To use the AES-256-GCM encryption level on a firewall high availability (HA) pair, both firewalls
must run PAN-OS 10.0 or a later release so that both firewalls support AES-256-GCM. If
either firewall in the HA pair runs a version earlier than PAN-OS 10.0, you can’t use
AES-256-GCM. When both firewalls are on PAN-OS 10.0 or later, both firewalls can decode
AES-256-CBC or AES-256-GCM encryption keys, so they can use either encryption level.
However, both firewalls should use the same encryption level to avoid the possibility of
becoming out of sync.