DOTW: What Are Cipher Suites?

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.
Community Team Member

Find out what are cipher suites and which ones are supported for the different features on your device in this Discussion of the Week.Find out what are cipher suites and which ones are supported for the different features on your device in this Discussion of the Week.


I've seen many questions on the discussions forum about cipher suites or, more specifically, unsupported cipher suites. I've seen this question most often in relation to decrypting traffic (but cipher suites are not limited to this feature). So, what is this cipher suite exactly?


A cipher suite is a set of algorithms that help secure a network connection. Suites typically use Transport Layer Security (TLS) or Secure Socket Layer (SSL). The set of algorithms that cipher suites usually contain include: a key exchange algorithm (e.g. ECDHE), an encryption algorithm (e.g. AES256-CBC), and an authentication algorithm (e.g. SHA256).


You can clearly see the different types of algorithms in the Decryption Profile settings (Objects > Decryption > Decryption Profile):




Depending on the PAN-OS version you're running, your device will support or won't support a certain set of algorithms.  For a complete set of supported ciphers suites you should check out the Compatibility Matrix: Supported Cipher Suites. 


As you can see on the matrix page, the supported suites vary between the different PAN-OS versions. In addition to that, depending on the feature you're implementing, you may see different sets of cipher suites being supported. In the latest PAN-OS version (10.1 at the moment I'm writing this) you'll find different ciphers in the following sections:



As I mentioned earlier, in most cases I've seen questions related to cipher suites pop up in relation to decryption issues. For example, when the web server chooses a cipher suite not supported for decryption. Or different sets of suites being supported for inbound versus outbound decryption was also a thing on older PAN-OS versions.


Most of the time taking a PCAP of the SSL handshake would identify the cipher suite being used and then mapping it to the supported matrix page would tell us if the cipher suite was supported or not.  In such a case, a collaboration with the web server administrator is sometimes necessary to disable the unsupported ciphers to make sure that the server uses the same set of ciphers supported by the firewall and make decryption possible.


Here are some related discussions on this topic:


Unsupported cipher. Supported client cipher bitmask: 0x00000000

Questioning about unsupported cipher suite for SSL Decryption

"decrypt-unsupport-param" error on Inbound SSL Decryption 


Feel free to share your questions, comments and ideas in the section below.


Thank you for taking time to read this blog.

Don't forget to hit the Like (thumbs up) button and to Subscribe to the LIVEcommunity Blog area.


Kiwi out!

Register or Sign-in
Top Liked Authors