Support for Post-Quantum Features
Supported quantum RFCs, upgrade and downgrade considerations, HA, etc.
Where Can I Use This?
  • PAN-OS
What Do I Need?
  • PAN-OS 11.1 or later.
Support for post-quantum features and capabilities includes the RFCs that are supported, HA behavior, and upgrade and downgrade considerations. It's early in the development of post-quantum standards and features as nations, vendors, and enterprises grapple with how to defend their data from attacks by future quantum computers. As standards progress and Palo Alto Networks platforms support them, this topic will be updated to indicate that support.

RFCs Supported and Interoperability

Palo Alto Networks devices fully support the RFC 8784 (post-quantum pre-shared keys for IKEv2), RFC 9242 (IKEv2 Intermediate Exchange), and RFC 9370 (multiple key exchanges in IKEv2) open standards.
Palo Alto Networks devices interoperate with other devices that support the same standards, although some vendors' implementations might differ based on their interpretation of the RFCs. For example, some vendors might not offer the ability to configure as many post-quantum pre-shared keys (PQ PPKs) with RFC 8784, or they might not support the broad set of PQCs that Palo Alto Networks supports with RFC 9370.
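As an added illustration of what the RFC 8784 PQ PPK support described above provides (example code written for this page, not PAN-OS code): each peer selects a PPK by the PPK_ID carried in the PPK_IDENTITY notification and folds it into SK_d, SK_pi and SK_pr exactly as RFC 8784 section 5.1 specifies, so the IKE SA keys no longer depend on the Diffie-Hellman secret alone. The PPK store, PPK_IDs and SK_* inputs are constructed values, and the PRF is assumed to be PRF_HMAC_SHA2_256.

```python
import hmac
import hashlib

# Constructed sample material standing in for the IKE_SA_INIT-derived keys.
# In a real exchange these come from SKEYSEED/prf+ (RFC 7296); here they are
# fixed labelled bytes so the example runs offline.
SK_D = hashlib.sha256(b"sample SK_d").digest()
SK_PI = hashlib.sha256(b"sample SK_pi").digest()
SK_PR = hashlib.sha256(b"sample SK_pr").digest()

# A PPK store holding more than one PQ PPK, each selected by PPK_ID
# (hypothetical IDs and values, constructed for this example).
PPK_STORE = {
    b"site-a-2024": bytes.fromhex("00112233445566778899aabbccddeeff" * 2),
    b"site-b-2024": bytes.fromhex("ffeeddccbbaa99887766554433221100" * 2),
}

def prf(key: bytes, data: bytes) -> bytes:
    """IKEv2 prf(K, S), instantiated here as PRF_HMAC_SHA2_256."""
    return hmac.new(key, data, hashlib.sha256).digest()

def mix_ppk(ppk: bytes, sk_d: bytes, sk_pi: bytes, sk_pr: bytes):
    """RFC 8784 section 5.1: SK_d' = prf(PPK, SK_d), SK_pi' = prf(PPK, SK_pi),
    SK_pr' = prf(PPK, SK_pr). SK_ai/SK_ar/SK_ei/SK_er are left untouched, as
    the RFC specifies, so IKE_AUTH is still protected by the DH-derived keys."""
    return prf(ppk, sk_d), prf(ppk, sk_pi), prf(ppk, sk_pr)

def responder_keys(ppk_store, ppk_id, sk_d, sk_pi, sk_pr):
    """Responder side: look up the PPK_ID received in PPK_IDENTITY. None means
    'no PPK configured under that ID'; a peer that requires PPK treats that as
    an authentication failure rather than silently continuing without it."""
    ppk = ppk_store.get(ppk_id)
    if ppk is None:
        return None
    return mix_ppk(ppk, sk_d, sk_pi, sk_pr)

def peers_agree(initiator_store, responder_store, ppk_id):
    """True only when both peers hold the same PPK under ppk_id and therefore
    derive identical SK_d', SK_pi', SK_pr'. A party holding SK_d alone (for
    example after a future quantum break of the DH exchange) but not the PPK
    cannot reproduce these keys, which is the point of RFC 8784."""
    i = responder_keys(initiator_store, ppk_id, SK_D, SK_PI, SK_PR)
    r = responder_keys(responder_store, ppk_id, SK_D, SK_PI, SK_PR)
    return i is not None and i == r
```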

HA Support

High availability (HA) for IKE VPNs is the same as before the introduction of post-quantum features: VPN tunnels continue to run after a failover, and IKE peers re-sync and refresh IKE keys after a failover.

Upgrade and Downgrade Considerations

When you upgrade from a version that doesn't support post-quantum IKEv2 VPNs to one that does, the post-quantum features and capabilities become available on the upgraded platform.
When you downgrade to a version that supports the post-quantum features you configured, the configuration is not changed and the post-quantum IKEv2 VPN security remains in place.
When you downgrade to a version that doesn't support the post-quantum IKEv2 VPN features:
  • If you didn't configure post-quantum IKEv2 VPNs, the downgrade proceeds as usual and the post-quantum IKEv2 VPN security configuration options are removed.
  • If you configured post-quantum IKEv2 VPNs, the downgrade is blocked because the downgrade version doesn't support the post-quantum configuration options. When the downgrade is blocked, a warning message notifies you to remove the post-quantum IKEv2 VPN configuration and to select the cipher you want the VPN to use after the downgrade.
    After you remove the post-quantum IKEv2 VPN configuration and select the cipher, you can proceed with the downgrade.
The log files retain the post-quantum logs after the downgrade.