To use the AES-256-GCM encryption level on a firewall high availability (HA) pair, both firewalls must run PAN-OS 10.0 so that both firewalls support AES-256-GCM. If either firewall in the HA pair runs an earlier version than PAN-OS 10.0, you can’t use AES-256-GCM. When both firewalls are on PAN-OS 10.0, both firewalls can decode AES-256-CBC or AES-256-GCM encryption keys, so they can use the either encryption level. However, both firewalls should use the same encryption level to avoid the possibility of becoming out of sync.

You do not need to disable HA to change the encryption level on a firewall in an HA pair in which both firewalls run PAN-OS 10.0.