High availability firewall pair master key encryption.
To use the AES-256-GCM encryption level on a firewall
high availability (HA) pair, both firewalls must run PAN-OS 10.0
so that both firewalls support AES-256-GCM. If either firewall in
the HA pair runs an earlier version than PAN-OS 10.0, you can’t
use AES-256-GCM. When both firewalls are on PAN-OS 10.0, both firewalls
can decode AES-256-CBC or AES-256-GCM encryption keys, so they can use
either encryption level. However, both firewalls should use
the same encryption level to avoid the possibility of becoming out
Use AES-256-GCM encryption on both firewalls
in the HA pair. Whether you use AES-256-GCM or AES-256-CBC, use
the same algorithm on both firewalls.
You do not need to disable HA to change the encryption level
on a firewall in an HA pair in which both firewalls run PAN-OS 10.0.