https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ssl-tls-client-initiated-renegotiation-vulnerability-in-ngfw-lan/m-p/504479#M1664 <P>Hmmm.. My scans still show this as an issue after applying these settings.</P> Fri, 17 Jun 2022 13:45:39 GMT PatrickMurphy 2022-06-17T13:45:39Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ssl-tls-client-initiated-renegotiation-vulnerability-in-ngfw-lan/m-p/466853#M1506 <P>Hi,&nbsp;</P><P>&nbsp;</P><P>One of our runs vulnerability&nbsp; Assessment on LAN Interface of the PA NGFW, And they are getting&nbsp;<FONT face="arial black,avant garde"><STRONG>SSL/TLS Client-Initiated Renegotiation </STRONG></FONT>vulnerability, Please help me to remediate the same.&nbsp;</P> Fri, 18 Feb 2022 18:53:46 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ssl-tls-client-initiated-renegotiation-vulnerability-in-ngfw-lan/m-p/466853#M1506 SubaMuthuram 2022-02-18T18:53:46Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ssl-tls-client-initiated-renegotiation-vulnerability-in-ngfw-lan/m-p/468669#M1519 <P>You don't give much detail... but this is probably a renegotiation to lower TLS versions 1.0/1.1 that are vulnerable. Look at which SSL/TLS Profile you are using on your PA management interface:</P><P class="lia-indent-padding-left-30px">Device -&gt; Setup -&gt; Management -&gt; General Settings -&gt; SSL/TLS Service Profile == &lt;xxx&gt;</P><P class="lia-indent-padding-left-30px">&nbsp;</P><P>Then make sure your SSL/TLS profile is set to minimum TLS 1.2 (Note: Some older apps/browsers may not be able to handle this, so check if you are using the SSL/TLS profile for something else as well). Update the SSL/TLS profile:</P><P class="lia-indent-padding-left-30px">Device -&gt; Certificate Management -&gt; SSL/TLS Service Profile -&gt; &lt;xxx&gt; -&gt; Min Version = 1.2</P><P class="lia-indent-padding-left-30px">&nbsp;</P> Fri, 25 Feb 2022 15:31:42 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ssl-tls-client-initiated-renegotiation-vulnerability-in-ngfw-lan/m-p/468669#M1519 Adrian_Jensen 2022-02-25T15:31:42Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ssl-tls-client-initiated-renegotiation-vulnerability-in-ngfw-lan/m-p/476595#M1566 <P>Thanks&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/184804">@Adrian_Jensen</a>&nbsp;,&nbsp;</P><P>&nbsp;</P><P>I have resolved with the same way.&nbsp;</P> Tue, 29 Mar 2022 11:48:54 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ssl-tls-client-initiated-renegotiation-vulnerability-in-ngfw-lan/m-p/476595#M1566 SubaMuthuram 2022-03-29T11:48:54Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ssl-tls-client-initiated-renegotiation-vulnerability-in-ngfw-lan/m-p/504479#M1664 <P>Hmmm.. My scans still show this as an issue after applying these settings.</P> Fri, 17 Jun 2022 13:45:39 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ssl-tls-client-initiated-renegotiation-vulnerability-in-ngfw-lan/m-p/504479#M1664 PatrickMurphy 2022-06-17T13:45:39Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ssl-tls-client-initiated-renegotiation-vulnerability-in-ngfw-lan/m-p/504527#M1665 <P>Do you have multiple certificate SSL/TLS profiles and you are alerting on one other than associated with the management port? I.e. a different profile for your GlobalProtect Portals and Gateways which are not a minimum of TLS&gt;=1.2?</P> Fri, 17 Jun 2022 17:53:25 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ssl-tls-client-initiated-renegotiation-vulnerability-in-ngfw-lan/m-p/504527#M1665 Adrian_Jensen 2022-06-17T17:53:25Z