The default encryption algorithm that the master key uses to
encrypt data is AES-256-CBC—the same algorithm that the master key
used prior to PAN-OS 10.0. AES-256-CBC is the default encryption
level because when you manage firewalls with Panorama, the managed
firewalls may be on different PAN-OS releases, and firewalls on
PAN-OS releases earlier than PAN-OS 10.0 do not support AES-256-GCM.
For this reason, Panorama must use the lowest encryption level
supported among its managed devices. For example, if some managed devices run
PAN-OS 10.0 and some run earlier versions, Panorama must use AES-256-CBC.
However, if all managed devices run PAN-OS 10.0 or later, then Panorama
and all of its managed devices can use AES-256-GCM.
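
The following is an added example, not part of the original documentation or any Palo Alto Networks tooling: a pre-change check that applies the rule above to a device inventory and lists which devices still force AES-256-CBC. The inventory format, hostnames, and the assumption that version strings look like `10.1.6-h3` are illustrative.

```python
import re

GCM_MIN = (10, 0)  # per the text: releases earlier than PAN-OS 10.0 lack AES-256-GCM

def parse_panos_version(text):
    """Return (major, minor) from strings such as '10.1.6-h3', or None if unparseable."""
    # Assumed format: major.minor[.maintenance][-hotfix]
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.\d+)?(?:-[A-Za-z0-9.]+)?\s*$", text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def master_key_algorithm(inventory):
    """Pick the algorithm Panorama can use for a fleet.

    inventory: iterable of (hostname, sw_version) pairs.
    Returns (algorithm, blockers); blockers are the devices forcing AES-256-CBC.
    Devices with an unreadable version count as blockers (fail safe).
    """
    blockers = []
    for host, version in inventory:
        parsed = parse_panos_version(version)
        if parsed is None or parsed < GCM_MIN:
            blockers.append((host, version))
    algorithm = "AES-256-CBC" if blockers else "AES-256-GCM"
    return algorithm, blockers

# Constructed sample inventories (hostnames and versions are made up).
MIXED_FLEET = [
    ("fw-branch-01", "9.1.14-h4"),
    ("fw-dc-01", "10.1.6"),
    ("fw-dc-02", "10.0.0"),
    ("fw-lab-01", "unknown"),
]
UPGRADED_FLEET = [
    ("fw-dc-01", "10.1.6"),
    ("fw-dc-02", "10.0.0"),
    ("fw-edge-01", "11.0.2-h1"),
]

if __name__ == "__main__":
    for name, fleet in (("mixed", MIXED_FLEET), ("upgraded", UPGRADED_FLEET)):
        algo, blockers = master_key_algorithm(fleet)
        print(f"{name}: {algo}")
        for host, version in blockers:
            print(f"  blocks GCM: {host} ({version})")
```
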

When you change the encryption algorithm to AES-256-GCM, devices
use it instead of AES-256-CBC to encrypt sensitive data. When you
change from one algorithm to another, you can also specify whether
to: