Wednesday, 24 May 2017

PAN-OS Supported ciphers

The following is a list of supported ciphers for PAN-OS 7.1 and later:

  • SSLv3 Ciphers Supported (No change from PAN-OS 7.0)
Non-FIPS mode
TLS-RSA-WITH-RC4-128-MD5
TLS-RSA-WITH-RC4-128-SHA
TLS-RSA-WITH-3DES-EDE-CBC-SHA

FIPS mode
SSLv3 is disabled in FIPS mode

  • TLS 1.0 & TLS 1.1 Ciphers Supported (bold items are new starting from PAN-OS 7.1):
Non-FIPS mode
TLS-RSA-WITH-RC4-128-MD5
TLS-RSA-WITH-RC4-128-SHA
TLS-RSA-WITH-3DES-EDE-CBC-SHA
TLS-RSA-WITH-AES-128-CBC-SHA
TLS-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA (in openssl, it is EDH-RSA-DES-CBC3-SHA)
TLS-DHE-RSA-WITH-AES-128-CBC-SHA
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA

FIPS mode
TLS-RSA-WITH-AES-128-CBC-SHA
TLS-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-AES-128-CBC-SHA
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA

  • TLS 1.2 Ciphers Supported (bold items are new starting from PAN-OS 7.1):
Non-FIPS mode
TLS-RSA-WITH-AES-128-CBC-SHA256
TLS-RSA-WITH-AES-256-CBC-SHA256
TLS-RSA-WITH-AES-128-GCM-SHA256
TLS-RSA-WITH-AES-256-GCM-SHA384
TLS-RSA-WITH-AES-128-CBC-SHA
TLS-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-AES-128-CBC-SHA
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA256
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 (From PAN-OS 8.0)
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 (From PAN-OS 8.0)

FIPS mode
TLS-RSA-WITH-AES-128-CBC-SHA256
TLS-RSA-WITH-AES-256-CBC-SHA256
TLS-RSA-WITH-AES-128-GCM-SHA256
TLS-RSA-WITH-AES-256-GCM-SHA384
TLS-RSA-WITH-AES-128-CBC-SHA
TLS-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-AES-128-CBC-SHA
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA256
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 (From PAN-OS 8.0)
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 (From PAN-OS 8.0)


Supported curves
   NID_sect163k1
   NID_sect163r1
   NID_sect163r2
   NID_sect193r1
   NID_sect193r2
   NID_sect233k1
   NID_sect233r1
   NID_sect239k1
   NID_sect283k1
   NID_sect283r1
   NID_sect409k1
   NID_sect409r1

Limitation:
   For ECDHE, only named curves are supported.
   For the ECDHE EC_point format, only uncompressed is supported.


Starting from PAN-OS 7.1, SSLv3 is no longer supported for Web GUI access. The currently supported ciphers for Web access are listed below:

| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_SEED_CBC_SHA - strong

| TLSv1.1:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_SEED_CBC_SHA - strong

| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_SEED_CBC_SHA - strong
