1. Home
    2. Palo Alto Networks Compatibility Matrix
    3. Supported Cipher Suites
    4. Cipher Suites Supported in PAN-OS 9.1
    5. PAN-OS 9.1 Cipher Suites Supported in FIPS-CC Mode

    PAN-OS 9.1 Cipher Suites Supported in FIPS-CC Mode

    List of cipher suites supported on firewalls running PAN-OS® 9.1 in FIPS-CC mode.
    The following table lists cipher suites that are supported on firewalls running a PAN-OS® 9.1 release in FIPS-CC mode. The Cryptographic Algorithm Validation Program has additional details regarding the algorithm implementation. Also, there were no changes made to the Palo Alto Networks crypto module between PAN-OS 9.0 and PAN-OS 9.1 so all FIPS certificates still apply for this PAN-OS 9.1 release.
    If your firewall is running in normal (non-FIPS-CC) operational mode, see Cipher Suites Supported in PAN-OS 9.1
    Functions
    Standards
    Asymmetric key generation
    FFC key pair generation (key size 2048 bits)
    FIPS PUB 186-4
    ECC key pair generation (NIST curves P-256, P-384)
    FIPS PUB 186-4
    RSA key generation (2048 bits or greater)
    FIPS PUB 186-4
    Cryptographic Key Generation (for IKE Peer Authentication)
    RSA key generation (2048 bits or greater)
    FIPS PUB 186-4
    ECDSA key pair generation (NIST curves P-256, P-384)
    FIPS PUB 186-4
    Cryptographic Key Establishment
    ECDSA-based key establishment
    NIST SP 800-56A Revision 2
    FFC-based key establishment
    NIST SP 800-56A Revision 2
    AES Data Encryption/Decryption
    • AES CTR 128/192/256
    • AES CBC 128/192/256
    • AES GCM 128/256
    • AES CCM 128
    • AES as specified in ISO 18033-3
    • CBC/CTR as specified in ISO 10116
    • GCM as specified in ISO 19772
    • NIST SP 800-38A/C/D/F
    • FIPS PUB 197
    Signature Generation and Verification
    RSA Digital Signature Algorithm (rDSA) (2048 bits or greater)
    FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 5.5, using PKCS #1 v2.1 Signature Schemes RSASSA-PSS and/or RSASSAPKCS1v1_5; ISO/IEC 9796-2, Digital signature scheme 2
    or
    Digital Signature scheme 3
    ECDSA (NIST curves P-256, P-384, and P-521)
    FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 6 and Appendix D, Implementing "NIST curves" P-256, P-384, ISO/IEC 14888-3, Section 6.4
    Cryptographic hashing
    SHA-1, SHA-256, SHA-384, and SHA-512 (digest sizes 160, 256, 384, and 512 bits)
    ISO/IEC 10118-3:2004
    FIPS PUB 180-4
    Keyed-hash message authentication
    • HMAC-SHA-1
    • HMAC-SHA-256
    • HMAC-SHA-384
    • HMAC-SHA-512
    ISO/IEC 9797-2:2011
    FIPS PUB 198-1
    Random bit generation
    CTR_DRBG (AES-256)
    ISO/IEC 18031:2011
    NIST SP 800-90A

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo