Next-Generation Firewall
Certificate Management Features
Certificate Management Features
Learn about new Certificate Management features in PAN-OS 12.1.
The following section describes new certificate management features introduced in PAN-OS
12.1.
Automatic Certificate Renewal for Passive HA Devices
September 2025
Previously, in HA Active/Passive pairs with service routes configured for
Palo Alto Networks services or DNS servers, it was impossible to renew device
certificates on the passive device because the passive device's dataplane functions
are down. Starting with this PAN-OS® release, the passive device can have service
routes configured and receive certificate updates and renewals through
its HA interface connected to the active device. You do not have to configure or
change your network security policy to perform this function; the process happens
automatically when a certificate is near its expiry date. This allows your HA pair
to maintain up-to-date and secure connections with Palo Alto Networks licenses and
services even after a failover event.
You can verify whether the passive device has successfully renewed a certificate
using the following CLI command:
show device-certificate status
It's recommended that you enable encryption on the HA link; otherwise, you will
receive the following system log during the renewal process:
HA1 link is used without encryption.
Entrust nShield HSM Client Software Upgrade
August 2025
Entrust nShield hardware security modules (HSMs) integrate
with Next-Generation Firewalls to securely generate and store master keys and
private keys. As the nShield client-side software for PAN-OS® 11.2 and earlier
versions approaches its end-of-support date, organizations face compliance and
service continuity issues. To address these issues, PAN-OS 12.1 upgrades the legacy
Security World software to version 13.6.3. Security World 13.6.3 ensures FIPS 140-3
compliance and is compatible with both older and newer nShield HSM models integrated
with Palo Alto Networks. This compatibility ensures that nShield HSM operations
remain uninterrupted and modernizes your HSM infrastructure through security and
functionality enhancements.
PAN-OS System Certificates
August 2025
Gaining comprehensive visibility into all internal firewall certificates can be a
challenge, often requiring manual checks across various system components and
increasing the risk of human error. The Firewall Web Interface addresses this by
displaying a centralized list of all internal Palo Alto Networks® certificates under
Device > Certificate Management > Certificates > PAN-OS System Certificates.
This new feature provides a single, unified location for managing critical assets.
You can easily review certificate details, check expiration dates, and track the
overall status of system certificates without navigating to multiple sections of the
firewall. By consolidating this information, this feature reduces the time and
effort needed for audits and compliance checks.
Along with these enhancements, new cryptographic dynamic updates ensure that your
Certificate Authority Trust Store and PAN-issued certificates remain up to date.
Quantum-Resistant TLSv1.3 for the Management Plane
August 2025
Future quantum computers will break today's encryption. Adversaries are
taking advantage by stealing encrypted data today to decrypt once a
cryptographically relevant quantum computer (CRQC) is available. This "Harvest Now,
Decrypt Later" strategy requires a proactive response. Management connections are
prime targets for adversaries because the encrypted traffic contains sensitive,
long-lived data such as login credentials and configuration details. To defend
against the quantum computing threat, PAN-OS® 12.1 now
supports post-quantum cryptography (PQC) for administrative access to
Next-Generation Firewalls (NGFWs) and Panorama®. This feature protects TLSv1.3
management connections using quantum-resistant algorithms standardized by the
National Institute of Standards and Technology (NIST).
SSL/TLS service profiles now offer ML-KEM
(Module-Lattice-based Key-Encapsulation Mechanism), the post-quantum key exchange
algorithm specified in FIPS 203. The NGFW or Panorama ensures
interoperability by automatically negotiating a supported classical algorithm if a
web browser doesn't support PQC. You can also enable hybrid post-quantum key
exchange, which combines a classical algorithm like ECDH with a post-quantum
algorithm to generate a shared key. Hybrid key exchange secures your organization
from attacks by today's classical computers and future CRQCs. These capabilities
prevent disruption to critical operations and ease your transition to PQC.
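The hybrid key exchange described above, as an added example that is not PAN-OS or Palo Alto Networks code: it uses Go's standard-library X25519 and ML-KEM-768 (crypto/ecdh and crypto/mlkem, Go 1.24 or later) to run one client/server exchange and mixes the two shared secrets with an HMAC-SHA256 extract step. The combine label, the simplified message layout and the single-function flow are assumptions of this demo; the firewall's real management-plane connection uses the TLS 1.3 key schedule.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
)

// combine mixes both shared secrets (HKDF-Extract with a fixed demo label as salt):
// an attacker must break BOTH X25519 and ML-KEM-768 to recover the output.
func combine(ecdhSS, mlkemSS []byte) []byte {
	mac := hmac.New(sha256.New, []byte("hybrid-x25519-mlkem768-demo"))
	mac.Write(ecdhSS)
	mac.Write(mlkemSS)
	return mac.Sum(nil)
}

// hybridExchange: the client (an admin's browser) sends X25519 pub + ML-KEM-768 encapsulation key; the server (management plane) replies with X25519 pub + ML-KEM ciphertext.
func hybridExchange() (clientSecret, serverSecret []byte, err error) {
	cEcdh, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	cKem, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, nil, err
	}
	// Server side: its own X25519 key, ECDH with the client key, encapsulate to the client's ML-KEM key.
	sEcdh, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	sEcdhSS, err := sEcdh.ECDH(cEcdh.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	sKemSS, ciphertext := cKem.EncapsulationKey().Encapsulate()
	serverSecret = combine(sEcdhSS, sKemSS)
	// Client side: finish ECDH with the server key and decapsulate the ciphertext.
	cEcdhSS, err := cEcdh.ECDH(sEcdh.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	cKemSS, err := cKem.Decapsulate(ciphertext)
	if err != nil {
		return nil, nil, err
	}
	return combine(cEcdhSS, cKemSS), serverSecret, nil
}
```

Both sides derive the same 32-byte secret, and the ML-KEM ciphertext on the wire reveals nothing an attacker could use without the client's decapsulation key.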
You can also generate certificates using the
NIST-approved digital signatures: ML-DSA (Module-Lattice-based Digital Signature
Algorithm) and SLH-DSA (Stateless Hash-based Digital Signature Algorithm). These
algorithms are specified in FIPS 204 and FIPS 205, respectively. PQC certificates are
for testing only while industry standards are under development.