PAN-OS 11.2 IKE and Web Certificate Cipher Suites

The following table lists cipher suites for Internet Key Exchange (IKE) and PAN-OS® web certificates that are supported on firewalls running a PAN-OS 11.2 release in normal (non-FIPS-CC) operational mode.
If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.2 Cipher Suites Supported in FIPS-CC Mode.
Feature or Function
Ciphers Supported in PAN-OS 11.2 Releases
IKE—Post-Quantum Cryptographic Suites (PQCs)
  • ML-KEM—512-bit, 768-bit, and 1024-bit keys
  • HQC—128-bit, 192-bit, and 256-bit keys
  • BIKE—bike-L1, bike-L3, and bike-L5
  • Classic McEliece—348,864-bit and 348,864f-bit
  • FrodoKEM:
    • 640-AES, 976-AES, and 1344-AES
    • 640-SHAKE, 976-SHAKE, and 1344-SHAKE
  • NTRU-Prime—sntrup761
IKE Certificate Support
  • RSA
    • Keys—512-bit, 1024-bit, 2048-bit, and 3072-bit keys
    • Digital signature algorithms—SHA-1, SHA-256, SHA-384, or SHA-512
  • ECDSA
    • Keys—256-bit and 384-bit keys
    • Digital signature algorithms—SHA-256, SHA-384, or SHA-512
IKE—Encryption
  • 3DES
  • AES-128-CBC
  • AES-192-CBC
  • AES-256-CBC
Starting with PAN-OS 10.0.3:
  • AES-128-GCM
  • AES-256-GCM
IKE—Message Authentication
  • HMAC-MD5
  • HMAC-SHA-1
  • HMAC-SHA-256
  • HMAC-SHA-384
  • HMAC-SHA-512
IKE—Key Exchange
Diffie-Hellman groups
  • Group 1 (768-bit keys)
  • Group 2 (1024-bit keys)
  • Group 5 (1536-bit keys)
  • Group 14 (2048-bit keys)
  • Group 15 (3072-bit modular exponential group)
  • Group 16 (4096-bit modular exponential group)
  • Group 19 (256-bit elliptic curve group)
  • Group 20 (384-bit elliptic curve group)
  • Group 21 (512-bit random elliptic curve group)
PAN-OS Web Certificates
  • RSA
    • Keys—2048-bit, 3072-bit, and 4096-bit keys
    • Digital signature algorithms—SHA-256, SHA-384, or SHA-512
  • ECDSA
    • Keys—256-bit and 384-bit keys
    • Digital signature algorithms—SHA-256, SHA-384, or SHA-512