>
    PAN-OS 11.2 IKE and Web Certificate Cipher Suites
    Focus
    Download PDF
    Focus
    1. Home
    2. Compatibility Matrix
    3. Supported Cipher Suites
    4. Cipher Suites Supported in PAN-OS 11.2
    5. PAN-OS 11.2 IKE and Web Certificate Cipher Suites
    Download PDF
    Compatibility Matrix

    PAN-OS 11.2 IKE and Web Certificate Cipher Suites

    Table of Contents

    PAN-OS 11.2 IKE and Web Certificate Cipher Suites

    List of cipher suites supported for Internet Key Exchange (IKE) and PAN-OS® web certificates on firewalls running PAN-OS 11.2 in normal operation mode.
    The following table lists cipher suites for Internet Key Exchange (IKE) and PAN-OS® web certificates that are supported on firewalls running a PAN-OS 11.2 release in normal (non-FIPS-CC) operational mode.
    If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.2 Cipher Suites Supported in FIPS-CC Mode.
    Feature or Function
    Ciphers Supported in PAN-OS 11.2 Releases
    IKE—Post-Quantum Cryptographic Suites (PQCs)
    • ML-KEM—512-bit, 768-bit, and 1024-bit keys
    • HQC—128-bit, 192-bit, and 256-bit keys
    • BIKE—bike-L1, bike-L3, & bike-L5
    • Classic McEliece—348,864-bit and 348,864f-bit
    • FrodoKEM:
      • 640-AES, 976-AES, and 1344-AES
      • 640-SHAKE, 976-SHAKE, and 1344-SHAKE
    • NTRU-Prime—sntrup761
    IKE Certificate Support
    • RSA
      • Keys—512-bit, 1024-bit, 2048-bit, and 3072-bit keys
      • Digital signature algorithms—SHA-1, SHA-256, SHA-384, or SHA-512
    • ECDSA
      • Keys—256-bit and 384-bit keys
      • Digital signature algorithms—SHA-256, SHA-384, or SHA-512
    IKE—Encryption
    • 3DES
    • AES-128-CBC
    • AES-192-CBC
    • AES-256-CBC
    Starting with PAN-OS 10.0.3:
    • AES-128-GCM
    • AES-256-GCM
    IKE—Message Authentication
    • HMAC-MD5
    • HMAC-SHA-1
    • HMAC-SHA-256
    • HMAC-SHA-384
    • HMAC-SHA-512
    IKE—Key Exchange
    Diffie-Hellman groups
    • Group 1 (768-bit keys)
    • Group 2 (1024-bit keys)
    • Group 5 (1536-bit keys)
    • Group 14 (2048-bit keys)
    • Group 15 (3072-bit modular exponential group)
    • Group 16 (4096-bit modular exponential group)
    • Group 19 (256-bit elliptic curve group)
    • Group 20 (384-bit elliptic curve group)
    • Group 21 (512-bit random elliptic curve group)
    PAN-OS Web Certificates
    • RSA
      • Keys—2048-bit, 3072-bit, and 4096-bit keys
      • Digital signature algorithms—SHA-256, SHA-384, or SHA-512
    • ECDSA
      • Keys—256-bit and 384-bit keys
      • Digital signature algorithms—SHA-256, SHA-384, or SHA-512

    © 2024 Palo Alto Networks, Inc. All rights reserved.