https://live.paloaltonetworks.com/t5/globalprotect-discussions/this-server-does-not-support-forward-secrecy-with-the-reference/m-p/595543#M5702 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/132521">@SutareMayur</a>&nbsp;,</P> <P>&nbsp;</P> <P>Thank you for trying to help.&nbsp;</P> <P>&nbsp;</P> <P>The settings are as follows.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Oliver_Dalugodage_0-1724287239746.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/61644iC87326CA319FFF20/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Oliver_Dalugodage_0-1724287239746.png" alt="Oliver_Dalugodage_0-1724287239746.png" /></span></P> <P>&nbsp;</P> <P>The Cipher suits are as follows.&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Oliver_Dalugodage_0-1724303176340.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/61647iFB899FCC2764E548/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Oliver_Dalugodage_0-1724303176340.png" alt="Oliver_Dalugodage_0-1724303176340.png" /></span></P> <P>&nbsp;</P> <P>I will check out your Youtube channel. Thank you for providing the info to it.&nbsp;</P> <P>&nbsp;</P> <P>Please help.&nbsp;</P> <P>&nbsp;</P> <P>Thank you.&nbsp;</P> Thu, 22 Aug 2024 05:06:28 GMT Oliver_Dalugodage 2024-08-22T05:06:28Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/this-server-does-not-support-forward-secrecy-with-the-reference/m-p/595431#M5694 <P>Hi Champions,</P> <P>&nbsp;</P> <P>I have evaluated the IP address to<SPAN data-teams="true"><SPAN class="ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak">&nbsp;the GlobalProtect gateway on the Palo Alto firewall via Qualys SSL Labs and got the following results.&nbsp;</SPAN></SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Oliver_Dalugodage_0-1724221684555.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/61621iB53F3D32C4138C22/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Oliver_Dalugodage_0-1724221684555.png" alt="Oliver_Dalugodage_0-1724221684555.png" /></span></P> <P><STRONG>Object &gt; Decryption &gt; Decryption Profile&nbsp;</STRONG>is</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Oliver_Dalugodage_1-1724222240030.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/61622i3457D821AE720F3C/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Oliver_Dalugodage_1-1724222240030.png" alt="Oliver_Dalugodage_1-1724222240030.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>I am trying to find out how to fix this issue of "<SPAN>This server does not support Forward Secrecy with the reference browsers. Grade capped to B."</SPAN> to get the grade back to A.&nbsp;</P> <P>&nbsp;</P> <P>Pan OS version is: 10.1.10-h2</P> <P>&nbsp;</P> <P>Could you please help me?&nbsp;</P> <P>&nbsp;</P> <P>Thank you so much for your attention and participation.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 21 Aug 2024 06:39:11 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/this-server-does-not-support-forward-secrecy-with-the-reference/m-p/595431#M5694 Oliver_Dalugodage 2024-08-21T06:39:11Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/this-server-does-not-support-forward-secrecy-with-the-reference/m-p/595437#M5695 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1352883893">@Oliver_Dalugodage</a>&nbsp;Normally with DHE &amp; ECDHE, it should be enabled by default on Palo Alto.</P> <P>Can you confirm what encryption and authentication algorithm are you using? It might be flagged due to weak algorithm being used.&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SutareMayur_0-1724226240164.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/61624iD37F1C0DE84FDCB6/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="SutareMayur_0-1724226240164.png" alt="SutareMayur_0-1724226240164.png" /></span></P> <P>&nbsp;</P> Wed, 21 Aug 2024 07:46:22 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/this-server-does-not-support-forward-secrecy-with-the-reference/m-p/595437#M5695 SutareMayur 2024-08-21T07:46:22Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/this-server-does-not-support-forward-secrecy-with-the-reference/m-p/595543#M5702 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/132521">@SutareMayur</a>&nbsp;,</P> <P>&nbsp;</P> <P>Thank you for trying to help.&nbsp;</P> <P>&nbsp;</P> <P>The settings are as follows.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Oliver_Dalugodage_0-1724287239746.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/61644iC87326CA319FFF20/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Oliver_Dalugodage_0-1724287239746.png" alt="Oliver_Dalugodage_0-1724287239746.png" /></span></P> <P>&nbsp;</P> <P>The Cipher suits are as follows.&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Oliver_Dalugodage_0-1724303176340.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/61647iFB899FCC2764E548/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Oliver_Dalugodage_0-1724303176340.png" alt="Oliver_Dalugodage_0-1724303176340.png" /></span></P> <P>&nbsp;</P> <P>I will check out your Youtube channel. Thank you for providing the info to it.&nbsp;</P> <P>&nbsp;</P> <P>Please help.&nbsp;</P> <P>&nbsp;</P> <P>Thank you.&nbsp;</P> Thu, 22 Aug 2024 05:06:28 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/this-server-does-not-support-forward-secrecy-with-the-reference/m-p/595543#M5702 Oliver_Dalugodage 2024-08-22T05:06:28Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/this-server-does-not-support-forward-secrecy-with-the-reference/m-p/595742#M5716 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1352883893">@Oliver_Dalugodage</a>&nbsp;</P> <P>You should get a rid of CBC mode ciphers. Many Security organizations including Qualys where you are scanning your site, consider CBC ciphers to be weak. Due to this, there are few ciphers enabled which does not support PFS and so showing in your scanning report also. Kindly refer this <A href="https://ciphersuite.info/cs/TLS_RSA_WITH_AES_256_CBC_SHA256/" target="_self">article.</A></P> <P>&nbsp;</P> <P>Hope it helps!</P> Fri, 23 Aug 2024 10:45:27 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/this-server-does-not-support-forward-secrecy-with-the-reference/m-p/595742#M5716 SutareMayur 2024-08-23T10:45:27Z