The following ciphers are supported in PAN-OS 7.1 and later:
- SSLv3 Ciphers Supported (No change from PAN-OS 7.0)
Non-FIPS mode
TLS-RSA-WITH-RC4-128-MD5
TLS-RSA-WITH-RC4-128-SHA
TLS-RSA-WITH-3DES-EDE-CBC-SHA
FIPS mode
SSLv3 is disabled in FIPS mode
- TLS 1.0 & TLS 1.1 Ciphers Supported (bold items are new starting from PAN-OS 7.1):
Non-FIPS mode
TLS-RSA-WITH-RC4-128-MD5
TLS-RSA-WITH-RC4-128-SHA
TLS-RSA-WITH-3DES-EDE-CBC-SHA
TLS-RSA-WITH-AES-128-CBC-SHA
TLS-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA (in OpenSSL, this is EDH-RSA-DES-CBC3-SHA)
TLS-DHE-RSA-WITH-AES-128-CBC-SHA
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
FIPS mode
TLS-RSA-WITH-AES-128-CBC-SHA
TLS-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-AES-128-CBC-SHA
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
- TLS 1.2 Ciphers Supported (bold items are new starting from PAN-OS 7.1):
Non-FIPS mode
TLS-RSA-WITH-AES-128-CBC-SHA256
TLS-RSA-WITH-AES-256-CBC-SHA256
TLS-RSA-WITH-AES-128-GCM-SHA256
TLS-RSA-WITH-AES-256-GCM-SHA384
TLS-RSA-WITH-AES-128-CBC-SHA
TLS-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-AES-128-CBC-SHA
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA256
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 (From PAN-OS 8.0)
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 (From PAN-OS 8.0)
FIPS mode
TLS-RSA-WITH-AES-128-CBC-SHA256
TLS-RSA-WITH-AES-256-CBC-SHA256
TLS-RSA-WITH-AES-128-GCM-SHA256
TLS-RSA-WITH-AES-256-GCM-SHA384
TLS-RSA-WITH-AES-128-CBC-SHA
TLS-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-AES-128-CBC-SHA
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA256
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 (From PAN-OS 8.0)
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 (From PAN-OS 8.0)
Supported curves
NID_sect163k1
NID_sect163r1
NID_sect163r2
NID_sect193r1
NID_sect193r2
NID_sect233k1
NID_sect233r1
NID_sect239k1
NID_sect283k1
NID_sect283r1
NID_sect409k1
NID_sect409r1
Limitations:
For ECDHE, only named curves are supported.
For the ECDHE EC_point format, only uncompressed is supported.
Starting from PAN-OS 7.1, SSLv3 is no longer supported for Web GUI access. The ciphers currently supported for Web Access are listed below:
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_SEED_CBC_SHA - strong
| TLSv1.1:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_SEED_CBC_SHA - strong
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_SEED_CBC_SHA - strong