To use the AES-256-GCM encryption level on a firewall
high availability (HA) pair, both firewalls must run PAN-OS 10.0
so that both firewalls support AES-256-GCM. If either firewall in
the HA pair runs an earlier version than PAN-OS 10.0, you can’t
use AES-256-GCM. When both firewalls are on PAN-OS 10.0, both firewalls
can decode AES-256-CBC or AES-256-GCM encryption keys, so they can use
the either encryption level. However, both firewalls should use
the same encryption level to avoid the possibility of becoming out
of sync.