topic Re: PCI compliance ECDHE/RSA in GlobalProtect Discussions

PCI compliance ECDHE/RSA

wicklunds — Thu, 10 Nov 2022 13:27:16 GMT

There were a couple of discussions on this months ago with no resolution. SecureTrust's PCI scans say that we are failing. We would need to set both RSA and ECDHE to 2048 but there is no option to do so that I know of for the SSL/TLS profile. The workaround that was discussed was to disable ECDHE and RSA. However, among other possible issues, it breaks the app for Apple devices.

Just wondering if anyone has come across a fix.

Re: PCI compliance ECDHE/RSA

Metgatz — Thu, 10 Nov 2022 01:49:43 GMT

Hello @wicklunds

Good evening, well if you use a SSL/TLS profile, associated with a custom certificate, self-signed, or signed by an internal CA. You can generate it with ECDSA with a 256 or 384 or RSA at least 512 to 4096, at least for those self-signed by Palo Alto, but then if it is an internal CA, it depends on what support you have to generate certificates.

And then this assign it to the firewall administration, to the Web-Gui, so that it responds that certificate.

Review this:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmqeCAC#:~:text=value%3E%20%20%20%20%20%20%20%20%20%20Profile%20name-,admin%40192.168.1.1%23%20set%20shared%20ssl%2Dtls%2Dservice%2Dprofile%20TLSprofileTest%20protocol%2Dsettings,-(tab%20to%20view

Best regards

Re: PCI compliance ECDHE/RSA

wicklunds — Thu, 10 Nov 2022 13:33:15 GMT

Thanks for the reply. I should have mentioned that this is for PCI compliance. As I understand it the article you posted only allows an on/off toggle. Our certificate is not self-signed. I'll double check but I believe it was generated properly.