Compatibility Matrix

Paloalto network compatibility matrix

Uploaded by

Vishal Kashyap
Palo Alto Networks Compatibility Matrix

docs.paloaltonetworks.com
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation


• For the most recent version of this guide or for access to related documentation, visit the Technical
Documentation portal docs.paloaltonetworks.com.
• To search for a specific topic, go to our search page docs.paloaltonetworks.com/search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at
[email protected].

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2016-2023 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at
www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be
trademarks of their respective companies.

Last Revised
July 7, 2023

Palo Alto Networks Compatibility Matrix 2 ©2023 Palo Alto Networks, Inc.
Table of Contents
Supported OS Releases by Model
  Palo Alto Networks Next-Generation Firewalls
  Palo Alto Networks Appliances
    WildFire Appliance Analysis Environment Support
  Palo Alto Networks PA-7000 Series Cards
  Palo Alto Networks PA-5450 Cards
  HA Port and Processor Support

VM-Series Firewalls
  VM-Series Firewall Hypervisor Support
    Private Cloud Deployments
    Public Cloud Deployments
    VM-Series Firewall for VMware Cloud on AWS
  PacketMMAP and DPDK Drivers on VM-Series Firewalls
    SR-IOV Access Mode
    PacketMMAP Driver Versions
    DPDK Driver Versions
  Partner Interoperability for VM-Series Firewalls
    Palo Alto Networks Certified Integrations
    Partner-Qualified Integrations
  VM-Series Plugin
    VM-Series Plugin 4.0.x
    VM-Series Plugin 3.0.x
    VM-Series Plugin 2.1.x
    VM-Series Plugin 2.0.x
    VM-Series Plugin 1.0.x
  AWS Regions
  Azure Regions
  Google Cloud Regions
  Alibaba Cloud Regions
  VM-Series Firewall Amazon Machine Images (AMI)
    PAN-OS Images for AWS GovCloud

CN-Series Firewalls
  CN-Series Supported Environments
  CN-Series Firewall Image and File Compatibility

Panorama
  Panorama Plugins

    Cisco ACI
    Cisco TrustSec
    Panorama CloudConnector Plugin (Formerly, AIOps Plugin for Panorama)
    Cloud Services
    Enterprise Data Loss Prevention (DLP)
    Panorama Interconnect
    IPS Signature Converter
    Kubernetes
    Clustering Plugin
    Nutanix
    OpenConfig (Firewall Only)
    Panorama Software Firewall License Plugin
    Public Cloud—AWS, Azure, and GCP
    SD-WAN
    VMware NSX
    VMware vCenter
    Zero Touch Provisioning (ZTP)
  Compatible Plugin Versions for PAN-OS 10.2
  Panorama Management Compatibility
  Panorama Hypervisor Support
  Device Certificate for a Palo Alto Networks Cloud Service

MFA Vendor Support
  MFA Vendor Support

Supported Cipher Suites
  Cloud Identity Engine Cipher Suites
  Cipher Suites Supported in PAN-OS 11.0
    PAN-OS 11.0 GlobalProtect Cipher Suites
    PAN-OS 11.0 IPSec Cipher Suites
    PAN-OS 11.0 IKE and Web Certificate Cipher Suites
    PAN-OS 11.0 Decryption Cipher Suites
    PAN-OS 11.0 Administrative Session Cipher Suites
    PAN-OS 11.0 HA1 SSH Cipher Suites
    PAN-OS 11.0 PAN-OS-to-Panorama Connection Cipher Suites
    PAN-OS 11.0 Cipher Suites Supported in FIPS-CC Mode
  Cipher Suites Supported in PAN-OS 10.2
    PAN-OS 10.2 GlobalProtect Cipher Suites
    PAN-OS 10.2 IPSec Cipher Suites
    PAN-OS 10.2 IKE and Web Certificate Cipher Suites

    PAN-OS 10.2 Decryption Cipher Suites
    PAN-OS 10.2 Administrative Session Cipher Suites
    PAN-OS 10.2 HA1 SSH Cipher Suites
    PAN-OS 10.2 PAN-OS-to-Panorama Connection Cipher Suites
    PAN-OS 10.2 Cipher Suites Supported in FIPS-CC Mode
  Cipher Suites Supported in PAN-OS 10.1
    PAN-OS 10.1 GlobalProtect Cipher Suites
    PAN-OS 10.1 IPSec Cipher Suites
    PAN-OS 10.1 IKE and Web Certificate Cipher Suites
    PAN-OS 10.1 Decryption Cipher Suites
    PAN-OS 10.1 Administrative Session Cipher Suites
    PAN-OS 10.1 HA1 SSH Cipher Suites
    PAN-OS 10.1 PAN-OS-to-Panorama Connection Cipher Suites
    PAN-OS 10.1 Cipher Suites Supported in FIPS-CC Mode
  Cipher Suites Supported in PAN-OS 9.1
    PAN-OS 9.1 GlobalProtect Cipher Suites
    PAN-OS 9.1 IPSec Cipher Suites
    PAN-OS 9.1 IKE and Web Certificate Cipher Suites
    PAN-OS 9.1 Decryption Cipher Suites
    PAN-OS 9.1 Administrative Session Cipher Suites
    PAN-OS 9.1 HA1 SSH Cipher Suites
    PAN-OS 9.1 PAN-OS-to-Panorama Connection Cipher Suites
    PAN-OS 9.1 Cipher Suites Supported in FIPS-CC Mode
  Cipher Suites Supported in PAN-OS 8.1
    PAN-OS 8.1 GlobalProtect Cipher Suites
    PAN-OS 8.1 IPSec Cipher Suites
    PAN-OS 8.1 IKE and Web Certificate Cipher Suites
    PAN-OS 8.1 Decryption Cipher Suites
    PAN-OS 8.1 Administrative Session Cipher Suites
    PAN-OS 8.1 HA1 SSH Cipher Suites
    PAN-OS 8.1 PAN-OS-to-Panorama Connection Cipher Suites
    PAN-OS 8.1 Cipher Suites Supported in FIPS-CC Mode

GlobalProtect
  Where Can I Install the GlobalProtect App?
    Apple macOS
    Microsoft Windows
    Linux
    Apple iOS and iPadOS
    Google Android
    Google Chrome

    Internet of Things (IoT)
    Hypervisors
  Third-Party VPN Client Support
    What Third-Party VPN Clients are Supported?
    What GlobalProtect Features Do Third-Party Clients Support?
    How Many Third-Party Clients Does Each Firewall Model Support?
  What Features Does GlobalProtect Support?
  What Features Does GlobalProtect Support for IoT?
  What GlobalProtect Features Do Third-Party Mobile Device Management Systems Support?

Prisma Access
  What Features Does Prisma Access Support?
    Prisma Access Feature Support
    Management
    Remote Networks
    Service Connections
    Mobile Users—GlobalProtect
    Mobile Users—Explicit Proxy
    Security Services
    Network Services
    Identity Services
    Policy Objects
    Logs
    Reports
    Integration with Other Palo Alto Networks Products
    Multitenancy Unsupported Features and Functionality
  Prisma Access and Panorama Version Compatibility
    Minimum Required Panorama Software Versions
    End-of-Support (EoS) Dates for Panorama Software Version Compatibility with Prisma Access
  Supported IKE Cryptographic Parameters

User-ID Agent
  Where Can I Install the User-ID Agent?
  Which Servers Can the User-ID Agent Monitor?
  Where Can I Install the User-ID Credential Service?

Terminal Server (TS) Agent
  Where Can I Install the Terminal Server (TS) Agent?
  How Many TS Agents Does My Firewall Support?

Cortex Data Lake
  Cortex Data Lake Software Compatibility

Cortex XDR
  Where Can I Install the Cortex XDR Agent?
  Cortex XDR Supported Kernel Module Versions by Distribution
  Cortex XDR and Traps Compatibility with Third-Party Security Products

Endpoint Security Manager (ESM)
  Where Can I Install the Endpoint Security Manager (ESM)?
  Where Can I Install the Cortex XDR Agent?

IPv6 Support by Feature
  IPv6 Support by Feature

Mobile Network Infrastructure Feature Support
  PAN-OS Releases by Model that Support GTP, SCTP, and 5G Security
  3GPP Technical Standard References
    3GPP TS References for GTP Security
    3GPP TS References for 5G Security
    3GPP TS References for 5G Multi-Edge Security
    3GPP TS References for UE-to-IP Address Correlation with PFCP in 4G
Supported OS Releases by Model
Use the tables throughout this Palo Alto Networks Compatibility Matrix to determine support for
Palo Alto Networks Next-Generation Firewalls, appliances, and agents. Additionally, refer to the
product comparison tool for detailed information about Palo Alto Networks firewalls by model,
including specifications for throughput, maximum number of sessions, rules, objects, tunnels, and
zones.
For supported operating systems on firewalls and appliances and for high-availability (HA) port
and processor support on firewalls, review the following topics:
• Palo Alto Networks Next-Generation Firewalls
• Palo Alto Networks Appliances
• WildFire Appliance Analysis Environment Support
• Palo Alto Networks PA-7000 Series Firewall Cards
• HA Port and Processor Support


Palo Alto Networks Next-Generation Firewalls


The following table shows the PAN-OS® releases supported for each Palo Alto Networks
Next-Generation Firewall hardware, VM-Series, and CN-Series model. You can also review
PAN-OS support for PA-7000 Series cards and PA-5450 firewall cards as well as for Palo Alto
Networks appliances.

| Palo Alto Networks Firewall Model | PAN-OS 8.1* | PAN-OS 9.1 | PAN-OS 10.0** | PAN-OS 10.1 | PAN-OS 10.2 | PAN-OS 11.0 |
|---|---|---|---|---|---|---|
| Hardware Firewalls | | | | | | |
| PA-200 Firewall (EoS***) | √ | — | — | — | — | — |
| PA-220 Firewall | — | √ | √ | √ | √ | — |
| PA-220R Firewall | — | √ | √ | √ | √ | — |
| PA-410 Firewall | — | — | — | √ (10.1.2 & later) | √ | √ |
| PA-415 and PA-445 Firewalls | — | — | — | — | — | √ |
| PA-440, PA-450, and PA-460 Firewalls | — | — | — | √ | √ | √ |
| PA-500 Firewall (EoS***) | √ | — | — | — | — | — |
| PA-800 Series Firewalls | — | √ | √ | √ | √ | √ |
| PA-1400 Series Firewalls | — | — | — | — | — | √ |
| PA-3000 Series Firewalls (EoS***) | — | √ | — | — | — | — |
| PA-3200 Series Firewalls | — | √ | √ | √ | √ | √ |
| PA-3400 Series Firewalls | — | — | — | — | √ | √ |
| PA-5000 Series Firewalls (EoS***) | √ | — | — | — | — | — |
| PA-5200 Series Firewalls | — | √ | √ | √ | √ | √ |
| PA-5410, PA-5420, and PA-5430 Firewalls | — | — | — | — | √ | √ |
| PA-5440 Firewalls | — | — | — | — | — | √ |
| PA-5450 Firewall | — | — | — | √ | √ | √ |
| PA-7000 Series Firewalls (**) | — | √ | √** | √ | √ | √ |
| VM-Series Firewalls | | | | | | |
| Flexible vCPU Firewalls (Up to 32 cores) | — | — | — | √ | √ | √ |
| Flexible vCPU Firewalls (Up to 64 cores) | — | — | — | — | √ | √ |
| VM-50 Firewall | — | √ | — | √ | √ | √ |
| VM-100 Firewall | — | √ | — | √ | √ | √ |
| VM-200 Firewall | — | √ | — | √ | √ | √ |
| VM-300 Firewall | — | √ | — | √ | √ | √ |
| VM-500 Firewall | — | √ | — | √ | √ | √ |
| VM-700 Firewall | — | √ | — | √ | √ | √ |
| VM-1000-HV Firewall | — | √ | — | √ | √ | √ |
| CN-Series Firewall | | | | | | |
| CN-Series Small; CN-MGMT Mem: 2GB; CN-NGFW Mem: 2 to 2.5GB | — | — | — | √ | √ | √ |
| CN-Series Medium; CN-MGMT Mem: 2GB; CN-NGFW Mem: 6GB | — | — | — | √ | √ | √ |
| CN-Series Large; CN-MGMT Mem: 4GB; CN-NGFW Mem: 48GB | — | — | — | √ | √ | √ |

* PAN-OS 8.1 is supported only on PA-200, PA-500, and PA-5000 Series firewalls (and the
M-100 appliance) and only until each reaches its hardware end-of-life (EoL) date.
** PAN-OS 10.0 releases are supported only for two PA-7000 cards (PA-7000-20G-NPC and
PA-7000-20GQ-NPC) in PA-7000 Series firewalls after July 16, 2022, and will be supported until
the hardware EoL for these cards on January 31, 2024.
*** You should also review the hardware EoL information for more specific information about
firewalls and appliances that have reached end-of-sale (EoS) status.


Palo Alto Networks Appliances


The following table shows PAN-OS® release support for each Palo Alto Networks (non-firewall)
appliance. You can also review PAN-OS release support for Palo Alto Networks Next-Generation
Firewalls.

| Palo Alto Networks Appliance | Release 6.2 | Release 8.1* | Release 9.1** | Release 10.1 | Release 10.2 | Release 11.0 |
|---|---|---|---|---|---|---|
| GP-100 Appliance (EoS***) | √ | — | — | — | — | — |
| Panorama Virtual Appliance | — | — | √ | √ | √ | √ |
| M-100 Appliance (EoS***) | — | √ | √** | — | — | — |
| M-200 Appliance | — | — | √ | √ | √ | √ |
| M-300 Appliance | — | — | — | — | √ | √ |
| M-500 Appliance (EoS***) | — | — | √ | √ | — | — |
| M-600 Appliance | — | — | √ | √ | √ | √ |
| M-700 Appliance | — | — | — | — | √ | √ |
| WF-500 Appliance(****) | — | — | √ | √ | √ (10.2.2 & later) | √ |
| WF-500-B Appliance(****) | — | — | — | — | √ (10.2.2 & later) | √ |

* PAN-OS 8.1 is supported only on the M-100 appliance (and PA-200, PA-500, and PA-5000
Series firewalls) and only until each reaches its hardware end-of-life (EoL) date.
** PAN-OS 9.1 releases support M-100 appliances only after you upgrade the M-100 appliance to
32GB of memory (from the default of 16GB).
*** For more specific information about firewalls and appliances that have reached end-of-sale
(EoS) status, review our hardware EoL web page.


**** WildFire appliances have optional guest VM images that provide support for additional
analysis environments. For information about which VMs are available for a specific WildFire
release, refer to WildFire Appliance Analysis Environment Support.

WildFire Appliance Analysis Environment Support


The following WildFire guest VM images (analysis environments) are supported in PAN-OS
(WildFire) releases. To upgrade the WildFire appliance, refer to Upgrade a WildFire Appliance.

Verify that you download and install the correct WildFire VM image for your WildFire
appliance. Installing a WildFire VM image that is not supported by the WildFire (PAN-OS)
release running on your appliance produces error messages, and the appliance will be unable
to process samples or detect malware.

| WildFire Analysis Environment | WildFire VM ID | WildFire Appliance Guest VM Filename | Minimum Compatible PAN-OS Version |
|---|---|---|---|
| Windows XP (Adobe Reader 11, Flash 11, Office 2010) | vm-3 | WFWinXpAddon3_m-1.0.1.xpaddon3 | 10.2.2 and later |
| | | WFWinXpAddon3_m-1.0.0.xpaddon3* | 10.1 and earlier |
| Windows 7 x64 SP1 (Adobe Reader 11, Flash 11, Office 2010) | vm-5 | WFWin7_64Addon1_m-1.0.1.7_64addon1 | 10.2.2 and later |
| | | WFWin7_64Addon1_m-1.0.0.7_64addon1 | 10.1 and earlier |
| | | WFWin7_64Base_m-1.0.0.7_64base (This is a required base VM image package for the proper function of the Windows 7 analysis environment.) | 10.1 and earlier |
| Windows XP (Internet Explorer 8, Flash 11, Elink analysis support) | vm-6** | WFWinXpGf_m-1.0.0.xpgf | 10.1 and earlier |
| | | WFWinXpGf_m-1.0.1.xpgf | 10.2.2 and later |
| Windows 10 x64 (Adobe Reader 11, Flash 11, Office 2010) | vm-7 | WFWin10Base_m-1.0.1.10base | 10.2.2 and later |
| | | WFWin10Base_m-1.0.0-c2.10base | 10.1 and earlier |

• * This WildFire guest VM image comes preinstalled and is not available on the Palo Alto
Networks Support Portal for download.
• ** This WildFire analysis environment is not selectable through the WildFire appliance
CLI.


Palo Alto Networks PA-7000 Series Cards


The following table shows the PAN-OS® releases supported for each of the system cards and for
each of the networking and data plane cards supported on PA-7000 Series firewalls. You can also
review PAN-OS support for each Palo Alto Networks Next-Generation Firewall and for all other
Palo Alto Networks appliances.

| PA-7000 Series Firewall Cards | PAN-OS 9.1 | PAN-OS 10.0 | PAN-OS 10.1 | PAN-OS 10.2 | PAN-OS 11.0 |
|---|---|---|---|---|---|
| Networking and Data Plane Cards | | | | | |
| PAN-PA-7000-20G-NPC | √ | √* (*until Jan. 31, 2024) | — | — | — |
| PAN-PA-7000-20GQ-NPC | √ | √* (*until Jan. 31, 2024) | — | — | — |
| PAN-PA-7000-20GXM-NPC | √ | √ | √ | — | — |
| PAN-PA-7000-20GQXM-NPC | √ | √ | √ | — | — |
| PAN-PA-7000-100G-NPC-A | √ | √ | √ | √ | √ |
| PAN-PA-7000-DPC-A | — | √ | √ | √ | √ |
| System Cards | | | | | |
| PAN-PA-7050-SMC | √ | √ | √* (*until Feb. 28, 2026) | — | — |
| PAN-PA-7050-SMC (v2) | √ | √ | √* (*until Feb. 28, 2026) | — | — |
| PAN-PA-7050-SMC-B | √ | √ | √ | √ | √ |
| PAN-PA-7080-SMC | √ | √ | √* (*until Feb. 28, 2026) | — | — |
| PAN-PA-7080-SMC (v2) | √ | √ | √* (*until Feb. 28, 2026) | — | — |
| PAN-PA-7080-SMC-B | √ | √ | √ | √ | √ |
| PAN-PA-7000-LPC | √ | √ | √* (*until Feb. 28, 2026) | — | — |
| PAN-PA-7000-LFC-A | √ | √ | √ | √ | √ |


Palo Alto Networks PA-5450 Cards


The following table shows the PAN-OS® releases supported for each of the system, network, and
data processing cards available for the PA-5450 firewall. You can also review PAN-OS support
for each Palo Alto Networks Next-Generation Firewall, each of our other Palo Alto Networks
appliances, and for the data processing cards available for the PA-7000 Series firewalls.

| PA-5450 Firewall Cards | PAN-OS 10.1 | PAN-OS 10.2 | PAN-OS 11.0 |
|---|---|---|---|
| Networking and Data Processing Cards | | | |
| PAN-PA-5400-NC-A | √ | √ | √ |
| PAN-PA-5400-DPC-A | √ | √ | √ |
| System Cards | | | |
| PAN-PA-5400-BC-A | √ | √ | √ |
| PAN-PA-5400-MPC-A | √ | √ | √ |


HA Port and Processor Support


The following table identifies which Palo Alto Networks Next-Generation Firewall (NGFW) can
support the HA ports and processor functionality you require in your network.
Additionally, some firewall models and PA-7000 Series firewall cards include an offload processor
—a Content Engine (CE) for accelerating signature matches or a Crypto Accelerator (CA) for
accelerating SSL processing; some firewalls support either one but none can support both
simultaneously.

Palo Alto Networks Firewall Model | Separate Mgmt Plane Processor | Network Processor | Offload Processor | First Packet Processor | HA1 Port | HA2 Port | HSCI Port

Firewalls

PA-200 — — — — — — —
(EoS)*

PA-220 — — — — — — —

PA-220R — — — — — — —

PA-410 — — — — — — —

PA-415 — — — — — — —

PA-440 — — — — — — —

PA-445 — — — — — — —

PA-450 — — — — — — —

PA-460 — — — — — — —

PA-500 √ — — — — — —
(EoS)*

PA-820 — — — — √ √ —

PA-850 — — — — √ √ —

PA-1410 — — — — √ — √
(x2)


PA-1420 — — — — √ — √
(x2)

PA-3020 √ — √ — √ √ —
(EoS) (CE)

PA-3050 √ √ √ — √ √ —
(EoS) (CE)

PA-3060 √ √ √ — √ √ —
(EoS) (CE)

PA-3220 √ √ — — √ — √
(x2)

PA-3250 √ √ √ — √ — √
(CE) (x2)

PA-3260 √ √ √ — √ — √
(CE) (x2)

PA-3410 √ √ — — √ — √
(x2)

PA-3420 √ √ — — √ — √
(x2)

PA-3430 √ √ — — √ — √
(x2)

PA-3440 √ √ — — √ — √
(x2)

PA-5020 √ √ √ — √ √ —
(EoS)* (CE)

PA-5050 √ √ √ — √ √ —
(EoS)* (CE)

PA-5060 √ √ √ — √ √ —
(EoS)* (CE)

PA-5220 √ √ √ √ √ — √
(CE or (x2)
CA)

PA-5250 √ √ √ √ √ — √
(CE or (x2)
CA)

PA-5260 √ √ √ √ √ — √
(CE or (x2)
CA)

PA-5280 √ √ √ √ √ — √
(CE or (x2)
CA)

PA-5410 — — — — √ — √
(x2)

PA-5420 — — — — √ — √
(x2)

PA-5430 — — — — √ — √
(x2)

PA-5440 — — — — √ — √
(x2)

PA-5450 √ √ √ √ √ — √
(CE or (x2) (x2)
CA)

PA-7050 √ √ √ √ √ — √
(CE or (x2) (x2)
CA)

PA-7080 √ √ √ √ √ — √
(CE or (x2) (x2)
CA)

PA-7000 Series Firewall Cards

PA-7050-SMC √ — — √ √ — √
(EoS) (x2) (x2)

PA-7080-SMC √ — — √ √ — √
(EoS) (x2) (x2)

PA-7050-SMC-B √ — — √ √ — √
(x2) (x2)

PA-7080-SMC-B √ — — √ √ — √
(x2) (x2)

PA-7000-20G-NPC — √ √ — — — —
(EoS) (CE x2)

PA-7000-20GQ- — √ √ — — — —
NPC
(CE x2)
(EoS)

PA-7000-20GXM- — √ √ — — — —
NPC
(CE x2)
(EoS)

PA-7000-20GQXM- — √ √ — — — —
NPC
(CE x2)
(EoS)

PA-7000-100G- — √ √ — — — —
NPC-A
(CE or
CA)

PA-7000-DPC-A — — √ — — — —
(CA x2)

* These firewalls are supported only on PAN-OS 8.1 and only until each reaches its hardware end-
of-life (EoL) date. You can also review the hardware EoL information for more specific information
about firewalls and appliances that have reached end-of-sale (EoS) status.

VM-Series Firewalls
The hypervisors and the public cloud regions in which you can deploy the VM-Series firewalls:
• VM-Series Firewall Hypervisor Support
• PacketMMAP and DPDK Drivers on VM-Series Firewalls
• Partner Interoperability for VM-Series Firewalls
• VM-Series Plugin
• AWS and AWS Gov Cloud Regions
• Azure Regions
• Google Cloud Regions
• Alibaba Cloud Regions
• AWS CFT Amazon Machine Images (AMI) List

For the best instance types for optimal VM-Series capacity and performance, see the
VM-Series Capacity & Performance document.


VM-Series Firewall Hypervisor Support


Palo Alto Networks offers hypervisor version support on the VM-Series firewall for both the
following deployments:
• Private Cloud Deployments
• Public Cloud Deployments

Private Cloud Deployments


The following Private Clouds require a PAN-OS for VM-Series base image from the Palo Alto
Networks Support Portal:
• VM-Series for VMware vSphere Hypervisor (ESXi)
• VM-Series for VMware NSX-V
• VM-Series for VMware NSX-T
• VM-Series for KVM
• VM-Series for Nutanix
• VM-Series for Hyper-V
• VM-Series for OpenStack
• Cisco ACI: Hardware and VM-Series Firewalls in Cisco ACI
In the compatibility matrices below, the PAN-OS Version Support column displays the range of
versions and the (Minimum) version in parentheses. For example, if the PAN-OS Version column
displays PAN-OS 9.1.x (9.1.3), it indicates that the integration supports PAN-OS 9.1 releases
beginning with PAN-OS 9.1.3.
Further I/O Enhancement support is detailed in PacketMMAP and DPDK Drivers on VM-Series
Firewalls.

VM-Series for VMware vSphere Hypervisor (ESXi)


This ESXi version support list does not include NSX. For NSX, see VM-Series for VMware NSX-V
or VM-Series for VMware NSX-T.
You can download base images from the Palo Alto Networks Support Portal.

Access mode with SR-IOV on VMware ESXi is supported on PAN-OS 9.1.5 and later PAN-OS 9.1
versions and PAN-OS 10.1 and later PAN-OS versions, both with VM-Series plugin 2.0.5 and
later. See Enable VLAN Access Mode for ESXi for more information.


| PAN-OS Version Support (Minimum) | VMware ESXi Version Support | VMware Virtual Machine Hardware Version | I/O Enhancement Support | Base Image |
|---|---|---|---|---|
| PAN-OS 9.1.x (9.1.0) | 6.5, 6.7 | vmx-10 | SR-IOV, DPDK | PA-VM-ESX-9.1.0.ova |
| PAN-OS 9.1.x (9.1.0); PAN-OS 10.1.x (10.1.0) | 6.7, 7.0 | vmx-10 | SR-IOV, DPDK | PA-VM-ESX-9.1.0.ova; PA-VM-ESX-10.1.0.ova |
| PAN-OS 10.2.x (10.2.0); PAN-OS 11.0.x (11.0.0) | 6.7, 7.0, 8.0 | vmx-10 | SR-IOV, DPDK | PA-VM-ESX-10.2.0.ova; PA-VM-ESX-11.0.0.ova |

VM-Series for VMware NSX-V


vSphere with VMware NSX is available on all VM-Series firewalls except the VM-50 and VM-700
firewalls.
The vSphere with VMware NSX and Panorama combinations listed here are approved by Palo
Alto Networks. For versions of PAN-OS certified by VMware, see the VMware Compatibility
Guide.
Panorama 9.1 and later versions require the VMware NSX plugin. For more plugin version
information, see Panorama Plugins for VMware NSX.
You can download base images from the Palo Alto Networks Support Portal.
VMware has already announced EoS for NSX-V. Palo Alto Networks will continue to support
the VM-Series on NSX-V running PAN-OS 10.0.x and earlier, managed by Panorama 10.1.x or
10.2.x.
• No VM-Series for VMware NSX-V base images for PAN-OS 10.1.x or 10.2.x will be made
available
• You cannot upgrade the VM-Series firewall for NSX-V to 10.1.x or 10.2.x
• Panorama 10.1.x, 10.2.x supports 9.1.x base images until EOL date
See the Palo Alto Networks End-of-Life Summary for more information about the PAN-OS EoL
schedule.


| Supported Panorama Versions | PAN-OS Version Support | Panorama Plugin for NSX | VMware NSX-V Manager | vSphere | VMware Virtual Machine Hardware Version | Minimum Base Image | I/O Enhancement Support |
|---|---|---|---|---|---|---|---|
| 9.1.x; 10.1.x | 9.1.0 to 9.1.6 | 3.2.0 to latest 4.0.x | 6.4.1 to 6.4.7 | 6.5; 6.7 | vmx-10 | PA-VM-NSX-9.1.0.zip | LRO |
| 9.1.x; 10.1.x | 9.1.7 to latest 9.1.x | 3.2.0 to latest 4.0.x | 6.4.8 and later | 6.5; 6.7; 7.0 | vmx-10 | PA-VM-NSX-9.1.9.zip | LRO |
| 10.2.x | 9.1.0 to 9.1.6 | 5.0.0 and later | 6.4.1 to 6.4.7 | 6.5; 6.7 | vmx-10 | PA-VM-NSX-9.1.0.zip | LRO |
| 10.2.x | 9.1.7 to latest 9.1.x | 5.0.0 and later | 6.4.8 and later | 6.5; 6.7; 7.0 | vmx-10 | PA-VM-NSX-9.1.9.zip | LRO |

VM-Series for VMware NSX-T


You can download base images from the Palo Alto Networks Support Portal.
The VMware NSX-T and Panorama combinations listed here are approved by Palo Alto Networks.
For versions of PAN-OS certified by VMware, see the VMware Compatibility Guide.

VMware NSX 4.0.x Service Deployments, for partner Service Virtual Machines (SVM), may
experience known traffic redirect issues. Contact VMware NSX Technical Support
for details.

| Panorama Version Support | Panorama Plugin for NSX | VMware NSX-T Version Support | VMware Virtual Machine Hardware Version | PAN-OS Version Support (Minimum) | Latest Base Image |
|---|---|---|---|---|---|
| 10.2.x | 5.0.0 and later | 3.2.x, 4.0.x, 4.1.x | vmx-10 | PAN-OS 10.1.x (10.1.0); PAN-OS 10.2.x (10.2.4) | PA-VM-NST-10.2.4-vmwaresigned.zip; PA-VM-NST-10.1.9-h1-vmwaresigned.zip |
| 10.1.x | 3.2.0 to 4.0.x | 2.5.x, 3.0.x, 3.1.x, 3.2.x | vmx-10 | PAN-OS 10.1.x (10.1.0) | PA-VM-NST-10.1.9-h1-vmwaresigned.zip; PA-VM-NST-9.1.9-vmwaresigned.zip |
| | 4.0.x | 4.0.x | vmx-10 | PAN-OS 10.1.x (10.1.9-h1) | PA-VM-NST-10.1.9-h1-vmwaresigned.zip |
| 9.1.x | 3.2.0 to 4.0.x | 2.5.x, 3.0.x, 3.1.x | vmx-10 | PAN-OS 9.1.x (9.1.0) | PA-VM-NST-9.1.9.zip |

VM-Series for KVM


You can download base images from the Palo Alto Networks Support Portal.

| PAN-OS Version Support (Minimum) | VM-Series for KVM Version Support (Minimum) | I/O Enhancement Support | PAN-OS for VM-Series KVM Base Images |
|---|---|---|---|
| PAN-OS 9.1.x (9.1.0) | CentOS/Red Hat Enterprise Linux: 7.x.x (7.6.x); 8.x.x (8.0.x) | DPDK with SR-IOV; DPDK with Virtio | PA-VM-KVM-9.1.x.qcow2 |
| PAN-OS 10.1.x (10.1.0); PAN-OS 10.2.x (10.2.0); PAN-OS 11.0.x (11.0.0) | CentOS/Red Hat Enterprise Linux: 7.x.x (7.6.x); 8.x.x (8.0.x); 9.0.x (9.0.x) | DPDK with SR-IOV; DPDK with Virtio | PA-VM-KVM-10.1.x.qcow2; PA-VM-KVM-10.2.x.qcow2; PA-VM-KVM-11.0.0.qcow2 |
| PAN-OS 10.2.x (10.2.0); PAN-OS 11.0.x (11.0.0) | CentOS/Red Hat Enterprise Linux 9.1.x (9.1.x) | DPDK with SR-IOV; DPDK with Virtio | PA-VM-KVM-10.2.x.qcow2; PA-VM-KVM-11.0.0.qcow2 |
| PAN-OS 9.1.x (9.1.0); PAN-OS 10.1.x (10.1.0) | Ubuntu 18.04 | DPDK with SR-IOV; DPDK with Virtio | PA-VM-KVM-9.1.x.qcow2; PA-VM-KVM-10.1.x.qcow2 |
| PAN-OS 10.1.x (10.1.0) | Ubuntu 20.04 | DPDK with SR-IOV; DPDK with Virtio | PA-VM-KVM-10.1.x.qcow2 |
| PAN-OS 10.2.x (10.2.0); PAN-OS 11.0.x (11.0.0) | Ubuntu 22.04 | DPDK with SR-IOV; DPDK with Virtio | PA-VM-KVM-10.2.x.qcow2; PA-VM-KVM-11.0.0.qcow2 |
| PAN-OS 10.1.x (10.1.0) | SUSE Enterprise Server 15 with QEMU 3.1.1 | MacVTap; Virtio | PA-VM-KVM-10.1.x.qcow2 |

VM-Series for Nutanix


You can download base images from the Palo Alto Networks Support Portal.

The VM-Series firewall for Nutanix uses the VM-Series firewall for KVM base image
(qcow2).

| PAN-OS Version Support (Minimum) | VM-Series for Nutanix Version Support (Minimum) | I/O Enhancement Support | VM-Series for KVM Base Image |
|---|---|---|---|
| PAN-OS 9.1.x (9.1.0); PAN-OS 10.1.x (10.1.0) | Nutanix AOS Version 5.10, 5.15; Nutanix AHV Release 20170830.185. Layer 3 deployments, and virtual wire deployments with Service Chaining. | DPDK supported | PA-VM-KVM-9.1.0.qcow2; PA-VM-KVM-10.1.x.qcow2 |
| PAN-OS 10.1.x (10.1.0); PAN-OS 10.2.x (10.2.0) | Nutanix AOS Version 5.20; Nutanix AHV Release 20201105.2030. Layer 3 deployments, and virtual wire deployments with Service Chaining. | DPDK supported | PA-VM-KVM-10.1.x.qcow2; PA-VM-KVM-10.2.x.qcow2 |
| PAN-OS 10.1.x (10.1.0) | Nutanix AOS 6.5 version 6.0.5. Layer 3 deployments, and virtual wire deployments with Service Chaining. | L3 mode only in VPC mode | PA-VM-KVM-10.1.x.qcow2 |

VM-Series for Hyper-V


You can download base images from the Palo Alto Networks Support Portal.

| PAN-OS Version Support (Minimum) | VM-Series for Hyper-V Version Support (Minimum) | I/O Enhancement Support | Base Image |
|---|---|---|---|
| PAN-OS 9.1.x (9.1.0) | Windows Server 2012 R2 with Hyper-V role or Hyper-V 2012 R2; Windows Server 2016 with Hyper-V role or Hyper-V 2016; Windows Server 2019 with Hyper-V role or Hyper-V 2019 | Packet MMAP supported; DPDK not supported | PA-VM-HPV-9.1.0.vhdx |
| PAN-OS 10.1.x (10.1.0); PAN-OS 10.2.x (10.2.0); PAN-OS 11.0.x (11.0.0) | Windows Server 2012 R2 with Hyper-V role or Hyper-V 2012 R2; Windows Server 2016 with Hyper-V role or Hyper-V 2016; Windows Server 2019 with Hyper-V role or Hyper-V 2019 | DPDK with SR-IOV supported; Packet MMAP with Virtio supported; Packet MMAP with SR-IOV supported | PA-VM-HPV-10.1.0.vhdx; PA-VM-HPV-10.2.0.vhdx; PA-VM-HPV-11.0.0.vhdx |

VM-Series for OpenStack


You can download base images from the Palo Alto Networks Support Portal.

| PAN-OS Version Support (Minimum) | VM-Series for OpenStack Version Support (Minimum) | I/O Enhancement Support | Base Image |
|---|---|---|---|
| PAN-OS 9.1.x (9.1.5); PAN-OS 10.1.x (10.1.0) | Redhat OpenStack Queens 13 | DPDK with Virtio; DPDK with SR-IOV; Packet MMAP with Virtio; Packet MMAP with SR-IOV | PA-VM-KVM-9.1.5.qcow2; PA-VM-KVM-10.1.0.qcow2 |
| PAN-OS 10.1.x (10.1.3) | Redhat OpenStack Train 16 | DPDK with Virtio; DPDK with SR-IOV; Packet MMAP with Virtio; Packet MMAP with SR-IOV | PA-VM-KVM-10.1.3.qcow2 |

Cisco ACI: Hardware and VM-Series Firewalls in Cisco ACI


See Cisco ACI for supported PAN-OS, Panorama, and Cisco ACI plugin versions.
You can download base images from the Palo Alto Networks Support Portal.


Public Cloud Deployments


Palo Alto Networks supports the following public cloud deployments:
• Public Cloud Deployments Available from a Marketplace—AWS, Azure, GCP, and Oracle
• Public Cloud Deployments Requiring a Base Image—Alibaba, Oracle, vCloud Air
• VM-Series Firewall for VMware Cloud on AWS

Public Cloud Deployments Available from a Marketplace—AWS, Azure, GCP, and Oracle

| Public Cloud Deployment | PAN-OS Version Support (Minimum) | I/O Enhancement Support |
|---|---|---|
| VM-Series on AWS. List of supported AWS Regions. Support for AWS Outposts on PAN-OS 9.1 and later. | PAN-OS 9.1.x (9.1.0); PAN-OS 10.1.x (10.1.0); PAN-OS 10.2.x (10.2.0); PAN-OS 11.0.x (11.0.0) | |
| VM-Series on Azure. List of supported Azure Regions. | PAN-OS 9.1.x (9.1.0); PAN-OS 10.1.x (10.1.0); PAN-OS 10.2.x (10.2.0); PAN-OS 11.0.x (11.0.0). Azure Stack Edge: PAN-OS 10.1.x (10.1.5) | DPDK is supported in PAN-OS 9.1 and later PAN-OS releases. |
| VM-Series on Google Cloud. List of supported Google Cloud Regions. | PAN-OS 9.1.x (9.1.0); PAN-OS 10.1.x (10.1.0); PAN-OS 10.2.x (10.2.0); PAN-OS 11.0.x (11.0.0) | DPDK is supported and enabled by default. |
| VM-Series on Oracle Cloud Infrastructure | PAN-OS 9.1.x (9.1.0); PAN-OS 10.1.x (10.1.0); PAN-OS 10.2.x (10.2.0); PAN-OS 11.0.x (11.0.0). Oracle Gov Cloud: PAN-OS 9.1.x (9.1.3); PAN-OS 10.1.x (10.1.2); PAN-OS 10.2.x (10.2.0); PAN-OS 11.0.x (11.0.0) | DPDK is supported and enabled by default. SR-IOV and MMAP mode is supported with jumbo and non-jumbo frames on PAN-OS 9.1.x and PAN-OS 10.1.x and later with VM-Series plugin 2.1.0 and later. |
| VM-Series on IBM Cloud | PAN-OS 10.1.x (10.1.0) | — |

Further I/O Enhancement support is detailed in PacketMMAP and DPDK Drivers on VM-Series
Firewalls.
To view the hypervisor support for Panorama versions, see Panorama Hypervisor Support. To
view the Panorama plugin requirements for public clouds, see Public Cloud-AWS, Azure, GCP.

Public Cloud Deployments Requiring a Base Image—Alibaba, Oracle, vCloud Air


The following Public Clouds require a PAN-OS for VM-Series base image from the Palo Alto
Networks Support Portal.

| Public Cloud Deployment | PAN-OS Version Support (Minimum) | I/O Enhancement Support | Base Image |
|---|---|---|---|
| VM-Series on Alibaba Cloud | PAN-OS 9.1.x (9.1.0) | DPDK and Packet MMAP are supported. DPDK is enabled by default. | PA-VM-KVM-9.1.0.qcow2 |

Further I/O Enhancement support is detailed in PacketMMAP and DPDK Drivers on VM-Series
Firewalls.

VM-Series Firewall for VMware Cloud on AWS


You can deploy the VM-Series firewall on VMware Cloud on AWS. Refer to the Set Up a VM-
Series Firewall on an ESXi Server for information on deploying the VM-Series firewall. Refer to
VM-Series for VMware vSphere Hypervisor (ESXi) for supported VMware ESXi versions.

The VM-Series firewall on VMware NSX-V and NSX-T is not supported on VMware Cloud
on AWS.

| PAN-OS Version Support | I/O Enhancement Support | Documentation |
|---|---|---|
| PAN-OS 9.1.x (9.1.0) | DPDK and SR-IOV | VMware Cloud on AWS Documentation; VM-Series Firewall on VMware ESXi |


PacketMMAP and DPDK Drivers on VM-Series Firewalls


The VM-Series firewall supports the PacketMMAP and Data Plane Development Kit (DPDK)
drivers listed in the tables below. VM-Series firewalls use their own drivers to communicate with
the drivers on the host. You should install host-driver versions that are equal to or later than the
driver versions on your VM-Series firewall.
To choose host drivers for SR-IOV:
• KVM—On your KVM host, install a physical function (PF) driver version that is equal to or later
than the virtual function (VF) native driver version listed below.
• ESXi—Refer to the VMware Compatibility Matrix and install the latest driver for the firmware
version (PF=i40e, VF=i40evf).
For more on communication between VF drivers on the VM-Series firewall, and PF drivers on the
host (the hypervisor), see PacketMMAP and DPDK Drivers on VM-Series Firewalls in the VM-
Series Deployment Guide.
• SR-IOV Access Mode
• PacketMMAP Driver Versions
• DPDK Driver Versions

SR-IOV Access Mode


VM-Series firewalls support SR-IOV Access Mode on KVM and ESXi hypervisors. To enable single
root I/O virtualization (SR-IOV) access mode, you can include the bootstrap parameter
plugin-op-commands=sriov-access-mode-on in the init-cfg.txt file.
• KVM—Requires PAN-OS 9.1.5 or a later PAN-OS release with VM-Series plugin 2.0.1 or a later
plugin version.
• ESXi—Requires PAN-OS 9.1.5 or a later PAN-OS 9.1 release or PAN-OS 10.1 or a later PAN-
OS release—with VM-Series plugin 2.0.5 or a later plugin version.

PacketMMAP Driver Versions


VM-Series firewalls use their virtual function (VF) drivers to communicate with the host's physical
function (PF) drivers during SR-IOV. For example, i40e is a PF driver and i40evf is a VF driver.

| PAN-OS Version | Driver Filename | Virtual Firewall Native Drivers (Linux Version) | Comment |
|---|---|---|---|
| 11.0 | bnx2x | 1.713.36-0 | |
| | i40e | 2.14.13 | |
| | iavf | 4.0.2 | |
| | igb | 5.6.0 | |
| | igbvf | 2.4.0 | |
| | ixgbe | 5.1.0 | The minimum version for multiple queues is 4.2.5 |
| | ixgbevf | 4.1.0 | |
| | mlnx-en | 4.9 | |
| 10.2 | bnx2x | 1.712.30-0 | |
| | i40e | 2.13.10 | |
| | iavf | 3.2.3 | i40evf renamed to iavf; still compatible with i40en host driver. |
| | igb | 5.4.0 | |
| | igbvf | 2.4.0 | |
| | ixgbe | 5.1.0 | The minimum version for multiple queues is 4.2.5 |
| | ixgbevf | 4.1.0 | |
| | mlnx-en | 4.9 | |
| 10.1 | bnx2x | 1.712.30-0 | |
| | i40e | 2.13.10 | |
| | iavf | 3.2.3 | i40evf renamed to iavf; still compatible with i40en host driver. |
| | igb | 5.4.0 | |
| | igbvf | 2.4.0 | |
| | ixgbe | 5.1.0 | The minimum version for multiple queues is 4.2.5 |
| | ixgbevf | 4.1.0 | |
| | mlnx-en | 4.9 | |
| 9.1 | bnx2x | 1.713.36-0 | |
| | i40e | 2.3.2 | |
| | i40evf | 3.2.2 | Compatible with i40en host driver. |
| | igb | 5.4.0 | |
| | igbvf | 2.4.0 | |
| | ixgbe | 5.1.0 | The minimum version for multiple queues is 4.2.5 |
| | ixgbevf | 4.1.0 | |

DPDK Driver Versions


When the firewall is in DPDK mode, it uses DPDK drivers. Please check the official DPDK release
notes for more information.
By default DPDK is enabled on VM-Series firewalls as stated below. If the VM-Series firewall
detects an unsupported driver, the firewall reverts to PacketMMap mode.

| Hypervisor | Virtual NIC Driver | Drivers |
|---|---|---|
| KVM | virtio | ixgbe, ixgbevf, i40e, i40evf, and mlnx-en (PAN-OS 10.1 and later) |
| ESXi | VMXNET3 | ixgbe, ixgbevf, i40e, i40evf |

See VM-Series for KVM and VM-Series for VMware vSphere Hypervisor (ESXi) for
PAN-OS versions that support DPDK, DPDK with SR-IOV, or DPDK with Virtio.

| PAN-OS Version | DPDK Version | Comment |
|---|---|---|
| 11.0 | 20.11.1 | |
| 10.2 | 20.11.1 | |
| 10.1 | 19.11.3 | |
| 9.1 | 18.11 | |


Partner Interoperability for VM-Series Firewalls


Palo Alto Networks offers two tiers of support for third-party partner platforms for the VM-
Series next-generation firewall—Palo Alto Networks Certified and Partner-Qualified. The VM-
Series firewall provides the same security features and functionality regardless of support tier; the
difference lies in what types of issues Palo Alto Networks is able to help you resolve.
• Partner Qualified—Palo Alto Networks Customer Support assists you with any issue directly
related to the VM-Series firewall. VM-Series issues are defined as issues that occur after a
packet enters the firewall. This does not include issues related to a partner platform.
VM-Series issues include:
• PAN-OS configuration
• VM-Series upgrades
• VM-Series licensing
• VM-Series documentation
• Palo Alto Networks Certified—Palo Alto Networks customer support assists with all VM-Series
firewall issues as well as issues related to the partner platform. Platform issues are defined as
issues that involve a packet outside of the VM-Series firewall, such as arriving or leaving the
firewall or hypervisor or an issue with the hardware configuration.
Platform issues include:
• Network interfaces not recognized by the VM-Series firewall
• VM-Series firewall not booting
• Platform configuration
• Bootstrapping of the VM-Series firewall
• Connections to other networking devices
• High availability (HA)
• I/O Acceleration (DPDK, SR-IOV, and PCI passthrough)
For a complete list of the partner platforms supported in each tier, review the integration
information:
• Palo Alto Networks Certified Integrations
• Partner-Qualified Integrations

Palo Alto Networks Certified Integrations


The following topic shows the Palo Alto Networks certified partner products with which VM-
Series firewalls interoperate. Refer to the tables for details about hardware platforms and
software versions on which you can deploy the VM-Series firewall.

The partner software version and the PAN-OS® version columns display the range of
versions and the minimum version in parentheses. For example, where the PAN-OS
Version column displays PAN-OS 10.1.x (10.1.4), it indicates that the integration supports
PAN-OS 10.1 releases beginning with PAN-OS 10.1.4.


• Ciena
• Cisco Cloud Services Platform
• Cisco Enterprise Computer System (ENCS)
• Citrix SD-WAN
• Juniper NFX Network Services Platform
• NSX SD-WAN by VeloCloud
• Nuage Networks
• Versa Networks
• Vyatta

Ciena
The following table shows the Ciena products with which VM-Series firewalls interoperate.

| Hardware | Hypervisor | SAOS Supported Software Version (Minimum) | SAOS Tested Software Version (Minimum) | PAN-OS Version (Minimum) | Deployment Modes Supported | Documentation |
|---|---|---|---|---|---|---|
| 3906mvi and 3926mvi | KVM | 18.x.x (18.06.00) | 18.06.x (18.06.00) | 9.1.x (9.1.0) | Layer 3 mode on the VM-50, VM-100, and VM-300; VirtIO and DPDK mode. | Ciena documentation |

Cisco Cloud Services Platform


The following table shows the Cisco Cloud Services Platform (CSP) products with which VM-
Series firewalls interoperate.

| Hardware | Hypervisor | CSP Supported Software Version (Minimum) | CSP Tested Software Version (Minimum) | PAN-OS Version (Minimum) | Deployment Modes Supported | Documentation |
|---|---|---|---|---|---|---|
| CSP5400 Series; CSP2100 Series | KVM | 2.x.x (2.4.0) | 2.4.x (2.4.0) | 9.1.x (9.1.0) | Layer 2, Layer 3, Virtual wire deployments on all VM-Series models except VM-50; VM-Series Firewalls in an HA configuration; SR-IOV, Packet MMAP, and DPDK mode | Set Up the VM-Series Firewall on Cisco CSP (PAN-OS 9.1) |
| CSP5400 Series | | 4.6.x (4.6) | 4.6.x (4.6.1-FC1) | 10.1.x (10.1.0) | | Set Up the VM-Series Firewall on Cisco CSP (PAN-OS 10.1) |

Cisco Enterprise Computer System (ENCS)


The following table shows the Cisco Enterprise Computer System (ENCS) products with which
VM-Series firewalls interoperate.

Hardware NFVIS
Hypervisor Tested PAN-OS Deployment Documentation
Supported Version Modes
NFVIS
Software Supported
Software (Minimum)
Version
Version
(Minimum)
(Minimum)

Cisco KVM 3.x.x (3.8) 3.10.x 9.1.x • Layer 2, VM-Series on


5400 (3.10.1) (9.1.0) Layer3, Cisco ENCS
4.6.x
Series Virtual wire
(4.6.1- 3.12.x
deployments
FC1) (3.12.1)
• Firewalls in
4.6.x HA
(4.6.1-
FC1) • Virtio with
DPDK mode
4.6.x (4.6) 4.6.x 10.1.x enabled by
(4.6.1- (10.1.0) default
FC1)

Citrix SD-WAN
The following table shows the Citrix SD-WAN products with which VM-Series firewalls
interoperate.


| Hardware | Hypervisor | Supported Software Version (Minimum) | Tested Software Version (Minimum) | PAN-OS Version (Minimum) | Deployment Modes Supported | Documentation |
|---|---|---|---|---|---|---|
| Citrix SD-WAN 1100 Appliance | KVM | 11.x.x (11.0.1) | 11.0.x (11.0.1) | 9.1.x (9.1.0) | Virtual wire deployments. VirtIO with packet MMAP mode support only; so you must disable DPDK with op-cmd-dpdk-pkt-io=off in the init-cfg.txt file used for bootstrapping or use the CLI command set system setting dpdk-pkt-io off | Citrix SD-WAN Deployment Guide; Citrix SD-WAN Solution Brief |
| | | | | 9.1.x (9.1.0) | Virtual wire; DPDK Mode | |

Juniper NFX Network Services Platform


The following table shows the Juniper NFX Network Services Platform products with which VM-
Series firewalls interoperate.

| Hardware | Hypervisor | Junos Software Version (Minimum) | PAN-OS Version (Minimum) | Deployment Modes Supported | Documentation |
|---|---|---|---|---|---|
| NFX 250 | KVM | 15.1X53-D470.x (15.1X53-D470.5) | 9.1.x (9.1.0) | Layer 2, Layer 3, Virtual Wire; DPDK mode | Juniper NFX documentation |


NSX SD-WAN by VeloCloud


The following table shows the NSX SD-WAN by VeloCloud products with which VM-Series
firewalls interoperate.

| Hardware | Hypervisor | VCE Supported Software Version (Minimum) | Tested VCE Software Version (Minimum) | PAN-OS Version (Minimum) | Deployment Modes Supported | Documentation |
|---|---|---|---|---|---|---|
| Edge 520v; Edge 840 | KVM | 3.x.x (3.2.0) | 3.3.x (3.3.1) | 9.1.x (9.1.0) | Virtual wire deployments; DPDK | NSX SD-WAN by VeloCloud documentation |

Nuage Networks
The following table shows the Nuage Networks products with which VM-Series firewalls
interoperate.

| Hardware | Hypervisor | VSP Supported Software Version (Minimum) | Tested VSP Software Version (Minimum) | PAN-OS Version (Minimum) | Deployment Modes Supported | Documentation |
|---|---|---|---|---|---|---|
| Nuage NSG-X series | — | 5.x.x (5.3.3U3) | 5.3.x (5.3.3U3) | TBD | Virtual wire deployments on VM-50 and VM-100 models. VirtIO with packet MMAP mode support only. DPDK must be disabled: If you bootstrap, include op-cmd-dpdk-pkt-io=off in the init-cfg.txt file, or, on the VM Series firewall, use the CLI command set system setting dpdk-pkt-io off | Nuage Networks documentation |

Versa Networks
The following table shows the Versa Networks products with which VM-Series firewalls
interoperate.

| Hardware | Hypervisor | Supported Versa FlexVNF Software Version (Minimum) | Tested Versa FlexVNF Software Version (Minimum) | PAN-OS Version (Minimum) | Deployment Modes Supported | Documentation |
|---|---|---|---|---|---|---|
| Versa 930 (Dell VEP4600) | KVM | 21.x.x (21.1.2) | 21.1.x (21.1.2) | 9.1.x (9.1.0) | Virtual wire, L3 deployments with DPDK | Versa Documentation |

Vyatta
The following table shows the Vyatta products with which VM-Series firewalls interoperate.

| Platform | Hypervisor | Vyatta Software Version (Minimum) | PAN-OS Version | Deployment Modes Supported | Documentation |
|---|---|---|---|---|---|
| AT&T vRouter 5600 | KVM | 19.x (1903f) | 9.1.x (9.1.0) | Virtual wire, L2, L3 deployments with DPDK; VM-50, VM-100, and VM-300 | — |


Partner-Qualified Integrations
The following section shows the partner-qualified products with which VM-Series firewalls
interoperate. Refer to the tables for details about hardware platforms and software versions on
which you can deploy VM-Series firewalls.

The partner software version and PAN-OS® version columns display the range of versions
and the minimum version in parentheses. For example, where the PAN-OS Version column
displays PAN-OS 10.1.x (10.1.4), it indicates that the integration supports PAN-OS 10.1
releases beginning with PAN-OS 10.1.4.

• ADVA
• Aryaka
• Corsa
• Megaport
• SEL
• Siemens
• ZPE
• Zededa

ADVA
The following table shows the ADVA products with which VM-Series firewalls interoperate.

| Hardware | Supported ADVA Ensemble Connector Version | PAN-OS Version | I/O Acceleration | Documentation |
|---|---|---|---|---|
| FSP 150-XG304u | 19.1.1.33 | 10.0.x (10.0.4) | DPDK mode with SR-IOV | ADVA Documentation |

Aryaka
The following table shows the Aryaka products with which VM-Series firewalls interoperate.

| Hardware | Supported Aryaka Software Versions | PAN-OS Version | I/O Acceleration | Documentation |
|---|---|---|---|---|
| 2600; 3000; 10000 | 4.6.x; 4.8.x | 10.1.x (10.1.0) | DPDK and Virtio; Virtio and Packet MMAP mode | Aryaka Documentation |
| 2600; 3000 | 3.6.x | 10.0.x (10.0.0); 9.1.x (9.1.0) | DPDK and Virtio; Virtio and Packet MMAP mode | |
| | 3.0.x; 3.2.x | 9.1.x (9.1.0) | Virtio and Packet MMAP mode | |

Corsa
The following table shows the Corsa products with which VM-Series firewalls interoperate.

| Hardware | Supported Software Version | PAN-OS Version | I/O Acceleration | Documentation |
|---|---|---|---|---|
| Corsa Security Platform | 2.x.x | 10.1.x (10.1.4) | SR-IOV with Packet MMAP | Corsa Documentation |
| | 1.x.x | 9.1.x (9.1.0) | SR-IOV with Packet MMAP | |

Megaport
The following table shows the Megaport products with which VM-Series firewalls interoperate.

| Hardware | Hypervisor | Mode | PAN-OS Version | I/O Acceleration | Documentation |
|---|---|---|---|---|---|
| Megaport Virtual Edge: 2vCPU/8GB; 4vCPU/16GB; 8vCPU/32GB; 12vCPU/48GB | KVM | MVE provides Virtual Cross Connect (VXC) private network paths provisioned as layer-2 802.1q VLANs. | 10.2.x (10.2.0) | SR-IOV | Megaport Documentation |


SEL
The following table shows the SEL products with which VM-Series firewalls interoperate.

| Hardware | Supported Software Version | PAN-OS Version | I/O Acceleration | Documentation |
|---|---|---|---|---|
| SEL-3350 | AlmaLinux 8.6; RHEL 8.5 | 10.2.x (10.2.0) | None | SEL Documentation |
| SEL-3355 | AlmaLinux 8.6; RHEL 8.5 | 10.2.x (10.2.0) | SR-IOV supported on SEL-3355 onboard ports | |

Siemens
The following table shows the Siemens products with which VM-Series firewalls interoperate.

| Hardware | Supported Software Version | PAN-OS Version | I/O Acceleration | Documentation |
|---|---|---|---|---|
| RUGGEDCOM APE 1808 | Ubuntu 20.04 KVM | 10.1.x (10.1.0); 9.1.x (9.1.4) | L3 mode; Virtio with DPDK | Siemens Support; Siemens Technology Partners; RUGGEDCOM ROX II v.2.14 CLI Configuration Manual; RUGGEDCOM ROX II v.2.14 WebUI Configuration Manual; RUGGEDCOM APE1808 Configuration Manual |

ZPE
The following table shows the ZPE products with which VM-Series firewalls interoperate.


| Hardware | Supported Nodegrid Software Version | PAN-OS Version | I/O Acceleration | Documentation |
|---|---|---|---|---|
| Gate SR; NSR | 4.1.x | 9.1.x (9.1.0) | Virtio with DPDK | ZPE Documentation |

Zededa
The following table shows the Zededa products with which VM-Series firewalls interoperate.

Bootstrapping is not supported for the VM-Series firewall deployed on Zededa.

| EVE Version | PAN-OS Version | Mode | I/O Acceleration | Documentation |
|---|---|---|---|---|
| 8.5.4 | 11.0.x (11.0.0) | L3 Mode only; IPv4 only | VirtIO | Zededa Documentation |


VM-Series Plugin
The VM-Series plugin is built in to the VM-Series firewalls. You can configure this plugin directly
on the VM-Series firewall or install it on a Panorama™ M-Series or virtual appliance.
To manage the VM-Series plugin configuration on your managed firewalls from Panorama, you
must manually install the VM-Series plugin on Panorama. Refer to Panorama Plugins. You can also
compare VM-Series Plugin and Panorama Plugins.
The following table briefly describes the features introduced in each version of the VM-Series
plugin. For additional information about each version, refer to the VM-Series plugin release notes.

VM-Series Plugin 4.0.x


VM-Series plugin 4.0 versions are compatible with PAN-OS 11.0 releases. The following table
describes new features or changes introduced in each plugin version and the VM-Series PAN-OS
base image that includes each version of the plugin.

VM-Series Plugin Version | Included in PAN-OS Base Image | New Features or Changes
4.0.3 | 11.0.2 | Includes fixes to known issues.
4.0.2 | 11.0.2 | Includes fixes to known issues.
4.0.1 | 11.0.1 | Includes fixes to known issues.
4.0.0 | 11.0.0 | Introduces support for Advanced Routing on the VM-Series firewall.

VM-Series Plugin 3.0.x


VM-Series plugin 3.0 versions are compatible with PAN-OS 10.2 releases. The following table
describes new features or changes introduced in each plugin version and the VM-Series PAN-OS
base image that includes each version of the plugin.

VM-Series Plugin Version | Included in PAN-OS Base Image | New Features or Changes
3.0.5 | 10.2.5 | Addresses known issues.
3.0.4 | 10.2.4 | Addresses known issues.
3.0.3 | 10.2.3 | Addresses known issues and introduces two new features: Configuring OCI CloudWatch monitoring and Publishing custom metrics in the OCI console.
3.0.2 | 10.2.2 | Addresses known issues.
3.0.1 | 10.2.1 | Introduces one new feature: PAYG License Support for VM-Series on AWS, OCI, GCP and Azure.
3.0.0 | 10.2.0 | Addresses known issues.

VM-Series Plugin 2.1.x


VM-Series plugin 2.1 versions are compatible with PAN-OS 10.1 releases. The following table
describes new features or changes introduced in each plugin version and the VM-Series PAN-OS
base image that includes each version of the plugin.

VM-Series Plugin Version | Included in PAN-OS Base Image | New Features or Changes
2.1.13 | 10.1.10 | Introduces fixes for issues.
2.1.12 | — | Introduces fixes for issues.
2.1.11 | — | Introduces two new features: Full Bootstrap Support for the VM-Series on OCI and HA Support for the VM-Series on OCI in FIPS mode.
2.1.10 | 10.1.9-h1 | Introduces fixes for issues.
2.1.9 | 10.1.9 | Introduces fixes for issues.
2.1.8 | — | Addresses known issues and introduces two new features: Configuring OCI CloudWatch monitoring and Publishing custom metrics in the OCI console.
2.1.7 | 10.1.7 | Introduces fixes for issues.
2.1.6 | 10.1.6 | Introduces fixes for issues.
2.1.5 | 10.1.5 | Introduces fixes for issues.
2.1.4 | 10.1.4 | Introduces one new feature: Limit the number of vCPUs licensed and used by a VM-Series firewall.
2.1.3 | 10.1.3 | Addresses a known issue.
2.1.2 | 10.1.2 | Introduces two new features: Bootstrapping support for NUMA Performance Optimization and Azure Stack API Endpoint Access.
2.1.1 | 10.1.1 | Introduces two new features: NUMA Performance Optimization and Six-Core Support for Intelligent Traffic Offload.
2.1.0 | 10.1.0 | Default VM-Series plugin for PAN-OS 10.1.0.

VM-Series Plugin 2.0.x


VM-Series plugin 2.0 versions are compatible only with PAN-OS 9.1. The following table
describes new features or changes introduced in each plugin version and the VM-Series PAN-OS
base image that includes each version of the plugin.

VM-Series Plugin Version | Included in PAN-OS Base Image | New Features or Changes
2.0.7 | 9.1.10; 10.0.6* | Introduces management interface swap support for the VM-Series on VMware ESXi and KVM and addresses known issues.
2.0.6 | 9.1.9; 10.0.5* | Addresses a known issue.
2.0.5 | — | Addresses known issues and adds 1500 MTU for Google Cloud Platform and SR-IOV access mode on ESXi with PAN-OS 9.1.5 and later or 10.0.1 and later.
2.0.4 | 10.0.4* | Addresses known issues and adds licensing support for future PAN-OS releases.
2.0.3 | 10.0.3* |
  • Introduces custom image creation for the VM-Series firewall on Microsoft Azure.
  • Introduces Pay-As-You-Go license support for the VM-Series on Oracle Cloud Infrastructure.
  • Introduces enhancements for the VM-Series firewall on Alibaba Cloud.
  • Addresses known issues.
2.0.2 | 9.1.6; 9.1.7; 9.1.8; 10.0.2* |
  • Introduces shared storage on AWS, Azure and GCP. Supports subdirectories within cloud storage, enabling you to store multiple bootstrap files in one storage bucket.
  • Introduces support for secure bootstrap on AWS.
  • Change in default behavior: VM-Series plugin now uses HTTPS to communicate with the AWS CloudWatch endpoint.
  • Addresses known issues.
2.0.1 | 10.0.1* |
  • Introduces AWS active-passive high availability using a secondary IP address.
  • Change in default behavior: In new VM-Series deployments on AWS, the default Packet IO mode is DPDK.
  • Introduces bootstrapping with user data on AWS, Azure, and GCP.
  • Introduces bootstrapping VLAN access mode on SR-IOV for VM-Series firewall on KVM only. Requires PAN-OS 9.1.5 and later, or 10.0.1 and later.
  • Addresses known issues.
2.0.0 | 10.0.0* | Addresses known issues.

*PAN-OS 10.0 reached end-of-life (EoL) status on July 16, 2022.

VM-Series Plugin 1.0.x


VM-Series plugin 1.0 versions are compatible with PAN-OS 9.0 and PAN-OS 9.1 releases. The
following table describes new features or changes introduced in each plugin version and the VM-
Series PAN-OS base image that includes each version of the plugin.

VM-Series Plugin Version | Included in PAN-OS Base Image | New Features or Changes
1.0.13 | 9.0.14; 9.0.13; 9.0.12; 9.0.11 | Addresses known issues.
1.0.12 | 9.1.4; 9.1.5 |
  • Additional PAN-OS custom metrics for AWS, Azure, and GCP public clouds (panSessionConnectionsPerSecond, panSessionThroughputKbps, and panSessionThroughputPps).
  • New system startup updates, system health periodic updates, and live health failure updates for AWS CloudWatch.
  • Addresses known issues.
1.0.11 | 9.0.8; 9.0.9; 9.0.10; 9.1.2; 9.1.3 | Introduces Deeper Visibility with AWS CloudWatch Enhancement and addresses known issues.
1.0.10 | — | Addresses known issues on AWS.
1.0.9 | — | Introduces support for Oracle Cloud Infrastructure marketplace deployment and high availability for the VM-Series firewall, and addresses known issues. PAN-OS 9.1.1 is required to use these OCI features.
1.0.8 | 9.1.0; 9.1.1 | Addresses known issues. Default VM-Series plugin version for PAN-OS 9.1.
1.0.7 | — | Addresses known issues, including bug fixes and support for high availability (HA) on Azure Government for the VM-Series on Azure. Earliest version on which you can enable (HA) on Azure Government for the VM-Series on Azure.
1.0.6 | — | Introduces support for the VM-Series firewall on NSX-T (North-South) and addresses known issues.
1.0.5 | — | Introduces the PAN-OS accelerated feature releases (images with .xfr in the filename*) for only VM-Series firewalls to enable support for new features and bug fixes; also addresses known issues. PAN-OS 9.0.4 requires plugin 1.0.5 or later.
  *All PAN-OS 9.0-xfr releases are end-of-life (EoL) as of September 19, 2020.
1.0.4 | — | Addresses known issues.
1.0.3 | — | Addresses known issues.
  If you want to enable management interface swap on GCP or AWS platforms and you are running PAN-OS 9.0.2, you must install VM-Series plugin 1.0.3 or later.
1.0.2 | — | Addresses known issues.
1.0.0 | — | Enables publishing metrics for supported public clouds: AWS, Azure, and Google Cloud Platform. Default VM-Series plugin version for PAN-OS 9.0.


AWS Regions
The following table lists the AWS regions (public, GovCloud, and AWS Outposts) in which you can
deploy the VM-Series firewall from the AWS Marketplace.

AWS Regions Region ID

US East (N. Virginia) us-east-1

US East (Ohio) us-east-2

US West (N. California) us-west-1

US West (Oregon) us-west-2

Asia Pacific (Hong Kong) ap-east-1

Asia Pacific (Singapore) ap-southeast-1

Asia Pacific (Sydney) ap-southeast-2

Asia Pacific (Tokyo) ap-northeast-1

Asia Pacific (Seoul) ap-northeast-2

Asia Pacific (Osaka-Local) ap-northeast-3


Available in BYOL as a Shared AMI. You can find
the AMI for the VM-Series firewall on the EC2
console (Instances > Launch Instance > Community
AMIs) using the AMI ID (ami-0d326a4c332ce4726)
or by searching for Palo Alto Networks.

Asia Pacific (Mumbai) ap-south-1

Asia Pacific (Beijing) cn-north-1

Asia Pacific (Ningxia) cn-northwest-1

Canada Central ca-canada-1

EU (Frankfurt) eu-central-1

EU (Ireland) eu-west-1

EU (London) eu-west-2


EU (Paris) eu-west-3

EU (Stockholm) eu-north-1

South America (Sao Paulo) sa-east-1

Middle East (Bahrain) me-south-1

Africa (Cape Town) af-south-1

AWS Gov Cloud (US) us-gov-west, us-gov-east

AWS Outposts On all regions listed above, where AWS Outposts is supported.


Azure Regions
The VM-Series firewall is available on the Azure public and the Azure Government Marketplace.

Locations | VM-Series Next-Generation Firewall Bundle 1* | VM-Series Next-Generation Firewall Bundle 2* | VM-Series Next-Generation Firewall (BYOL and ELA)**
All geographies (except China)
Azure China | — | — | Only BYOL for PAN-OS 8.1
Azure Government (US)
Azure DoD

Refer to Azure geography for the list of regions.


Google Cloud Regions


You can deploy the VM-Series firewall with any supported PAN-OS® release in all Google Cloud
Platform regions.


Alibaba Cloud Regions


You can deploy the VM-Series firewall with PAN-OS® 8.1.3 and later PAN-OS 8.1 releases (where
supported) or later supported PAN-OS releases in all Alibaba Cloud regions.


VM-Series Firewall Amazon Machine Images (AMI)


The two most recent versions—2.0 and 2.1—of the CFT for auto scaling the VM-Series firewall on
AWS and the VM-Series Auto Scale Template are supported on all supported PAN-OS releases.
Please use the AWS CLI to find the AMI IDs for automating your deployment of VM-Series
firewalls. (For convenience, we captured the list of PAN-OS Images for AWS GovCloud.)

PAN-OS Images for AWS GovCloud


Because AWS GovCloud has restricted access owing to specific U.S. regulatory requirements, the
AMI IDs for the VM-Series firewall on AWS GovCloud are listed below for your convenience.

AMI IDs for VM-Series Firewalls on AWS GovCloud

Bring Your Own License (BYOL)

us-gov-west-1 Cloned AMI ID us-gov-east-1 Cloned AMI ID

PAN-OS 10.1.3 ami-0b0fb1dc91f1a5b9a ami-0d1efc973806198d3

PAN-OS 10.1.1 ami-02f7ea8be900f9955 ami-0eeeec392d066b8ae

PAN-OS 9.1.9 ami-01686e0ff6dccff8c ami-067d99132a54489a7

PAN-OS 9.1.8 ami-013219291e2bfe323 ami-07df5511d166c456e

PAN-OS 9.1.3 ami-019045558d9d46abe

Pay-as-You-Go (PAYG) Bundle 1

us-gov-west-1 Cloned AMI ID us-gov-east-1 Cloned AMI ID

PAN-OS 10.1.3 ami-004b1a1777dcdfd9f ami-016368ea5efba04e1

PAN-OS 10.1.1 ami-084ed91c50f9b4d96 ami-057662646115fdce4

PAN-OS 10.1.0 ami-0a5f5b771f7f8e5d3 ami-07ac1c7c5ce547d69

PAN-OS 9.1.15 ami-0e91c03870e1cd93c ami-03437a1f70f52e166

PAN-OS 9.1.12-h3 ami-0b5bc9e573a08b041 ami-06749834defebd4e0

PAN-OS 9.1.10-c15 ami-0099471b6d15fbddb ami-07797e48453a0682f

PAN-OS 9.1.10 ami-0709b58e478cab702 ami-0a098d4a886576dad

PAN-OS 9.1.3 ami-011be089674af6421

Pay-as-You-Go (PAYG) Bundle 2

us-gov-west-1 Cloned AMI ID us-gov-east-1 Cloned AMI ID

PAN-OS 10.1.3 ami-0fb205aaef8ce2043 ami-0cb03b7f09207667b

PAN-OS 10.1.1 ami-0828cee4fb427a163 ami-0997795d86a05ede0

PAN-OS 10.1.0 ami-099a18de4da9ae98f ami-0debf73b0bb9c2dbe

PAN-OS 9.1.15 ami-0a3050b051091a0eb ami-0d67ea2069394aaba

PAN-OS 9.1.12-h3 ami-004abe9b7a57eed38 ami-068bf7a0c5746f727

PAN-OS 9.1.10-c15 ami-0a192fdfa754d6c40 ami-01df4c86af829b978

PAN-OS 9.1.10 ami-0fc65b7bb5280ec09 ami-050f8775e829afef7

PAN-OS 9.1.3 ami-06695afbfbca39f61

CN-Series Firewalls
The CN-Series firewall is supported only in certain environments and requires a specific,
compatible set of files for deployment.
• CN-Series Supported Environments
• CN-Series Firewall Image and File Compatibility


CN-Series Supported Environments


You can deploy the CN-Series firewall in the following environments.

Product | Version: PAN-OS 10.1 | PAN-OS 10.2 | PAN-OS 11.0

Container runtime
PAN-OS 10.1, PAN-OS 10.2, and PAN-OS 11.0: Docker, CRI-O, Containerd

Kubernetes version
PAN-OS 10.1, PAN-OS 10.2, and PAN-OS 11.0: 1.17 through 1.27

Cloud provider managed Kubernetes
PAN-OS 10.1:
• AWS EKS (1.17 through 1.27 for CN-Series as a daemonset and CN-Series as a Service mode of deployment.)
• EKS on AWS Outpost (1.17 through 1.22)
  CN-Series for EKS on AWS Outpost does not support SR-IOV or Multus.
• Azure AKS (1.17 through 1.27)
  In Azure AKS, the PAN-OS 10.1.10h1 is the minimum required version to support kubernetes 1.25 and above.
• AliCloud ACK (1.26)
• GCP GKE (1.17 through 1.27)
PAN-OS 10.2:
• AWS EKS (1.17 through 1.27 for CN-Series as a daemonset and CN-Series as a Service mode of deployment.)
• AWS EKS (1.17 through 1.22 for CN-Series as a CNF mode of deployment.)
• EKS on AWS Outpost (1.17 through 1.22)
  CN-Series for EKS on AWS Outpost does not support SR-IOV or Multus.
• Azure AKS (1.17 through 1.27)
  In Azure AKS, the PAN-OS 10.2.4h3 is the minimum required version to support kubernetes 1.25 and above.
• GCP GKE (1.17 through 1.27)
  In GCP GKE, the PAN-OS 10.2.4h3 is the minimum required version to support kubernetes 1.25 and above.
• Google Anthos 1.12.3
• OCI OKE (1.23)
PAN-OS 11.0:
• AWS EKS (1.17 through 1.27 for CN-Series as a daemonset and CN-Series as a Service mode of deployment.)
• AWS EKS (1.17 through 1.22 for CN-Series as a CNF mode of deployment.)
• EKS on AWS Outpost (1.17 through 1.22)
  CN-Series for EKS on AWS Outpost does not support SR-IOV or Multus.
• Azure AKS (1.17 through 1.27)
  In Azure AKS, the PAN-OS 11.0.2 is the minimum required version to support kubernetes 1.25 and above.
• GCP GKE (1.17 through 1.27)
• OCI OKE (1.23)

Customer managed Kubernetes
PAN-OS 10.1, PAN-OS 10.2, and PAN-OS 11.0:
On the public cloud or on-premises data center.
Make sure that the Kubernetes version, CNI Types, and Host VM OS versions are included in this table.
VMware TKG+ version 1.1.2
• Infrastructure Platform: vSphere 7.0
• Kubernetes Host VM OS: Photon OS

Kubernetes Host VM
PAN-OS 10.1, PAN-OS 10.2, and PAN-OS 11.0:
Operating System:
• Ubuntu 16.04
• Ubuntu 18.04
• Ubuntu-22.04
• RHEL/Centos 7.3 and later
• CoreOS 21XX, 22XX
• Container-Optimized OS
Linux kernel Netfilter: Iptables
Linux kernel version:
• 4.18 or later (K8s Service Mode only)
• 5.4 or later required to enable AF_XDP mode. See Editable Parameters in CN-Series Deployment YAML Files for more information.

CNI Plugins
PAN-OS 10.1:
CNI Spec 0.3 and later:
• AWS-VPC
• Azure
• Calico
• Flannel
• Weave
• For AliCloud, Terway
• For Openshift, OpenshiftSDN
• The following are supported on the CN-Series firewall as a DaemonSet.
  • Multus
  • Bridge
  • SR-IOV
  • Macvlan
PAN-OS 10.2 and PAN-OS 11.0:
CNI Spec 0.3 and later:
• AWS-VPC
• Azure
• Calico
• Flannel
• Weave
• For Openshift, OpenshiftSDN
• The following are supported on the CN-Series firewall as a DaemonSet.
  • Multus
  • Bridge
  • SR-IOV
  • Macvlan

OpenShift
PAN-OS 10.1:
CN-Series as a DaemonSet: 4.2, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 4.10, 4.11, 4.12, and 4.13
CN-Series as a K8s Service: (PAN-OS 10.1.2 and later) 4.7, 4.8, 4.9, 4.10, 4.11, 4.12, and 4.13
• OpenShift on AWS
  The PAN-OS 10.1.10h1 is the minimum required version to support 4.12 and above.
PAN-OS 10.2:
• Version 4.2, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 4.10, 4.11, 4.12, and 4.13
  OpenShift 4.7 is qualified on the CN-Series as a DaemonSet only.
  The PAN-OS 10.2.4h3 is the minimum required version to support 4.12 and above.
PAN-OS 11.0:
• Version 4.2, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 4.10, 4.11, 4.12, and 4.13
  OpenShift 4.7 is qualified on the CN-Series as a DaemonSet only.
  The PAN-OS 11.0.2 is the minimum required version to support 4.12 and above.
• OpenShift on AWS


CN-Series Firewall Image and File Compatibility


Deploying the CN-Series firewall requires a number of different files. To help ensure a
successful deployment, check the following information to make sure you download the correct
combination of files for your CN-Series firewall deployment.

PAN-OS Version | YAML Version | CNI Version | mgmt-init Version
PAN-OS 11.0.x; PAN-OS 10.2.x; PAN-OS 10.1.x | 3.0.x | 3.0.x | 3.0.x

Panorama
This section includes information about Panorama™ and compatible versions for devices that
Panorama can manage, as well as about plugins that are available for Panorama.
• Plugins
• Compatible Plugin Versions for PAN-OS 10.2
• Panorama Management Compatibility
• Panorama Hypervisor Support
• Device Certificate for a Palo Alto Networks Cloud Service


Panorama Plugins
The following tables describe the features and functionality introduced with the Panorama™
extensible plugin architecture.
• Cisco ACI
• Cisco TrustSec
• Panorama CloudConnector Plugin (Formerly, AIOps Plugin for Panorama)
• Cloud Services
• Enterprise Data Loss Prevention (DLP)
• Panorama Interconnect
• IPS Signature Converter
• Kubernetes
• Clustering Plugin
• Nutanix
• OpenConfig (Firewall Only)
• Panorama Software Firewall License Plugin
• Public Cloud—AWS, Azure, and GCP
• SD-WAN
• VMware NSX
• VMware vCenter
• Zero Touch Provisioning (ZTP)
For more information on Panorama plugin versions, refer to the VM-Series and Panorama Plugins
Release Notes.

Cisco ACI
The following table shows the features introduced in each version of the Panorama™ plugin for
Cisco ACI. The plugin uses device groups on Panorama to push the configuration to the managed
firewalls.

End-of-life (EoL) software versions are included in this table. Review the Software End-of-
Life Summary website to check whether we are still supporting your software version.

Plugin Version | Supported Cisco ACI Version | Panorama PAN-OS Version (Minimum) | Maximum Panorama PAN-OS Version | Features
3.0.0 | 6.0.x; 5.2.x; 5.1.x | 10.2 (10.2.4); 10.2 (10.2.0) | Latest | Introduces enhancements to increase reliability and robustness.
2.0.3 | 6.0.x; 5.2.x; 5.1.x; 5.0.x; 4.2.x; 4.1.x; 4.0.x; 3.2 | 10.1 (10.1.9); 10.1 (10.1.0); 10.0 (10.0.0); 9.1 (9.1.0); 9.0 (9.0.0) | Latest | Introduces a fix for a known issue.
  You can do a new deployment of Cisco ACI 2.0.3 on Panorama 9.0 or later. You can also upgrade from Cisco ACI 2.0.x to Cisco ACI 2.0.3. However, if you need to upgrade from Cisco ACI 1.0.0 or Cisco ACI 1.0.1, you will need to upgrade your Panorama to 10.0 or later, and then upgrade the ACI plugin to 2.0.3.
2.0.2 | 5.1.x; 5.0.x; 4.2.x; 4.1.x; 4.0.x; 3.2 | 10.1 (10.1.0); 10.0 (10.0.0); 9.1 (9.1.0); 9.0 (9.0.0) | Latest | Introduces Cisco ACI 5.1 support and fixes for known issues.
  You can do a new deployment of Cisco ACI 2.0.2 on Panorama 9.0 or later. You can also upgrade from Cisco ACI 2.0.x to Cisco ACI 2.0.2. However, if you need to upgrade from Cisco ACI 1.0.0 or Cisco ACI 1.0.1, you will need to upgrade your Panorama to 10.0 or later, and then upgrade the ACI plugin to 2.0.2.
2.0.1 | 5.0.x; 4.2.x; 4.1.x; 4.0.x; 3.2 | 10.1 (10.1.0); 10.0 (10.0.0); 9.1 (9.1.0); 9.0 (9.0.0) | Latest | Introduces fixes for known issues.
2.0.0 | 5.0.x; 4.2.x; 4.1.x; 4.0.x; 3.2 | 10.1 (10.1.0); 10.0 (10.0.0); 9.1 (9.1.0); 9.0 (9.0.0) | Latest | Introduces the Panorama Plugin for Cisco ACI Dashboard and two new monitored attributes: L2 external endpoint groups and subnets under bridge domains.
1.0.1 | 5.0.x; 4.0.x; 3.2; 3.1; 2.3(1e) | 8.1 (8.1.6) | 9.1 | Introduces support for multiple IP addresses per endpoint and Cisco ACI 4.0 and later.
1.0.0 | 5.0.x; 3.2; 3.1; 2.3(1e) | 8.1 (8.1.6) | 9.1 | Enables support for Endpoint Monitoring from Panorama. Configure the Panorama plugin for Cisco ACI to monitor endpoints so that you can consistently enforce security policy that automatically adapts to changes within your ACI deployment.

Cisco TrustSec
The following table shows the features introduced in each version of the Panorama™ plugin for Cisco
TrustSec.

End-of-life (EoL) software versions are included in this table. Review the Software End-of-
Life Summary website to check whether we are still supporting your software version.


Plugin Version | Minimum Panorama PAN-OS Version | Qualified Cisco ISE Versions | Features
2.0.0 | 10.2.0 | ISE 3.1; ISE 2.7 | Introduces support for Panorama 10.2.x. Introduces support for security group tags (SGT). Use these tags as match criteria for placing IP addresses in dynamic address groups.
1.0.3 | 9.0.0 | ISE 3.1; ISE 2.7 | Introduces a fix for one issue.
1.0.2 | 9.0.0 | ISE 2.4; ISE 2.6 | Introduces the PubSub monitoring mode, which parses notifications directly from the server. The plugin enables PubSub mode when v1.0.2 is running on Panorama 10.0.0 and later. If v1.0.2 is running on a Panorama version earlier than 10.0.0, the monitoring mode is Bulk Sync.
1.0.1 | | |
  • Lowers the minimum monitoring interval from 30 seconds to 10 seconds.
  • Combined Logs for the Panorama Plugin for Cisco TrustSec.
1.0.0 | | | Enables support for endpoint monitoring from Panorama. Configure the Panorama plugin for Cisco TrustSec to monitor endpoints so that you can consistently enforce security policy that automatically adapts to changes within your TrustSec environment.

Panorama CloudConnector Plugin (Formerly, AIOps Plugin for Panorama)
The following table shows the features introduced in each version of the plugin for AIOps.

Plugin Version | Panorama PAN-OS Version (Minimum) | Maximum Panorama PAN-OS Version | New Features or Changes
2.0.1 | 10.2 (10.2.3) | Latest | Introduces enhancements for Cloud NGFW for AWS integration with Panorama.
2.0.0 | 10.2 (10.2.3) | Latest | Enables you to use the Panorama AWS plugin 5.0.0 to author and push device group based policies to Cloud NGFW for AWS resources.
1.1.0 | 10.2 (10.2.3) | Latest | Enables the policy analyzer feature that helps you to check if a new security rule meets your intended purpose and that it does not duplicate, shadow, or conflict with your existing rules (pre-commit). You can also check for duplication and other anomalies across your current Security policy rulebase (post-commit).
1.0.0 | 10.2 (10.2.1) | Latest | Enables you to proactively enforce best practice checks by validating your commits and letting you know if a policy needs work before pushing it to your Panorama.


Cloud Services
You use the Cloud Services plugin to activate Panorama Managed Prisma Access and to retrieve
logs from Panorama-managed firewalls using Cortex Data Lake. Review the following table to see
the minimum Panorama and plugin versions for your deployment type.

Deployment Type | Panorama and Plugin Requirements
Panorama Managed Prisma Access | Dependent on plugin version. Review the minimum Panorama software versions required for the plugin you are running. To find the plugin version you are running, select Panorama > Cloud Services > Configuration > Service Setup and find the plugin version in the Plugin Alert area.
Cortex Data Lake log retrieval from Panorama-managed firewalls only | Cortex Data Lake Software Compatibility has the minimum Panorama and plugin requirements.

Enterprise Data Loss Prevention (DLP)


The following table shows the features introduced in each version of the Panorama™ plugin for
Enterprise Data Loss Prevention (DLP).

End-of-life (EoL) software versions are included in this table. Review the Software End-of-
Life Summary website to check whether we are still supporting your software version.

Plugin Version | PAN-OS Version (Minimum) | Maximum PAN-OS Version | Cloud Services Plugin (Minimum) | Features
4.0.1 | 11.0.2 | Latest | Cloud Services 4.0 Preferred | Enterprise Data Loss Prevention (E-DLP) now supports creating a file type include or exclude list for data filtering profiles configured for file-based inspection. This allows you to select one of two modes:
  • Inclusion Mode: Allow only specified file types be scanned by Enterprise DLP.
  • Exclusion Mode: Allow all supported files to be scanned by Enterprise DLP by default but excluding the file types you specify. Exclusion Mode includes True File Type Support and does not rely on file extensions to determine file types.
4.0.0 | 11.0.0 | 11.0.1 | Cloud Services 4.0 Preferred | You must upgrade to Enterprise DLP 4.0 plugin to upgrade to PAN-OS 11.0. Additionally, you must download the Enterprise DLP 4.0 plugin before you attempt to install PAN-OS 11.0.
3.0.5 | 10.2.4-h3 | Latest 10.2 Release | Cloud Services 3.1.0-h50 (PAN-OS 10.2.2-h1 and later releases) | Minor bug and performance fixes.
3.0.4 | 10.2.4 | 10.2.4-h3 | Cloud Services 3.1.0-h50 (PAN-OS 10.2.2-h1 and later releases) | Enterprise DLP now supports new applications, expanded download support and large file inspection for many existing applications, and FedRAMP High compliance.
3.0.3 | 10.2.3-h4 | 10.2.4 | Prisma Access 3.1.0-h50 (PAN-OS 10.2.2-h1 and later releases) | Enterprise DLP now supports upload inspection of files up to 100MB in size for the Box Web App and Web Browsing applications.
3.0.2 | 10.2.3 | Latest 10.2.3-h4 | Cloud Services 3.1.0-h50 (PAN-OS 10.2.2-h1 and later releases) | Enterprise DLP now supports inspection of file and non-file based HTTP/2 traffic.
3.0.1 | 10.2.1 | 10.2.3 | Cloud Services 3.1.0-h50 (PAN-OS 10.2.2-h1 and later releases) | The Panorama plugin for Enterprise DLP supports creating a data filtering profile to scan non-file based traffic for sensitive data.
3.0.0 | 10.2.0 | 10.2.1 | Not Supported | Upgrade to the Enterprise DLP plugin to increase reliability. Enterprise DLP plugin 3.0 is required to upgrade to PAN-OS 10.2 and is supported only on PAN-OS 10.2 and later releases.
1.0.7 | 10.0.5 | Latest 10.1 Release | Cloud Services 2.2 | Minor bug and performance fixes.
1.0.6 | 10.0.5 | Latest 10.1 Release | Cloud Services 2.2 | Minor bug and performance fixes.
1.0.5 | 10.0.5 | Latest 10.1 Release | Cloud Services 2.2 | Minor bug and performance fixes.
1.0.4 | 10.0.5 | Latest 10.1 Release | Cloud Services 2.2 | Minor bug and performance fixes.
1.0.3 | 10.0.5 | Latest 10.1 Release | Cloud Services 2.2 | The Panorama plugin for DLP supports the integration of Enterprise DLP with Prisma Access.
1.0.2 | 10.0.5 | Latest 10.1 Release | Not Supported | No new features were added for this release.
1.0.1 | 10.0.2 | Latest 10.1 Release | Not Supported | Enables support for Enterprise DLP from Panorama. Configure the Panorama plugin for Enterprise DLP to protect against unauthorized access, misuse, extraction, and sharing of sensitive information and effectively filter network traffic to block or generate an alert before sensitive information leaves the network.

Panorama Interconnect
The following table shows the features introduced in each version of the Panorama™
Interconnect plugin.

End-of-life (EoL) software versions are included in this table. Review the Software End-of-
Life Summary website to check whether we are still supporting your software version.

| Plugin Version | Minimum PAN-OS Version | Maximum PAN-OS Version | New Features or Changes |
| --- | --- | --- | --- |
| 2.0.0 | 10.2.4 (PAN-OS 10.2 release) | Latest 10.2 version (PAN-OS 10.2 release) | You must upgrade to Panorama Interconnect 2.0.0 plugin to upgrade to PAN-OS 10.2. |
| 1.1.0 | 10.0.0 | Latest 10.1 version | Enables you to selectively push device groups, template stacks, and some common Panorama configurations from the Panorama Controller to the Panorama Nodes to avoid pushing extraneous configurations to Panorama Nodes to minimize configuration bloat and operational delays across your Panorama Interconnect deployment. |
| 1.0.2 | 8.1.3 | Latest 10.1 version | Minor bug and performance fixes. |
| 1.0.1 | 8.1.3 | Latest 10.1 version | Minor bug and performance fixes. |
| 1.0.0 | 8.1.3 | Latest 10.1 version | First plugin introduced to support a two-tier Panorama deployment for a horizontal scale-out architecture. |

IPS Signature Converter


The following table shows the features introduced in each version of the Panorama™ IPS
Signature Converter plugin.

End-of-life (EoL) software versions are included in this table. Review the Software End-of-
Life Summary website to check whether we are still supporting your software version.

| Plugin Version | Minimum PAN-OS Version | Features |
| --- | --- | --- |
| 2.0.2 | 10.2 | Supports SMTP and FTP protocols. |
| 2.0.1 | 10.2 | Supports HTTP sticky buffers. Now converts Snort rules that have commas separating content patterns and their associated suboption. |
| 2.0.0 | 10.2 | Uses Python 3 for compatibility with PAN-OS 10.2. |
| 1.0.6 | 10.0 | Supports SMTP and FTP protocols. |
| 1.0.5 | 10.0 | Supports HTTP sticky buffers. Now converts Snort rules that have commas separating content patterns and their associated suboption. |
| 1.0.4 | 10.0 | No significant changes in functionality. |
| 1.0.3 | 10.0 | Converts rules into SSL custom signatures if their port is 443. Converts server-to-client HTTP rules without content modifiers into custom signatures with the http-rsp-status-line and http-rsp-headers contexts. Converts Suricata TLS rules into TLS custom signatures and supports additional TLS and file data sticky buffers. |
| 1.0.2 | 10.0 | Converts rules that use the smb protocol or port 445. Supports HTTP sticky buffer keywords in Suricata rules. Converts HTTP rules into HTTP custom signatures if either the port in the rule is HTTP_PORTS or the protocol is http. |
| 1.0.1 | 10.0 | Identifies whether newly converted signatures are already included as part of your Palo Alto Networks Threat Prevention subscription. |
| 1.0.0 | 10.0 | Enables support for third-party IPS signature conversion from Panorama. Use the Panorama IPS Signature Converter plugin to gain immediate protection against newly discovered threats by converting third-party IPS rules into Palo Alto Networks custom threat signatures and distributing them to your Panorama-managed firewalls. |


Kubernetes
The following table displays the features introduced in each version of the Panorama™
Kubernetes plugin.

End-of-life (EoL) software versions are included in this table. Review the Software End-of-
Life Summary website to check whether we are still supporting your software version.

| Plugin Version | Minimum Panorama PAN-OS Version | Maximum Panorama PAN-OS Version | Features |
| --- | --- | --- | --- |
| 4.0.0 | 11.0 | Latest | Introduces new features like CN-Series Hyperscale Security Fabric (HSF), Tag Length Enhancement, Shared DAG Support, and Nested DAG Support. |
| 3.0.1 | 10.2 | Latest | Introduces support for shared dynamic address groups. |
| 3.0.0 | 10.2 | Latest | Introduces Retrieving IPv6 Addresses for Multus CNI Setup, Tag Pruning, Service Account Validation, and advanced Dashboard features. |
| 2.0.2 | 10.1 | 10.1.x | K8s plugin 2.0.2 creates a new template on Panorama called K8S-Network-Setup-V1-125. This template creates 250 vwire interfaces and 125 vwires. |
| 2.0.1 | 10.1 | 10.1.x | Introduces fixes for known issues. |
| 2.0.0 | 10.1 | 10.1.x | Introduces Core-Based Licensing, Multiple Interface Support, and Custom Certificate Chaining. |
| 1.0.5 | 10.0 | 10.1.x | Introduces fixes for known issues. |
| 1.0.4 | 10.0 | 10.1.x | Introduces fixes for known issues. |
| 1.0.3 | 10.0 | 10.1.x | Introduces fixes for known issues. |
| 1.0.2 | 10.0 | 10.1.x | Introduces fixes for known issues. |
| 1.0.1 | 10.0 | 10.1.x | Introduces the ability to disable the creation of service objects on Panorama, and support for offline licensing of CN-Series firewalls with Panorama. |
| 1.0.0 | 10.0 | 10.1.x | Manages licenses for the CN-Series firewall and enables you to monitor clusters and leverage Kubernetes labels that you use to organize Kubernetes objects. The plugin communicates with the API server and retrieves metadata, which gives you visibility into applications running within a cluster. |

Clustering Plugin
The following table shows the features introduced in the Panorama Clustering plugin.

| Plugin Version | Panorama PAN-OS Version (Minimum) | Maximum Panorama PAN-OS Version | Features |
| --- | --- | --- | --- |
| 1.0.0 | 11.0 | Latest | Provides visibility into the Hyper Scale Security Fabric (HSF) clusters in CN-Series. |

Nutanix
The following table shows the features introduced in each version of the Panorama™ plugin for
Nutanix.

End-of-life (EoL) software versions are included in this table. Review the Software End-of-
Life Summary website to check whether we are still supporting your software version.

| Plugin Version | Panorama PAN-OS Version (Minimum) | Maximum Panorama PAN-OS Version | Features |
| --- | --- | --- | --- |
| 2.0.1 | 10.2 (10.2.0) | Latest | Introduces fixes for known issues. |
| 2.0.0 | 10.2 (10.2.0) | Latest | Introduces enhancements to increase reliability and robustness. |
| 1.0.0 | 9.0 (9.0.4) | Latest | Enables support for VM Monitoring from Panorama. Configure the Panorama plugin for Nutanix to monitor VM workloads so that you can consistently enforce security policy that automatically adapts to changes within your Nutanix environment. |

OpenConfig (Firewall Only)


The following table shows the features introduced in each version of the OpenConfig plugin.

End-of-life (EoL) software versions are included in this table. Review the Software End-of-
Life Summary website to check whether we are still supporting your software version.

| Plugin Version | PAN-OS Version (Minimum) | New Features or Changes |
| --- | --- | --- |
| 1.2.0 | 10.1 | Enables support for protobuf and unbundling. |
| 1.1.0 | 10.1 | Enables support for these standard OpenConfig models: openconfig-ha; openconfig-zones; openconfig-network-instances; openconfig-routing-policy; openconfig-ospfv2 |
| 1.0.0 | 10.1 | Enables support for the OpenConfig plugin on PAN-OS firewalls so that you can use standard OpenConfig models to automate configuration and stream telemetry. |

Panorama Software Firewall License Plugin


The following table shows the features introduced in each version of the Panorama™ Software
Firewall License plugin.

End-of-life (EoL) software versions are included in this table. Review the Software End-of-
Life Summary website to check whether we are still supporting your software version.

| Plugin Version | Panorama PAN-OS Version (Minimum) | Maximum Panorama PAN-OS Version | Minimum VM-Series Plugin Version | Features |
| --- | --- | --- | --- | --- |
| 1.1.1 | 10.0 (10.0.4) | Latest | 2.0.4 | Introduces fixes for known issues. |
| 1.1.0 | 10.0 (10.0.4) | Latest | 2.0.4 | Introduces fixes for known issues. |
| 1.0.0 | 10.0 (10.0.4) | Latest | 2.0.4 | The Panorama Software Firewall License plugin allows you to automatically license a VM-Series firewall when it connects to Panorama. |

Public Cloud—AWS, Azure, and GCP


The following table shows the features introduced in each version of the Panorama™ plugin for
Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). The plugins use
device groups and templates on Panorama to push the configuration to the managed firewalls.

End-of-life (EoL) software versions are included in this table. Review the Software End-of-
Life Summary website to check whether we are still supporting your software version.

| Public Cloud Platform | AWS Plugin Version | Panorama PAN-OS Version (Minimum) | Maximum Panorama PAN-OS Version | VM-Series Plugin Version (Minimum) | Features |
| --- | --- | --- | --- | --- | --- |
| AWS | 5.1.1 | 10.2 (10.2.3) | Latest | 3.0.0 | Introduces enhancements for Cloud NGFW for AWS integration with Panorama. |
| | 5.0.1 | 10.2 (10.2.3) | Latest | 3.0.0 | Introduces enhancements for Cloud NGFW for AWS integration with Panorama. |
| | 5.0.0 | 10.2 (10.2.3) | Latest | 3.0.0 | Introduces support for Panorama integration with Cloud NGFW for AWS. |
| | 4.1.0 | 10.2 | Latest | 3.0.0 | Introduces support for nested dynamic address groups and tag pruning. |
| | 4.0.0 | 10.2 | Latest | 3.0.0 | Introduces enhancements to increase reliability and robustness. |
| | 3.0.3 | 10.0 (10.0.5) | 10.1.x | 2.0.6 | Introduces shared dynamic address groups support and bug fixes. |
| | 3.0.2 | 10.0 (10.0.5) | 10.1.x | 2.0.6 | Introduces proxy support and bug fixes. |
| | 3.0.1 | 10.0 (10.0.5) | 10.1.x | 2.0.6 | Introduces enhancements and bug fixes. |
| | 3.0.0 | 10.0 (10.0.5) | 10.1.x | 2.0.6 | Introduces Panorama Orchestration and new monitoring parameters. |
| | 2.0.2 | 10.1 (10.1.0) | 10.1.x | 2.0.2 | Introduces fixes for known issues. |
| | | 10.0 (10.0.0) | 10.1.x | 2.0.0 | |
| | | 9.1 (9.1.2) | 10.1.x | 1.0.8 | |
| | | 9.0 (9.0.6) | 10.1.x | 1.0.4 | |
| | 2.0.1 | 9.1 (9.1.2) | 10.1.x | 1.0.4 | Introduces a fix for a known issue. |
| | | 9.0 (9.0.6) | 10.1.x | | |
| | 2.0.0 | 9.1 (9.1.2) | 10.1.x | 1.0.8 | Enables support for: VM Monitoring; Secure Kubernetes Services in an EKS Cluster |
| | | 9.0 (9.0.6) | 10.1.x | 1.0.4 | |
| | 1.0.1 | 9.0 (9.0.0) | 9.0.x | N/A | Introduces fixes for known issues. |
| | | 8.1 (8.1.3) | | | |
| | 1.0.0 | 9.0 (9.0.0) | 9.0.x | N/A | Enables support for VM Monitoring to monitor the virtual machine inventory within your AWS VPCs so that you can consistently enforce Security policy that automatically adapts to changes within your AWS deployment. |
| | | 8.1 (8.1.3) | | | |

| Public Cloud Platform | Azure Plugin Version | Panorama PAN-OS Version (Minimum) | Maximum Panorama PAN-OS Version | VM-Series Plugin Version (Minimum) | Features |
| --- | --- | --- | --- | --- | --- |
| Azure | 5.1.0 | 10.2.4 | Latest | 4.0.0 | Introduces tag pruning feature to increase the scalability and the number of tags collected by the Azure plugin. |
| | 5.0.0 | 10.2.4 | Latest | 4.0.0 | Introduces support for Panorama integration with Cloud NGFW for Azure. |
| | 4.2.0 | 10.2.3 | Latest | 3.0.1 | Introduces support for Azure Workspace-based Application Insights. |
| | 4.1.0 | 10.2 | Latest | 3.0.1 | Increased the number of front-end applications per VM-Series for Azure deployment. |
| | 4.0.0 | 10.2 | Latest | 3.0.1 | Introduces enhancements to increase reliability and robustness. |
| | 3.2.0 | 10.0 (10.0.1) | 10.1.x | 2.0.1 | Introduces proxy support and fix for a known issue. |
| | | 10.1 (10.1.0) | 10.1.x | 2.1.0 | |
| | 3.1.0 | 10.0 (10.0.1) | 10.1.x | 2.0.1 | Introduces fixes for a known issue. |
| | | 10.1 (10.1.0) | 10.1.x | 2.1.0 | |
| | 3.0.1 | 10.0 (10.0.1) | 10.1.x | 2.0.1 | Introduces fixes for known issues. |
| | | 10.1 (10.1.0) | 10.1.x | 2.1.0 | |
| | 3.0.0 | 10.0 (10.0.1) | 10.1.x | 2.0.1 | Introduces Panorama Orchestration. |
| | | 10.1 (10.1.0) | 10.1.x | 2.1.0 | |
| | 2.0.3 | 9.0 (9.0.6) | 10.1.x | 1.0.4 | Introduces a fix for a known issue. |
| | | 9.1 (9.1.2) | 10.1.x | 1.0.8 | |
| | | 10.0 (10.0.0) | 10.1.x | 2.0.0 | |
| | | 10.1 (10.1.0) | 10.1.x | 2.1.0 | |
| | 2.0.2 | 8.1 (8.1.11) | 10.1.x | 1.0.4 | Introduces fixes for known issues. |
| | | 9.0 (9.0.5) | | | |
| | 2.0.1 | 8.1 (8.1.11) | 10.1.x | 1.0.4 | Introduces fixes for known issues. |
| | | 9.0 (9.0.5) | | | |
| | 2.0.0 | 8.1 (8.1.8) | 10.1.x | N/A | Enables support for: Auto Scaling—Template v1.0; Azure Kubernetes Service (AKS) Cluster—Template v1.0 |
| | | 9.0 (9.0.3) | 10.1.x | 1.0.4 | Enables support for: Auto Scaling—Template v1.0; Azure Kubernetes Service (AKS) Cluster—Template v1.0 |
| | 1.0.0 | 8.1 (8.1.3) | 9.0.x | N/A | Enables support for VM Monitoring from Panorama. Configure the Panorama plugin for Azure to monitor the virtual machine inventory within your Azure subscription. |
| | | 9.0 (9.0.0) | | | |

| Public Cloud Platform | GCP Plugin Version | Panorama PAN-OS Version (Minimum) | Maximum Panorama PAN-OS Version | VM-Series Plugin Version | Features |
| --- | --- | --- | --- | --- | --- |
| GCP | 3.0.0 | 10.2 | Latest | 3.0.0 | Introduces enhancements to increase reliability and robustness. |
| | 2.0.0 (Upgrade from 1.0.0 to 2.0.0 is not supported.) | 9.0 (9.0.4) | Latest | 1.0.4 | Enables you to monitor and secure VMs or GKE clusters deployed in GCP. Deploy auto scaling for VM instance groups or GKE clusters using auto scaling templates for both firewall and application deployments. VM Monitoring for GCP assets. |

SD-WAN
The following table shows the features introduced in each version of the Panorama™ plugin for
SD-WAN.

End-of-life (EoL) software versions are included in this table. Review the Software End-of-
Life Summary website to check whether we are still supporting your software version.

| Plugin Version | PAN-OS Version (Minimum) | Maximum PAN-OS Version | Features |
| --- | --- | --- | --- |
| 3.1.2 | 11.0.2 (11.0.2) | Latest | Bug and performance fixes. |
| 3.1.1 | 11.0.2 (11.0.2) | Latest | SD-WAN IPv6 Basic Connectivity |
| 3.0.1-h6 | 11.0.1 (11.0.1) | Latest | Bug and performance fixes. |
| 3.1.0-h6 | 11.0.0 (11.0.1) | Latest | Enables Advanced Routing Engine support. |
| 3.0.5 | 10.2.5 (10.2.5) | Latest | Bug and performance fixes. |
| 3.0.4 | 10.2.4 (10.2.4) | Latest | Bug and performance fixes. |
| 3.0.3 | 10.2.1 (10.2.1) | Latest | Bug and performance fixes. |
| 3.0.2 | 10.2.1 (10.2.1) | Latest | Bug and performance fixes. |
| 3.0.1 | 10.2.1 (10.2.1) | Latest | Copy ToS Header Support. |
| 3.0.0 | 10.2 (10.2.0) | Latest | Upgrade to the SD-WAN plugin to increase reliability. SD-WAN plugin 3.0 is required to upgrade to PAN-OS 10.2 and is supported only on PAN-OS 10.2 and later releases. |
| 2.2.4 | 10.1.10 (10.1.10) | Latest | Bug and performance fixes. |
| 2.2.3 | 10.1.9 (10.1.9) | Latest | Bug and performance fixes. |
| 2.2.2 | 10.1.5-h1 (10.1.5-h1) | Latest | Bug and performance fixes. |
| 2.2.1 | 10.1.5-h1 (10.1.5-h1) | Latest | Copy ToS Header support. |
| 2.2.0 | 10.1.4 (10.1.4) | Latest | Prisma Access Hub support. |
| 2.1.1 | 10.0 (10.0.4) | Latest | Minor bug and performance fixes. |
| 2.1.0 | 10.0 (10.0.4) | Latest | SD-WAN supports Aggregated Ethernet (AE) interfaces with or without subinterfaces for link redundancy. AE interfaces allow you to tag for different ISP services to achieve end-to-end traffic segmentation. SD-WAN also supports Layer 3 subinterfaces for end-to-end traffic segmentation. |
| 2.0.3 | 10.0 (10.0.3) | Latest | Minor bug and performance fixes. |
| 2.0.2 | 10.0 (10.0.3) | Latest | Includes support so you can control whether Auto VPN configuration enables or disables the Remove Private AS setting for all BGP peer groups on a branch or hub. |
| 2.0.1 | 10.0 (10.0.3) | Latest | Includes support for full mesh VPN cluster with DDNS service, auto-VPN configuration with branch behind NAT, and Direct Internet Access (DIA) AnyPath. |
| 2.0.0 | 10.0 (10.0.2) | Latest | Maintain high-quality application experience by leveraging Forward Error Correction (FEC) and packet duplication and by accurately measuring SaaS and Cloud applications when you have an SD-WAN firewall with Direct Internet Access (DIA) links. |
| 1.0.6 | 9.1 (9.1.4) | Latest | Minor bug and performance fixes. |
| 1.0.5 | 9.1 (9.1.4) | Latest | Minor bug and performance fixes. |
| 1.0.4 | 9.1 (9.1.4) | Latest | In an SD-WAN VPN cluster that has more than one hub, you must assign a priority to each hub, which determines the primary hub and hub failover order. Panorama maps the priority to a BGP local preference and pushes the local preference to the branches in the cluster. |
| 1.0.3 | 9.1 (9.1.3) | 10.0.0 | When the SD-WAN hub is behind a NAT device, the plugin supports an upstream NAT IP address or FQDN for Auto VPN configuration to use as a tunnel endpoint. |
| 1.0.2 | 9.1 (9.1.2-h1) | 9.1.3 | Improves ease of use, such as an automatic Security policy rule to allow BGP between branches and hubs, ability to refresh the IKE preshared key for VPN cluster members, specifying VPN tunnel IP address ranges, and more. |
| 1.0.1 | 9.1 (9.1.1) | 9.1.2 | Improves monitoring experience and search filtering, and adds an option to display HA peers consecutively. |
| 1.0.0 | 9.1 (9.1.0) | 9.1.2 | Enables support for SD-WAN from Panorama. Configure the Panorama plugin for SD-WAN to provide intelligent and dynamic path selection on top of the industry-leading security that PAN-OS software already delivers. Provide the optimal end user experience by leveraging multiple ISP links to ensure application performance and scale capacity. |

VMware NSX
The following table shows the features introduced in each version of the VM-Series firewall
VMware NSX plugin. For additional information about each plugin, see the release notes on the
Customer Support Portal.

End-of-life (EoL) software versions are included in this table. Review the Software End-of-
Life Summary website to check whether we are still supporting your software version.

| Plugin Version | Panorama Version (Minimum) | Panorama Version (Maximum) | Managed VM-Series PAN-OS Version (Minimum) | New Features or Changes |
| --- | --- | --- | --- | --- |
| 5.0.1 | NSX-V: 10.2.0 (10.2.2); NSX-T N/S: 10.2.0 (10.2.2); NSX-T E/W: 10.2.0 (10.2.2) | NSX-V: Latest 10.2.x (10.2.x); NSX-T N/S: Latest 10.2.x (10.2.x); NSX-T E/W: Latest 10.2.x (10.2.x) | NSX-V: 8.1 (8.1.0); NSX-T N/S: 9.0 (9.0.4); NSX-T E/W: 9.1 (9.1.0) | Introduces support for PAN-OS and Panorama 10.2.x. |
| 5.0.0 | NSX-V: 10.2.0 (10.2.2); NSX-T N/S: 10.2.0 (10.2.2); NSX-T E/W: 10.2.0 (10.2.2) | NSX-V: Latest 10.2.x (10.2.x); NSX-T N/S: Latest 10.2.x (10.2.x); NSX-T E/W: Latest 10.2.x (10.2.x) | NSX-V: 8.1 (8.1.0); NSX-T N/S: 9.0 (9.0.4); NSX-T E/W: 9.1 (9.1.0) | Introduces support for PAN-OS and Panorama 10.2.x. |
| 4.0.3 | NSX-V: 10.0.0 (10.0.4); NSX-T N/S: 10.0.0 (10.0.4); NSX-T E/W: 10.0.0 (10.0.4) | NSX-V: 10.1.x (10.1.x); NSX-T N/S: 10.1.x (10.1.x); NSX-T E/W: 10.1.x (10.1.x) | NSX-V: 8.1 (8.1.0); NSX-T N/S: 9.0 (9.0.4); NSX-T E/W: 9.1 (9.1.0) | Introduces fixes for known issues. |
| 4.0.2 | NSX-V: 10.0.0 (10.0.4); NSX-T N/S: 10.0.0 (10.0.4); NSX-T E/W: 10.0.0 (10.0.4) | NSX-V: 10.1.x (10.1.x); NSX-T N/S: 10.1.x (10.1.x); NSX-T E/W: 10.1.x (10.1.x) | NSX-V: 8.1 (8.1.0); NSX-T N/S: 9.0 (9.0.4); NSX-T E/W: 9.1 (9.1.0) | Introduces fixes for known issues. |
| 4.0.1 | NSX-V: 10.0.0 (10.0.4); NSX-T N/S: 10.0.0 (10.0.4); NSX-T E/W: 10.0.0 (10.0.4) | NSX-V: 10.1.x (10.1.x); NSX-T N/S: 10.1.x (10.1.x); NSX-T E/W: 10.1.x (10.1.x) | NSX-V: 8.1 (8.1.0); NSX-T N/S: 9.0 (9.0.4); NSX-T E/W: 9.1 (9.1.0) | Introduces fixes for known issues. |
| 4.0.0 | NSX-V: 10.0.0 (10.0.4); NSX-T N/S: 10.0.0 (10.0.4); NSX-T E/W: 10.0.0 (10.0.4) | NSX-V: 10.1.x (10.1.x); NSX-T N/S: 10.1.x (10.1.x); NSX-T E/W: 10.1.x (10.1.x) | NSX-V: 8.1 (8.1.0); NSX-T N/S: 9.0 (9.0.4); NSX-T E/W: 9.1 (9.1.0) | Introduces Security-Centric Deployment Workflow (East-West) for the VM-Series on VMware NSX-T. |
| 3.2.4 | NSX-V: 10.0.0 (10.0.4); NSX-T N/S: 10.0.0 (10.0.4); NSX-T E/W: 10.0.0 (10.0.4) | NSX-V: 10.1.x (10.1.x); NSX-T N/S: 10.1.x (10.1.x); NSX-T E/W: 10.1.x (10.1.x) | NSX-V: 8.1 (8.1.0); NSX-T N/S: 9.0 (9.0.4); NSX-T E/W: 9.1 (9.1.0) | Introduces fixes for known issues. |
| 3.2.3 | NSX-V: 10.0.0 (10.0.4); NSX-T N/S: 10.0.0 (10.0.4); NSX-T E/W: 10.0.0 (10.0.4) | NSX-V: 10.1.x (10.1.x); NSX-T N/S: 10.1.x (10.1.x); NSX-T E/W: 10.1.x (10.1.x) | NSX-V: 8.1 (8.1.0); NSX-T N/S: 9.0 (9.0.4); NSX-T E/W: 9.1 (9.1.0) | Introduces fixes for known issues. |
| 3.2.1 | NSX-V: 9.0 (9.0.8); NSX-T N/S: 9.0 (9.0.8); NSX-T E/W: 9.1 (9.1.0) | NSX-V: 10.1.x (10.1.x); NSX-T N/S: 10.1.x (10.1.x); NSX-T E/W: 10.1.x (10.1.x) | NSX-V: 8.1 (8.1.0); NSX-T N/S: 9.0 (9.0.4); NSX-T E/W: 9.1 (9.1.0) | Introduces fixes for known issues. |
| 3.2.0 | NSX-V: 9.0 (9.0.8); NSX-T N/S: 9.0 (9.0.8); NSX-T E/W: 9.1 (9.1.0) | NSX-V: 10.1.x (10.1.x); NSX-T N/S: Latest 10.1.x (10.1.x); NSX-T E/W: Latest 10.1.x (10.1.x) | NSX-V: 8.1 (8.1.0); NSX-T N/S: 9.0 (9.0.4); NSX-T E/W: 9.1 (9.1.0) | Introduces Security Policy Extension Between NSX-V and NSX-T and Device Certificate Support on the VM-Series for NSX. The following VM-Series firewall for NSX OVFs require that you enable device certificates: 10.0.1 or later; 9.1.5 or later; 9.0.11 or later; 8.1.17 or later. |
| 3.1.0 | 9.1 (9.1.0) | NSX-V: Latest 10.0.x; NSX-T N/S: Latest (10.2.x); NSX-T E/W: Latest (10.2.x) | NSX-V: 8.1 (8.1.0); NSX-T N/S: 9.0 (9.0.4); NSX-T E/W: 9.1 (9.1.0) | Introduces the VM-Series firewall on VMware NSX-T for East-West traffic protection. |
| 2.0.6 | 8.1 (8.1.0) | 9.0.x | 8.1 (8.1.0) | Introduces fixes for known issues. |
| 2.0.5 | 8.1 (8.1.0) | 9.0.x | 8.1 (8.1.0) | Introduces Proxy Bypass Support and Curl Call Timeout features. |
| 2.0.4 | 8.1 (8.1.0) | 9.0.x | 8.1 (8.1.0) | Introduces the Automated Full Dynamic Address Group Sync feature. |
| 2.0.3 | 8.1 (8.1.0) | 9.0.x | 8.1 (8.1.0) | Introduces fixes for known issues. |
| 2.0.2 | 8.1 (8.1.0) | 9.0.x | 8.1 (8.1.0) | Introduces fixes for known issues. |
| 2.0.1 | 8.1 (8.1.0) | 9.0.x | 8.1 (8.1.0) | Introduces fixes for known issues. Minimum required plugin version for Panorama 8.1. |

VMware vCenter
The following table shows the features introduced in each version of the Panorama™ plugin for
VMware vCenter.

End-of-life (EoL) software versions are included in this table. Review the Software End-of-
Life Summary website to check whether we are still supporting your software version.

| Plugin Version | Panorama PAN-OS Version (Minimum) | Maximum Panorama PAN-OS Version | Features |
| --- | --- | --- | --- |
| 2.1.0 | 10.2 (10.2.0) | Latest | Introduces fixes for known issues. |
| 2.0.0 | 10.2 (10.2.0) | Latest | Introduces enhancements to increase reliability and robustness. |
| 1.0.0 | 9.0 (9.0.2) | Latest | Enables support for VM Monitoring from Panorama. Configure the Panorama plugin for VMware vCenter to monitor VM workloads so that you can consistently enforce security policy that automatically adapts to changes within your vCenter environment. |

Zero Touch Provisioning (ZTP)


The following table shows the features introduced in each version of the Panorama™ plugin for
Zero Touch Provisioning (ZTP).

End-of-life (EoL) software versions are included in this table. Review the Software End-of-
Life Summary website to check whether we are still supporting your software version.

| Plugin Version | PAN-OS Version Minimum | Maximum PAN-OS Version | Features |
| --- | --- | --- | --- |
| 2.0.3 | 10.2.4 (PAN-OS 10.2 release); 11.0.1 (PAN-OS 11.0 release) | Latest | Minor bug and performance fixes. |
| 2.0.2 | 10.2.0 | Latest | Minor bug and performance fixes. |
| 2.0.1 | 10.2.0 | Latest | Minor bug and performance fixes. |
| 2.0.0 | 10.2.0 | Latest | Upgrade to the ZTP plugin to increase reliability. ZTP plugin 2.0 is required to upgrade to PAN-OS 10.2 and is supported only on PAN-OS 10.2 and later releases. |
| 1.0.2 | 10.0.3 | Latest | Minor bug and performance fixes. |
| 1.0.1 | 10.0.3 | Latest | Minor bug and performance fixes. |
| 1.0.0 | 9.1.4 | Latest | Enables support for ZTP from Panorama. Configure the Panorama plugin for ZTP to simplify and streamline initial firewall deployment by automating the new managed firewall on-boarding without the need for network administrators to manually provision the firewall. |


Compatible Plugin Versions for PAN-OS 10.2


To increase reliability and robustness, we enhanced PAN-OS® software starting in PAN-OS® 10.2
with upgraded Panorama™ plugins and by installing the VM-Series plugin by default. However,
we did not introduce support for all plugins with the initial release of PAN-OS 10.2.0. Use the
following table to determine the minimum plugin versions for use with PAN-OS 10.2 software
and, where applicable, the first PAN-OS 10.2 version that supports each plugin. (If no PAN-OS
10.2 version is specified, then the minimum version of the plugin is supported in all PAN-OS 10.2
versions.)

For more information about plugins compatible with PAN-OS 10.2, and with all other
supported PAN-OS releases, refer to the Panorama Plugins page.

| Plugin Name | Minimum Compatible Plugin Version with PAN-OS 10.2 |
| --- | --- |
| AWS plugin | 4.0.0 |
| AIOps for NGFW plugin | 1.0.0 |
| Azure plugin | 4.0.0 |
| Cloud Services plugin (for use with Cortex Data Lake only) | 3.1 (Compatible with PAN-OS 10.2.1 and later) |
| Cloud Services plugin (for use with Panorama Managed Prisma Access) | 3.2 (compatible with PAN-OS 10.2.3 and later PAN-OS 10.2 versions); 3.1 starting with version 3.1.0-h50 (compatible with PAN-OS 10.2.2-h1 and later PAN-OS 10.2 versions). IMPORTANT: Review the PAN-OS and Prisma Access Known Issues that are applicable to Panorama deployments running PAN-OS 10.2.2 with Prisma Access 3.1. |
| Kubernetes plugin | 3.0.0 |
| SW FW Licensing plugin (VM licensing plugin is not a Python-based plugin and the previous version is supported) | 1.0.0 |
| Panorama VM-Series plugin | 3.0.0 |
| SD-WAN plugin | 3.0.0 |
| IPS Signature Converter plugin | 2.0.0 |
| ZTP plugin | 2.0.0 |
| DLP plugin | 3.0.0 |
| OpenConfig plugin | 1.1.0 |
| GCP plugin | 3.0.0 |
| Cisco ACI plugin | 3.0.0 |
| VCenter plugin | 2.0.0 |
| Nutanix plugin | 2.0.0 |
| Cisco TrustSec plugin | 2.0.0 |

Important considerations for upgrading your plugins


• The plugin versions listed in the above table are the only plugins compatible with PAN-
OS 10.2 and later PAN-OS 10.2 versions. If you use any other plugins, you should
not upgrade to PAN-OS 10.2 until you upgrade all of your plugins to the minimum
supported version for PAN-OS 10.2.
• Starting with PAN-OS 10.2, the VM-Series plugin is installed by default. This option
is currently available only in PAN-OS 10.2, which means that Panorama software
requires that you download a compatible version of the VM-Series plugin if you
downgrade your firewall from PAN-OS 10.2 to a PAN-OS 10.1 or earlier version.

Each upgraded Panorama plugin supports any supported PAN-OS release in addition to
PAN-OS 10.2.

Supported Migration Paths for Plugins

| Plugin Name | Upgrade/Downgrade | Base PAN-OS Version | Base Plugin Version | Target PAN-OS Version | Target Plugin Version |
| --- | --- | --- | --- | --- | --- |
| AWS | Upgrade | 10.1.x | 3.0.x | 10.2.0 | 4.0.0 |
| AWS | Downgrade | 10.2.0 | 4.0.0 | 10.1.x | 3.0.x |
| Azure plugin | Upgrade | 10.1.x | 3.1.x | 10.2.0 | 4.0.0 |
| Azure plugin | Downgrade | 10.2.0 | 4.0.0 | 10.1.x | 3.2.X (yet to be released) |
| Kubernetes plugin | Upgrade | 10.1.x | 2.0.x | 10.2.0 | 3.0.0 |
| Kubernetes plugin | Downgrade | 10.2.0 | 3.0.0 | 10.1.x | 2.0.x |
| GCP plugin | Upgrade | 10.1.x | 2.0.0 | 10.2.0 | 3.0.0 |
| GCP plugin | Downgrade | 10.2.0 | 3.0.0 | 10.1.x | 2.0.0 |
| Cisco ACI plugin | Upgrade | 10.1.x | 2.0.x | 10.2.0 | 3.0.0 |
| Cisco ACI plugin | Downgrade | 10.2.0 | 3.0.0 | 10.1.x | 2.0.x |
| VCenter plugin | Upgrade | 10.1.x | 1.0.x | 10.2.0 | 2.0.0 |
| VCenter plugin | Downgrade | 10.2.0 | 2.0.0 | 10.1.x | 1.0.x |
| Nutanix plugin | Upgrade | 10.1.x | 1.0.0 | 10.2.0 | 2.0.0 |
| Nutanix plugin | Downgrade | 10.2.0 | 2.0.0 | 10.1.x | 1.0.0 |

AWS (upgrade): You should upgrade AWS plugin 2.x.x to 3.0.x in PAN-OS 10.1.x version before you upgrade to PAN-OS 10.2.

Azure plugin (downgrade): Downgrading is not possible until Azure plugin 3.2.x is released.

Kubernetes plugin (downgrade): If you have a custom certificate size greater than 32k, the autocommit (which happens after downgrade) will fail. To avoid this, save the config file, add a dummy value in the custom certificate that is less than 16K, and then downgrade to 2.0.x (k8s plugin cannot contact the API server). Then upgrade the

For more information, review how to:


Upgrade PAN-OS.
Upgrade Panorama Plugins.


Panorama Management Compatibility


Review the table below to understand which Palo Alto Networks Next-Generation Firewalls,
Dedicated Log Collectors, and WildFire® appliances a Panorama™ management server can
manage based on the installed PAN-OS version. Palo Alto Networks recommends managing
currently supported Palo Alto Networks Next-Generation Firewalls, Dedicated Log Collectors, and
WildFire appliances that run a supported PAN-OS version.
Dedicated Log Collectors must run the same PAN-OS version as, or a later version than, the
managed firewalls that forward logs to them. Palo Alto Networks does not support forwarding logs
from managed firewalls to a Dedicated Log Collector if the Dedicated Log Collector is running
an earlier PAN-OS version than that installed on your managed firewalls. This may lead to log
forwarding and ingestion issues.
(PAN-OS 10.1.2 and earlier PAN-OS 10.1 releases) The device registration authentication key
length is increased when you upgrade Panorama to PAN-OS 10.1.3 or a later release:
• Panorama running PAN-OS 10.1.2 or an earlier PAN-OS 10.1 release: Supports onboarding
firewalls, Dedicated Log Collectors, and WildFire appliances running PAN-OS 10.1.2 or an earlier
PAN-OS 10.1 release, or running PAN-OS 10.0 or an earlier PAN-OS release.
• Panorama running PAN-OS 10.1.3 or a later release: Supports onboarding firewalls, Dedicated
Log Collectors, and WildFire appliances running PAN-OS 10.1.3 or a later release, or running
PAN-OS 10.0 or an earlier PAN-OS release.
Despite these onboarding requirements, Panorama supports managing firewalls, Dedicated Log
Collectors, and WildFire appliances running the PAN-OS versions described below.

PAN-OS software versions that are End-of-Life (EoL) are not displayed. See the Palo Alto
Networks End of Life Announcements for additional information. EoL PAN-OS versions
are supported only for End-of-Sale (EoS) firewall models until they reach EoL.
Management of End-of-Life (EoL) PAN-OS versions may result in unexpected issues,
particularly if there is a large gap between the PAN-OS version installed on Panorama and
the one installed on the firewall. For example, you may run into unexpected or unknown
issues if you attempt to manage a firewall running the EoL PAN-OS 7.1 release from a
Panorama running PAN-OS 10.2 or later release.

| Panorama Version | Managed Device Version |
|---|---|
| 11.0 | 11.0, 10.2, 10.1, 9.1, 8.1 (EoS firewalls only) |
| 10.2 | 10.2, 10.1, 9.1, 8.1 (EoS firewalls only) |
| 10.1 | 10.1, 9.1, 8.1 (EoS firewalls only) |
| 9.1 | 9.1, 8.1 (EoS firewalls only) |

Panorama Hypervisor Support


Before you deploy a Panorama™ virtual appliance, verify that the hypervisor meets the minimum
version requirements to deploy Panorama.

Panorama Version: PAN-OS 11.0 and PAN-OS 10.2

VMware ESXi Compatibility
64-bit kernel-based VMware ESXi 6.0, 6.5, 6.7, or 7.0. The supported version of the virtual hardware family type (also known as the VMware virtual hardware version) on the ESXi server is vmx-10. ESXi 6.0 and later versions support one disk of up to 8TB. Earlier ESXi versions support one disk of up to 2TB.

KVM Compatibility
• Ubuntu 18.04
• Ubuntu 16.04
• CentOS/RHEL 7
• CentOS/RHEL 8

Hyper-V Compatibility
• Windows Server 2019 with Hyper-V role or Hyper-V 2019
• Windows Server 2016 with Hyper-V role or Hyper-V 2016

Nutanix AHV Compatibility
Nutanix AOS Version—5.10 and later
Nutanix AHV Version—20170830.185
To manage VM-Series firewalls running supported versions of AHV. See VM-Series for Nutanix.

Public Cloud/Partner Integration Compatibility
• Alibaba Cloud
• Amazon AWS
• Microsoft Azure
• Google Cloud Platform
• Amazon AWS GovCloud
• Oracle Cloud Infrastructure (OCI)

Panorama Version: PAN-OS 10.1

VMware ESXi Compatibility
64-bit kernel-based VMware ESXi 6.0, 6.5, 6.7, or 7.0. The supported version of the virtual hardware family type (also known as the VMware virtual hardware version) on the ESXi server is vmx-10. ESXi 6.0 and later versions support one disk of up to 8TB. Earlier ESXi versions support one disk of up to 2TB.

KVM Compatibility
• Ubuntu 18.04
• Ubuntu 16.04
• CentOS/RHEL 7
• CentOS/RHEL 8

Hyper-V Compatibility
• Windows Server 2019 with Hyper-V role or Hyper-V 2019
• Windows Server 2016 with Hyper-V role or Hyper-V 2016

Nutanix AHV Compatibility
Nutanix AOS Version—5.10 and later
Nutanix AHV Version—20170830.185
To manage VM-Series firewalls running supported versions of AHV. See VM-Series for Nutanix.

Public Cloud/Partner Integration Compatibility
• Alibaba Cloud
• Amazon AWS
• Microsoft Azure
• Google Cloud Platform
• Amazon AWS GovCloud
• Oracle Cloud Infrastructure (OCI)

Panorama Version: PAN-OS 9.1

VMware ESXi Compatibility
64-bit kernel-based VMware ESXi 6.0, 6.5, 6.7, or 7.0. The supported version of the virtual hardware family type (also known as the VMware virtual hardware version) on the ESXi server is vmx-10. ESXi 6.0 and later versions support one disk of up to 8TB. Earlier ESXi versions support one disk of up to 2TB.

KVM Compatibility
• Ubuntu 18.04
• Ubuntu 16.04
• CentOS/RHEL 7
• CentOS/RHEL 8

Hyper-V Compatibility
• Windows Server 2019 with Hyper-V role or Hyper-V 2019
• Windows Server 2016 with Hyper-V role or Hyper-V 2016

Nutanix AHV Compatibility
Nutanix AOS Version—5.10 and later
Nutanix AHV Version—20170830.185
To manage VM-Series firewalls running supported versions of AHV. See VM-Series for Nutanix.

Public Cloud/Partner Integration Compatibility
• Amazon AWS
• Microsoft Azure
• Google Cloud Platform
• Amazon AWS GovCloud

Device Certificate for a Palo Alto Networks Cloud Service

A Palo Alto Networks cloud service is a cloud-hosted service maintained and operated by Palo
Alto Networks.
The device certificate must be installed on the firewall, Panorama, and WildFire appliance using
the cloud service that is running one of the following releases:
• PAN-OS 11.0.2 or later releases
• PAN-OS 10.2.5 or later releases
• PAN-OS 10.1.10 or later releases
• (EoL) PAN-OS 10.0.5 or later 10.0 releases
• PAN-OS 9.1.8 or later 9.1 releases
• (EoL) PAN-OS 9.0.14 or later 9.0 releases
• (EoL) PAN-OS 8.1.19 or later 8.1 releases
Review the Palo Alto Networks cloud services listed below that require you to install a device certificate to function. Panorama management of firewalls, Dedicated Log Collectors, and WildFire appliances, and downloading content and software updates from the Palo Alto Networks Update Server do not require a device certificate. Additionally, communication between a firewall and the WildFire appliance does not require a device certificate.

| Cloud Service | Firewall (Individual and Panorama-Managed) | Panorama |
|---|---|---|
| AIOps | Yes | Yes |
| App-ID Cloud Engine (ACE) | Yes | Yes |
| Cloud Services (Prisma Access) | N/A | No |
| Cortex Data Lake | (PAN-OS 10.1 and later) Yes | (PAN-OS 10.1 and later) Yes |
| Device Telemetry | Yes | Yes |
| Enterprise DLP | Yes | Yes |
| Inline Categorization (Requires Advanced URL Filtering license) | Yes | No |
| Inline Cloud Analysis (Requires Advanced Threat Protection license) | Yes | No |
| Internet of Things (IoT) security | Yes | Yes |
| ZTP | No | Yes |

MFA Vendor Support
• MFA Vendor Support

MFA Vendor Support


Palo Alto Networks Next-Generation Firewalls and Panorama™ appliances can integrate with
multi-factor authentication (MFA) vendors using RADIUS and SAML. Firewalls can additionally
integrate with specific MFA vendors using the API to enforce MFA through Authentication policy.

| Authentication Use Case | RADIUS (any vendor) | TACACS+ (any vendor) | SAML (any vendor) | MFA Server Profile |
|---|---|---|---|---|
| Next-Generation Firewall and Panorama Administrator Web Interface | √ | √ | √ | — |
| Next-Generation Firewall and Panorama Administrator CLI | √ | √ | — | — |
| GlobalProtect™ Portal and Gateway Authentication | √ | √ | √ | — |
| Authentication Policy (Formerly Captive Portal Policy) | √ | √ | √ | √ Vendor / Min. Content Version *: RSA SecurID Access / 752; PingID / 655; Okta Adaptive / 655; Duo v2 / 655 |

* Palo Alto Networks provides support for MFA vendors through Applications content
updates, which means that if you use Panorama to push device group configurations to
firewalls, you must install the same Applications release version on managed firewalls
as you install on Panorama to avoid mismatches in vendor support.

Supported Cipher Suites
Use this table in the Palo Alto Networks Compatibility Matrix to determine support for cipher
suites according to function and PAN-OS® software release.
• Cloud Identity Engine Cipher Suites
• Cipher Suites Supported in PAN-OS 11.0
• Cipher Suites Supported in PAN-OS 10.2
• Cipher Suites Supported in PAN-OS 10.1
• Cipher Suites Supported in PAN-OS 9.1
• Cipher Suites Supported in PAN-OS 8.1

Cloud Identity Engine Cipher Suites


The following cipher suites are supported and required on the Cloud Identity Engine agent host
for on-premises directories.

Feature or Function Required Ciphers

Cloud Identity Engine agent
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

Cipher Suites Supported in PAN-OS 11.0


The following topics list cipher suites that are supported on firewalls running a PAN-OS® 11.0
release in normal (non-FIPS-CC) operational mode.
If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.0 Cipher Suites Supported
in FIPS-CC Mode.
The ciphers supported in normal operation mode are grouped according to feature or
functionality in the following sections:
• PAN-OS 11.0 GlobalProtect Cipher Suites
• PAN-OS 11.0 IPSec Cipher Suites
• PAN-OS 11.0 IKE and Web Certificate Cipher Suites
• PAN-OS 11.0 Decryption Cipher Suites
• PAN-OS 11.0 HA1 SSH Cipher Suites
• PAN-OS 11.0 Administrative Session Cipher Suites
• PAN-OS 11.0 PAN-OS-to-Panorama Connection Cipher Suites

PAN-OS 11.0 GlobalProtect Cipher Suites


The following table lists cipher suites for GlobalProtect™ supported on firewalls running a PAN-
OS® 11.0 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.0 Cipher Suites
Supported in FIPS-CC Mode.

• GlobalProtect App/Agent—SSL tunnels and SSL connections to gateway and portal


• GlobalProtect App/Agent—IPSec mode
• GlobalProtect Portal—Browser Access

Feature or Function Ciphers Supported in PAN-OS 11.0 Releases

GlobalProtect App/Agent—SSL tunnels and SSL connections to gateway and portal
• TLSv1.0, TLSv1.1, and TLSv1.2 cipher suites
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-3DES-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-256-SHA-1
• RSA-AES-128-SHA-256
• RSA-AES-256-SHA-256
• RSA-AES-128-GCM-SHA-256

• RSA-AES-256-GCM-SHA-384
• DHE-RSA-SEED-SHA-1
• DHE-RSA-AES-128-SHA-1
• DHE-RSA-AES-256-SHA-1
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• EDH-RSA-3DES-SHA-1
• ECDHE-RSA-AES-128-SHA-1
• ECDHE-RSA-AES-256-SHA-1
• ECDHE-RSA-AES-128-GCM-SHA-256
• ECDHE-RSA-AES-128-GCM-SHA-384
• ECDHE-ECDSA-AES-128-SHA-1
• ECDHE-ECDSA-AES-256-SHA-1
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384

GlobalProtect App/Agent—IPSec mode (Keys transported through SSL session with gateway)
• AES-128-CBC-HMAC-SHA-1
• AES-128-GCM-HMAC-SHA-1
• AES-256-GCM-HMAC-SHA-1

GlobalProtect Portal—Browser Access
• SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 cipher suites
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-3DES-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-256-SHA-1
• RSA-AES-128-SHA-256
• RSA-AES-256-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• DHE-RSA-AES-256-SHA-1
• DHE-RSA-AES-128-SHA-1
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384

• EDH-RSA-3DES-SHA-1
• ECDHE-ECDSA-AES-128-SHA-1
• ECDHE-ECDSA-AES-256-SHA-1
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384

PAN-OS 11.0 IPSec Cipher Suites


The following table lists the cipher suites for IPSec that are supported on firewalls running a PAN-
OS® 11.0 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.0 Cipher Suites
Supported in FIPS-CC Mode.

• IPSec—Encryption
• IPSec—Message Authentication
• IPSec—Key Exchange

Feature or Function Ciphers Supported in PAN-OS 11.0 Releases

IPSec—Encryption
• NULL
• 3DES
• AES-128-CBC
• AES-192-CBC
• AES-256-CBC
• AES-128-CCM
• AES-128-GCM
• AES-256-GCM

IPSec—Message Authentication
• NONE
• HMAC-MD5
• HMAC-SHA-1
• HMAC-SHA-256
• HMAC-SHA-384
• HMAC-SHA-512

IPSec—Key Exchange
Diffie-Hellman groups with or without perfect forward secrecy (PFS):
• No PFS—This option specifies that the firewall reuses the same
key for IKE phase 1 and phase 2 instead of renewing the key for
phase 2.
• Group 1 (768-bit keys) with PFS enabled
• Group 2 (1024-bit keys) with PFS enabled
• Group 5 (1536-bit keys) with PFS enabled
• Group 14 (2048-bit keys) with PFS enabled
• Group 15 (3072-bit modular exponential group)
• Group 16 (4096-bit modular exponential group)
• Group 19 (256-bit elliptic curve group) with PFS enabled
• Group 20 (384-bit elliptic curve group) with PFS enabled
• Group 21 (512-bit random elliptic curve group)

PAN-OS 11.0 IKE and Web Certificate Cipher Suites


The following table lists cipher suites for Internet Key Exchange (IKE) and PAN-OS® web
certificates that are supported on firewalls running a PAN-OS 11.0 release in normal (non-FIPS-
CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.0 Cipher Suites
Supported in FIPS-CC Mode.

• IKE Certificate Support


• IKE—Encryption
• IKE—Message Authentication
• IKE—Key Exchange
• PAN-OS Web Certificates

Feature or Function Ciphers Supported in PAN-OS 11.0 Releases

IKE Certificate Support
• RSA
  • Keys—512-bit, 1024-bit, 2048-bit, and 3072-bit keys
  • Digital signature algorithms—SHA-1, SHA-256, SHA-384, or SHA-512
• ECDSA
  • Keys—256-bit and 384-bit keys
  • Digital signature algorithms—SHA-256, SHA-384, or SHA-512

IKE—Encryption
• 3DES
• AES-128-CBC
• AES-192-CBC
• AES-256-CBC
Starting with PAN-OS 10.0.3:
• AES-128-GCM
• AES-256-GCM

IKE—Message Authentication
• HMAC-MD5
• HMAC-SHA-1
• HMAC-SHA-256
• HMAC-SHA-384
• HMAC-SHA-512

IKE—Key Exchange
Diffie-Hellman groups
• Group 1 (768-bit keys)
• Group 2 (1024-bit keys)
• Group 5 (1536-bit keys)
• Group 14 (2048-bit keys)
• Group 15 (3072-bit modular exponential group)
• Group 16 (4096-bit modular exponential group)
• Group 19 (256-bit elliptic curve group)
• Group 20 (384-bit elliptic curve group)
• Group 21 (512-bit random elliptic curve group)

PAN-OS Web Certificates
• RSA
  • Keys—2048-bit, 3072-bit, and 4096-bit keys
  • Digital signature algorithms—SHA-256, SHA-384, or SHA-512
• ECDSA
  • Keys—256-bit and 384-bit keys
  • Digital signature algorithms—SHA-256, SHA-384, or SHA-512

PAN-OS 11.0 Decryption Cipher Suites


The following table lists cipher suites for decryption that are supported on firewalls running a
PAN-OS® 11.0 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.0 Cipher Suites
Supported in FIPS-CC Mode.

• SSH Decryption (SSHv2 only)—Encryption


• SSH Decryption (SSHv2 only)—Message Authentication
• SSL/TLS Decryption
• SSL/TLS Decryption—NIST-approved Elliptical Curves
• SSL/TLS Decryption—Perfect Forward Secrecy (PFS) Ciphers
• TLS 1.3 Decryption—Signature Algorithms

Feature or Function Ciphers Supported in PAN-OS 11.0 Releases

SSH Decryption (SSHv2 only)—Encryption
• AES-128-CBC
• AES-192-CBC
• AES-256-CBC
• AES-128-CTR
• AES-192-CTR
• AES-256-CTR

SSH Decryption (SSHv2 only)—Message Authentication
• HMAC-RIPEMD
• HMAC-MD5-96
• HMAC-MD5
• HMAC-SHA-1-96
• HMAC-RIPEMD-160
• HMAC-SHA-1

SSL/TLS Decryption
• SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3 cipher suites
• RSA 512-bit, 1024-bit, 2048-bit, 3072-bit, 4096-bit, and 8192-bit keys

  The firewall can authenticate certificates with RSA keys of up to 8192 bits from the destination server; however, the certificate that the firewall generates for the client supports RSA keys of only up to 4096 bits.

• RSA-RC4-128-MD5
• RSA-RC4-128-SHA-1
• RSA-3DES-EDE-CBC-SHA-1

• RSA-AES-128-CBC-SHA-1
• RSA-AES-256-CBC-SHA-1
• RSA-AES-128-CBC-SHA-256
• RSA-AES-256-CBC-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• TLS_AES_256_GCM_SHA-384
• TLS_CHACHA20_POLY1305_SHA-256
• TLS_AES_128_GCM_SHA-256

SSL/TLS Decryption—NIST-approved Elliptical Curves
• P-192 (secp192r1)
• P-224 (secp224r1)
• P-256 (secp256r1)
• P-384 (secp384r1)
• P-521 (secp521r1)
• (TLS 1.3 only) X25519
• (TLS 1.3 only) X448

SSL/TLS Decryption—Perfect Forward Secrecy (PFS) Ciphers

If you use the DHE or ECDHE key exchange algorithms to enable PFS support for SSL decryption, you can use a hardware security module (HSM) to store the private keys used for SSL Inbound Inspection.

• DHE-RSA-3DES-EDE-CBC-SHA-1
• DHE-RSA-AES-128-CBC-SHA-1
• DHE-RSA-AES-256-CBC-SHA-1
• DHE-RSA-AES-128-CBC-SHA-256
• DHE-RSA-AES-256-CBC-SHA-256
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• ECDHE-RSA-AES-128-CBC-SHA-1
• ECDHE-RSA-AES-256-CBC-SHA-1
• ECDHE-RSA-AES-128-CBC-SHA-256
• ECDHE-RSA-AES-256-CBC-SHA-384
• ECDHE-RSA-AES-128-GCM-SHA-256
• ECDHE-RSA-AES-256-GCM-SHA-384
• ECDHE-ECDSA-AES-128-CBC-SHA-1
• ECDHE-ECDSA-AES-256-CBC-SHA-1
• ECDHE-ECDSA-AES-128-CBC-SHA-256
• ECDHE-ECDSA-AES-256-CBC-SHA-384
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384
• (TLS 1.3 only) TLS_AES_128_GCM_SHA-256
• (TLS 1.3 only) TLS_AES_256_GCM_SHA-384
• (TLS 1.3 only) TLS_CHACHA20_POLY1305_SHA-256

TLS 1.3 Decryption—Signature Algorithms
• ECDSA-SECP256r1-SHA-256
• RSA-PSS-RSAE-SHA-256
• RSA-PKCS1-SHA-256
• ECDSA-SECP384r1-SHA-384
• RSA-PSS-RSAE-SHA-384
• RSA-PKCS1-SHA-384
• RSA-PSS-RSAE-SHA-512
• RSA-PKCS1-SHA-512
• RSA-PKCS1-SHA-1

PAN-OS 11.0 Administrative Session Cipher Suites


The following table lists the cipher suites for administrative sessions that are supported on
firewalls running a PAN-OS® 11.0 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.0 Cipher Suites
Supported in FIPS-CC Mode.

• Administrative Sessions to Web Interface


• Administrative Sessions to CLI (SSH)—Encryption
• Administrative Sessions to CLI (SSH)—Message Authentication
• Administrative Sessions to CLI (SSH)—Server Host Key Types
• Administrative Sessions to CLI (SSH)—Key Exchange Algorithms

Feature or Function Ciphers Supported in PAN-OS 11.0 Releases

Administrative Sessions to Web Interface
TLSv1.1, TLSv1.2, and TLSv1.3 cipher suites

TLSv1.3 cipher suites begin with “TLS”.

• RSA-SEED-SHA1
• RSA-CAMELLIA-128-SHA1
• RSA-CAMELLIA-256-SHA1
• RSA-AES-128-SHA1

• RSA-AES-256-SHA1
• RSA-AES-256-CBC-SHA1
• RSA-AES-128-CBC-SHA-256
• RSA-AES-256-CBC-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• ECDHE-RSA-AES-128-GCM-SHA-256
• ECDHE-RSA-AES-256-GCM-SHA-384
• ECDHE-ECDSA-AES-128-SHA1
• ECDHE-ECDSA-AES-256-SHA1
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384
• TLS-AES-128-CCM-SHA256
• TLS-AES-128-GCM-SHA256
• TLS-AES-256-GCM-SHA384
• TLS-CHACHA20-POLY1305-SHA256

Administrative Sessions to CLI (SSH)—Encryption
• AES-128-CTR
• AES-192-CTR
• AES-256-CTR
• AES-128-GCM
• AES-256-GCM
• CHACHA20-POLY1305

Administrative Sessions to CLI (SSH)—Message Authentication
• UMAC-64
• UMAC-128
• HMAC-SHA1
• HMAC-SHA2-256
• HMAC-SHA-384
• HMAC-SHA2-512

Administrative Sessions to CLI (SSH)—Server Host Key Types
• RSA keys—2048-bit, 3072-bit, and 4096-bit keys
• ECDSA keys—256-bit, 384-bit, and 521-bit keys

Administrative Sessions to CLI (SSH)—Key Exchange Algorithms
• curve25519-sha256
• diffie-hellman-group14-sha1
• diffie-hellman-group14-sha256
• diffie-hellman-group14-sha384
• diffie-hellman-group16-sha512
• diffie-hellman-group-exchange-sha256
• ecdh-sha2-nistp256
• ecdh-sha2-nistp384
• ecdh-sha2-nistp521

PAN-OS 11.0 HA1 SSH Cipher Suites


The following table lists the cipher suites for HA1 control connections using SSH that are
supported on firewalls running a PAN-OS® 11.0 release in normal (non-FIPS-CC) or FIPS-CC
operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.0 Cipher Suites
Supported in FIPS-CC Mode.

Feature or Function Ciphers Supported in PAN-OS 11.0 Releases

HA1 SSH
• AES 128-bit cipher with Counter Mode
• AES 128-bit cipher with GCM (Galois/Counter Mode)
• AES 192-bit cipher with Counter Mode
• AES 256-bit cipher with Counter Mode
• AES 256-bit cipher with GCM
• CHACHA20-POLY1305

PAN-OS 11.0 PAN-OS-to-Panorama Connection Cipher Suites


The following table lists the cipher suites for PAN-OS®-to-Panorama™ connections that are
supported on firewalls running a PAN-OS 11.0 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 11.0 Cipher Suites
Supported in FIPS-CC Mode.

Feature or Function Ciphers Supported in PAN-OS 11.0 Releases

PAN-OS to Panorama Connection
• RSA-RC4-128-SHA-1
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-128-SHA-256
• RSA-AES-256-SHA-1
• RSA-AES-256-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• DHE-RSA-AES-128-SHA-1
• DHE-RSA-AES-256-SHA-1

PAN-OS 11.0 Cipher Suites Supported in FIPS-CC Mode


The following table lists cipher suites that are supported on firewalls running a PAN-OS® 11.0
release in FIPS-CC mode. The Cryptographic Algorithm Validation Program has additional details
regarding the algorithm implementation.

If your firewall is running in normal (non-FIPS-CC) operational mode, see Cipher Suites
Supported in PAN-OS 11.0

| Functions | Standards | Certificates |
|---|---|---|
| Asymmetric key generation | | |
| ECC key pair generation (NIST curves P-256, P-384) | FIPS PUB 186-4 | Appliances: #A3453; VMs: #A3454 |
| RSA key generation (2048 bits or greater) | FIPS PUB 186-4 | Appliances: #A3453; VMs: #A3454 |
| Cryptographic Key Generation (for IKE Peer Authentication) | | |
| RSA key generation (2048 bits or greater) | FIPS PUB 186-4 | Appliances: #A3453; VMs: #A3454 |
| ECDSA key pair generation (NIST curves P-256, P-384) | FIPS PUB 186-4 | Appliances: #A3453; VMs: #A3454 |
| Cryptographic Key Establishment | | |
| ECC-based key establishment | SP 800-56A Revision 3 | Appliances: #A3453; VMs: #A3454 |
| FFC-based key establishment | SP 800-56A Revision 3 | Appliances: #A3453; VMs: #A3454 |
| AES Data Encryption/Decryption | | |
| AES CTR 128/192/256; AES CBC 128/192/256; AES GCM 128/256; AES CCM 128 | AES as specified in ISO 18033-3; CBC/CTR as specified in ISO 10116; GCM as specified in ISO 19772; NIST SP 800-38A/C/D/F; FIPS PUB 197 | Appliances: #A3453; VMs: #A3454 |
| Signature Generation and Verification | | |
| RSA (2048 bits or greater) | FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 5.5, using PKCS #1 v2.1 Signature Schemes RSASSA-PSS and/or RSASSAPKCS1v1_5; ISO/IEC 9796-2, Digital signature scheme 2 or Digital Signature scheme 3 | Appliances: #A3453; VMs: #A3454 |
| ECDSA (NIST curves P-256, P-384, and P-521) | FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 6 and Appendix D, Implementing "NIST curves" P-256, P-384, P-521; ISO/IEC 14888-3, Section 6.4 | Appliances: #A3453; VMs: #A3454 |
| Cryptographic hashing | | |
| SHA-1, SHA-256, SHA-384 and SHA-512 (digest sizes 160, 256, 384 and 512 bits) | ISO/IEC 10118-3:2004; FIPS PUB 180-4 | Appliances: #A3453; VMs: #A3454 |
| Keyed-hash message authentication | | |
| HMAC-SHA-1; HMAC-SHA-256; HMAC-SHA-384; HMAC-SHA-512 | ISO/IEC 9797-2:2011; FIPS PUB 198-1 | Appliances: #A3453; VMs: #A3454 |
| Random bit generation | | |
| CTR_DRBG (AES-256) | ISO/IEC 18031:2011; NIST SP 800-90A | Appliances: #A3453; VMs: #A3454 |

Cipher Suites Supported in PAN-OS 10.2


The following topics list cipher suites that are supported on firewalls running a PAN-OS® 10.2
release in normal (non-FIPS-CC) operational mode.
If your firewall is running in FIPS-CC mode, see the list of PAN-OS 10.2 Cipher Suites Supported
in FIPS-CC Mode.
The ciphers supported in normal operation mode are grouped according to feature or
functionality in the following sections:
• PAN-OS 10.2 GlobalProtect Cipher Suites
• PAN-OS 10.2 IPSec Cipher Suites
• PAN-OS 10.2 IKE and Web Certificate Cipher Suites
• PAN-OS 10.2 Decryption Cipher Suites
• PAN-OS 10.2 HA1 SSH Cipher Suites
• PAN-OS 10.2 Administrative Session Cipher Suites
• PAN-OS 10.2 PAN-OS-to-Panorama Connection Cipher Suites

PAN-OS 10.2 GlobalProtect Cipher Suites


The following table lists cipher suites for GlobalProtect™ supported on firewalls running a PAN-
OS® 10.2 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 10.2 Cipher Suites
Supported in FIPS-CC Mode.

• GlobalProtect App/Agent—SSL tunnels and SSL connections to gateway and portal


• GlobalProtect App/Agent—IPSec mode
• GlobalProtect Portal—Browser Access

Feature or Function Ciphers Supported in PAN-OS 10.2 Releases

GlobalProtect App/Agent—SSL tunnels and SSL connections to gateway and portal
• TLSv1.0, TLSv1.1, and TLSv1.2 cipher suites
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-3DES-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-256-SHA-1
• RSA-AES-128-SHA-256
• RSA-AES-256-SHA-256
• RSA-AES-128-GCM-SHA-256

• RSA-AES-256-GCM-SHA-384
• DHE-RSA-SEED-SHA-1
• DHE-RSA-AES-128-SHA-1
• DHE-RSA-AES-256-SHA-1
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• EDH-RSA-3DES-SHA-1
• ECDHE-RSA-AES-128-SHA-1
• ECDHE-RSA-AES-256-SHA-1
• ECDHE-RSA-AES-128-GCM-SHA-256
• ECDHE-RSA-AES-128-GCM-SHA-384
• ECDHE-ECDSA-AES-128-SHA-1
• ECDHE-ECDSA-AES-256-SHA-1
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384

GlobalProtect App/Agent—IPSec mode (Keys transported through SSL session with gateway)
• AES-128-CBC-HMAC-SHA-1
• AES-128-GCM-HMAC-SHA-1
• AES-256-GCM-HMAC-SHA-1

GlobalProtect Portal—Browser Access
• SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 cipher suites
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-3DES-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-256-SHA-1
• RSA-AES-128-SHA-256
• RSA-AES-256-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• DHE-RSA-AES-256-SHA-1
• DHE-RSA-AES-128-SHA-1
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384

• EDH-RSA-3DES-SHA-1
• ECDHE-ECDSA-AES-128-SHA-1
• ECDHE-ECDSA-AES-256-SHA-1
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384

PAN-OS 10.2 IPSec Cipher Suites


The following table lists the cipher suites for IPSec that are supported on firewalls running a PAN-
OS® 10.2 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 10.2 Cipher Suites
Supported in FIPS-CC Mode.

• IPSec—Encryption
• IPSec—Message Authentication
• IPSec—Key Exchange

Feature or Function Ciphers Supported in PAN-OS 10.2 Releases

IPSec—Encryption
• NULL
• 3DES
• AES-128-CBC
• AES-192-CBC
• AES-256-CBC
• AES-128-CCM
• AES-128-GCM
• AES-256-GCM

IPSec—Message Authentication
• NONE
• HMAC-MD5
• HMAC-SHA-1
• HMAC-SHA-256
• HMAC-SHA-384
• HMAC-SHA-512

IPSec—Key Exchange
Diffie-Hellman groups with or without perfect forward secrecy (PFS):
• No PFS—This option specifies that the firewall reuses the same
key for IKE phase 1 and phase 2 instead of renewing the key for
phase 2.
• Group 1 (768-bit keys) with PFS enabled
• Group 2 (1024-bit keys) with PFS enabled
• Group 5 (1536-bit keys) with PFS enabled
• Group 14 (2048-bit keys) with PFS enabled
• Group 15 (3072-bit modular exponential group)
• Group 16 (4096-bit modular exponential group)
• Group 19 (256-bit elliptic curve group) with PFS enabled
• Group 20 (384-bit elliptic curve group) with PFS enabled
• Group 21 (512-bit random elliptic curve group)

PAN-OS 10.2 IKE and Web Certificate Cipher Suites


The following table lists cipher suites for Internet Key Exchange (IKE) and PAN-OS® web
certificates that are supported on firewalls running a PAN-OS 10.2 release in normal (non-FIPS-
CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 10.2 Cipher Suites
Supported in FIPS-CC Mode.

• IKE Certificate Support


• IKE—Encryption
• IKE—Message Authentication
• IKE—Key Exchange
• PAN-OS Web Certificates

Feature or Function Ciphers Supported in PAN-OS 10.2 Releases

IKE Certificate Support
• RSA
  • Keys—512-bit, 1024-bit, 2048-bit, and 3072-bit keys
  • Digital signature algorithms—SHA-1, SHA-256, SHA-384, or SHA-512
• ECDSA
  • Keys—256-bit and 384-bit keys
  • Digital signature algorithms—SHA-256, SHA-384, or SHA-512

IKE—Encryption
• 3DES
• AES-128-CBC
• AES-192-CBC
• AES-256-CBC
Starting with PAN-OS 10.0.3:
• AES-128-GCM
• AES-256-GCM

IKE—Message Authentication
• HMAC-MD5
• HMAC-SHA-1
• HMAC-SHA-256
• HMAC-SHA-384
• HMAC-SHA-512

IKE—Key Exchange
Diffie-Hellman groups
• Group 1 (768-bit keys)
• Group 2 (1024-bit keys)
• Group 5 (1536-bit keys)
• Group 14 (2048-bit keys)
• Group 15 (3072-bit modular exponential group)
• Group 16 (4096-bit modular exponential group)
• Group 19 (256-bit elliptic curve group)
• Group 20 (384-bit elliptic curve group)
• Group 21 (512-bit random elliptic curve group)

PAN-OS Web Certificates • RSA
  • Keys—2048-bit, 3072-bit, and 4096-bit keys
  • Digital signature algorithms—SHA-256, SHA-384, or SHA-512
• ECDSA
  • Keys—256-bit and 384-bit keys
  • Digital signature algorithms—SHA-256, SHA-384, or SHA-512


PAN-OS 10.2 Decryption Cipher Suites


The following table lists cipher suites for decryption that are supported on firewalls running a
PAN-OS® 10.2 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 10.2 Cipher Suites
Supported in FIPS-CC Mode.

• SSH Decryption (SSHv2 only)—Encryption


• SSH Decryption (SSHv2 only)—Message Authentication
• SSL/TLS Decryption
• SSL/TLS Decryption—NIST-approved Elliptical Curves
• SSL/TLS Decryption—Perfect Forward Secrecy (PFS) Ciphers
• TLS 1.3 Decryption—Signature Algorithms

Feature or Function Ciphers Supported in PAN-OS 10.2 Releases

SSH Decryption (SSHv2 only)—Encryption • AES-128-CBC
• AES-192-CBC
• AES-256-CBC
• AES-128-CTR
• AES-192-CTR
• AES-256-CTR

SSH Decryption (SSHv2 only)—Message Authentication • HMAC-RIPEMD
• HMAC-MD5-96
• HMAC-MD5
• HMAC-SHA-1-96
• HMAC-RIPEMD-160
• HMAC-SHA-1

SSL/TLS Decryption • SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3 cipher suites
• RSA 512-bit, 1024-bit, 2048-bit, 3072-bit, 4096-bit, and 8192-bit keys

  The firewall can authenticate certificates with up to 8192-bit RSA keys from the
  destination server; however, the certificate that the firewall generates for the
  client supports RSA keys of up to 4096 bits only.
• RSA-RC4-128-MD5
• RSA-RC4-128-SHA-1
• RSA-3DES-EDE-CBC-SHA-1



• RSA-AES-128-CBC-SHA-1
• RSA-AES-256-CBC-SHA-1
• RSA-AES-128-CBC-SHA-256
• RSA-AES-256-CBC-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• TLS_AES_256_GCM_SHA-384
• TLS_CHACHA20_POLY1305_SHA-256
• TLS_AES_128_GCM_SHA-256

SSL/TLS Decryption—NIST-approved Elliptical Curves • P-192 (secp192r1)
• P-224 (secp224r1)
• P-256 (secp256r1)
• P-384 (secp384r1)
• P-521 (secp521r1)
• (TLS 1.3 only) X25519
• (TLS 1.3 only) X448

SSL/TLS Decryption—Perfect Forward Secrecy (PFS) Ciphers • DHE-RSA-3DES-EDE-CBC-SHA-1
• DHE-RSA-AES-128-CBC-SHA-1
• DHE-RSA-AES-256-CBC-SHA-1
• DHE-RSA-AES-128-CBC-SHA-256
• DHE-RSA-AES-256-CBC-SHA-256
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• ECDHE-RSA-AES-128-CBC-SHA-1
• ECDHE-RSA-AES-256-CBC-SHA-1
• ECDHE-RSA-AES-128-CBC-SHA-256
• ECDHE-RSA-AES-256-CBC-SHA-384
• ECDHE-RSA-AES-128-GCM-SHA-256
• ECDHE-RSA-AES-256-GCM-SHA-384
• ECDHE-ECDSA-AES-128-CBC-SHA-1
• ECDHE-ECDSA-AES-256-CBC-SHA-1
• ECDHE-ECDSA-AES-128-CBC-SHA-256
• ECDHE-ECDSA-AES-256-CBC-SHA-384
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384
• (TLS 1.3 only) TLS_AES_128_GCM_SHA-256
• (TLS 1.3 only) TLS_AES_256_GCM_SHA-384
• (TLS 1.3 only) TLS_CHACHA20_POLY1305_SHA-256

If you use the DHE or ECDHE key exchange algorithms to enable PFS support for SSL
decryption, you can use a hardware security module (HSM) to store the private keys
used for SSL Inbound Inspection.

TLS 1.3 Decryption—Signature Algorithms • ECDSA-SECP256r1-SHA-256
• RSA-PSS-RSAE-SHA-256
• RSA-PKCS1-SHA-256
• ECDSA-SECP384r1-SHA-384
• RSA-PSS-RSAE-SHA-384
• RSA-PKCS1-SHA-384
• RSA-PSS-RSAE-SHA-512
• RSA-PKCS1-SHA-512
• RSA-PKCS1-SHA-1

PAN-OS 10.2 Administrative Session Cipher Suites


The following table lists the cipher suites for administrative sessions that are supported on
firewalls running a PAN-OS® 10.2 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 10.2 Cipher Suites
Supported in FIPS-CC Mode.

• Administrative Sessions to Web Interface


• Administrative Sessions to CLI (SSH)—Encryption
• Administrative Sessions to CLI (SSH)—Message Authentication
• Administrative Sessions to CLI (SSH)—Server Host Key Types
• Administrative Sessions to CLI (SSH)—Key Exchange Algorithms

Feature or Function Ciphers Supported in PAN-OS 10.2 Releases

Administrative Sessions to Web Interface • TLSv1.1 and TLSv1.2 cipher suites
• RSA-SEED-SHA1
• RSA-CAMELLIA-128-SHA1
• RSA-CAMELLIA-256-SHA1
• RSA-AES-128-SHA1
• RSA-AES-256-SHA1
• RSA-AES-256-CBC-SHA1



• RSA-AES-128-CBC-SHA-256
• RSA-AES-256-CBC-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• ECDHE-RSA-AES-128-GCM-SHA-256
• ECDHE-RSA-AES-256-GCM-SHA-384
• ECDHE-ECDSA-AES-128-SHA1
• ECDHE-ECDSA-AES-256-SHA1
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384

Administrative Sessions to CLI (SSH)—Encryption • AES-128-CTR
• AES-192-CTR
• AES-256-CTR
• AES-128-GCM
• AES-256-GCM
• CHACHA20-POLY1305

Administrative Sessions to CLI (SSH)—Message Authentication • UMAC-64
• UMAC-128
• HMAC-SHA1
• HMAC-SHA2-256
• HMAC-SHA2-512

Administrative Sessions to CLI (SSH)—Server Host Key Types • RSA keys—2048-bit, 3072-bit, and 4096-bit keys
• ECDSA keys—256-bit, 384-bit, and 521-bit keys

Administrative Sessions to CLI (SSH)—Key Exchange Algorithms • curve25519-sha256
• diffie-hellman-group14-sha1
• diffie-hellman-group14-sha256
• diffie-hellman-group16-sha512
• diffie-hellman-group-exchange-sha256
• ecdh-sha2-nistp256
• ecdh-sha2-nistp384



• ecdh-sha2-nistp521

PAN-OS 10.2 HA1 SSH Cipher Suites


The following table lists the cipher suites for HA1 control connections using SSH that are
supported on firewalls running a PAN-OS® 10.2 release in normal (non-FIPS-CC) or FIPS-CC
operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 10.2 Cipher Suites
Supported in FIPS-CC Mode.

Feature or Function Ciphers Supported in PAN-OS 10.2 Releases

HA1 SSH • AES 128-bit cipher with Counter Mode


• AES 128-bit cipher with GCM (Galois/Counter Mode)
• AES 192-bit cipher with Counter Mode
• AES 256-bit cipher with Counter Mode
• AES 256-bit cipher with GCM
• CHACHA20-POLY1305

PAN-OS 10.2 PAN-OS-to-Panorama Connection Cipher Suites


The following table lists the cipher suites for PAN-OS®-to-Panorama™ connections that are
supported on firewalls running a PAN-OS 10.2 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 10.2 Cipher Suites
Supported in FIPS-CC Mode.

Feature or Function Ciphers Supported in PAN-OS 10.2 Releases

PAN-OS to Panorama Connection • RSA-RC4-128-SHA-1
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-128-SHA-256
• RSA-AES-256-SHA-1
• RSA-AES-256-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384



• DHE-RSA-AES-128-SHA-1
• DHE-RSA-AES-256-SHA-1

PAN-OS 10.2 Cipher Suites Supported in FIPS-CC Mode


The following table lists cipher suites that are supported on firewalls running a PAN-OS® 10.2
release in FIPS-CC mode. The Cryptographic Algorithm Validation Program has additional details
regarding the algorithm implementation.

If your firewall is running in normal (non-FIPS-CC) operational mode, see Cipher Suites
Supported in PAN-OS 10.2

Functions | Standards | Certificates

Asymmetric key generation

FFC key pair generation (key size 2048 bits) | FIPS PUB 186-4 | Appliances: #A2906; VMs: #A2907
ECC key pair generation (NIST curves P-256, P-384) | FIPS PUB 186-4 | Appliances: #A2906; VMs: #A2907
RSA key generation (2048 bits or greater) | FIPS PUB 186-4 | Appliances: #A2906; VMs: #A2907

Cryptographic Key Generation (for IKE Peer Authentication)

RSA key generation (2048 bits or greater) | FIPS PUB 186-4 | Appliances: #A2906; VMs: #A2907
ECDSA key pair generation (NIST curves P-256, P-384) | FIPS PUB 186-4 | Appliances: #A2906; VMs: #A2907

Cryptographic Key Establishment

ECC-based key establishment | SP 800-56A Revision 3 | Appliances: #A2906; VMs: #A2907
FFC-based key establishment | SP 800-56A Revision 3 | Appliances: #A2906; VMs: #A2907

AES Data Encryption/Decryption

AES CTR 128/192/256; AES CBC 128/192/256; AES GCM 128/256; AES CCM 128 | AES as specified in ISO 18033-3; CBC/CTR as specified in ISO 10116; GCM as specified in ISO 19772; NIST SP 800-38A/C/D/F; FIPS PUB 197 | Appliances: #A2906; VMs: #A2907

Signature Generation and Verification

RSA (2048 bits or greater) | FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 5.5, using PKCS #1 v2.1 Signature Schemes RSASSA-PSS and/or RSASSAPKCS1v1_5; ISO/IEC 9796-2, Digital signature scheme 2 or Digital Signature scheme 3 | Appliances: #A2906; VMs: #A2907
ECDSA (NIST curves P-256, P-384, and P-521) | FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 6 and Appendix D, Implementing "NIST curves" P-256, P-384, P-521; ISO/IEC 14888-3, Section 6.4 | Appliances: #A2906; VMs: #A2907

Cryptographic hashing

SHA-1, SHA-256, SHA-384 and SHA-512 (digest sizes 160, 256, 384 and 512 bits) | ISO/IEC 10118-3:2004; FIPS PUB 180-4 | Appliances: #A2906; VMs: #A2907

Keyed-hash message authentication

HMAC-SHA-1; HMAC-SHA-256; HMAC-SHA-384; HMAC-SHA-512 | ISO/IEC 9797-2:2011; FIPS PUB 198-1 | Appliances: #A2906; VMs: #A2907

Random bit generation

CTR_DRBG (AES-256) | ISO/IEC 18031:2011; NIST SP 800-90A | Appliances: #A2906; VMs: #A2907


Cipher Suites Supported in PAN-OS 10.1


The following topics list cipher suites that are supported on firewalls running a PAN-OS® 10.1
release in normal (non-FIPS-CC) operational mode.
If your firewall is running in FIPS-CC mode, see the list of PAN-OS 10.1 Cipher Suites Supported
in FIPS-CC Mode.
The ciphers supported in normal operation mode are grouped according to feature or
functionality in the following sections:
• PAN-OS 10.1 GlobalProtect Cipher Suites
• PAN-OS 10.1 IPSec Cipher Suites
• PAN-OS 10.1 IKE and Web Certificate Cipher Suites
• PAN-OS 10.1 Decryption Cipher Suites
• PAN-OS 10.1 HA1 SSH Cipher Suites
• PAN-OS 10.1 Administrative Session Cipher Suites
• PAN-OS 10.1 PAN-OS-to-Panorama Connection Cipher Suites

PAN-OS 10.1 GlobalProtect Cipher Suites


The following table lists cipher suites for GlobalProtect™ supported on firewalls running a
PAN-OS® 10.1 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 10.1 Cipher Suites
Supported in FIPS-CC Mode.

• GlobalProtect App/Agent—SSL tunnels and SSL connections to gateway and portal


• GlobalProtect App/Agent—IPSec mode
• GlobalProtect Portal—Browser Access

Feature or Function Ciphers Supported in PAN-OS 10.1 Releases

GlobalProtect App/Agent—SSL tunnels and SSL connections to gateway and portal • TLSv1.0, TLSv1.1, and TLSv1.2 cipher suites
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-3DES-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-256-SHA-1
• RSA-AES-128-SHA-256
• RSA-AES-256-SHA-256
• RSA-AES-128-GCM-SHA-256



• RSA-AES-256-GCM-SHA-384
• DHE-RSA-SEED-SHA-1
• DHE-RSA-AES-128-SHA-1
• DHE-RSA-AES-256-SHA-1
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• EDH-RSA-3DES-SHA-1
• ECDHE-RSA-AES-128-SHA-1
• ECDHE-RSA-AES-256-SHA-1
• ECDHE-RSA-AES-128-GCM-SHA-256
• ECDHE-RSA-AES-128-GCM-SHA-384
• ECDHE-ECDSA-AES-128-SHA-1
• ECDHE-ECDSA-AES-256-SHA-1
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384

GlobalProtect App/Agent—IPSec mode (Keys transported through SSL session with gateway) • AES-128-CBC-HMAC-SHA-1
• AES-128-GCM-HMAC-SHA-1
• AES-256-GCM-HMAC-SHA-1

GlobalProtect Portal—Browser Access • SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 cipher suites
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-3DES-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-256-SHA-1
• RSA-AES-128-SHA-256
• RSA-AES-256-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• DHE-RSA-AES-256-SHA-1
• DHE-RSA-AES-128-SHA-1
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384



• EDH-RSA-3DES-SHA-1
• ECDHE-ECDSA-AES-128-SHA-1
• ECDHE-ECDSA-AES-256-SHA-1
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384

PAN-OS 10.1 IPSec Cipher Suites


The following table lists the cipher suites for IPSec that are supported on firewalls running a
PAN-OS® 10.1 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 10.1 Cipher Suites
Supported in FIPS-CC Mode.

• IPSec—Encryption
• IPSec—Message Authentication
• IPSec—Key Exchange

Feature or Function Ciphers Supported in PAN-OS 10.1 Releases

IPSec—Encryption • NULL
• DES
• 3DES
• AES-128-CBC
• AES-192-CBC
• AES-256-CBC
• AES-128-CCM
• AES-128-GCM
• AES-256-GCM

IPSec—Message Authentication • NONE
• HMAC-MD5
• HMAC-SHA-1
• HMAC-SHA-256
• HMAC-SHA-384
• HMAC-SHA-512

IPSec—Key Exchange Diffie-Hellman groups with or without perfect forward secrecy (PFS):
• No PFS—This option specifies that the firewall reuses the same
key for IKE phase 1 and phase 2 instead of renewing the key for
phase 2.
• Group 1 (768-bit keys) with PFS enabled
• Group 2 (1024-bit keys) with PFS enabled
• Group 5 (1536-bit keys) with PFS enabled
• Group 14 (2048-bit keys) with PFS enabled
• Group 19 (256-bit elliptic curve group) with PFS enabled
• Group 20 (384-bit elliptic curve group) with PFS enabled

PAN-OS 10.1 IKE and Web Certificate Cipher Suites


The following table lists cipher suites for Internet Key Exchange (IKE) and PAN-OS® web
certificates that are supported on firewalls running a PAN-OS 10.1 release in normal
(non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 10.1 Cipher Suites
Supported in FIPS-CC Mode.

• IKE Certificate Support


• IKE—Encryption
• IKE—Message Authentication
• IKE—Key Exchange
• PAN-OS Web Certificates

Feature or Function Ciphers Supported in PAN-OS 10.1 Releases

IKE Certificate Support • RSA
  • Keys—512-bit, 1024-bit, 2048-bit, and 3072-bit keys
  • Digital signature algorithms—SHA-1, SHA-256, SHA-384, or SHA-512
• ECDSA
  • Keys—256-bit and 384-bit keys
  • Digital signature algorithms—SHA-256, SHA-384, or SHA-512

IKE—Encryption • DES
• 3DES
• AES-128-CBC



• AES-192-CBC
• AES-256-CBC
Starting with PAN-OS 10.0.3:
• AES-128-GCM
• AES-256-GCM

IKE—Message Authentication • HMAC-MD5
• HMAC-SHA-1
• HMAC-SHA-256
• HMAC-SHA-384
• HMAC-SHA-512

IKE—Key Exchange Diffie-Hellman groups


• Group 1 (768-bit keys)
• Group 2 (1024-bit keys)
• Group 5 (1536-bit keys)
• Group 14 (2048-bit keys)
• Group 19 (256-bit elliptic curve group)
• Group 20 (384-bit elliptic curve group)

PAN-OS Web Certificates • RSA
  • Keys—512-bit, 1024-bit, 2048-bit, 3072-bit, and 4096-bit keys
  • Digital signature algorithms—SHA-1, SHA-256, SHA-384, or SHA-512
• ECDSA
  • Keys—256-bit and 384-bit keys
  • Digital signature algorithms—SHA-256, SHA-384, or SHA-512

PAN-OS 10.1 Decryption Cipher Suites


The following table lists cipher suites for decryption that are supported on firewalls running a
PAN-OS® 10.1 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 10.1 Cipher Suites
Supported in FIPS-CC Mode.

• SSH Decryption (SSHv2 only)—Encryption


• SSH Decryption (SSHv2 only)—Message Authentication


• SSL/TLS Decryption
• SSL/TLS Decryption—NIST-approved Elliptical Curves
• SSL/TLS Decryption—Perfect Forward Secrecy (PFS) Ciphers
• TLS 1.3 Decryption—Signature Algorithms

Feature or Function Ciphers Supported in PAN-OS 10.1 Releases

SSH Decryption (SSHv2 only)—Encryption • AES-128-CBC
• AES-192-CBC
• AES-256-CBC
• AES-128-CTR
• AES-192-CTR
• AES-256-CTR

SSH Decryption (SSHv2 only)—Message Authentication • HMAC-RIPEMD
• HMAC-MD5-96
• HMAC-MD5
• HMAC-SHA-1-96
• HMAC-RIPEMD-160
• HMAC-SHA-1

SSL/TLS Decryption • SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3 cipher suites
• RSA 512-bit, 1024-bit, 2048-bit, 3072-bit, 4096-bit, and 8192-bit keys

  The firewall can authenticate certificates with up to 8192-bit RSA keys from the
  destination server; however, the certificate that the firewall generates for the
  client supports RSA keys of up to 4096 bits only.
• RSA-RC4-128-MD5
• RSA-RC4-128-SHA-1
• RSA-3DES-EDE-CBC-SHA-1
• RSA-AES-128-CBC-SHA-1
• RSA-AES-256-CBC-SHA-1
• RSA-AES-128-CBC-SHA-256
• RSA-AES-256-CBC-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• TLS_AES_256_GCM_SHA-384



• TLS_CHACHA20_POLY1305_SHA-256
• TLS_AES_128_GCM_SHA-256

SSL/TLS Decryption—NIST-approved Elliptical Curves • P-192 (secp192r1)
• P-224 (secp224r1)
• P-256 (secp256r1)
• P-384 (secp384r1)
• P-521 (secp521r1)
• (TLS 1.3 only) X25519
• (TLS 1.3 only) X448

SSL/TLS Decryption—Perfect Forward Secrecy (PFS) Ciphers • DHE-RSA-3DES-EDE-CBC-SHA-1
• DHE-RSA-AES-128-CBC-SHA-1
• DHE-RSA-AES-256-CBC-SHA-1
• DHE-RSA-AES-128-CBC-SHA-256
• DHE-RSA-AES-256-CBC-SHA-256
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• ECDHE-RSA-AES-128-CBC-SHA-1
• ECDHE-RSA-AES-256-CBC-SHA-1
• ECDHE-RSA-AES-128-CBC-SHA-256
• ECDHE-RSA-AES-256-CBC-SHA-384
• ECDHE-RSA-AES-128-GCM-SHA-256
• ECDHE-RSA-AES-256-GCM-SHA-384
• ECDHE-ECDSA-AES-128-CBC-SHA-1
• ECDHE-ECDSA-AES-256-CBC-SHA-1
• ECDHE-ECDSA-AES-128-CBC-SHA-256
• ECDHE-ECDSA-AES-256-CBC-SHA-384
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384
• (TLS 1.3 only) TLS_AES_128_GCM_SHA-256
• (TLS 1.3 only) TLS_AES_256_GCM_SHA-384
• (TLS 1.3 only) TLS_CHACHA20_POLY1305_SHA-256

If you use the DHE or ECDHE key exchange algorithms to enable PFS support for SSL
decryption, you can use a hardware security module (HSM) to store the private keys
used for SSL Inbound Inspection.

TLS 1.3 Decryption—Signature Algorithms • ECDSA-SECP256r1-SHA-256
• RSA-PSS-RSAE-SHA-256
• RSA-PKCS1-SHA-256
• ECDSA-SECP384r1-SHA-384
• RSA-PSS-RSAE-SHA-384
• RSA-PKCS1-SHA-384
• RSA-PSS-RSAE-SHA-512
• RSA-PKCS1-SHA-512
• RSA-PKCS1-SHA-1

PAN-OS 10.1 Administrative Session Cipher Suites


The following table lists the cipher suites for administrative sessions that are supported on
firewalls running a PAN-OS® 10.1 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 10.1 Cipher Suites
Supported in FIPS-CC Mode.

• Administrative Sessions to Web Interface


• Administrative Sessions to CLI (SSH)—Encryption
• Administrative Sessions to CLI (SSH)—Message Authentication
• Administrative Sessions to CLI (SSH)—Server Host Key Types
• Administrative Sessions to CLI (SSH)—Key Exchange Algorithms

Feature or Function Ciphers Supported in PAN-OS 10.1 Releases

Administrative Sessions to Web Interface • TLSv1.1 and TLSv1.2 cipher suites
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-3DES-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-256-SHA-1
• RSA-AES-256-CBC-SHA-1
• RSA-AES-128-CBC-SHA-256
• RSA-AES-256-CBC-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• DHE-RSA-3DES-SHA-1
• DHE-RSA-AES-128-GCM-SHA-256



• DHE-RSA-AES-256-GCM-SHA-384
• ECDHE-RSA-AES-128-GCM-SHA-256
• ECDHE-RSA-AES-256-GCM-SHA-384
• ECDHE-ECDSA-AES-128-SHA-1
• ECDHE-ECDSA-AES-256-SHA-1
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384

Administrative Sessions to CLI (SSH)—Encryption • AES-128-CTR
• AES-192-CTR
• AES-256-CTR
• AES-128-GCM
• AES-256-GCM
• CHACHA20-POLY1305

Administrative Sessions to CLI (SSH)—Message Authentication • UMAC-64
• UMAC-128
• HMAC-SHA-1
• HMAC-SHA-256
• HMAC-SHA-512

Administrative Sessions to CLI (SSH)—Server Host Key Types • RSA keys—2048-bit, 3072-bit, and 4096-bit keys
• ECDSA keys—256-bit, 384-bit, and 521-bit keys

Administrative Sessions to CLI (SSH)—Key Exchange Algorithms • curve25519-sha256
• diffie-hellman-group14-sha1
• diffie-hellman-group14-sha256
• diffie-hellman-group16-sha512
• diffie-hellman-group-exchange-sha256
• ecdh-sha2-nistp256
• ecdh-sha2-nistp384
• ecdh-sha2-nistp521

PAN-OS 10.1 HA1 SSH Cipher Suites


The following table lists the cipher suites for HA1 control connections using SSH that are
supported on firewalls running a PAN-OS® 10.1 release in normal (non-FIPS-CC) or FIPS-CC
operational mode.


If your firewall is running in FIPS-CC mode, see the list of PAN-OS 10.1 Cipher Suites
Supported in FIPS-CC Mode.

Feature or Function Ciphers Supported in PAN-OS 10.1 Releases

HA1 SSH • AES 128-bit cipher with Counter Mode


• AES 128-bit cipher with GCM (Galois/Counter Mode)
• AES 192-bit cipher with Counter Mode
• AES 256-bit cipher with Counter Mode
• AES 256-bit cipher with GCM
• CHACHA20-POLY1305

PAN-OS 10.1 PAN-OS-to-Panorama Connection Cipher Suites


The following table lists the cipher suites for PAN-OS®-to-Panorama™ connections that are
supported on firewalls running a PAN-OS 10.1 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 10.1 Cipher Suites
Supported in FIPS-CC Mode.

Feature or Function Ciphers Supported in PAN-OS 10.1 Releases

PAN-OS to Panorama Connection • RSA-RC4-128-SHA-1
• RSA-3DES-SHA-1
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-128-SHA-256
• RSA-AES-256-SHA-1
• RSA-AES-256-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• DHE-RSA-AES-128-SHA-1
• DHE-RSA-AES-256-SHA-1

PAN-OS 10.1 Cipher Suites Supported in FIPS-CC Mode


The following table lists cipher suites that are supported on firewalls running a PAN-OS® 10.1
release in FIPS-CC mode. The Cryptographic Algorithm Validation Program has additional details
regarding the algorithm implementation.


If your firewall is running in normal (non-FIPS-CC) operational mode, see Cipher Suites
Supported in PAN-OS 10.1

Functions | Standards | Certificates

Asymmetric key generation

FFC key pair generation (key size 2048 bits) | FIPS PUB 186-4 | Appliances: #A2137; VMs: #A2244
ECC key pair generation (NIST curves P-256, P-384) | FIPS PUB 186-4 | Appliances: #A2137; VMs: #A2244
RSA key generation (2048 bits or greater) | FIPS PUB 186-4 | Appliances: #A2137; VMs: #A2244

Cryptographic Key Generation (for IKE Peer Authentication)

RSA key generation (2048 bits or greater) | FIPS PUB 186-4 | Appliances: #A2137; VMs: #A2244
ECDSA key pair generation (NIST curves P-256, P-384) | FIPS PUB 186-4 | Appliances: #A2137; VMs: #A2244

Cryptographic Key Establishment

ECDSA-based key establishment | NIST SP 800-56A Revision 2 | Appliances: #A2137; VMs: #A2244
FFC-based key establishment | NIST SP 800-56A Revision 2 | Appliances: #A2137; VMs: #A2244

AES Data Encryption/Decryption

AES CTR 128/192/256; AES CBC 128/192/256; AES GCM 128/256; AES CCM 128 | AES as specified in ISO 18033-3; CBC/CTR as specified in ISO 10116; GCM as specified in ISO 19772; NIST SP 800-38A/C/D/F; FIPS PUB 197 | Appliances: #A2137; VMs: #A2244

Signature Generation and Verification

RSA Digital Signature Algorithm (rDSA) (2048 bits or greater) | FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 5.5, using PKCS #1 v2.1 Signature Schemes RSASSA-PSS and/or RSASSAPKCS1v1_5; ISO/IEC 9796-2, Digital signature scheme 2 or Digital Signature scheme 3 | Appliances: #A2137; VMs: #A2244
ECDSA (NIST curves P-256, P-384, and P-521) | FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 6 and Appendix D, Implementing "NIST curves" P-256, P-384, P-521; ISO/IEC 14888-3, Section 6.4 | Appliances: #A2137; VMs: #A2244

Cryptographic hashing

SHA-1, SHA-256, SHA-384 and SHA-512 (digest sizes 160, 256, 384 and 512 bits) | ISO/IEC 10118-3:2004; FIPS PUB 180-4 | Appliances: #A2137; VMs: #A2244

Keyed-hash message authentication

HMAC-SHA-1; HMAC-SHA-256; HMAC-SHA-384; HMAC-SHA-512 | ISO/IEC 9797-2:2011; FIPS PUB 198-1 | Appliances: #A2137; VMs: #A2244

Random bit generation

CTR_DRBG (AES-256) | ISO/IEC 18031:2011; NIST SP 800-90A | Appliances: #A2137; VMs: #A2244


Cipher Suites Supported in PAN-OS 9.1


The following topics list cipher suites that are supported on firewalls running a PAN-OS® 9.1
release in normal (non-FIPS-CC) operational mode.
If your firewall is running in FIPS-CC mode, see the list of PAN-OS 9.1 Cipher Suites Supported in
FIPS-CC Mode.
The ciphers supported in normal operation mode are grouped according to feature or
functionality in the following sections:
• PAN-OS 9.1 GlobalProtect Cipher Suites
• PAN-OS 9.1 IPSec Cipher Suites
• PAN-OS 9.1 IKE and Web Certificate Cipher Suites
• PAN-OS 9.1 Decryption Cipher Suites
• PAN-OS 9.1 HA1 SSH Cipher Suites
• PAN-OS 9.1 Administrative Session Cipher Suites
• PAN-OS 9.1 PAN-OS-to-Panorama Connection Cipher Suites

PAN-OS 9.1 GlobalProtect Cipher Suites


The following table lists cipher suites for GlobalProtect™ supported on firewalls running a
PAN-OS® 9.1 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 9.1 Cipher Suites
Supported in FIPS-CC Mode.

• GlobalProtect App/Agent—SSL
• GlobalProtect App/Agent—IPSec mode
• GlobalProtect Portal—Browser Access

Feature or Function Ciphers Supported in PAN-OS 9.1 Releases

GlobalProtect App/Agent—SSL tunnels and SSL connections to gateway and portal • TLSv1.0, TLSv1.1, and TLSv1.2 cipher suites
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-3DES-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-256-SHA-1
• RSA-AES-128-SHA-256
• RSA-AES-256-SHA-256
• RSA-AES-128-GCM-SHA-256



• RSA-AES-256-GCM-SHA-384
• DHE-RSA-SEED-SHA-1
• DHE-RSA-AES-128-SHA-1
• DHE-RSA-AES-256-SHA-1
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• EDH-RSA-3DES-SHA-1
• ECDHE-RSA-AES-128-SHA-1
• ECDHE-RSA-AES-256-SHA-1
• ECDHE-RSA-AES-128-GCM-SHA-256
• ECDHE-RSA-AES-128-GCM-SHA-384
• ECDHE-ECDSA-AES-128-SHA-1
• ECDHE-ECDSA-AES-256-SHA-1
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384

GlobalProtect App/Agent—IPSec mode (Keys transported through SSL session with gateway) • AES-128-CBC-HMAC-SHA-1
• AES-128-GCM-HMAC-SHA-1
• AES-256-GCM-HMAC-SHA-1

GlobalProtect Portal—Browser Access • SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 cipher suites
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-3DES-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-256-SHA-1
• RSA-AES-128-SHA-256
• RSA-AES-256-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• DHE-RSA-AES-256-SHA-1
• DHE-RSA-AES-128-SHA-1
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384



• EDH-RSA-3DES-SHA-1
• ECDHE-ECDSA-AES-128-SHA-1
• ECDHE-ECDSA-AES-256-SHA-1
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384

PAN-OS 9.1 IPSec Cipher Suites


The following table lists the cipher suites for IPSec that are supported on firewalls running a
PAN-OS® 9.1 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 9.1 Cipher Suites
Supported in FIPS-CC Mode.

• IPSec—Encryption
• IPSec—Message Authentication
• IPSec—Key Exchange

Feature or Function Ciphers Supported in PAN-OS 9.1 Releases

IPSec—Encryption • NULL
• DES
• 3DES
• AES-128-CBC
• AES-192-CBC
• AES-256-CBC
• AES-128-CCM
• AES-128-GCM
• AES-256-GCM

IPSec—Message Authentication • NONE
• HMAC-MD5
• HMAC-SHA-1
• HMAC-SHA-256
• HMAC-SHA-384
• HMAC-SHA-512

IPSec—Key Exchange Diffie-Hellman groups with or without perfect forward secrecy (PFS):
• No PFS—This option specifies that the firewall reuses the same
key for IKE phase 1 and phase 2 instead of renewing the key for
phase 2.
• Group 1 (768-bit keys) with PFS enabled
• Group 2 (1024-bit keys) with PFS enabled
• Group 5 (1536-bit keys) with PFS enabled
• Group 14 (2048-bit keys) with PFS enabled
• Group 19 (256-bit elliptic curve group) with PFS enabled
• Group 20 (384-bit elliptic curve group) with PFS enabled

PAN-OS 9.1 IKE and Web Certificate Cipher Suites


The following table lists cipher suites for Internet Key Exchange (IKE) and PAN-OS® web
certificates that are supported on firewalls running a PAN-OS 9.1 release in normal (non-FIPS-CC)
operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 9.1 Cipher Suites
Supported in FIPS-CC Mode.

• IKE Certificate Support


• IKE—Encryption
• IKE—Message Authentication
• IKE—Key Exchange
• PAN-OS Web Certificates

Feature or Function Ciphers Supported in PAN-OS 9.1 Releases

IKE Certificate Support • RSA
  • Keys—512-bit, 1024-bit, 2048-bit, and 3072-bit keys
  • Digital signature algorithms—SHA-1, SHA-256, SHA-384, or SHA-512
• ECDSA
  • Keys—256-bit and 384-bit keys
  • Digital signature algorithms—SHA-256, SHA-384, or SHA-512

IKE—Encryption • DES
• 3DES
• AES-128-CBC



• AES-192-CBC
• AES-256-CBC

IKE—Message Authentication • HMAC-MD5
• HMAC-SHA-1
• HMAC-SHA-256
• HMAC-SHA-384
• HMAC-SHA-512

IKE—Key Exchange Diffie-Hellman groups
• Group 1 (768-bit keys)
• Group 2 (1024-bit keys)
• Group 5 (1536-bit keys)
• Group 14 (2048-bit keys)
• Group 19 (256-bit elliptic curve group)
• Group 20 (384-bit elliptic curve group)

PAN-OS Web Certificates • RSA
  • Keys—512-bit, 1024-bit, 2048-bit, 3072-bit, and 4096-bit keys
  • Digital signature algorithms—SHA-1, SHA-256, SHA-384, or SHA-512
• ECDSA
  • Keys—256-bit and 384-bit keys
  • Digital signature algorithms—SHA-256, SHA-384, or SHA-512

PAN-OS 9.1 Decryption Cipher Suites


The following table lists cipher suites for decryption that are supported on firewalls running a
PAN-OS® 9.1 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 9.1 Cipher Suites
Supported in FIPS-CC Mode.

• SSH Decryption (SSHv2 only)—Encryption
• SSH Decryption (SSHv2 only)—Message Authentication
• SSL/TLS Decryption
• SSL/TLS Decryption—NIST-approved Elliptical Curves
• SSL/TLS Decryption—Perfect Forward Secrecy (PFS) Ciphers

Feature or Function Ciphers Supported in PAN-OS 9.1 Releases

SSH Decryption (SSHv2 only)—Encryption • AES-128-CBC
• AES-192-CBC
• AES-256-CBC
• AES-128-CTR
• AES-192-CTR
• AES-256-CTR

SSH Decryption (SSHv2 only)—Message Authentication • HMAC-RIPEMD
• HMAC-MD5-96
• HMAC-MD5
• HMAC-SHA-1-96
• HMAC-RIPEMD-160
• HMAC-SHA-1

SSL/TLS Decryption • SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 cipher suites
• RSA 512-bit, 1024-bit, 2048-bit, 3072-bit, 4096-bit, and 8192-bit keys

  The firewall can authenticate certificates up to 8192-bit RSA keys from the destination server; however, the firewall-generated certificate to the client supports only up to 4096-bit RSA keys.

• RSA-RC4-128-MD5
• RSA-RC4-128-SHA-1
• RSA-3DES-EDE-CBC-SHA-1
• RSA-AES-128-CBC-SHA-1
• RSA-AES-256-CBC-SHA-1
• RSA-AES-128-CBC-SHA-256
• RSA-AES-256-CBC-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384

SSL/TLS Decryption—NIST-approved Elliptical Curves • P-192 (secp192r1)
• P-224 (secp224r1)
• P-256 (secp256r1)
• P-384 (secp384r1)
• P-521 (secp521r1)

SSL/TLS Decryption—Perfect Forward Secrecy (PFS) Ciphers • DHE-RSA-3DES-EDE-CBC-SHA-1
• DHE-RSA-AES-128-CBC-SHA-1
• DHE-RSA-AES-256-CBC-SHA-1
• DHE-RSA-AES-128-CBC-SHA-256
• DHE-RSA-AES-256-CBC-SHA-256
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• ECDHE-RSA-AES-128-CBC-SHA-1
• ECDHE-RSA-AES-256-CBC-SHA-1
• ECDHE-RSA-AES-128-CBC-SHA-256
• ECDHE-RSA-AES-256-CBC-SHA-384
• ECDHE-RSA-AES-128-GCM-SHA-256
• ECDHE-RSA-AES-256-GCM-SHA-384
• ECDHE-ECDSA-AES-128-CBC-SHA-1
• ECDHE-ECDSA-AES-256-CBC-SHA-1
• ECDHE-ECDSA-AES-128-CBC-SHA-256
• ECDHE-ECDSA-AES-256-CBC-SHA-384
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384

  If you use the DHE or ECDHE key exchange algorithms to enable PFS support for SSL decryption, you can use a hardware security module (HSM) to store the private keys used for SSL Inbound Inspection.

PAN-OS 9.1 Administrative Session Cipher Suites


The following table lists the cipher suites for administrative sessions that are supported on
firewalls running a PAN-OS® 9.1 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 9.1 Cipher Suites
Supported in FIPS-CC Mode.

• Administrative Sessions to Web Interface
• Administrative Sessions to CLI (SSH)—Encryption
• Administrative Sessions to CLI (SSH)—Message Authentication
• Administrative Sessions to CLI (SSH)—Server Host Key Types
• Administrative Sessions to CLI (SSH)—Key Exchange Algorithms

Feature or Function Ciphers Supported in PAN-OS 9.1 Releases

Administrative Sessions to Web Interface • TLSv1.1 and TLSv1.2 cipher suites
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-3DES-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-256-SHA-1
• RSA-AES-256-CBC-SHA-1
• RSA-AES-128-CBC-SHA-256
• RSA-AES-256-CBC-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• DHE-RSA-3DES-SHA-1
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• ECDHE-RSA-AES-128-GCM-SHA-256
• ECDHE-RSA-AES-256-GCM-SHA-384
• ECDHE-ECDSA-AES-128-SHA-1
• ECDHE-ECDSA-AES-256-SHA-1
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384

Administrative Sessions to CLI (SSH)—Encryption • 3DES-CBC
• ARCFOUR128
• ARCFOUR256
• BLOWFISH-CBC
• CAST128-CBC
• AES-128-CBC
• AES-192-CBC
• AES-256-CBC
• AES-128-CTR
• AES-192-CTR
• AES-256-CTR
• AES-128-GCM
• AES-256-GCM

Administrative Sessions to CLI (SSH)—Message Authentication • UMAC-64
• UMAC-128
• HMAC-MD5-96
• HMAC-MD5
• HMAC-SHA-1-96
• HMAC-RIPEMD-160
• HMAC-SHA-1
• HMAC-SHA-256
• HMAC-SHA-512

Administrative Sessions to CLI (SSH)—Server Host Key Types • RSA keys—2048-bit, 3072-bit, and 4096-bit keys
• ECDSA keys—256-bit, 384-bit, and 521-bit keys

Administrative Sessions to CLI (SSH)—Key Exchange Algorithms • diffie-hellman-group1-SHA-1
• diffie-hellman-group14-SHA-1
• diffie-hellman-group-exchange-SHA-1
• diffie-hellman-group-exchange-SHA-256
• ecdh-SHA-2-nistp256
• ecdh-SHA-2-nistp384
• ecdh-SHA-2-nistp521

PAN-OS 9.1 HA1 SSH Cipher Suites


The following table lists the cipher suites for HA1 control connections using SSH that are
supported on firewalls running a PAN-OS® 9.1 release in normal (non-FIPS-CC) or FIPS-CC
operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 9.1 Cipher Suites
Supported in FIPS-CC Mode.

Feature or Function Ciphers Supported in PAN-OS 9.1 Releases

HA1 SSH • AES 128-bit cipher with Cipher Block Chaining
• AES 128-bit cipher with Counter Mode
• AES 128-bit cipher with GCM (Galois/Counter Mode)
• AES 192-bit cipher with Cipher Block Chaining
• AES 192-bit cipher with Counter Mode
• AES 256-bit cipher with Cipher Block Chaining
• AES 256-bit cipher with Counter Mode
• AES 256-bit cipher with GCM

PAN-OS 9.1 PAN-OS-to-Panorama Connection Cipher Suites


The following table lists the cipher suites for PAN-OS®-to-Panorama™ connections that are
supported on firewalls running a PAN-OS 9.1 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 9.1 Cipher Suites
Supported in FIPS-CC Mode.

Feature or Function Ciphers Supported in PAN-OS 9.1 Releases

PAN-OS to Panorama Connection • RSA-RC4-128-SHA-1
• RSA-3DES-SHA-1
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-128-SHA-256
• RSA-AES-256-SHA-1
• RSA-AES-256-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• DHE-RSA-AES-128-SHA-1
• DHE-RSA-AES-256-SHA-1

PAN-OS 9.1 Cipher Suites Supported in FIPS-CC Mode


The following table lists cipher suites that are supported on firewalls running a PAN-OS® 9.1
release in FIPS-CC mode. The Cryptographic Algorithm Validation Program has additional details
regarding the algorithm implementation. Also, no changes were made to the Palo Alto
Networks crypto module between PAN-OS 9.0 and PAN-OS 9.1, so all FIPS certificates still apply
for this PAN-OS 9.1 release.

If your firewall is running in normal (non-FIPS-CC) operational mode, see Cipher Suites
Supported in PAN-OS 9.1

Functions Standards

Asymmetric key generation

FFC key pair generation (key size 2048 bits)
Standards: FIPS PUB 186-4

ECC key pair generation (NIST curves P-256, P-384)
Standards: FIPS PUB 186-4

RSA key generation (2048 bits or greater)
Standards: FIPS PUB 186-4

Cryptographic Key Generation (for IKE Peer Authentication)

RSA key generation (2048 bits or greater)
Standards: FIPS PUB 186-4

ECDSA key pair generation (NIST curves P-256, P-384)
Standards: FIPS PUB 186-4

Cryptographic Key Establishment

ECDSA-based key establishment
Standards: NIST SP 800-56A Revision 2

FFC-based key establishment
Standards: NIST SP 800-56A Revision 2

AES Data Encryption/Decryption

• AES CTR 128/192/256
• AES CBC 128/192/256
• AES GCM 128/256
• AES CCM 128
Standards:
• AES as specified in ISO 18033-3
• CBC/CTR as specified in ISO 10116
• GCM as specified in ISO 19772
• NIST SP 800-38A/C/D/F
• FIPS PUB 197

Signature Generation and Verification

RSA Digital Signature Algorithm (rDSA) (2048 bits or greater)
Standards: FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 5.5, using PKCS #1 v2.1 Signature Schemes RSASSA-PSS and/or RSASSAPKCS1v1_5; ISO/IEC 9796-2, Digital signature scheme 2 or Digital Signature scheme 3

ECDSA (NIST curves P-256, P-384, and P-521)
Standards: FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 6 and Appendix D, Implementing "NIST curves" P-256, P-384, ISO/IEC 14888-3, Section 6.4

Cryptographic hashing

SHA-1, SHA-256, SHA-384, and SHA-512 (digest sizes 160, 256, 384, and 512 bits)
Standards:
• ISO/IEC 10118-3:2004
• FIPS PUB 180-4

Keyed-hash message authentication

• HMAC-SHA-1
• HMAC-SHA-256
• HMAC-SHA-384
• HMAC-SHA-512
Standards:
• ISO/IEC 9797-2:2011
• FIPS PUB 198-1

Random bit generation

CTR_DRBG (AES-256)
Standards:
• ISO/IEC 18031:2011
• NIST SP 800-90A

Cipher Suites Supported in PAN-OS 8.1


The following topics list cipher suites that are supported on firewalls running a PAN-OS® 8.1
release in normal (non-FIPS-CC) operational mode.
If your firewall is running in FIPS-CC mode, see the list of PAN-OS 8.1 Cipher Suites Supported in
FIPS-CC Mode.
The ciphers supported in normal operation mode are grouped according to feature or
functionality in the following sections:
• PAN-OS 8.1 GlobalProtect Cipher Suites
• PAN-OS 8.1 IPSec Cipher Suites
• PAN-OS 8.1 IKE and Web Certificate Cipher Suites
• PAN-OS 8.1 Decryption Cipher Suites
• PAN-OS 8.1 HA1 SSH Cipher Suites
• PAN-OS 8.1 Administrative Session Cipher Suites
• PAN-OS 8.1 PAN-OS-to-Panorama Connection Cipher Suites

PAN-OS 8.1 GlobalProtect Cipher Suites


The following table lists cipher suites for GlobalProtect™ supported on firewalls running a PAN-
OS® 8.1 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 8.1 Cipher Suites
Supported in FIPS-CC Mode.

• GlobalProtect App/Agent—SSL tunnels and SSL connections to gateway and portal
• GlobalProtect App/Agent—IPSec mode
• GlobalProtect Portal—Browser Access

Feature or Function Ciphers Supported in PAN-OS 8.1 Releases

GlobalProtect App/Agent—SSL tunnels and SSL connections to gateway and portal • TLSv1.0, TLSv1.1, and TLSv1.2 cipher suites
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-3DES-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-256-SHA-1
• RSA-AES-128-SHA-256
• RSA-AES-256-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• DHE-RSA-SEED-SHA-1
• DHE-RSA-AES-128-SHA-1
• DHE-RSA-AES-256-SHA-1
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• EDH-RSA-3DES-SHA-1
• ECDHE-RSA-AES-128-SHA-1
• ECDHE-RSA-AES-256-SHA-1
• ECDHE-RSA-AES-128-GCM-SHA-256
• ECDHE-RSA-AES-128-GCM-SHA-384
• ECDHE-ECDSA-AES-128-SHA-1
• ECDHE-ECDSA-AES-256-SHA-1
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384

GlobalProtect App/Agent—IPSec mode (Keys transported through SSL session with gateway) • AES-128-CBC-HMAC-SHA-1
• AES-128-GCM-HMAC-SHA-1
• AES-256-GCM-HMAC-SHA-1

GlobalProtect Portal—Browser Access • SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 cipher suites
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-3DES-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-256-SHA-1
• RSA-AES-128-SHA-256
• RSA-AES-256-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• DHE-RSA-AES-256-SHA-1
• DHE-RSA-AES-128-SHA-1
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• EDH-RSA-3DES-SHA-1
• ECDHE-ECDSA-AES-128-SHA-1
• ECDHE-ECDSA-AES-256-SHA-1
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384

PAN-OS 8.1 IPSec Cipher Suites


The following table lists the cipher suites for IPSec that are supported on firewalls running a PAN-
OS® 8.1 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 8.1 Cipher Suites
Supported in FIPS-CC Mode.

• IPSec—Encryption
• IPSec—Message Authentication
• IPSec—Key Exchange

Feature or Function Ciphers Supported in PAN-OS 8.1 Releases

IPSec—Encryption • NULL
• DES
• 3DES
• AES-128-CBC
• AES-192-CBC
• AES-256-CBC
• AES-128-CCM
• AES-128-GCM
• AES-256-GCM

IPSec—Message Authentication • NONE
• HMAC-MD5
• HMAC-SHA-1
• HMAC-SHA-256
• HMAC-SHA-384
• HMAC-SHA-512

IPSec—Key Exchange Diffie-Hellman groups with or without perfect forward secrecy (PFS):
• No PFS—This option specifies that the firewall reuses the same
key for IKE phase 1 and phase 2 instead of renewing the key for
phase 2.
• Group 1 (768-bit keys) with PFS enabled
• Group 2 (1024-bit keys) with PFS enabled
• Group 5 (1536-bit keys) with PFS enabled
• Group 14 (2048-bit keys) with PFS enabled
• Group 19 (256-bit elliptic curve group) with PFS enabled
• Group 20 (384-bit elliptic curve group) with PFS enabled

PAN-OS 8.1 IKE and Web Certificate Cipher Suites


The following table lists cipher suites for Internet Key Exchange (IKE) and PAN-OS® web
certificates that are supported on firewalls running a PAN-OS 8.1 release in normal (non-FIPS-CC)
operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 8.1 Cipher Suites
Supported in FIPS-CC Mode.

• IKE Certificate Support
• IKE—Encryption
• IKE—Message Authentication
• IKE—Key Exchange
• PAN-OS Web Certificates

Feature or Function Ciphers Supported in PAN-OS 8.1 Releases

IKE Certificate Support • RSA
  • Keys—512-bit, 1024-bit, 2048-bit, and 3072-bit keys
  • Digital signature algorithms—SHA-1, SHA-256, SHA-384, or SHA-512
• ECDSA
  • Keys—256-bit and 384-bit keys
  • Digital signature algorithms—SHA-256, SHA-384, or SHA-512

IKE—Encryption • DES
• 3DES
• AES-128-CBC
• AES-192-CBC
• AES-256-CBC

IKE—Message Authentication • HMAC-MD5
• HMAC-SHA-1
• HMAC-SHA-256
• HMAC-SHA-384
• HMAC-SHA-512

IKE—Key Exchange Diffie-Hellman groups
• Group 1 (768-bit keys)
• Group 2 (1024-bit keys)
• Group 5 (1536-bit keys)
• Group 14 (2048-bit keys)
• Group 19 (256-bit elliptic curve group)
• Group 20 (384-bit elliptic curve group)

PAN-OS Web Certificates • RSA
  • Keys—512-bit, 1024-bit, 2048-bit, 3072-bit, and 4096-bit keys
  • Digital signature algorithms—SHA-1, SHA-256, SHA-384, or SHA-512
• ECDSA
  • Keys—256-bit and 384-bit keys
  • Digital signature algorithms—SHA-256, SHA-384, or SHA-512

PAN-OS 8.1 Decryption Cipher Suites


The following table lists cipher suites for decryption that are supported on firewalls running a
PAN-OS® 8.1 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 8.1 Cipher Suites
Supported in FIPS-CC Mode.

• SSH Decryption (SSHv2 only)—Encryption
• SSH Decryption (SSHv2 only)—Message Authentication
• SSL/TLS Decryption
• SSL/TLS Decryption—NIST-approved Elliptical Curves
• SSL/TLS Decryption—Perfect Forward Secrecy (PFS) Ciphers

Feature or Function Ciphers Supported in PAN-OS 8.1 Releases

SSH Decryption (SSHv2 only)—Encryption • AES-128-CBC
• AES-192-CBC
• AES-256-CBC
• AES-128-CTR
• AES-192-CTR
• AES-256-CTR

SSH Decryption (SSHv2 only)—Message Authentication • HMAC-RIPEMD
• HMAC-MD5-96
• HMAC-MD5
• HMAC-SHA-1-96
• HMAC-RIPEMD-160
• HMAC-SHA-1

SSL/TLS Decryption • SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2 cipher suites
• RSA 512-bit, 1024-bit, 2048-bit, 3072-bit, 4096-bit, and 8192-bit keys

  The firewall can authenticate certificates up to 8192-bit RSA keys from the destination server; however, the firewall-generated certificate to the client supports only up to 2048-bit RSA keys.

• RSA-RC4-128-MD5
• RSA-RC4-128-SHA-1
• RSA-3DES-EDE-CBC-SHA-1
• RSA-AES-128-CBC-SHA-1
• RSA-AES-256-CBC-SHA-1
• RSA-AES-128-CBC-SHA-256
• RSA-AES-256-CBC-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384

SSL/TLS Decryption—NIST-approved Elliptical Curves • P-192 (secp192r1)
• P-224 (secp224r1)
• P-256 (secp256r1)
• P-384 (secp384r1)
• P-521 (secp521r1)

SSL/TLS Decryption—Perfect Forward Secrecy (PFS) Ciphers • DHE-RSA-3DES-EDE-CBC-SHA-1
• DHE-RSA-AES-128-CBC-SHA-1
• DHE-RSA-AES-256-CBC-SHA-1
• DHE-RSA-AES-128-CBC-SHA-256
• DHE-RSA-AES-256-CBC-SHA-256
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• ECDHE-RSA-AES-128-CBC-SHA-1
• ECDHE-RSA-AES-256-CBC-SHA-1
• ECDHE-RSA-AES-128-CBC-SHA-256
• ECDHE-RSA-AES-256-CBC-SHA-384
• ECDHE-RSA-AES-128-GCM-SHA-256
• ECDHE-RSA-AES-256-GCM-SHA-384
• ECDHE-ECDSA-AES-128-CBC-SHA-1
• ECDHE-ECDSA-AES-256-CBC-SHA-1
• ECDHE-ECDSA-AES-128-CBC-SHA-256
• ECDHE-ECDSA-AES-256-CBC-SHA-384
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384

  If you use the DHE or ECDHE key exchange algorithms to enable PFS support for SSL decryption, you can use a hardware security module (HSM) to store the private keys used for SSL Inbound Inspection.

PAN-OS 8.1 Administrative Session Cipher Suites


The following table lists the cipher suites for administrative sessions that are supported on
firewalls running a PAN-OS® 8.1 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 8.1 Cipher Suites
Supported in FIPS-CC Mode.

• Administrative Sessions to Web Interface
• Administrative Sessions to CLI (SSH)—Encryption
• Administrative Sessions to CLI (SSH)—Message Authentication
• Administrative Sessions to CLI (SSH)—Server Host Key Types
• Administrative Sessions to CLI (SSH)—Key Exchange Algorithms

Feature or Function Ciphers Supported in PAN-OS 8.1 Releases

Administrative Sessions to Web Interface • TLSv1.1 and TLSv1.2 cipher suites
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-3DES-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-256-SHA-1
• RSA-AES-256-CBC-SHA-1
• RSA-AES-128-CBC-SHA-256
• RSA-AES-256-CBC-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• DHE-RSA-3DES-SHA-1
• DHE-RSA-AES-128-GCM-SHA-256
• DHE-RSA-AES-256-GCM-SHA-384
• ECDHE-RSA-AES-128-GCM-SHA-256
• ECDHE-RSA-AES-256-GCM-SHA-384
• ECDHE-ECDSA-AES-128-SHA-1
• ECDHE-ECDSA-AES-256-SHA-1
• ECDHE-ECDSA-AES-128-GCM-SHA-256
• ECDHE-ECDSA-AES-256-GCM-SHA-384

Administrative Sessions to CLI (SSH)—Encryption • 3DES
• ARCFOUR128
• ARCFOUR256
• BLOWFISH
• CAST128
• AES-128-CBC
• AES-192-CBC
• AES-256-CBC
• AES-128-CTR
• AES-192-CTR
• AES-256-CTR
• AES-128-GCM
• AES-256-GCM

Administrative Sessions to CLI (SSH)—Message Authentication • UMAC-64
• HMAC-MD5-96
• HMAC-MD5
• HMAC-SHA-1-96
• HMAC-RIPEMD-160
• HMAC-SHA-1
• HMAC-SHA-256
• HMAC-SHA-512

Administrative Sessions to CLI (SSH)—Server Host Key Types • RSA keys—2048-bit, 3072-bit, and 4096-bit keys
• ECDSA keys—256-bit, 384-bit, and 521-bit keys

Administrative Sessions to CLI (SSH)—Key Exchange Algorithms • diffie-hellman-group1-SHA-1
• diffie-hellman-group14-SHA-1
• diffie-hellman-group-exchange-SHA-1
• diffie-hellman-group-exchange-SHA-256
• ecdh-SHA-2-nistp256
• ecdh-SHA-2-nistp384
• ecdh-SHA-2-nistp521

PAN-OS 8.1 HA1 SSH Cipher Suites


The following table lists the cipher suites for HA1 control connections using SSH that are
supported on firewalls running a PAN-OS® 8.1 release in normal (non-FIPS-CC) or FIPS-CC
operational mode.

Feature or Function Ciphers Supported in PAN-OS 8.1 Releases

HA1 SSH • AES 128-bit cipher with Cipher Block Chaining
• AES 128-bit cipher with Counter Mode
• AES 128-bit cipher with GCM (Galois/Counter Mode)
• AES 192-bit cipher with Cipher Block Chaining
• AES 192-bit cipher with Counter Mode
• AES 256-bit cipher with Cipher Block Chaining
• AES 256-bit cipher with Counter Mode
• AES 256-bit cipher with GCM

PAN-OS 8.1 PAN-OS-to-Panorama Connection Cipher Suites


The following table lists the cipher suites for PAN-OS®-to-Panorama™ connections that are
supported on firewalls running a PAN-OS 8.1 release in normal (non-FIPS-CC) operational mode.

If your firewall is running in FIPS-CC mode, see the list of PAN-OS 8.1 Cipher Suites
Supported in FIPS-CC Mode.

Feature or Function Ciphers Supported in PAN-OS 8.1 Releases

PAN-OS to Panorama Connection • RSA-RC4-128-SHA-1
• RSA-3DES-SHA-1
• RSA-SEED-SHA-1
• RSA-CAMELLIA-128-SHA-1
• RSA-CAMELLIA-256-SHA-1
• RSA-AES-128-SHA-1
• RSA-AES-128-SHA-256
• RSA-AES-256-SHA-1
• RSA-AES-256-SHA-256
• RSA-AES-128-GCM-SHA-256
• RSA-AES-256-GCM-SHA-384
• DHE-RSA-AES-128-SHA-1
• DHE-RSA-AES-256-SHA-1

PAN-OS 8.1 Cipher Suites Supported in FIPS-CC Mode


The following table lists cipher suites that are supported on firewalls running a PAN-OS® 8.1
release in FIPS-CC mode.

If your firewall is running in normal (non-FIPS-CC) operational mode, see Cipher Suites
Supported in PAN-OS 8.1

Functions Standards Certificates

Asymmetric key generation

FFC key pair generation (key size 2048 bits)
Standards: FIPS PUB 186-4
Certificates: Appliances: DSA #1485; VMs: DSA #1497

ECC key pair generation (NIST curves P-256, P-384)
Standards: FIPS PUB 186-4
Certificates: Appliances: ECDSA #1570; VMs: ECDSA #1575

RSA key generation (2048 bits or greater)
Standards: FIPS PUB 186-4
Certificates: Appliances: RSA #3086; VMs: RSA #3090

Cryptographic Key Generation (for IKE Peer Authentication)

RSA key generation (2048 bits or greater)
Standards: FIPS PUB 186-4
Certificates: Appliances: RSA #3086; VMs: RSA #3090

ECDSA key pair generation (NIST curves P-256, P-384)
Standards: FIPS PUB 186-4
Certificates: Appliances: ECDSA #1570; VMs: ECDSA #1575

Cryptographic Key Establishment

ECDSA-based key establishment
Standards: NIST SP 800-56A Revision 2
Certificates: Appliances: CVL #2119; VMs: CVL #2128

FFC-based key establishment
Standards: NIST SP 800-56A Revision 2
Certificates: Appliances: CVL #2119; VMs: CVL #2128

AES Data Encryption/Decryption

• AES CTR 128/192/256
• AES CBC 128/192/256
• AES GCM 128/256
• AES CCM 128
Standards:
• AES as specified in ISO 18033-3
• CBC/CTR as specified in ISO 10116
• GCM as specified in ISO 19772
• NIST SP 800-38A/C/D/F
• FIPS PUB 197
Certificates: Appliances: AES #5890; VMs: AES #5902

Signature Generation and Verification

RSA Digital Signature Algorithm (rDSA) (2048 bits or greater)
Standards: FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 5.5, using PKCS #1 v2.1 Signature Schemes RSASSA-PSS and/or RSASSAPKCS1v1_5; ISO/IEC 9796-2, Digital signature scheme 2 or Digital Signature scheme 3
Certificates: Appliances: RSA #3086; VMs: RSA #3090

ECDSA (NIST curves P-256, P-384, and P-521)
Standards: FIPS PUB 186-4, “Digital Signature Standard (DSS)”, Section 6 and Appendix D, Implementing "NIST curves" P-256, P-384, ISO/IEC 14888-3, Section 6.4
Certificates: Appliances: RSA #1570; VMs: RSA #1575

Cryptographic hashing

SHA-1, SHA-256, SHA-384, and SHA-512 (digest sizes 160, 256, 384, and 512 bits)
Standards:
• ISO/IEC 10118-3:2004
• FIPS PUB 180-4
Certificates: Appliances: SHS #4641; VMs: SHS #4658

Keyed-hash message authentication

• HMAC-SHA-1
• HMAC-SHA-256
• HMAC-SHA-384
• HMAC-SHA-512
Standards:
• ISO/IEC 9797-2:2011
• FIPS PUB 198-1
Certificates: Appliances: HMAC #3865; VMs: HMAC #3882

Random bit generation

CTR_DRBG (AES-256)
Standards:
• ISO/IEC 18031:2011
• NIST SP 800-90A
Certificates: Appliances: DRBG #2451; VMs: DRBG #2464

GlobalProtect
The following topics provide support information for the GlobalProtect™ app (originally referred
to as the GlobalProtect agent on Windows and Mac).
• Where Can I Install the GlobalProtect App?
• Third-Party IPSec Client Support
• What Features Does GlobalProtect Support?
• What Features Does GlobalProtect Support for IoT?
• What GlobalProtect Features Do Third-Party Mobile Device Management Systems Support?


Where Can I Install the GlobalProtect App?


The following sections show operating systems on which you can install each release of the
GlobalProtect™ app.

The compatibility lists that follow show compatibility with major versions for each
platform only and do not specifically call out minor versions. However, the stated
support for the major versions implicitly includes support for all minor versions for the
listed major versions.

• Apple macOS
• Microsoft Windows
• Linux
• Apple iOS and iPadOS
• Google Android
• Google Chrome
• Internet of Things (IoT)
• Hypervisors
Use the OS compatibility information to determine what version of the GlobalProtect app you
want your users to run on their endpoints.

Because the version that an end user must download and install to enable successful
connectivity to your network depends on your environment, there is no direct download
link for the GlobalProtect app on the Palo Alto Networks site. In addition, the way you
deploy the GlobalProtect app to your users depends on the OS of the endpoint.

Apple macOS
The following table shows which macOS versions support which versions of the GlobalProtect
app. For instructions on installing the GlobalProtect app on a macOS endpoint, see the installation
instructions for 5.1, 5.2, 6.0, 6.1, and 6.2.

OS GP App 5.1 GP App 5.2 GP App 6.0 GP App 6.1 GP App 6.2

macOS 10.11 (El Capitan) √ √ — — —

macOS 10.12 (Sierra) √ √ — — —

macOS 10.13 (High Sierra) √ √ — — —

macOS 10.14 (Mojave) √ √ — — —
  GP App 5.2: 5.2.12 & earlier

macOS 10.15 (Catalina) √ √ √ √ √

macOS 11 (Big Sur) √ √ √ √ √
  GP App 5.1: 5.1.7 & later (x86 & ARM-Based MacBooks Using Rosetta Translation)
  GP App 5.2: 5.2.4 & later (x86-based MacBooks); 5.2.5 & later (x86 & ARM-Based MacBooks Using Rosetta Translation); 5.2.6 & later (x86 & ARM-Based MacBooks)

macOS 12 (Monterey) — √ √ √ √
  GP App 5.2: 5.2.10 or later (x86 & ARM-Based MacBooks)

macOS 13 (Ventura) — √ √ √ √
  GP App 5.2: 5.2.12 or later (x86 & ARM-Based MacBooks)
  GP App 6.0: 6.0.3 or later (x86 & ARM-Based MacBooks)

Microsoft Windows
The following table shows which Microsoft Windows versions support which versions of the
GlobalProtect app. For instructions on installing the GlobalProtect app on a macOS endpoint, see
the installation instructions for 5.1, 5.2, 6.0, 6.1, and 6.2.

OS GP App 5.1 GP App 5.2 GP App 6.0 GP App 6.1 GP App 6.2

Windows 7 Service Pack 1 √ — — — —
  Upgrades from 5.1.10 to 5.2.x or later are blocked.

Windows 8 — — — — —

Windows 8.1 √ √ — — —

Windows 10 √ √ √ √ √
  Noted for three of the app versions: 64-bit (x64), 32-bit (x86), and ARM64 devices

Windows 10 UWP √ √ √ √ √
  Noted for two of the app versions: x86 and ARM devices

Windows 11 — √ √ √ √
  GP App 5.2: x86 devices only on 5.2.10 & later
  GP App 6.0, 6.1, 6.2: 64-bit (x64) and ARM64 devices

Linux
The following table shows compatibility between Linux versions and GlobalProtect app versions.
For instructions on installing the GlobalProtect app on a macOS endpoint, see the installation
instructions for 5.1, 5.2, 6.0, and 6.1.
Only 64-bit Linux versions are supported. 32-bit versions are not supported.

OS GP App 5.1 GP App 5.2 GP App 5.3 GP App 6.0 GP App 6.1 GP App 6.2

CentOS 7.0 √ √ — — — N/A
  GP App 5.1, 5.2: CLI-based and GUI-based GlobalProtect app

CentOS 7.1 √ √ — — — N/A
  GP App 5.1, 5.2: CLI-based and GUI-based GlobalProtect app

CentOS 7.2 √ √ — — — N/A
  GP App 5.1, 5.2: CLI-based and GUI-based GlobalProtect app

CentOS 7.3 √ √ — — — N/A
  GP App 5.1, 5.2: CLI-based and GUI-based GlobalProtect app

CentOS 7.4 √ √ — — — N/A
  GP App 5.1, 5.2: CLI-based and GUI-based GlobalProtect app

CentOS 7.5 √ √ — — — N/A
  GP App 5.1, 5.2: CLI-based and GUI-based GlobalProtect app

CentOS 7.6 √ √ — — — N/A
  GP App 5.1, 5.2: CLI-based and GUI-based GlobalProtect app

CentOS 7.7 √ √ — — — N/A
  GP App 5.1, 5.2: CLI-based and GUI-based GlobalProtect app

CentOS 8.0 √ √ — — — N/A
  GP App 5.1, 5.2: CLI-based GlobalProtect app

CentOS 8.3 — — √ √ √ N/A
  GP App 5.3: CLI-based and GUI-based GlobalProtect app
  GP App 6.0: Supported on GlobalProtect 6.0.4 or earlier versions only; CLI-based and GUI-based GlobalProtect app
  GP App 6.1: CLI-based and GUI-based GlobalProtect app

Red Hat Enterprise Linux (RHEL) 7.0 through 8.1 √ √ — — — N/A
  GP App 5.1, 5.2: Releases 7.0 through 7.7: CLI-based and GUI-based GlobalProtect app

Red Hat Enterprise Linux (RHEL) 8.3 — — √ √ N/A N/A
  GP App 5.3, 6.0: CLI-based and GUI-based GlobalProtect app

Red Hat Enterprise Linux (RHEL) 8.4 — — √ √ N/A N/A
  GP App 5.3, 6.0: CLI-based and GUI-based GlobalProtect app

Red Hat Enterprise Linux (RHEL) 8.7 — — — — √ N/A
  GP App 6.1: (Supported on GlobalProtect 6.1.1 and later.)

Red Hat Enterprise Linux (RHEL) 9.1 — — — — √ N/A
  GP App 6.1: (Supported on GlobalProtect 6.1.1 and later.)

Ubuntu 14.04 √ √ √ — — N/A
  GP App 5.1, 5.2: CLI-based and GUI-based GlobalProtect app
  GP App 5.3: CLI-based and GUI-based GlobalProtect app running 5.3.2 or later

Ubuntu 16.04 LTS √ √ √ √ √ N/A
  GP App 5.1, 5.2, 6.0, 6.1: CLI-based and GUI-based GlobalProtect app
  GP App 5.3: CLI-based and GUI-based GlobalProtect app running 5.3.2 or later

Ubuntu 18.04 LTS √ √ √ √ √ N/A
  GP App 5.1, 5.2, 6.0, 6.1: CLI-based and GUI-based GlobalProtect app
  GP App 5.3: CLI-based and GUI-based GlobalProtect app running 5.3.2 or later

Ubuntu 19.04 √ √ √ √ √ N/A
  GP App 5.1, 5.2, 6.0, 6.1: CLI-based and GUI-based GlobalProtect app
  GP App 5.3: CLI-based and GUI-based GlobalProtect app running 5.3.2 or later

Ubuntu 20.04 √ √ √ √ √ N/A
  GP App 5.1, 5.2: CLI-based GlobalProtect app only
  GP App 5.3: CLI-based GlobalProtect app running 5.3.2 or later
  GP App 6.0: CLI only
  GP App 6.1: CLI-based and GUI-based GlobalProtect app

Ubuntu 22.04 — — — — √ N/A
  GP App 6.1: CLI-based and GUI-based GlobalProtect app

Apple iOS and iPadOS


The following table shows compatibility between iOS versions and GlobalProtect app versions.
For instructions on installing the GlobalProtect app on a macOS endpoint, see the installation
instructions for 5.1, 5.2, and 6.0.

| OS | GP App 5.1 | GP App 5.2 | GP App 6.0 | GP App 6.1 | GP App 6.2 |
|---|---|---|---|---|---|
| iOS 10 | √ (64-bit devices only) | √ (64-bit devices only) | √ (64-bit devices only) | N/A | N/A |
| iOS 11 | √ (64-bit devices only) | √ (64-bit devices only) | √ (64-bit devices only) | N/A | N/A |
| iOS 12 | √ (64-bit devices only) | √ (64-bit devices only) | √ (64-bit devices only) | N/A | N/A |
| iOS 13 | √ 5.0.8 & later (64-bit devices only) | √ (64-bit devices only) | √ (64-bit devices only) | N/A | N/A |
| iOS 14 | — | √ (64-bit devices only) | √ (64-bit devices only) | N/A | N/A |
| iOS 15 | — | √ (64-bit devices only running GlobalProtect app 5.2.12 or later) | √ (64-bit devices only) | N/A | N/A |
| iOS 16 | — | — | √ (64-bit devices only running GlobalProtect app 6.0.4 or later) | N/A | N/A |

Google Android
The following table shows compatibility between Google Android versions and GlobalProtect
app versions. For instructions on installing the GlobalProtect app on a macOS endpoint, see the
installation instructions for 5.1, 5.2, and 6.0.

| OS | GP App 5.1 | GP App 5.2 | GP App 6.0 | GP App 6.1 | GP App 6.2 |
|---|---|---|---|---|---|
| Google Android 6.x | √ | √ | √ | N/A | N/A |
| Google Android 7.x | √ | √ | √ | N/A | N/A |
| Google Android 8.x | √ | √ | √ | N/A | N/A |
| Google Android 9.x | √ | √ | √ | N/A | N/A |
| Google Android 10.x | √ | √ | √ | N/A | N/A |
| Google Android 11.x | — | √ | √ | N/A | N/A |
| Google Android 12.x | — | √ Starting with GlobalProtect app version 5.2.10 | √ | N/A | N/A |
| Google Android 13.x | — | — | √ 6.0.3 or later | N/A | N/A |
| Chrome OS Systems Supporting Android Apps | √ | √ | √ | N/A | N/A |

Google Chrome
The following table shows compatibility between Google Chrome OS systems supporting Android
apps and GlobalProtect app versions. For instructions on installing the GlobalProtect app on a
macOS endpoint, see the installation instructions for 5.1, 5.2, and 6.0.

| OS | GP App 5.1 | GP App 5.2 | GP App 6.0 | GP App 6.1 | GP App 6.2 |
|---|---|---|---|---|---|
| Chrome OS Systems Supporting Android Apps | √ | √ | √ | N/A | N/A |


Internet of Things (IoT)


The following table shows compatibility between IoT platforms and GlobalProtect app versions.
For instructions on installing the GlobalProtect app on a macOS endpoint, see the installation
instructions for 5.1, 5.2, 6.0, and 6.1. See the supported features list to see which GlobalProtect
app features are supported on IoT devices.

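| OS | GP App 5.1 | GP App 5.2 | GP App 5.3 | GP App 6.0 | GP App 6.1 | GP App 6.2 |
|---|---|---|---|---|---|---|
| Android | √ | √ | — | √ | N/A | N/A |
| Raspbian | √ | √ | — | √ | √ | N/A |
| Ubuntu | √ | √ | — | √ | √ | N/A |
| Windows IoT Enterprise | √ | √ | — | √ | √ | N/A |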

Hypervisors
The following table shows hypervisor support on each GlobalProtect app version.

| OS | GP App 5.1 | GP App 5.2 | GP App 5.3 | GP App 6.0 | GP App 6.1 | GP App 6.2 |
|---|---|---|---|---|---|---|
| Citrix Xen Desktop | — | — | — | √ 6.0.3 and later | √ | √ |
| VMWare Horizon and Vcenter | √ | √ | √ | √ | √ | √ |


Third-Party VPN Client Support


The following topics provide support information for third-party clients:
• What Third-Party VPN Clients are Supported?
• What GlobalProtect Features Do Third-Party Clients Support?
• How Many Third-Party Clients Does Each Firewall Model Support?

What Third-Party VPN Clients are Supported?


The following table lists third-party VPN client support for PAN-OS® software.

For stronger security, higher tunnel capacities, and a greater breadth of features, we
recommend that you use the GlobalProtect™ app instead of a third-party VPN client.

| Third-Party IPSec Client | Minimum PAN-OS Release Version |
|---|---|
| iOS built-in IPSec client | 9.1 |
| Android built-in IPSec client | 9.1 |
| VPNC on Ubuntu Linux 10.04 and later versions and CentOS 6 and later versions | 9.1 |
| strongSwan on Ubuntu Linux and CentOS* | 9.1 |

* To set up authentication for strongSwan Ubuntu and CentOS clients for PAN-OS 9.1 and
later releases, refer to the GlobalProtect Administrator’s Guide for your release.

Clients emulating GlobalProtect are not supported.

What GlobalProtect Features Do Third-Party Clients Support?


Third-party clients support the following GlobalProtect™ features:

| GlobalProtect Feature | iOS Built-In IPSec Client | Android Built-In IPSec Client | VPNC on Ubuntu Linux 10.04 and later versions and CentOS 6 and later versions | strongSwan on Ubuntu Linux and CentOS |
|---|---|---|---|---|
| Mixed Authentication Method Support for Certificates or User Credentials | √ | √ | √ | √ |
| IPSec VPN Connections | √ | √ | √ | √ |
| IPv4 Addressing | √ | √ | √ | √ |
| Gateway-Level IP Pools | √ | √ | √ | √ |
| Primary Username Visibility on GlobalProtect Gateways | √ | √ | √ | √ |

How Many Third-Party Clients Does Each Firewall Model Support?


The following table lists the maximum number of third-party X-Auth IPSec clients supported by
each firewall model.

| Palo Alto Networks Firewall Model | Maximum Third-Party X-Auth IPSec Clients |
|---|---|
| Hardware Firewalls | |
| PA-7080 | 2,000 |
| PA-7050 | 2,000 |
| PA-5450 | 4,000 |
| PA-5440 | 4,000 |
| PA-5430 | 4,000 |
| PA-5420 | 4,000 |
| PA-5410 | 4,000 |
| PA-5280 | 2,500 |
| PA-5260 | 2,500 |
| PA-5250 | 2,000 |
| PA-5220 | 1,500 |
| PA-5060* | 1,000 |
| PA-5050* | 1,000 |
| PA-5020* | 1,000 |
| PA-3440 | 2,000 |
| PA-3430 | 2,000 |
| PA-3420 | 1,500 |
| PA-3410 | 1,500 |
| PA-3260 | 1,500 |
| PA-3250 | 1,500 |
| PA-3220 | 1,000 |
| PA-3050 | 1,000 |
| PA-1420 | 1,400 |
| PA-1410 | 1,400 |
| PA-850 | 500 |
| PA-820 | 500 |
| PA-500* | 500 |
| PA-460 | 1,400 |
| PA-450 | 1,400 |
| PA-445 | 1,400 |
| PA-440 | 1,400 |
| PA-415 | 500 |
| PA-410 | 500 |
| PA-220R | 500 |
| PA-220** | 500 |
| VM-Series Firewalls | |
| VM-700 | 1,000 |
| VM-500 | 500 |
| VM-300 | 500 |
| VM-200 | 500 |
| VM-100 | 500 |
| VM-50 | 125 |

* These appliances are supported only on PAN-OS 8.1 and only until each reaches its hardware
end-of-life (EoL) date.
** PA-220 firewalls are supported only on PAN-OS 10.2 and earlier PAN-OS versions.


What Features Does GlobalProtect Support?


The following table lists the features supported on GlobalProtect™ by operating system (OS). An
entry in the table indicates the first supported release of the feature on the OS (however, you
should review the End-of-Life Summary to ensure you are using a supported release). A dash
(“—”) indicates that the feature is not supported. For recommended minimum GlobalProtect app
versions, see Where Can I Install the GlobalProtect App?.

For Chromebook and other Chrome OS devices, use Android App 5.0 or later version to
get GlobalProtect app features introduced in GlobalProtect app 5.0 and later releases.
(Refer also to the end-of-life (EoL) information for the GlobalProtect app.)

Feature Android iOS Chrome Windows Windows 10 UWP macOS Linux

Authentication

Multi- — — — 4.0.0 — 4.0.0 —


Factor
Authentication
Policy

SAML 4.0.0 4.0.0 4.1.0 4.0.0 — 4.0.0 5.1


Authentication (On-
(GUI-
Demand
based
connect
GlobalProtect
method
app)
only)

SAML 6.0.0 6.0.0 6.0.0 6.0.0 — 6.0.0 6.0.0


Authentication
(On
with Cloud
Demand
Authentication
connect
Service
method
Note: only)
Requires
use of
Default
System
Browser

Default 5.2.0 5.2.0 5.2.0 5.2.0 — 5.2.0 5.2.0


System
Browser
for SAML
Authentication


Expired 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0 —


Active
(notifications
Directory
only)
Password
Change for 5.0.0
Remote
(full
Users
support)

Active — — — 4.1.0 — — —
Directory
Password
Change
Using the
GlobalProtect
Credential
Provider

Mixed 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0


Authentication
Method
Support for
Certificates
or User
Credentials

Pre-Logon — — — 4.1.0 — 4.1.0 —


Followed
by Two-
Factor
Authentication

Pre-Logon — — — 4.1.0 — 4.1.0 —


Followed
by SAML
Authentication

Single Sign-On (SSO)

SSO — — — 1.2.0 — — —
(Credential
Provider)

Kerberos — — — 3.0.0 — 4.1.0 —


SSO


SAML SSO 5.1.0 5.2.0 5.1.0 5.2.0 — 5.2.0 5.2.0

SSO (Smart — — — 6.0.0 — — —


Card
Windows
Authentication)
10 or
later

VPN Connections

IPSec 1.3.0 1.3.0 3.1.1 1.0.0 — 1.0.0 4.1.0

SSL 1.3.0 1.3.0 3.1.1 1.0.0 3.1.3 1.0.0 4.1.0

SSL Tunnel 5.1.0 5.1.0 — 5.1.0 — 5.1.0 5.0.6


Enforcement (CLI)
5.1.0
(web
interface)

Clientless — (no — (no — (no — (no — (no — (no — (no


VPN client client client client client client client
required) required) required) required) required) required) required)

Connect Methods

User-logon 1.3.0 1.3.0 5.0.0 1.0.0 3.1.3 1.0.0 4.1.0


(always on)
(through (Always
extended On
support configured
for the from
GlobalProtect third-
app for party
Android) MDM)

Pre-logon — — — 1.1.0 — 1.1.0 —


(always-on)

Pre-logon — — — 3.1.0 — 3.1.0 —


(then on-
demand)

On-demand 1.3.0 1.3.0 3.1.1 1.0.0 3.1.3 1.0.0 4.1.0


Connect — — — 5.2.0 — — —
Before
Logon

Conditional — — — 6.2.0 6.2.0 6.2.0 —


Connect
Method

Connection Priority

External 4.0.0 4.0.0 4.0.0 4.0.0 4.0.0 4.0.0 4.1.0


Gateway
Priority
by Source
Region

Internal 4.0.0 4.0.0 — 4.0.0 — 4.0.0 4.1.0


Gateway
(Except (Except
Selection
DHCP DHCP
by Source
options) options)
IP Address

Modes

Internal 1.3.0 1.3.0 — 1.0.0 — 1.0.0 4.1


mode

External 1.3.0 1.3.0 3.1.1 1.0.0 3.1.3 1.0.0 4.1


mode

Prisma — — — 6.2.0 6.2.0 6.2.0 —


Access
Explicit
Proxy
Connectivity
in
GlobalProtect

Networking

IPv4 1.3.0 1.3.0 3.1.1 1.0.0 3.1.3 1.0.0 4.1


Addressing

IPv6 4.0.0 4.0.0 4.0.0 4.0.0 4.0.0 4.0.0 4.1


Addressing


Split Tunnel — 4.0.0 4.0.0 4.0.0 4.0.0 4.0.0 4.1


to Exclude
by Access
Route

Optimized — — — 4.1.0 — 4.1.0 6.1.0


Split
Domain-
Tunneling
based
for
split
GlobalProtect
tunneling
only;
application-
based
split
tunneling
not
supported

Enhanced — — — 6.2.0 6.2.0 6.2.0 —


Split
Tunneling

Split DNS — — — 5.2.0 — 5.2.0 6.1.0

Per-App 4.0.0 4.0.0


VPN

No Direct — — — 4.0.0 — 4.0.0 6.0.0


Access
to Local
Network

Endpoint — — — 6.0.0 — 6.0.0 —


Traffic
Windows macOS
Policy
10 or 11 and
Enforcement
later later

Customization

Autonomous — — — 5.2.6 — 5.2.6 —


DEM
Integration
for User
Experience
Management


GlobalProtect 5.2.5 5.2.5 5.2.5 5.2.5 — 5.2.5 5.2.5


App Log
Collection
for
Troubleshooting

Configurable 5.2.4 5.2.4 5.2.4 5.2.4 5.2.4 5.2.4 5.2.4


Maximum
Transmission
Unit for
GlobalProtect
Connections

Connect — — — 5.2.0 — — —
Before
Logon

User- — — — 5.0.3 — — —
Initiated
Pre-Logon
Connection

Support for 5.0.3 5.0.7 — 5.0.3 — 5.0.3 —


Preferred
Gateways

GlobalProtect 5.0.0 5.0.0 — 5.0.0 — 5.0.0 —


Gateway
Location
Configuration

Automatic — — — 4.1.0 — 4.1.0 —


Launching
of Web
Browser
in Captive
Portal
Environment

GlobalProtect — — — 4.1.0 — — —
Tunnel
Preservation
On User
Logout

Endpoint 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0


Tunnel

Configurations
Based on
Source
Region or IP
Address

Portal 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0


Configuration
Assignment
and HIP-
Based
Access
Control
Using New
Endpoint
Attributes

HIP Report 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0


Redistribution

DNS 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0


Configuration
Assignment
Based
on Users
or User
Groups

Tunnel 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0


Restoration
and
Authentication
Cookie
Usage
Restrictions

Concurrent 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0


Support for
IPv4 and
IPv6 DNS
Servers

Support for 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0


IPv6-Only
GlobalProtect
Deployments


FIPS-CC — — — FIPS — FIPS 6.0.7


Validated Validated
on 5.1.4 on 5.1.4
CC CC
Certified Certified
on 5.1.5 on 5.1.5
x86 x86
platforms platforms
FIPS-CC FIPS-
available CC
on 6.0.7 available
on 6.0.7

MDM 5.0.0 5.0.0 — — — — —


Integration
for HIP-
Based
Policy
Enforcement

Captive 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0


Portal
Notification
Delay

Tunnel — — — 4.1.7 — 4.1.7 —


Connections
Over
Proxies

PAC — — — 6.1.0 — 6.1.0 6.1.0


deployment
via
GlobalProtect
app

End-user — — — 6.1.0 — 6.1.0 6.1.0


Notification
about
GlobalProtect
Session
Logout

GlobalProtect — — — 4.1.0 — — —
Credentials

Provider
Pre-Logon
Connection
Status

Static IP — — — 4.1.0 — — —
Address
Assignment

Multiple — — — 4.1.0 — 4.1.0 —


Portal
Support

Customizable 4.1.0 4.1.0 — 4.1.0 4.1.0 4.1.0 4.1.0


Username
and
Password
Labels

Gateway- 4.0.0 4.0.0 4.0.0 4.0.0 4.0.0 4.0.0 4.1.0


Level IP
Pools

Resilient 4.0.3 4.0.3 — 4.0.3 — 4.0.3 —


VPN

Pre-logon — — — 4.0.2 — — —
tunnel
rename
timeout

Restrict — — — 4.0.0 — 4.0.0 —


Transparent
Agent
Upgrades
to Internal
Network
Connections

Enforce — — — 3.1.0 3.1.3 3.1.0 —


GlobalProtect
(VPN
for
Lockdown
Network
configured
Access
from
third-

party
MDM)

Enforce — — — 5.1.0 — 5.1.0 —


GlobalProtect
Exclusions

Enforce — — — 5.2.0 — 5.2.0 —


GlobalProtect
Connections
with FQDN
Exclusions

Certificate — — — 3.0.0 — 3.0.0 —


selection by
OID

Deployment — — — 3.0.0 — 3.0.0 —


of SSL
Forward
Proxy CA
certificates
in the trust
store

HIP reports 1.3.0 1.3.0 3.0.0 1.0.0 3.1.3 1.0.0 4.1.0


(Host (Host
information information
only; only)
Notifications
not
supported)

Run scripts — — — 2.3.0 — 2.3.0 —


before
and after
sessions

Allow users — — — 2.2.0 — 2.2.0 4.1.0


to disable
GlobalProtect

Welcome 1.3.0 1.3.0 3.0.0 1.0.0 — 1.0.0 —


and help
pages


HIP — — — 6.2.0 6.2.0 6.2.0 —


Exceptions
for Patch
Management

HIP Process — — — 6.2.0 6.2.0 6.2.0 —


Remediation

Other

Support for 5.0.3 5.0.7 — 5.0.3 — 5.0.3 5.0.3


100 Manual
Gateways

User 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0 4.1.0


Location
Visibility on
GlobalProtect
Gateways
and Portals

Gateway 5.0.0 5.0.0 — 5.0.0 — 5.0.0 —


and Portal
Location
Visibility for
End Users

Primary 4.0.0 4.0.0 4.0.0 4.0.0 4.0.0 4.0.0 4.1.0


Username
Visibility on
GlobalProtect
Gateways

Automatic — — 4.1.0 — — — —
VPN
Reconnect
for
Chromebooks

Identification 5.1.0 5.1.0 5.1.0 5.1.0 5.1.0 5.1.0 5.1.0


and
Quarantine
of
Compromised
Devices

(Deprecates
Device
Block List)


What Features Does GlobalProtect Support for IoT?


The following table describes the features supported for GlobalProtect™ IoT by OS:

Feature Android Raspbian Ubuntu Windows IoT Enterprise

IPSec VPN √ √ √ √

SSL VPN √ √ √ √

Pre-Logon — — — √
Connect Mode

User-Logon √ √ √ √
Connect Mode
Certificate or Certificate or Certificate or Certificate or
username and username and username and username and
password password password password

On-Demand — — — √
Connect Mode

External √ √ √ √
Gateway Priority
by Source
Region

Internal √ √ √
Gateway
Selection by
Source IP
Address

Internal Mode √ √ √ √

External Mode √ √ √ √

IPv4 Addressing √ √ √ √

IPv6 Addressing √ √ √ √

Split Tunnel √ √ √ √
Based on Access
Route

Split Tunnel — — — √
Based on
Destination

Domain, Client
Process, and
Video Streaming
Application

Multiple Portal — — — √
Support

Resilient VPN √ √ √ √

Pre-Logon — — — √
Tunnel Rename
Timeout

Restrict √ — — √
Transparent
App Upgrades
to Internal
Network
Connections

Enforce √ — — √
GlobalProtect
for Network
Access

Deployment of √ √ √ √
SSL Forward
Proxy CA
Certificates in
the Trust Store

HIP Reports √ √ √ √

Run Scripts — √ √ √
Before and After
Sessions

Certificate — — √
Selection by
OID

Allow Users — — — √
to Disable
GlobalProtect


Multi-Factor — — — √
Authentication
(MFA)

SAML — — — √
Authentication

Expired Active — — — √
Directory (AD)
Password
Change for
Remote Users

Active Directory — — — √
(AD) Password
Change
Using the
GlobalProtect
Credential
Provider

SSO (Credential — — — √
Provider)

Kerberos SSO — — — √

Welcome and — — — √
Help Pages

Headless-Mode √ √ √ √
Without Icon,
Pop-Up, Dialogs,
and UI


What GlobalProtect Features Do Third-Party Mobile Device Management Systems Support?
The following table lists the GlobalProtect™ features supported on third-party mobile device
management (MDM) systems. A dash (“—”) indicates that the feature is not supported.

Feature Workspace ONE Microsoft Intune MobileIron Google Admin Console Jamf Pro

GlobalProtect √ √ √ √ √
App
(macOS
Deployment
only;
requires
GlobalProtect
app 6.1 or
later)

Always on VPN √ √ √ √ —
Configuration
(iOS and (Android, (iOS and (Android
Android iOS, and Android only)
only) Windows 10 only)
UWP only)

Remote √ √ √ √ —
Access VPN
(iOS and (Android and (iOS only)
Configuration
Android iOS only)
only)

Per-App VPN √ √ √ — —
Configuration
(Android, (iOS only)
iOS, and
Windows 10
UWP only)

MDM √ — — — —
Integration with
HIP

VPN Lockdown √ — — — —

Prisma Access
The following topics provide support information for Prisma™ Access:
• What Features Does Prisma Access Support?
• Prisma Access and Panorama Version Compatibility
• Supported IKE Cryptographic Parameters


What Features Does Prisma Access Support?


Prisma™ Access helps you to deliver consistent security to your remote networks and mobile
users. There are two ways that you can deploy and manage Prisma Access:
• Cloud Managed Prisma Access—If you aren’t using Panorama™ to manage firewalls, the Prisma
Access app on the hub gives you a simplified way to onboard and manage Prisma Access.
• Panorama Managed Prisma Access—If you are already using Panorama to manage your next-
generation firewalls, you can use Panorama to deploy Prisma Access and leverage your existing
configurations. You’ll need the Cloud Services plugin to use Panorama for Prisma Access.
The features and IPSec parameters supported for Prisma Access vary depending on the
management interface you’re using—Panorama or the Prisma Access app. You cannot switch
between the management interfaces after you activate your Prisma Access license. This means
you must decide how you want to manage Prisma Access before you begin setting up the product.
Review the Prisma Access Feature Support information to help you select your management
interface.
For a description of the features supported in GlobalProtect™, see the features that
GlobalProtect supports.
• Prisma Access Feature Support
• Integration with Other Palo Alto Networks Products
• Multitenancy Unsupported Features and Functionality

Prisma Access Feature Support


The following sections provide you with the supported features and network settings for Prisma
Access (both Panorama Managed and Cloud Managed).
• Management
• Remote Networks
• Service Connections
• Mobile Users—GlobalProtect
• Mobile Users—Explicit Proxy
• Security Services
• Network Services
• Identity Services
• Policy Objects
• Logs
• Reports
• Integration with Other Palo Alto Networks Products
• Multitenancy Unsupported Features and Functionality


Management
Feature Prisma Access (Cloud Managed) Prisma Access (Panorama Managed)

Best Practice Checks √ Learn more —

Default Configurations √ —
Default settings enable you Examples include:
to get started quickly and
• Default DNS settings
securely
• Default GlobalProtect
settings, including for the
Prisma Access portal
• Default Prisma Access
infrastructure settings

Built-in Best Practice Rules √ —


So you’re as secure as Features with best practice
possible, enable your users rules include:
and applications based on
• Security rules
best practice templates. With
best practices as your basis, • Security profiles
you can then refine policy • Decryption
based on your enterprise
needs. • M365

Onboarding Walkthroughs √ Learn more —


for First-Time Setup
Guided walkthroughs include:
• Onboard Remote
Networks
• Onboard Mobile Users
(GlobalProtect)
• Onboard Your HQ or Data
Centers
• Turn on Decryption

Centralized Management √ —
Dashboards
Dashboards are available for
Can include Best Practice features including:
scores and usage information
• Security Policy
• Security Profiles
• Decryption

• Authentication
• Certificates
• SaaS Application
Management

Hit Counts √ √ Learn more


Hit counts for security
profiles include counts
that measure the profile’s
effectiveness, and these
can depend on the profile
(for example, unblocked
critical and high severity
vulnerabilities, or WildFire
submission types).

Policy Rule Usage √

Policy Optimizer — —

Profile Groups √ Learn more √

Configuration Table Export — √

Remote Networks

Feature Prisma Access (Cloud-Managed) Prisma Access (Panorama-Managed)

IPSec Tunnels √ √
See Supported IKE
Cryptographic Parameters
for a list of the supported IKE
crypto parameters.
FQDNs for peer IPSec
addresses are not supported;
use an IP address for the peer
address instead.

Secure Inbound Access √ Learn more √ Learn more

Tunnel Monitoring


Dead Peer Detection (DPD) √ √

ICMP √ √

Bidirectional Forwarding — —
Detection (BFD)

SNMP — —
Use Tunnel Monitoring
instead of SNMP to monitor
the tunnels in Prisma Access.

Service Connections

Feature Prisma Access (Cloud-Managed) Prisma Access (Panorama-Managed)

IPSec Tunnels √ √
See Supported IKE FQDNs for peer IPSec
Cryptographic Parameters addresses are not supported;
for a list of the supported IKE use an IP address for the peer
crypto parameters. address instead.

Tunnel Monitoring

Dead Peer Detection (DPD) √ √

ICMP √ √

Bidirectional Forwarding — —
Detection (BFD)

SNMP — —
Use Tunnel Monitoring
instead of SNMP to monitor
the tunnels in Prisma Access.

Traffic Steering √ Learn more √ Learn more


(using policy-based Introduced in version 1.7.
forwarding rules to forward

internet-bound traffic to
service connections)

Mobile Users—GlobalProtect

Feature Prisma Access (Cloud-Managed) Prisma Access (Panorama-Managed)

Using On-Premise Gateways (Hybrid Deployments)

On-premise gateway √ √
integration with Prisma
Using on-premise gateways
Access
with Prisma Access gateways
is supported.

Priorities for Prisma Access √ √


and On-Premise Gateways
Supported for deployments
that have on-premise
GlobalProtect gateways. You
can set a priority separately
for on-premise gateways and
collectively for all gateways in
Prisma Access. You can also
specify source regions for on-
premise gateways.

Manual Gateway Selection √ Learn more √ Learn more


Users can manually select
a cloud gateway from their
client machines using the
GlobalProtect app.

GlobalProtect Gateway Modes

External Mode √ √

Internal Mode — —
You cannot configure Prisma
Access gateways as internal
gateways; however, you can
add one or more on-premise

gateways and configure them
as internal gateways.

GlobalProtect App Connect Methods

User-Logon (always on) √ √

Pre-Logon (always on) √ √

Pre-Logon (then on-demand) √ √

On-Demand √ √

Clientless VPN

Clientless VPN √ Learn more √ Learn more

Mobile User—GlobalProtect Features

Support for Multiple √ √


Username Formats

Mobile Device Management — √ Learn more


(MDM)

MDM Integration with HIP √ √


Prisma Access does not
support AirWatch MDM
HIP service integration;
however, you can use the
GlobalProtect App for
iOS and Android MDM
Integration for HIP-Based
Policy Enforcement

Optimized Split Tunneling for √ √


GlobalProtect

Administratively Log Out √ √ Learn more


Mobile Users
Introduced in version 1.4.

DHCP — —
Prisma Access uses the IP
address pools you specify
during mobile user setup

to assign IP addresses to
mobile users and does not
use DHCP.

GlobalProtect App Version √ √ Learn more


Controls
One-click configuration for
GlobalProtect agent log
collection

Mobile Users—Explicit Proxy

Feature Prisma Access (Cloud-Managed) Prisma Access (Panorama-Managed)

Explicit Proxy Support √ Learn more √ Learn more


Introduced in 2.0 Innovation.

Explicit Proxy Connectivity in √ Learn more √ Learn more


GlobalProtect for Always-On
Introduced in Prisma Introduced in Prisma
Internet Security
Access 4.0 Preferred with Access 4.0 Preferred with
GlobalProtect app version 6.2 GlobalProtect app version 6.2

Security Services

Feature Prisma Access (Cloud-Managed) Prisma Access (Panorama-Managed)

Security Policy √ √

DoS Protection √ √
The Prisma Access
infrastructure manages DoS
protection.

SaaS Application √ Learn more —


Management
Supported for:

• Microsoft 365 apps

Includes
a guided
walkthrough
to safely
enable M365
• Google apps
• Dropbox
• YouTube

Security Profiles

Supported Profile Types √ √


• Anti-Spyware • Anti-Spyware
• DNS Security • DNS Security (enabled via
• Vulnerability Protection an Anti-Spyware profile)

• WildFire and Antivirus • Vulnerability Protection

• URL Filtering • Antivirus

• File Blocking • WildFire

• Data Loss Prevention • URL Filtering


(DLP) • File Blocking
• HTTP Header Insertion • Data Loss Prevention
(DLP)

Dashboards for Security √ Learn more —


Profiles
Dashboards are tailored to
each profile, and give you:
• centralized management
for security service
features
• visibility into profile usage
and effectiveness
• access to cloud databases
(search for threat
coverage, for example)

Best Practice Scores for √ Learn more —


Security Profiles


Response pages √ √
HTTP response pages are supported for mobile users and users at remote
networks. To use HTTPS response pages, open a CLI session in the Panorama
that manages Prisma Access, enter the
set template Mobile_User_Template config deviceconfig setting ssl-decrypt url-proxy yes
command in configuration mode, and commit your changes.

HTTP Header Insertion

HTTP Header Insertion √ √


Profiles

Decryption

Decryption Policies √ √

Decryption Profiles √ √

Automatic SAN Support for √ √


SSL Decryption

Guided Walkthrough: √ —
Turn on Decryption

Network Services

Feature Prisma Access (Cloud-Managed) Prisma Access (Panorama-Managed)

Network Services

Quality of Service (QoS) √ √

Prisma Access uses the same QoS for Remote network
QoS policy rules and QoS deployments that allocate
profiles and supports the bandwidth by compute
same Differentiated Services location is introduced in
Code Point (DSCP) markings version 3.0 Preferred.
as Palo Alto Networks next-
generation firewalls.

Application Override √ √

IPv4 Addressing √ √

IPv6 Addressing √ √
You can access internal
(private) apps that use IPv6
addressing.
Introduced in version 2.2
preferred.

Split Tunnel Based on Access √ √


Route

Split Tunnel Based on √ √


Destination Domain, Client
Process, and Video Streaming
Application

NetFlow — —

NAT √ √
Prisma Access automatically
manages outbound NAT; you
cannot configure the settings.

SSL VPN Connections √ √

Routing Features

Static Routing √ √

Dynamic Routing (BGP) √ √

Dynamic Routing (OSPF) — —


High Availability

High availability Availability maintained by Palo √


Alto Networks.

SMTP √ √
Prisma Access may block Prisma Access may block
SMTP port 25 for security SMTP port 25 for security
reasons and to mitigate reasons and to mitigate
the risk from known the risk from known
vulnerabilities that exploit vulnerabilities that exploit
non-secure SMTP. Palo Alto non-secure SMTP. Palo Alto
Networks recommends using Networks recommends using
ports 465, 587 or an alternate ports 465, 587 or an alternate
port 2525 for SMTP. port 2525 for SMTP.

Identity Services

Feature Prisma Access (Cloud-Managed) Prisma Access (Panorama-Managed)

Authentication Types

SAML √ √

Cloud Identity Engine √ √
Cloud-Managed and Panorama-Managed: Requires 3.0 Innovation or a later Innovation release.

TACACS+ √ √

RADIUS √ √

LDAP √ √
On-Premises LDAP Authentication

Kerberos √ √
Kerberos is supported for Windows clients only.
Kerberos SSO

MFA √ √
Multi-Factor Authentication (MFA)

Local Database Authentication √ √

Authentication Features

Authentication Rules √ √

Authentication Portal √ √

Certificate-Based Authentication √ √
Cloud-Managed and Panorama-Managed: Supported for both IPSec and mobile users with GlobalProtect.

RADIUS Vendor-Specific Attributes (VSAs) — —

Framed-IP-Address retrieval from RADIUS server — —

Extensible Authentication Protocol (EAP) Support for RADIUS √ √

Single Sign-On (SSO) √ √

Terminal Server (TS) Agent √ √
Cloud-Managed: Supported for the following platforms:
• Citrix XenApp 7.x
• Windows Server 2019
• Windows 10 Enterprise Multi-session
A maximum of 400 TS Agents are supported.
Panorama-Managed: Supported for the following platforms:
• Windows Server 2019
• Windows 10 Enterprise Multi-session
A maximum of 400 TS Agents are supported.

Cloud Identity Engine (Directory Sync Component)

Directory Sync for User and Group-Based Policy √ √
Supports on-premises Active Directory and Azure Active Directory.
You can retrieve user and group information using the Directory Sync component of the Cloud Identity Engine.
• Learn more
Prisma Access supports on-premises Active Directory, Azure Active Directory, and Google IdP. Introduced in version 1.6. Support for Azure Active Directory introduced in 2.0 Preferred. Support for Google IdP introduced in 3.0 Preferred and Innovation.

Identity Redistribution √ √
• IP-address-to-username mappings
• HIP
• Device Quarantine
• IP-Tag
• User-Tag

Ingestion of IP-address-to-username mappings from 3rd party integration (NAC) — √

Include username in HTTP header insertion entries √ √
Introduced in version 1.7. Requires Panorama running 9.1.1 or later.

Policy Objects

Feature Prisma Access (Cloud-Managed) Prisma Access (Panorama-Managed)

Addresses √ √

Address Groups √ √

Dynamic Address Groups (DAGs) and Auto-Tags √ √

XML API - Based DAG Updates — √

Regions √ √

Dynamic User Groups (DUGs) √ √

App-ID (Applications) √ √

Simplified Application Dependency Workflow (App Dependency tab for commits) √ —
Commit warnings are not supported for Prisma Access.

Service-Based Session Timeouts √ √ Learn more

Application Groups √ √

Application Filters √ √

Services √ √

Service Groups √ √

Tags √ √

Streamlined Application-Based Policy (Tag-based application filters) √ √
Introduced in version 1.7. Requires Panorama running 9.1.1 or later.

Auto-Tag Actions √ √

HIP Objects

HIP √ √

HIP Match Log √ √

HIP-Based Security Policy √ √

HIP Notifications √ √

HIP Report Submission √ √

HIP Checks √ √

HIP Report Viewing — √
Introduced in version 1.5.

HIP Redistribution √ √
Introduced in version 1.5.

HIP Objects and Profiles √ √

External Dynamic Lists √ √

Certificate Management

Custom Certificates √ √

Palo Alto Networks Issued Certificates √ √

Certificate Profiles √ √

Custom Certificates √ √

SSL/TLS Service Profiles √ √

SSL √ √
SSL is supported only for
Mobile Users, not for site-to-
site VPNs

SCEPs √ √

OCSP Responders √ √

Default Trusted Certificate Authorities √ √

Logs

Feature Prisma Access (Cloud-Managed) Prisma Access (Panorama-Managed)

Enhanced Application Logging √ √

Cortex™ Data Lake Log Storage √ √

Log Forwarding App √ √
Forward logs stored in Cortex Data Lake to syslog and email destinations

Log Forwarding Profiles √ √
Default log forwarding profile
HTTP, SNMP, auto-tagging in Built-in Actions not supported

Enhanced Mobile Users Visibility for Administrators (GlobalProtect logs) √ √
Introduced in version 1.7. Requires Panorama 9.1.1 or a later version. If you use Panorama running a 9.0 version, you can still see traffic and HIP logs from Panorama but you need to use the Explore app from the Hub to see the remaining logs.

Reports

Feature Prisma Access (Cloud-Managed) Prisma Access (Panorama-Managed)

Reports √ Learn more √ Learn more
Introduced in Prisma Access 1.8.
Prisma Access supports running scheduled and custom reports on Panorama with the following caveats:
Run the scheduled or custom report under the All device group. Running a scheduled or custom report under a specific Device Group retrieves a blank report.
You cannot search or sort the records in a report by specific device groups.

App Report √ Learn more √ Learn more
This feature has the following Cortex Data Lake-based limitation:
SaaS Application Usage report (Monitor > PDF Reports > SaaS Application Usage)—Cannot filter the logs for user groups (the Include user group information in the report choice is not supported)

Usage Report √ Learn more √ Learn more

User Activity Report √ Learn more √ Learn more

Best Practices Report √ √

WildFire Reports √ √
Supported starting 2.0
Innovation.

Reporting Engine Enhancements — √

Integration with Other Palo Alto Networks Products

Feature Prisma Access (Cloud-Managed) Prisma Access (Panorama-Managed)

Cortex XSOAR integration — √
Source IP-based allow lists and malicious user activity detection is supported.

Enterprise Data Loss Prevention (DLP) integration √ √

Cortex XDR integration √ √
Cloud-Managed and Panorama-Managed: Prisma Access is compatible with the Cortex XDR version of Cortex Data Lake. Cortex XDR receives Prisma Access log information from Cortex Data Lake.

Prisma SaaS integration √ √
Cloud-Managed and Panorama-Managed: SaaS visibility with Cortex Data Lake and VPN reverse SAML proxy are supported.

Multitenancy Unsupported Features and Functionality


The following Prisma Access (Panorama Managed) features are not supported in a multitenant
deployment:
• IoT Security
In addition, a Panorama Managed multitenant deployment has changes to the following
functionality:
• You cannot view your Panorama Managed tenants under Common Services: Tenant
Management.
• For Panorama-managed Prisma Access, continue to use Panorama for managing Prisma Access
and the admin access that is controlled locally on Panorama. You cannot manage users, roles,
and service accounts using Common Services: Identity and Access for Panorama-managed
Prisma Access. However, you can use Common Services: Identity and Access for managing
other apps such as ADEM and Insights.
• You cannot use the Prisma Access APIs in pan-dev.
The following Prisma Access components and add-ons have the following caveats when used in a
multitenant deployment:

• For Prisma Access—Explicit Proxy deployments, if you have an existing Prisma Access non-
multitenant deployment and convert it to a multitenant deployment, only the first tenant
(the tenant you migrated) supports Explicit Proxy. Any subsequent tenants you create for the
multitenant deployment after the first do not support Explicit Proxy.
• SaaS Security and Enterprise Data Loss Prevention (Enterprise DLP) support multitenancy with
the following restrictions:
  • Only a Superuser on Panorama can create DLP profiles and patterns and can associate DLP
  profiles to security policies for tenants.
  • A Superuser must commit all changes to Panorama whenever they make changes in DLP
  profiles and patterns.
  • All tenants share a single copy of profiles and pattern configurations; therefore, any changes
  done to them will be reflected across all tenants.
  • Since security policies can be different across tenants, each tenant can have different data
  filtering profiles associated with security policies.
• Prisma SD-WAN integration and Configuring multiple portals in Prisma Access can only be
used with one tenant per multitenant deployment.
• If you enable High Availability (HA) with active and passive Panorama appliances in a multi-
tenant deployment, you cannot change the HA pair association after you enable multi-tenancy.


Prisma Access and Panorama Version Compatibility


This section provides you with the minimum and maximum versions of Panorama™ to use with
Prisma™ Access, along with the end-of-service (EoS) dates for Panorama software versions with
Prisma Access.
• Minimum Required Panorama Software Versions
• End-of-Support (EoS) Dates for Panorama Software Version Compatibility with Prisma Access

Minimum Required Panorama Software Versions


The Cloud Services plugins require the following minimum Panorama™ software versions.

Due to the fast-paced release of Prisma Access and the Cloud Services plugin, the
software end-of-support (EoS) dates for Panorama appliances used to manage Prisma
Access can differ from the software end-of-life (EoL) dates for PAN-OS and Panorama
releases. Note that these exceptions apply only to Panorama version compatibility with
Prisma Access.

For FedRAMP deployment required Panorama versions, see Panorama Managed Prisma Access
FedRAMP Requirements.

Cloud Services Plugin Version Minimum Required Panorama Version

4.0 and 4.1. Preferred
• PAN-OS 11.0.0 or a later PAN-OS 11.0 version
• PAN-OS 10.2.3 or a later PAN-OS 10.2 version
• PAN-OS 10.1.7 or a later PAN-OS 10.1 version
You must have a Panorama appliance running 10.2 to take advantage of the 10.2 features in Prisma Access.

3.2.1 Preferred
• PAN-OS 11.0.0 or a later PAN-OS 11.0 version
• PAN-OS 10.2.3 or a later PAN-OS 10.2 version
  Only Cloud Services plugin versions 3.2 and 3.1.0-h50 or later support a Panorama running 10.2.3 or later. Do not upgrade your Panorama to PAN-OS 10.2.3 until after you upgrade your Cloud Services plugin to these minimum versions. No 10.2 Panorama versions earlier than 10.2.3 are supported.
• 10.1.7 or a later 10.1 version

3.2.1 Innovation
• PAN-OS 11.0
• PAN-OS 10.2.3 or a later PAN-OS 10.2 version.
• 10.1.7 or a later 10.1 version

3.2 Preferred
• PAN-OS 10.2.3 or a later PAN-OS 10.2 version.
  Only Cloud Services plugin versions 3.2 and 3.1.0-h50 or later support a Panorama running 10.2.3 or later. Do not upgrade your Panorama to PAN-OS 10.2.3 until after you upgrade your Cloud Services plugin to these minimum versions. No 10.2 Panorama versions earlier than 10.2.3 are supported.
• 10.1.7 (10.1.8 recommended) or a later 10.1 version
  While Panoramas running 10.1.7 are supported for use with 3.2, Palo Alto Networks recommends that you upgrade your Panorama to a minimum 10.1 version of 10.1.8 to support a future Panorama Managed Prisma Access release, to be released after the first quarter of calendar year 2023.

3.2 Innovation
• PAN-OS 10.2.3 or a later PAN-OS 10.2 version.
• 10.1.7 or a later 10.1 version

3.1 Preferred
• PAN-OS 10.2.2-h1 or a later PAN-OS 10.2 version (minimum Cloud Services plugin version of 3.1.0-h50 required).
  Only Cloud Services plugin version 3.1.0-h50 or later support a Panorama running 10.2.2-h1 or later. Do not upgrade your Panorama to PAN-OS 10.2.2-h1 until after you upgrade your Cloud Services plugin to this minimum version. No 10.2 Panorama versions earlier than 10.2.2-h1 are supported.
  Review the PAN-OS and Prisma Access Known Issues that are applicable to deployments with Panorama running PAN-OS 10.2.2 with Prisma Access 3.1.2.
• PAN-OS 10.1.3 or a later PAN-OS 10.1 version.
  You should upgrade your PAN-OS software to PAN-OS 10.1.4 or a later PAN-OS 10.1 version to incorporate an addressed issue (CYR-19816) that resolves a known issue found in earlier PAN-OS 10.1 versions.
• PAN-OS 10.0.7 or a later PAN-OS 10.0 version.

3.1 Innovation
PAN-OS 10.2.3 or a later PAN-OS 10.2 version.
PAN-OS 10.1.3 or a later PAN-OS 10.1 version.
If using a PAN-OS 10.1 version, you should upgrade your PAN-OS software to PAN-OS 10.1.4 or a later PAN-OS 10.1 version to incorporate an addressed issue (CYR-19816) that resolves a known issue found in earlier PAN-OS 10.1 versions.

3.0
• PAN-OS 10.1.2 or a later PAN-OS 10.1 version.
  FedRAMP Prisma Access deployments require Panorama running PAN-OS 10.1.8. Enabling the Processing Standard and Common Criteria (FIPS-CC mode) on the Panorama that manages Prisma Access is the recommended best practice aligned with FedRAMP controls.
  You should upgrade your PAN-OS software to PAN-OS 10.1.4 or a later PAN-OS 10.1 version to incorporate an addressed issue (CYR-19816) that resolves a known issue found in earlier PAN-OS 10.1 versions.
• PAN-OS 10.0.7 or a later PAN-OS 10.0 version.

2.2 Preferred
• PAN-OS 10.1.
  FedRAMP Prisma Access deployments require Panorama running PAN-OS 10.1.8. Enabling the Processing Standard and Common Criteria (FIPS-CC mode) on the Panorama that manages Prisma Access is the recommended best practice aligned with FedRAMP controls.
  You should upgrade your PAN-OS software to PAN-OS 10.1.4 or a later PAN-OS 10.1 version to incorporate an addressed issue (CYR-19816) that resolves a known issue found in earlier PAN-OS 10.1 versions.
• PAN-OS 10.0.5 or a later PAN-OS 10.0 version.

End-of-Support (EoS) Dates for Panorama Software Version Compatibility with Prisma Access

When Prisma™ Access upgrades its infrastructure and dataplane after a major release, the
upgrades can become incompatible with earlier Panorama™ versions. Because of the fast-paced
release of Prisma Access and the Cloud Services plugin, the software compatibility end-of-support
(EoS) dates for Panorama can differ from the software end-of-life dates for Panorama releases
and apply to Panorama version compatibility with Prisma Access only.
If the Panorama appliance that manages Prisma Access is running a software version that is
incompatible (not supported) with the upgrades, you must upgrade Panorama to a compatible
version to take full advantage of the capabilities of the infrastructure and dataplane upgrades.
It is our goal to make this process as seamless as possible and, for this reason, we make every
effort to provide you with adequate notice of Panorama and Prisma Access version compatibility
requirements.
Use the dates in the following table to learn when a Panorama software version that manages
Prisma Access is no longer compatible with Prisma Access so that you can plan an upgrade to a
supported version prior to the EoS date.

Due to the fast-paced release of Prisma Access and the Cloud Services plugin, the
software compatibility end-of-support (EoS) dates for Panorama appliances used to
manage Prisma Access can differ from the software end-of-life (EoL) dates for PAN-OS
and Panorama releases. Note that these exceptions apply only to Panorama version
compatibility with Prisma Access.

To find the latest EoS compatibility information for your Panorama software with Prisma
Access, log in to the Panorama appliance that manages Prisma Access, select the Service
Setup page (Panorama > Cloud Services > Configuration > Service Setup), and view
the Panorama Alert information. (See Notifications and Alerts for Panorama, Cloud
Services Plugin, and PAN-OS Dataplane Versions for details.)

Panorama Software Version EoS Dates for Prisma Access Deployments

PAN-OS 10.0 March 1, 2023

PAN-OS 9.1 August 1st, 2022
Before this date, you must upgrade your Panorama to PAN-OS 10.0 or a later supported (with Prisma Access) PAN-OS version.
PAN-OS 10.1 is supported only after you upgrade to 2.2 Preferred or to the following 2.1 plugins:
• 2.1.0-h24 Preferred
• 2.1.0-h16 Innovation

The Panorama upgrade is required regardless of the Cloud Services plugin version you are running
at the EoS date. You cannot continue using an earlier version of the Cloud Services plugin with an
earlier unsupported version of Panorama software.

The following Panorama software versions are already EoS and you cannot use them with Prisma
Access:
• PAN-OS 9.0—EoS on February 1, 2021


Supported IKE Cryptographic Parameters


The following table documents the IKE cryptographic settings that are supported with Prisma™
Access.

Component Phase 1 Supported Crypto Parameters Phase 2 Supported Crypto Parameters

Encryption
Phase 1: 3DES, AES-128, AES-192, AES-256
Phase 2: Null (not recommended), DES, 3DES, AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-GCM, AES-192-GCM, AES-256-GCM

Authentication/Integrity
Phase 1: MD5, SHA-1, SHA-256, SHA-384, SHA-512. If you use IKEv2 with certificate-based authentication, only SHA1 is supported in IKE crypto profiles (Phase 1).
Phase 2: None (supported with Galois/Counter Mode (GCM)), MD5, SHA-1, SHA-256, SHA-384, SHA-512

DH Group
Phase 1: Group 1, Group 2, Group 5, Group 14, Group 19, Group 20
Phase 2: No PFS (not recommended), Group 1, Group 2, Group 5, Group 14, Group 19, Group 20

Security Association (SA) Lifetime
Phase 1: Configurable
Phase 2: Configurable

SA Lifebytes
Phase 1: N/A
Phase 2: Configurable

User-ID Agent
You install the User-ID™ agent on a domain server that is running a supported operating system
(OS) and then connect the User-ID agent to exchange or directory servers.
• Where Can I Install the User-ID Agent?
• Which Servers Can the User-ID Agent Monitor?
• Where Can I Install the User-ID Credential Service?


Where Can I Install the User-ID Agent?


The following table shows the operating systems on which you can install each release of the
Windows-based User-ID™ agent. The system must also meet the minimum requirements (see the
User-ID agent release notes).

Operating System Release 8.1* Release 9.1 Release 10.0** Release 10.1 Release 10.2 Release 11.0

Windows Server 2022 — √ (9.1.4 & later) — √ √ √

Windows Server 2019 — √ √ √ √ √

Windows Server 2016 √ √ √ √ √ √

Windows Server 2012 and 2012 R2 √ √ √ √ √ √

* PAN-OS 8.1 is supported only on PA-200, PA-500, and PA-5000 Series firewalls (and the
M-100 appliance) and only until each reaches its hardware end-of-life (EoL) date.
** PAN-OS 10.0 is supported only on PA-7000 Series firewalls with PA-7000-20G-NPC or
PA-7000-20GQ-NPC cards and only until these cards reach their hardware end-of-life (EoL) date.


Which Servers Can the User-ID Agent Monitor?


The following are the exchange and directory servers you can monitor with the PAN-OS®
integrated and Windows-based User-ID™ agents:

You can install only specific releases of the Windows-based User-ID agent on supported
Microsoft Windows servers.

Server Versions Supported

Microsoft Exchange Server
• 2019—Only with Windows User-ID agent 9.0.2 and later releases or with PAN-OS integrated User-ID agents running the following PAN-OS releases:
  • PAN-OS 11.0 (all releases)
  • PAN-OS 10.2 (all releases)
  • PAN-OS 10.1 (all releases)
  • PAN-OS 10.0 (all releases)*
  • PAN-OS 9.1 (all releases)
  • PAN-OS 8.1.8 and later PAN-OS 8.1 releases*
• 2016—Only with Windows User-ID agent or with PAN-OS integrated User-ID agents running the following PAN-OS releases:
  • PAN-OS 11.0 (all releases)
  • PAN-OS 10.2 (all releases)
  • PAN-OS 10.1 (all releases)
  • PAN-OS 10.0 (all releases)*
  • PAN-OS 9.1 (all releases)
  • PAN-OS 8.1 (all releases)*
• 2013

Microsoft Windows Server
• 2022—Only with Windows User-ID agent or with PAN-OS integrated User-ID agents running the following PAN-OS releases:
  • PAN-OS 11.0
  • PAN-OS 10.2.1 and later PAN-OS 10.2 releases
  • PAN-OS 10.1.1 and later PAN-OS 10.1 releases
  • PAN-OS 9.1.4 and later PAN-OS 9.1 releases
• 2019—Only with Windows User-ID agent 9.0.2 and later releases or with PAN-OS integrated User-ID agents running the following PAN-OS releases:
  • PAN-OS 11.0 (all releases)
  • PAN-OS 10.2 (all releases)
  • PAN-OS 10.1 (all releases)
  • PAN-OS 10.0 (all releases)*
  • PAN-OS 9.1 (all releases)
  • PAN-OS 8.1.8 and later PAN-OS 8.1 releases*
• 2016—Only with Windows User-ID agent or with PAN-OS integrated User-ID agents running the following PAN-OS releases:
  • PAN-OS 11.0 (all releases)
  • PAN-OS 10.2 (all releases)
  • PAN-OS 10.1 (all releases)
  • PAN-OS 10.0 (all releases)*
  • PAN-OS 9.1 (all releases)
  • PAN-OS 8.1 (all releases)*
• 2012 and 2012 R2

Novell eDirectory Server
8.8

* PAN-OS 8.1 is supported only on PA-200, PA-500, and PA-5000 Series firewalls (and the
M-100 appliance) and only until each reaches its hardware end-of-life (EoL) date.
* PAN-OS 10.0 is supported only on PA-7000 Series firewalls with PA-7000-20G-NPC or
PA-7000-20GQ-NPC cards and only until these cards reach their hardware end-of-life (EoL) date.


Where Can I Install the User-ID Credential Service?


The following table shows the Read-Only Domain Controller (RODC) on which you can install
each release of the Windows User-ID™ agent with the User-ID credential service to detect
credential submissions. The credential service is an add-on for the Windows User-ID agent; you
must install the add-on separately.

Server PAN-OS Version Supported Windows User-ID Agent Version Supported

Windows Server 2022
PAN-OS Version Supported: 11.0
Windows User-ID Agent Version Supported: 11.0

Windows Server 2019
PAN-OS Version Supported: 11.0, 10.2.3, 10.1.7, 10.0.11-h1*, 9.1.15
Windows User-ID Agent Version Supported: 11.0, 10.2.1, 10.0.6, 10.1.1, 9.1.4

* PAN-OS 10.0 is supported only on PA-7000 Series firewalls with PA-7000-20G-NPC or
PA-7000-20GQ-NPC cards and only until these cards reach their hardware end-of-life (EoL) date.

Terminal Server (TS) Agent
You install the Terminal Server (TS) agent on a domain server that is running a supported
operating system (OS) and then report username-to-port mapping information to PAN-OS®
firewalls.
• Where Can I Install the Terminal Server (TS) Agent?
• How Many TS Agents Does My Firewall Support?


Where Can I Install the Terminal Server (TS) Agent?


The following table shows the operating systems on which you can install each release of the
Terminal Server (TS) agent.

For optimal configuration, install the TS agent version that matches the PAN-OS version
running on the firewall. If there is not a TS agent version that matches the PAN-OS
version, install the latest version that is closest to the PAN-OS version.

Operating System TS Agent 8.1* TS Agent 9.1 TS Agent 10.0** TS Agent 10.1 TS Agent 10.2 TS Agent 11.0

Windows Server 2022 — √ (9.1.4 & later) — √ √ √

Windows Server 2019 — √ √ √ √ √

Windows Server 2016 √ (8.1.1 & later) √ √ √ √ √

Windows Server 2012 R2 √ √ √ √ √ √

Windows 11 Enterprise Multi-session — √ (9.1.4 & later) — √ √ √

Windows 10 Enterprise Multi-session — √ (9.1.1 & later) √ (10.0.1 & later) √ √ √

Citrix Metaframe Presentation Server 4.x √ √ √ √ √ √

Citrix XenApp 5.x √ √ √ √ √ √

Citrix XenApp 6.x √ √ √ √ √ √

Citrix XenApp 7.x √ √ √ √ √ √

* PAN-OS 8.1 is supported only on PA-200, PA-500, and PA-5000 Series firewalls (and the
M-100 appliance) and only until each reaches its hardware end-of-life (EoL) date.
** PAN-OS 10.0 is supported only on PA-7000 Series firewalls with PA-7000-20G-NPC or
PA-7000-20GQ-NPC cards and only until these cards reach their hardware end-of-life (EoL) date.


How Many TS Agents Does My Firewall Support?


The following table shows how many Terminal Server (TS) agents each hardware-based and VM-
Series firewall supports. To confirm which PAN-OS® releases are supported on your firewall,
review the Supported PAN-OS releases for each model.

For optimal configuration, install the TS agent version that matches the PAN-OS version
running on the firewall. If there is not a TS agent version that matches the PAN-OS
version, install the latest version that is closest to the PAN-OS version.

Firewall or VM Model PAN-OS 9.1 PAN-OS 10.0* PAN-OS 10.1 PAN-OS 10.2 PAN-OS 11.0

Hardware Firewalls

PA-7000 Series 2,000 2,000 2,000 2,000 2,000

PA-7000 Series with SMC-B 2,500 2,500 2,500 2,500 2,500

PA-5450 — — 2,500 2,500 2,500

PA-5440 — — — — 2,500

PA-5430, PA-5420, PA-5410 — — — 400 400

PA-5200 Series 2,500 — 2,500 2,500 2,500

PA-3440, PA-3430 — — — 2,000 2,000

PA-3420, PA-3410 — — — 400 400

PA-3200 Series 2,000 — 2,000 2,000 2,000

PA-3000 Series 400 — — — —

PA-1400 Series — — — — 400

PA-800 Series 1,000 — 1,000 1,000 1,000

PA-460 — — 1,000 1,000 1,000

PA-450 — — 400 400 400

PA-445 — — — — 800

PA-440 — — 800 800 800

PA-415 — — — — 400

PA-410 — — 400 (10.1.2 & later) 400 400

PA-220R 400 — 400 400 400

PA-220 400 — 400 400 —

VM-Series Firewalls

VM-700 2,500 — 2,500 2,500 2,500

VM-500 2,000 — 2,000 2,000 2,000

VM-300 400 — 400 400 400

VM-100 400 — 400 400 400

VM-50 Lite 400 — 400 400 400

* PAN-OS 10.0 is supported only on PA-7000 Series firewalls with PA-7000-20G-NPC or
PA-7000-20GQ-NPC cards and only until these cards reach their hardware end-of-life (EoL) date.

Cortex Data Lake
• Cortex Data Lake Software Compatibility


Cortex Data Lake Software Compatibility


To forward firewall log data to Cortex® Data Lake, you must ensure that your firewalls are
running a supported PAN-OS® version. The PAN-OS version you need depends on whether you
use Panorama™ to onboard several firewalls simultaneously or you onboard firewalls individually.
To onboard firewalls to Cortex Data Lake using Panorama, you must also install a supported
version of the Cloud Services plugin. If you use the Cloud Services plugin to enable Prisma™
Access, ensure that your Panorama is running supported versions of PAN-OS and the Cloud
Services plugin.
Version Requirements for Panorama-Managed Firewalls
Software versions required to integrate a Panorama-managed deployment with Cortex Data Lake.

Software Version Description

PAN-OS*
Version: Minimum:
• Americas and Europe: PAN-OS 8.1; PAN-OS 8.1.3 or later recommended
• Other regions: PAN-OS 9.1
Description: To forward logs from Panorama-managed firewalls to Cortex Data Lake in the Americas or Europe regions, both Panorama and the firewalls must run PAN-OS 8.1 or a later version. Forwarding logs to any other region requires Panorama to be running PAN-OS 9.1 or a later supported PAN-OS version.
For enhanced application logging and more reliable service, upgrade to PAN-OS 8.1.3 or a later PAN-OS 8.1* version or to PAN-OS 9.1 or a later supported version.

Cloud Services plugin
Version: Minimum:
• Americas and Europe: 1.4.0
• Other regions: 1.5.0-h6
Recommended: the latest version
Description: The Cloud Services plugin enables you to send log data from Panorama-managed firewalls. To download the plugin, see the step describing how to install the plugin when you configure Panorama for Cortex Data Lake.
Ensure that your Panorama is running a PAN-OS version that supports your Cloud Services plugin version. Failure to do so can result in a loss of data.

* PAN-OS 8.1 is supported only on PA-200, PA-500, and PA-5000 Series firewalls (and the
M-100 appliance) and only until each reaches its hardware end-of-life (EoL) date.
Version Requirements for Individually Managed Firewalls

Software Version Description

PAN-OS
Version: Minimum: PAN-OS 9.1
Description: Individually managed firewalls must run PAN-OS 9.1 or a later supported PAN-OS version to authenticate to Cortex Data Lake.

Content Version
Version: Minimum: 8274
Description: Install the latest content updates to ensure your firewall can authenticate to Cortex Data Lake.

Cortex XDR
Compatibility information for Cortex XDR® has a new home. Going forward, when you
click the links below, you will be redirected to the Palo Alto Networks docs-cortex
website.

• Where Can I Install the Cortex XDR Agent?


• Cortex XDR Supported Kernel Module Versions by Distribution
• Cortex XDR and Traps Compatibility with Third-Party Security Products


Where Can I Install the Cortex XDR Agent?


The Traps™ agent is now the Cortex XDR® agent in Cortex XDR agent release 7.0 and later
releases.

Compatibility information for Cortex XDR (and Traps) has a new home. Going forward,
you can determine where you can install the Cortex XDR agent by going to the Palo
Alto Networks docs-cortex website.

Cortex XDR Supported Kernel Module Versions by Distribution

On Linux endpoints, to perform malware analysis of Executable and Linkable Format (ELF) files
and to collect data for endpoint detection and response (EDR) and behavioral threat analysis, the
Cortex XDR® agent requires Linux kernel 3.4 or a later version. If you deploy the Cortex XDR
agent on a Linux server that is not running one of the kernel versions required for these additional
protection capabilities, the agent will operate in asynchronous mode. Go to the Palo Alto Networks
docs-cortex website to learn more about Cortex XDR supported kernel module versions.


Cortex XDR and Traps Compatibility with Third-Party Security Products
We renamed the Traps™ agent as the Cortex XDR® agent in Cortex XDR agent release 7.0 and
later releases.
You can review considerations related to third-party security software integration with Cortex
XDR and Traps software by visiting the Palo Alto Networks docs-cortex website.

Endpoint Security Manager (ESM)
You can install the Traps™ agent, now known as the Cortex XDR® agent, and the Endpoint
Security Manager (ESM) Components (comprised of the ESM Console, one or more ESM Servers,
and the database) only on servers and endpoints that are running a supported operating system
(OS).
• Where Can I Install the Endpoint Security Manager (ESM)?
• Where Can I Install the Cortex XDR Agent?


Where Can I Install the Endpoint Security Manager (ESM)?
The Endpoint Security Manager (ESM) comprises the ESM Console, one or more ESM Servers, and
a database. You can install the ESM components on dedicated servers or install them on the same
server as long as you install them on a supported operating system (OS).

Server Operating System ESM 4.2

Windows Server 2008 R2

Windows Server 2012

Windows Server 2012 R2

Windows Server 2016

Windows Server 2019

*4.2.6 & later


Where Can I Install the Cortex XDR Agent?


The Traps™ agent is now the Cortex XDR® agent in Cortex XDR agent release 7.0 and later
releases.

Compatibility information for Cortex XDR (and Traps) has a new home. Going forward,
you can determine where you can install the Cortex XDR agent by going to the Palo
Alto Networks docs-cortex website.

IPv6 Support by Feature
• IPv6 Support by Feature


IPv6 Support by Feature


Use the following table to review PAN-OS® features (listed by category) that support IPv6 traffic.
• Security
• Management & Panorama
• Networking
• VPN
• Host Dynamic Address Configuration
• Device
• User-ID

| PAN-OS Feature | PAN-OS 8.1* | PAN-OS 9.1 | PAN-OS 10.1 | PAN-OS 10.2 | PAN-OS 11.0 |
|---|---|---|---|---|---|
| Security | | | | | |
| WildFire® Appliance | — | — | √ | √ | √ |
| App-ID™ and Firewalling in Layer 2 and Layer 3 | √ | √ | √ | √ | √ |
| User-ID™ | √ | √ | √ | √ | √ |
| Content-ID™ | √ | √ | √ | √ | √ |
| Block IPv6 in IPv4 Tunneling (via App-ID) | √ | √ | √ | √ | √ |
| Zone Protection | √ | √ | √ | √ | √ |
| Packet-Based Attack Protection | √ | √ | √ | √ | √ |
| Reconnaissance Protection | √ | √ | √ | √ | √ |
| URL Filtering | √ | √ | √ | √ | √ |
| SSL Decryption | √ | √ | √ | √ | √ |
| SSH Decryption | √ | √ | √ | √ | √ |
| DoS Rulebase | √ | √ | √ | √ | √ |
| IPv6 Access to PAN-DB | √ | √ | √ | √ | √ |
| DNS Sinkhole | √ | √ | √ | √ | √ |
| External Dynamic List (EDL) | √ | √ | √ | √ | √ |
| Management & Panorama™ | | | | | |
| SSH Management (dedicated MGMT port) | √ | √ | √ | √ | √ |
| Web Interface Management (dedicated MGMT port) | √ | √ | √ | √ | √ |
| Interface Management (ping, telnet, ssh, http, https - all ports) | √ | √ | √ | √ | √ |
| Device to Panorama SSL TCP Connection | √ | √ | √ | √ | √ |
| Panorama HA Connection Between Peers | √ | √ | √ | √ | √ |
| DNS | √ | √ | √ | √ | √ |
| Dynamic DNS Support for Firewall Interfaces (DHCP-based interfaces) | — | √ | √ | √ | √ |
| RADIUS | √ | √ | √ | √ | √ |
| LDAP | √ | √ | √ | √ | √ |
| SYSLOG | √ | √ | √ | √ | √ |
| SNMP | √ | √ | √ | √ | √ |
| NTP | √ | √ | √ | √ | √ |
| Device DNS (device only) | √ | √ | √ | √ | √ |
| DNS Proxy | √ | √ | √ | √ | √ |
| Reporting and Visibility in to IPv6 | √ | √ | √ | √ | √ |
| IPv6 Address Objects | √ | √ | √ | √ | √ |
| IPv6 FQDN Address Objects | √ | √ | √ | √ | √ |
| Networking | | | | | |
| IPv6 Static Routes | √ | √ | √ | √ | √ |
| PBF | √ | √ | √ | √ | √ |
| PBF Next-Hop Monitor (v6 endpoint) | √ | √ | √ | √ | √ |
| OSPFv3 | √ | √ | √ | √ | √ |
| MP-BGP | √ | √ | √ | √ | √ |
| GRE Tunneling Support | — | √ | √ | √ | √ |
| ECMP | √ | √ | √ | √ | √ |
| Dual Stack Support for L3 Interfaces | √ | √ | √ | √ | √ |
| QoS Policy | √ | √ | √ | √ | √ |
| QoS Marking | √ | √ | √ | √ | √ |
| DSCP (session based) | √ | √ | √ | √ | √ |
| Neighbor Discovery and Duplicate Address Detection | √ | √ | √ | √ | √ |
| Tunnel Content Inspection | √ | √ | √ | √ | √ |
| Virtual Wires | √ | √ | √ | √ | √ |
| NPTv6 (stateless prefix translation) | √ | √ | √ | √ | √ |
| NAT64 (IP-IPv6 protocol translation) | √ | √ | √ | √ | √ |
| LLDP (Link Layer Discovery Protocol) | √ | √ | √ | √ | √ |
| Bidirectional Forwarding Detection (BFD) | √ | √ | √ | √ | √ |
| VPN | | | | | |
| GlobalProtect™ | √ | √ | √ | √ | √ |
| IKE/IPSec | √ | √ | √ | √ | √ |
| IKEv2 | √ | √ | √ | √ | √ |
| IPv6 over IPv4 IPSec Tunnel | √ | √ | √ | √ | √ |
| Large Scale VPN (LSVPN) | √ | √ | √ | √ | √ |
| Host Dynamic Address Configuration | | | | | |
| DHCPv6 Relay | √ | √ | √ | √ | √ |
| DHCPv6 Client with Prefix Delegation (Dataplane Interface only) | — | — | — | — | √ |
| SLAAC (Router Advertisements) | √ | √ | √ | √ | √ |
| SLAAC (Router Preference) | √ | √ | √ | √ | √ |
| SLAAC (RDNSS) | √ | √ | √ | √ | √ |
| Device | | | | | |
| High Availability (HA)—Active/Active | √ | √ | √ | √ | √ |
| HA—Active/Passive | √ | √ | √ | √ | √ |
| HA—IPv6 transport for HA1 & HA2 | √ | √ | √ | √ | √ |
| HA Path Monitoring (IPv6 Endpoint) | √ | √ | √ | √ | √ |
| HA Clustering | — | — | √ | √ | √ |
| User-ID | | | | | |
| Map IPv6 Address to Users | √ | √ | √ | √ | √ |
| Captive Portal for IPv6 | √ | √ | √ | √ | √ |
| Connection to User-ID Agents over IPv6 | √ | √ | √ | √ | √ |
| User-ID XML API for IPv6 | √ | √ | √ | √ | √ |
| Terminal Server Agent IPv6 | √ | √ | √ | √ | √ |

* PAN-OS 8.1 is supported only on PA-200, PA-500, and PA-5000 Series firewalls and the M-100
appliance and only until each reaches its hardware end-of-life (EoL) date.

Mobile Network Infrastructure Feature Support
Specific Palo Alto Networks firewall models support GTP and SCTP security and 3GPP Technical
Standards:
• PAN-OS Releases by Model that Support GTP, SCTP, and 5G Security
• 3GPP Technical Standard References


PAN-OS Releases by Model that Support GTP, SCTP, and 5G Security
The following table lists which firewall models support GTP Security, SCTP Security, and 5G
Security.

| Firewall Model | PAN-OS 9.1 (GTP and SCTP) | PAN-OS 10.1 (GTP, SCTP, and 5G) | PAN-OS 10.2 (GTP, SCTP, and 5G) | PAN-OS 11.0 (GTP, SCTP, and 5G) |
|---|---|---|---|---|
| VM-Series firewalls | √ | √ | √ | √ |
| PA-7000 Series firewalls that use three of the following cards*: PA-7000-100G-NPC card; PA-7000-LFC-A card; and PA-7050-SMC-B card OR PA-7080-SMC-B card | √ | √ | √ | √ |
| PA-5450 firewalls | — | √ | √ | √ |
| PA-5400 Series firewalls | — | — | √ | √ |
| PA-5200 Series firewalls | √ | √ | √ | √ |
| PA-3430 and PA-3440 firewalls | — | — | √ | √ |
| CN-Series firewalls | — | √ | √ | √ |

* To verify that your PA-7000 Series firewall is installed with the cards that support GTP and
SCTP, use the show chassis inventory CLI command. However, it is possible that cards are
installed but not functional if not all dependencies are met. Refer to the PA-7000 Series Firewall
Hardware Reference for installation instructions and to review the dependencies for each card.

CN-Series Daemonset mode supports GTP, SCTP, and 5G security in PAN-OS 10.1 and
later versions. CN-Series firewalls running PAN-OS 10.2 support GTP, SCTP, and 5G
security on K8s cloud-native network (CNF) mode and Daemonset mode.


3GPP Technical Standard References


3GPP Technical Standards references of mobile network security features for PAN-OS® releases
on firewalls that support GTP security.
• 3GPP TS References for GTP Security
• 3GPP TS References for 5G Security
• 3GPP TS References for 5G Multi-Edge Security

3GPP TS References for GTP Security


3GPP TS references for GTP security on firewalls that support GTP security.

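| PAN-OS Release | Protocol | 3GPP TS | 3GPP TS Release |
|---|---|---|---|
| PAN-OS 10.2, PAN-OS 10.1 | GTPv2-C | 29.274 | Up to 15.2 |
| PAN-OS 10.2, PAN-OS 10.1 | GTPv1-C | 29.060 | Up to 15.5.0 |
| PAN-OS 10.2, PAN-OS 10.1 | GTP-U | 29.281 | Up to 15.0.0 |
| PAN-OS 10.2, PAN-OS 10.1 | — | 43.129 | 15.0.0 |
| PAN-OS 10.2, PAN-OS 10.1 | — | 23.401 | 15.12.0 |
| PAN-OS 9.1 | GTPv2-C | 29.274 | Up to 15.2 |
| PAN-OS 9.1 | GTPv1-C | 29.060 | Up to 15.1 |
| PAN-OS 9.1 | GTP-U | 29.281 | Up to 15.0.0 |
| PAN-OS 8.1 (only where supported) | GTPv2-C | 29.274 | Up to 13.4 |
| PAN-OS 8.1 (only where supported) | GTPv1-C | 29.060 | Up to 13.4 |
| PAN-OS 8.1 (only where supported) | GTP-U | 29.281 | Up to 13.0 |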

3GPP TS References for 5G Security


3GPP Technical Standards references for 5G network slice, 5G subscriber ID, and 5G equipment
ID security on firewalls that support GTP security.
• Procedures for the 5G System (5GS)
• 5GS Session Management Services


| PAN-OS Release | 3GPP TS | 3GPP TS Release |
|---|---|---|
| PAN-OS 10.2, PAN-OS 10.1 | 23.502 | Up to 15.5.0 |
| PAN-OS 10.2, PAN-OS 10.1 | 29.502 | Up to 15.4.0 |

3GPP TS References for 5G Multi-Edge Security


5G Multi-Edge Security supports Packet Forwarding Control Protocol (PFCP) messages over N4
interfaces for the following technical specifications in the 3GPP TS release:
• Interface between the Control Plane and the User Plane nodes
3GPP Technical Standards reference for 5G Multi-Edge Security on firewalls that support 5G
MEC Security:

| PAN-OS Release | 3GPP TS | 3GPP TS Release |
|---|---|---|
| PAN-OS 10.2, PAN-OS 10.1 | 29.244 | Up to 16.5.0 |

3GPP TS References for UE-to-IP Address Correlation with PFCP in 4G
The below table provides the 3GPP Technical Standards reference for firewalls that leverage User
Equipment (UE)-to-IP Address Correlation using the Packet Forwarding Control Protocol (PFCP)
for 4G network traffic.

| PAN-OS Release | 3GPP TS | 3GPP TS Release |
|---|---|---|
| PAN-OS 11.0 | 23.214 | Up to 16.2.0 |
| PAN-OS 11.0 | 29.244 | Up to 16.9.1 |
