Support for Post-Quantum Features
Supported quantum RFCs, upgrade and downgrade considerations, HA, etc.
Support for post-quantum features and capabilities includes RFCs, HA, and upgrade and
downgrade considerations. It's early in the development of post-quantum standards and
features as nations, vendors, and enterprises grapple with how to defend their data from
post-quantum attacks. As standards progress and Palo Alto Networks platforms support
them, this topic will be updated to indicate that support.
RFCs Supported and Interoperability
Palo Alto Networks devices interoperate with other devices that support the same
standards, although some vendors' implementations might differ based on their
interpretation of the RFCs. For example, some vendors might not offer the ability to
configure as many post-quantum pre-shared keys (PQ PPKs) with RFC 8784, or they might
not support the broad set of PQCs that Palo Alto Networks supports with RFC 9370.
HA Support
High availability (HA) for IKE VPNs is the same as before the introduction of
post-quantum features: VPN tunnels continue to run after a failover, and IKE peers
re-sync and refresh IKE keys after a failover.
Upgrade and Downgrade Considerations
When you upgrade from a version that doesn't support post-quantum IKEv2 VPNs, the
platform provides support for the post-quantum features and capabilities.
When you downgrade to a version that supports the post-quantum features you
configured, the configuration is not changed and the post-quantum IKEv2 VPN security
remains in place.
When you downgrade to a version that doesn't support the post-quantum IKEv2 VPN
features:
- If you didn't configure post-quantum IKEv2 VPNs, the downgrade proceeds as
  usual and the post-quantum IKEv2 VPN security configuration options are
  removed.
- If you configured post-quantum IKEv2 VPNs, the downgrade is blocked because
  the downgrade version doesn't support the post-quantum configuration
  options. When the downgrade is blocked, a warning message notifies you to
  remove the post-quantum IKEv2 VPN configuration and to select the cipher
  you want to use for the VPN after the downgrade.
  After you remove the post-quantum IKEv2 VPN configuration and select the
  cipher, you can proceed with the downgrade.
The log files retain the post-quantum logs after the downgrade.