12-10-2021 08:21 AM
My company are going to migrate upgrade one firewall from 6.0 to 10.1.
And I found below KB points out the supported payload options above and below PANOS 7.0.
Several IKE/IPSec profiles are using aes128 for ESP encryption, is it aes128 equal to aes-128-cbc?
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClYtCAK
| PAN-OS 5.0 and above | PAN-OS 7.0 and above |
| aes128 | aes-128-cbc |
12-10-2021 01:52 PM
Hello,
You also have aes-128-gcm which is different. Not sure how many PAN's you have to upgrade, however it seems like it might be a large-ish project. However version 6 is way low and vulnerable so its worth it to upgrade sooner rather than later.
Regards,
12-10-2021 05:53 PM
The project size is only one small office and with several VPN connections and will be migrated to PA-410.
In current I added aes-128-cbc & aes-128-gcm to IPSec crypto for prevention payload issues.
12-13-2021 01:08 PM
Hello,
If you plan on using the machine learning capabilities of the PAN for the remote office, I would suggest a PA-440 instead. The 410 has limitations even with logging. Check out the requirements.
Regards,
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
