mode. The Cryptographic Algorithm Validation
Program has additional details regarding the algorithm implementation.
Also, there were no changes made to the Palo Alto Networks crypto module
between PAN-OS 9.0 and PAN-OS 9.1 so all FIPS certificates still
apply for this PAN-OS 9.1 release.
If your firewall is running in normal (non-FIPS-CC) operational mode,
see Cipher
Suites Supported in PAN-OS 9.1
Functions | Standards |
|---|---|
Asymmetric key generation | |
FFC key pair generation (key size 2048 bits) | FIPS PUB 186-4 |
ECC key pair generation (NIST curves P-256, P-384) | FIPS PUB 186-4 |
RSA key generation (2048 bits or greater) | FIPS PUB 186-4 |
Cryptographic Key Generation
(for IKE Peer Authentication) | |
RSA key generation (2048 bits or greater) | FIPS PUB 186-4 |
ECDSA key pair generation (NIST curves P-256, P-384) | FIPS PUB 186-4 |
Cryptographic Key Establishment | |
ECDSA-based key establishment | NIST SP 800-56A Revision 2 |
FFC-based key establishment | NIST SP 800-56A Revision 2 |
AES Data Encryption/Decryption | |
|
|
Signature Generation and
Verification | |
RSA Digital Signature Algorithm (rDSA) (2048
bits or greater) | FIPS PUB 186-4, “Digital Signature Standard
(DSS)”, Section 5.5, using PKCS #1 v2.1 Signature Schemes RSASSA-PSS
and/or RSASSAPKCS1v1_5; ISO/IEC 9796-2, Digital signature scheme 2 or Digital
Signature scheme 3 |
ECDSA (NIST curves P-256, P-384, and P-521) | FIPS PUB 186-4, “Digital Signature Standard
(DSS)”, Section 6 and Appendix D, Implementing "NIST curves" P-256,
P-384, ISO/IEC 14888-3, Section 6.4 |
Cryptographic hashing | |
SHA-1, SHA-256, SHA-384, and SHA-512 (digest sizes
160, 256, 384, and 512 bits) | ISO/IEC 10118-3:2004 FIPS PUB 180-4 |
Keyed-hash message authentication | |
| ISO/IEC 9797-2:2011 FIPS PUB 198-1 |
Random bit generation | |
CTR_DRBG (AES-256) | ISO/IEC 18031:2011 NIST SP 800-90A |