PAN-OS 10.1 Cipher Suites Supported in FIPS-CC Mode

List of cipher suites supported on firewalls running PAN-OS® 10.1 in FIPS-CC mode.
The following table lists cipher suites that are supported on firewalls running a PAN-OS® 10.1 release in FIPS-CC mode. The Cryptographic Algorithm Validation Program has additional details regarding the algorithm implementation.
If your firewall is running in normal (non-FIPS-CC) operational mode, see Cipher Suites Supported in PAN-OS 10.1.

| Functions | Standards | Certificates |
| --- | --- | --- |
| **Asymmetric key generation** | | |
| FFC key pair generation (key size 2048 bits) | FIPS PUB 186-4 | Appliances: #A2137; VMs: #A2244 |
| ECC key pair generation (NIST curves P-256, P-384) | FIPS PUB 186-4 | Appliances: #A2137; VMs: #A2244 |
| RSA key generation (2048 bits or greater) | FIPS PUB 186-4 | Appliances: #A2137; VMs: #A2244 |
| **Cryptographic Key Generation (for IKE Peer Authentication)** | | |
| RSA key generation (2048 bits or greater) | FIPS PUB 186-4 | Appliances: #A2137; VMs: #A2244 |
| ECDSA key pair generation (NIST curves P-256, P-384) | FIPS PUB 186-4 | Appliances: #A2137; VMs: #A2244 |
| **Cryptographic Key Establishment** | | |
| ECDSA-based key establishment | NIST SP 800-56A Revision 3 | Appliances: #A2137; VMs: #A2244 |
| FFC-based key establishment | NIST SP 800-56A Revision 3 | Appliances: #A2137; VMs: #A2244 |
| **AES Data Encryption/Decryption** | | |
| AES CTR 128/192/256; AES CBC 128/192/256; AES GCM 128/256; AES CCM 128 | AES as specified in ISO 18033-3; CBC/CTR as specified in ISO 10116; GCM as specified in ISO 19772; NIST SP 800-38A/C/D/F; FIPS PUB 197 | Appliances: #A2137; VMs: #A2244 |
| **Signature Generation and Verification** | | |
| RSA Digital Signature Algorithm (rDSA) (2048 bits or greater) | FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 5.5, using PKCS #1 v2.1 Signature Schemes RSASSA-PSS and/or RSASSA-PKCS1-v1_5; ISO/IEC 9796-2, Digital signature scheme 2 or Digital Signature scheme 3 | Appliances: #A2137; VMs: #A2244 |
| ECDSA (NIST curves P-256, P-384, and P-521) | FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 6 and Appendix D, Implementing "NIST curves" P-256, P-384, P-521; ISO/IEC 14888-3, Section 6.4 | Appliances: #A2137; VMs: #A2244 |
| **Cryptographic hashing** | | |
| SHA-1, SHA-256, SHA-384 and SHA-512 (digest sizes 160, 256, 384 and 512 bits) | ISO/IEC 10118-3:2004; FIPS PUB 180-4 | Appliances: #A2137; VMs: #A2244 |
| **Keyed-hash message authentication** | | |
| HMAC-SHA-1; HMAC-SHA-256; HMAC-SHA-384; HMAC-SHA-512 | ISO/IEC 9797-2:2011; FIPS PUB 198-1 | Appliances: #A2137; VMs: #A2244 |
| **Random bit generation** | | |
| CTR_DRBG (AES-256) | ISO/IEC 18031:2011; NIST SP 800-90A | Appliances: #A2137; VMs: #A2244 |