The default encryption algorithm that the master key uses to encrypt data is AES-256-CBC—the same
algorithm that the master key used prior to PAN-OS 10.0. AES-256-CBC is the default
encryption level because when you manage firewalls with Panorama, the managed firewalls
may be on different PAN-OS releases, and firewalls on PAN-OS releases earlier than
PAN-OS 10.0 do not support AES-256-GCM. This is why Panorama must use the lowest level
of encryption that its managed devices can use. For example, if some managed devices run
PAN-OS 10.0 and some run earlier versions, Panorama must use AES-256-CBC. However, if
all managed devices run PAN-OS 10.0 or later, then Panorama and all of its managed
devices can use AES-256-GCM.
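
The rule above, written as a pre-change check over a device inventory; this is an added example, not code from Palo Alto Networks. The inventory, hostnames and function names are constructed, and how you export the version list from Panorama is left as an assumption.

```python
import re

# Per the text above: releases earlier than PAN-OS 10.0 do not support AES-256-GCM.
GCM_MIN_RELEASE = (10, 0)

# Accepts forms such as "10.0.3" or "9.1.14-h4" (hotfix suffix is ignored).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.\d+)?(?:-\S+)?$")


def parse_release(sw_version):
    """Return (major, minor) as integers, or None if the string is not a version."""
    m = _VERSION_RE.match(sw_version.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def choose_algorithm(inventory):
    """inventory: iterable of (hostname, sw_version), Panorama itself included.

    Returns (algorithm, blockers), where blockers are the devices that
    force the whole deployment to stay on AES-256-CBC.
    """
    blockers = []
    for host, version in inventory:
        release = parse_release(version)
        # Compare integer tuples, not strings: "9.1" sorts after "10.0" as text.
        # An unparseable version counts as a blocker, so the check fails toward CBC.
        if release is None or release < GCM_MIN_RELEASE:
            blockers.append((host, version))
    return ("AES-256-CBC" if blockers else "AES-256-GCM"), blockers


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    ("panorama-01", "10.1.6"),
    ("fw-dc-01", "10.0.3"),
    ("fw-branch-02", "9.1.14-h4"),
    ("fw-branch-03", "10.2.4-h2"),
]

if __name__ == "__main__":
    algorithm, blockers = choose_algorithm(SAMPLE_INVENTORY)
    print("Usable algorithm:", algorithm)
    for host, version in blockers:
        print(f"  blocks AES-256-GCM: {host} ({version})")
```
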

When you change the encryption algorithm to AES-256-GCM, devices
use it instead of AES-256-CBC to encrypt sensitive data. When you
change from one algorithm to another, you can also specify whether
to: