Master Key Encryption on a Firewall HA Pair
High availability firewall pair master key encryption.
To use the AES-256-GCM encryption level on a firewall high availability (HA) pair, both firewalls must run PAN-OS 10.0 or a later release so that both firewalls support AES-256-GCM. If either firewall in the HA pair runs a release earlier than PAN-OS 10.0, you cannot use AES-256-GCM. When both firewalls run PAN-OS 10.0 or a later release, both firewalls can decode AES-256-CBC or AES-256-GCM encryption keys, so they can use either encryption level. However, both firewalls should use the same encryption level to avoid the possibility of the pair becoming out of sync.

Palo Alto Networks recommends using AES-256-GCM (level 2) for master key encryption.

Use AES-256-GCM encryption on both firewalls in the HA pair. Whether you use AES-256-GCM or AES-256-CBC, use the same algorithm on both firewalls.

You do not need to disable HA to change the encryption level on a firewall in an HA pair in which both firewalls run PAN-OS 10.0.
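The rules above (AES-256-GCM requires PAN-OS 10.0 or later on both peers, both peers should use the same level, and AES-256-GCM is the recommended level) can be turned into a pre-change check. The following is an added example, not Palo Alto Networks code or a PAN-OS API: the `HaPeer` record, its field names, and the version and encryption-level strings are assumptions that you would fill in from what each firewall reports.

```python
import re
from typing import List, NamedTuple, Tuple

# Assumed data model (not a PAN-OS API): the values a practitioner reads
# off each HA peer before changing the master key encryption level.
class HaPeer(NamedTuple):
    name: str
    panos_version: str          # e.g. "10.1.3" or "9.1.11-h2"
    master_key_encryption: str  # "AES-256-CBC" (level 1) or "AES-256-GCM" (level 2)


GCM = "AES-256-GCM"
CBC = "AES-256-CBC"
GCM_MIN_VERSION = (10, 0)  # AES-256-GCM needs PAN-OS 10.0 or later


def parse_version(version: str) -> Tuple[int, int]:
    """Return (major, minor) from a PAN-OS version string, ignoring
    maintenance and hotfix suffixes such as '.4' or '-h2'."""
    nums = re.findall(r"\d+", version)
    if len(nums) < 2:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    return int(nums[0]), int(nums[1])


def supports_gcm(version: str) -> bool:
    """True when this release can use the AES-256-GCM encryption level."""
    return parse_version(version) >= GCM_MIN_VERSION


def check_ha_master_key(peer_a: HaPeer, peer_b: HaPeer) -> List[str]:
    """Return a list of findings for the pair; an empty list means the
    configuration follows the guidance on this page."""
    findings: List[str] = []
    peers = (peer_a, peer_b)

    for p in peers:
        if p.master_key_encryption not in (GCM, CBC):
            findings.append(
                f"{p.name}: unknown master key encryption level "
                f"{p.master_key_encryption!r}"
            )

    # Rule 1: AES-256-GCM is only usable when BOTH peers run 10.0 or later.
    legacy = [p.name for p in peers if not supports_gcm(p.panos_version)]
    using_gcm = [p.name for p in peers if p.master_key_encryption == GCM]
    if legacy and using_gcm:
        findings.append(
            f"AES-256-GCM is configured on {', '.join(using_gcm)} but "
            f"{', '.join(legacy)} runs a release earlier than PAN-OS 10.0; "
            "the pair cannot use AES-256-GCM"
        )

    # Rule 2: both peers must use the same level to avoid going out of sync.
    if peer_a.master_key_encryption != peer_b.master_key_encryption:
        findings.append(
            f"encryption levels differ ({peer_a.name}: "
            f"{peer_a.master_key_encryption}, {peer_b.name}: "
            f"{peer_b.master_key_encryption}); the peers may fall out of sync"
        )
    # Rule 3: when both peers could use GCM, CBC is a recommendation miss.
    elif peer_a.master_key_encryption == CBC and not legacy:
        findings.append(
            "both peers run PAN-OS 10.0 or later but use AES-256-CBC; "
            "AES-256-GCM (level 2) is recommended"
        )

    return findings


if __name__ == "__main__":
    # Constructed sample pair: one peer upgraded to 10.x and switched to
    # GCM, the other still on 9.1 with CBC.
    a = HaPeer("fw-a", "10.0.4-h2", GCM)
    b = HaPeer("fw-b", "9.1.11", CBC)
    for line in check_ha_master_key(a, b) or ["OK: pair follows the guidance"]:
        print(line)
```

Run the check against both peers before changing the level on either one; a non-empty result tells you which rule the planned state would break and which peer is the reason.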