Network Security
PAN-OS 10.1 and Later & Prisma Access (Panorama Managed)
Define IKE Crypto Profiles (PAN-OS 10.1 and Later & Prisma Access (Panorama Managed))
- Create a new IKE Crypto profile.
  - Select Network > Network Profiles > IKE Crypto and click Add.
  - Enter a Name for the new profile.
- Specify the Diffie-Hellman (DH) Group for key exchange and the Authentication and Encryption algorithms. Click Add in the corresponding sections (DH Group, Authentication, and Encryption) and select from the menus. If you aren't certain which groups or algorithms the VPN peers support, add several in order from most to least secure; the peers negotiate the strongest group or algorithm they both support to establish the tunnel.
  - DH Group—
    - (PAN-OS 10.2.0 and later releases) group21 (on IKEv2 only mode)
    - group20
    - (PAN-OS 10.2.0 and later releases) group16 (on IKEv2 only mode)
    - (PAN-OS 10.2.0 and later releases) group15 (on IKEv2 only mode)
    - group19
    - group14
    - group5
    - group2
    - group1
  - Authentication—
    - sha512
    - sha384
    - sha256
    - sha1
    - md5
    - (PAN-OS 10.0.3 and later releases) non-auth
    If you select an AES-GCM algorithm for encryption, you must set Authentication to non-auth or the commit will fail. The hash is then selected automatically based on the DH Group: DH Group 19 and below uses sha256; DH Group 20 uses sha384.
  - Encryption—
    - (PAN-OS 10.0.3 and later releases) aes-256-gcm (requires IKEv2; DH Group should be set to group20)
    - (PAN-OS 10.0.3 and later releases) aes-128-gcm (requires IKEv2 and DH Group set to group19)
    - aes-256-cbc
    - aes-192-cbc
    - aes-128-cbc
    - 3des
    - (PAN-OS 10.1.0 and earlier releases) des
  Choose the strongest authentication and encryption algorithms that the peer can support. For the authentication algorithm, use SHA-256 or higher (SHA-384 or higher is preferred for long-lived transactions). Don't use SHA-1 or MD5. For the encryption algorithm, use AES; DES and 3DES are weak and vulnerable. AES in Galois/Counter Mode (AES-GCM) provides the strongest security and has built-in authentication, so you must set Authentication to non-auth if you select aes-256-gcm or aes-128-gcm encryption.
- Specify the duration for which the key is valid and the reauthentication interval. For details, see SA Key Lifetime and Re-Authentication Interval.
  - In the Key Lifetime fields, specify the period (in seconds, minutes, hours, or days) for which the key is valid (range is 3 minutes to 365 days; default is 8 hours). When the key expires, the firewall renegotiates a new key. A lifetime is the period between each renegotiation.
  - For the IKEv2 Authentication Multiple, specify a value (range is 0-50; default is 0) that is multiplied by the Key Lifetime to determine the authentication count. The default value of zero disables the reauthentication feature.
- Commit your IKE Crypto profile. Click OK and click Commit.
- Attach the IKE Crypto profile to the IKE Gateway configuration.
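The constraints this procedure states (non-auth is mandatory with AES-GCM or the commit fails, each GCM cipher's required DH group and IKEv2, the IKEv2-only DH groups, the lifetime and multiple ranges, and the weak algorithms to avoid) can be checked before you commit. The following is an added example, not Palo Alto Networks code; the profile fields, lint_profile and the ikev2_only flag are assumptions of the example, not PAN-OS names.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constraints transcribed from the procedure above; the field names,
# lint_profile and the ikev2_only flag are this example's assumptions.
IKEV2_ONLY_DH = {"group21", "group16", "group15"}
WEAK_HASH, WEAK_ENC = {"sha1", "md5"}, {"des", "3des"}
GCM_DH = {"aes-256-gcm": "group20", "aes-128-gcm": "group19"}
MIN_LIFETIME, MAX_LIFETIME = 3 * 60, 365 * 24 * 3600  # seconds


@dataclass
class IkeCryptoProfile:
    name: str
    dh_groups: List[str]
    hashes: List[str]                 # Authentication setting(s)
    encryption: List[str]
    lifetime_seconds: int = 8 * 3600  # default is 8 hours
    auth_multiple: int = 0            # 0 disables reauthentication
    ikev2_only: bool = False          # gateway runs in IKEv2 only mode


def lint_profile(p: IkeCryptoProfile) -> Tuple[List[str], List[str]]:
    """Errors fail the commit or cannot negotiate; warnings are weak choices."""
    errors, warnings = [], []
    gcm = [e for e in p.encryption if e in GCM_DH]
    if gcm and "non-auth" not in p.hashes:
        errors.append("AES-GCM requires Authentication non-auth (commit fails)")
    if gcm and not p.ikev2_only:
        errors.append("AES-GCM requires IKEv2")
    for e in gcm:
        if GCM_DH[e] not in p.dh_groups:
            errors.append(f"{e} requires DH Group {GCM_DH[e]}")
    for g in p.dh_groups:
        if g in IKEV2_ONLY_DH and not p.ikev2_only:
            errors.append(f"{g} is available in IKEv2 only mode")
    if not MIN_LIFETIME <= p.lifetime_seconds <= MAX_LIFETIME:
        errors.append("Key Lifetime must be between 3 minutes and 365 days")
    if not 0 <= p.auth_multiple <= 50:
        errors.append("IKEv2 Authentication Multiple must be 0-50")
    warnings += [f"weak hash {h}" for h in p.hashes if h in WEAK_HASH]
    warnings += [f"weak cipher {e}" for e in p.encryption if e in WEAK_ENC]
    return errors, warnings


def reauth_interval_seconds(p: IkeCryptoProfile) -> int:
    """IKEv2 Authentication Multiple x Key Lifetime; 0 means disabled."""
    return p.auth_multiple * p.lifetime_seconds
```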