PAN-OS 11.1 IPSec Cipher Suites

Table of Contents

PAN-OS 11.1 IKE and Web Certificate Cipher Suites

PAN-OS 11.1 IPSec Cipher Suites

List of cipher suites supported for IPSec on firewalls running PAN-OS® 11.1 in normal operation mode.

The following table lists the cipher suites for IPSec that are supported on firewalls running a PAN-OS® 11.1 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.1 Cipher Suites Supported in FIPS-CC Mode.

IPSec—Encryption
IPSec—Message Authentication
IPSec—Key Exchange

Feature or Function	Ciphers Supported in PAN-OS 11.1 Releases
IPSec—Encryption	NULL 3DES AES-128-CBC AES-192-CBC AES-256-CBC AES-128-CCM AES-128-GCM AES-256-GCM
IPSec—Message Authentication	NONE HMAC-MD5 HMAC-SHA-1 HMAC-SHA-256 HMAC-SHA-384 HMAC-SHA-512
IPSec—Key Exchange	Diffie-Hellman groups with or without perfect forward secrecy (PFS): No PFS—This option specifies that the firewall reuses the same key for IKE phase 1 and phase 2 instead of renewing the key for phase 2. Group 1 (768-bit keys) with PFS enabled Group 2 (1024-bit keys) with PFS enabled Group 5 (1536-bit keys) with PFS enabled Group 14 (2048-bit keys) with PFS enabled Group 15 (3072-bit modular exponential group) Group 16 (4096-bit modular exponential group) Group 19 (256-bit elliptic curve group) with PFS enabled Group 20 (384-bit elliptic curve group) with PFS enabled Group 21 (512-bit random elliptic curve group)

PAN-OS 11.1 GlobalProtect Cipher Suites

PAN-OS 11.1 IKE and Web Certificate Cipher Suites

Compatability Matrix

PAN-OS 11.1 IPSec Cipher Suites

Compatability Matrix

PAN-OS 11.1 IPSec Cipher Suites

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Best Practices

Experts Corner