08-24-2017 04:02 PM - edited 08-24-2017 05:50 PM
Scenario:
Decryption profile for traffic from the internet to GlobalProtect IP along with an SSL/TLS Service Profile for GlobalProtect, both set to TLS 1.1 or above; Decryption profile has 3DES unchecked.
PA-5020, 7.1.10
Scans from sites like ssllabs.com will show that 3DES is still enabled. Only changing one of the profiles to TLS 1.2 stops this.
Can be repeated with decryption profiles that inspect inbound traffic to a test server that still allows 3DES and TLS 1.1+.
Is this normal?
On a side note, anytime I change the decryption profile dropdown from TLS 1.2 to TLS 1.1 to TLS 1.0, the 3DES box is checked automatically and I have to uncheck it.
08-25-2017 04:53 AM
Hi @bfperez,
I'd recommend opening a TAC case with the results of ssllabs.
That said, I'm seeing the same behaviour with the 3DES checkbox on both PAN-OS 7.1 and 8.0 so I'm thinking this is currenlty the expected behaviour.
Cheers !
-Kiwi.
08-25-2017 07:24 AM
Cool, it is possible to add a decryption profile to global protect traffic? On the same firewall or is this only possible if you have another PA in front of the global protect portal/gateway where you do inbound decryption?
08-25-2017 12:12 PM
We just have an HA pair that does all inbound decryption AND houses the GP Portals and Gateways.
We have a decryption profile setup for traffic from the internet to the portals/gatways just like the decryption profiles for other inbound traffic, and it works.
08-25-2017 01:18 PM
You could try to "uncheck" 3DES from the CLI, maybe this works (if it is a bug in the webUI.
08-26-2017 04:06 AM
Besides the fact that there seems to be a bug: Is this a real problem? Wouldn't it make more sense to only enable TLS1.2 as there are almost 0 clients that stop at TLS1.1 and do not support TLS1.2
08-28-2017 01:37 AM
Unchecking in the GUI seems to work fine.
The xml file will also reflect this config once it's committed :
blah {
ssl-protocol-settings {
enc-algo-3des no;
}
}
The problem seems to be that the GUI doesn't "retain" this setting if you return to the same tab for a second time. Notice how 3DES is re-checked even when it's not listed in the 'Encryption Algorithms'.
If you click OK here and recommit then you might re-enable 3DES unintentionally.
Eitherway I believe it might be a good idea to get TAC involved.
Cheers !
-Kiwi.
08-28-2017 08:04 AM - edited 08-28-2017 08:04 AM
Agreed that it's not a real problem. I was just trying to move one step at a time in case we had some oddball app/user that could only do 1.1 or lower.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
