https://live.paloaltonetworks.com/t5/general-topics/what-ssl-tls-versions-are-allowed-for-webui/m-p/13927#M10220 <HTML><HEAD></HEAD><BODY><P>Hello Sir,</P><P></P><P>I did a small test with IE to open WEBUI for PAN-FW management interface. It is working only with SSL 3.0 and TLS 1.0.</P><P></P><P>Thanks</P></BODY></HTML> Wed, 15 Jan 2014 20:24:23 GMT HULK 2014-01-15T20:24:23Z https://live.paloaltonetworks.com/t5/general-topics/what-ssl-tls-versions-are-allowed-for-webui/m-p/13923#M10216 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P> I'm trying to verify which SSL/TLS versions and Ciphers the PANs accept for WEBUI connections.&nbsp; Specifically I am trying to verify that it does not accept connections using weaker Protocols or Cipers and if it is configurable.</P><P></P><P>Please note that this is for Management connections to the PANs only, not user traffic.</P><P></P><P></P><P>Any help would be appreciated.</P><P></P><P> Thanks.</P></BODY></HTML> Tue, 14 Jan 2014 15:27:47 GMT https://live.paloaltonetworks.com/t5/general-topics/what-ssl-tls-versions-are-allowed-for-webui/m-p/13923#M10216 TSPphooper 2014-01-14T15:27:47Z https://live.paloaltonetworks.com/t5/general-topics/what-ssl-tls-versions-are-allowed-for-webui/m-p/13924#M10217 <HTML><HEAD></HEAD><BODY><P>Hello Sir,</P><P>To log into the firewall, the browser must be TLS 1.0 compatible.</P><P></P><H5 style="font-family: 'PT Sans', 'Lucida Grande', 'Helvetica Neue', Helvetica, Arial, sans-serif;"><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">Ciphers</SPAN> suits for Admin Sessions (web interface):</H5><P></P><P style="margin-bottom: 10px; font-size: 12px; font-family: 'Lucida Grande', 'Helvetica Neue', Helvetica, Arial, sans-serif;">DHE-RSA-AES256-SHA</P><P style="margin-bottom: 10px; font-size: 12px; font-family: 'Lucida Grande', 'Helvetica Neue', Helvetica, Arial, sans-serif;">RSA-AES256-SHA</P><P style="margin-bottom: 10px; font-size: 12px; font-family: 'Lucida Grande', 'Helvetica Neue', Helvetica, Arial, sans-serif;">DHE-RSA-CAMELLIA256-SHA</P><P style="margin-bottom: 10px; font-size: 12px; font-family: 'Lucida Grande', 'Helvetica Neue', Helvetica, Arial, sans-serif;">RSA-CAMELLIA256-SHA</P><P style="margin-bottom: 10px; font-size: 12px; font-family: 'Lucida Grande', 'Helvetica Neue', Helvetica, Arial, sans-serif;">EDH-RSA-3DES-SHA</P><P style="margin-bottom: 10px; font-size: 12px; font-family: 'Lucida Grande', 'Helvetica Neue', Helvetica, Arial, sans-serif;">RSA-3DES-SHA (aka RSA-DES-CBC3-SHA aka DES-CBC3-SHA)</P><P style="margin-bottom: 10px; font-size: 12px; font-family: 'Lucida Grande', 'Helvetica Neue', Helvetica, Arial, sans-serif;">DHE-RSA-AES128-SHA</P><P style="margin-bottom: 10px; font-size: 12px; font-family: 'Lucida Grande', 'Helvetica Neue', Helvetica, Arial, sans-serif;">RSA-AES128-SHA</P><P style="margin-bottom: 10px; font-size: 12px; font-family: 'Lucida Grande', 'Helvetica Neue', Helvetica, Arial, sans-serif;">DHE-RSA-SEED-SHA</P><P style="margin-bottom: 10px; font-size: 12px; font-family: 'Lucida Grande', 'Helvetica Neue', Helvetica, Arial, sans-serif;">RSA-SEED-SHA</P><P style="margin-bottom: 10px; font-size: 12px; font-family: 'Lucida Grande', 'Helvetica Neue', Helvetica, Arial, sans-serif;">DHE-RSA-CAMELLIA128-SHA</P><P style="margin-bottom: 10px; font-size: 12px; font-family: 'Lucida Grande', 'Helvetica Neue', Helvetica, Arial, sans-serif;">CAMELLIA128-SHA</P><P style="margin-bottom: 10px; font-size: 12px; font-family: 'Lucida Grande', 'Helvetica Neue', Helvetica, Arial, sans-serif;">RSA-RC4-SHA</P><P style="margin-bottom: 10px; font-size: 12px; font-family: 'Lucida Grande', 'Helvetica Neue', Helvetica, Arial, sans-serif;">RSA-RC4-MD5</P><P>For data-plane traffic, The SSL versions supported by PAN-OS are: SSLv3, TLS1.0, and TLS1.1.</P><P></P><P>Hope it will help you.</P><P></P><P>Thanks</P></BODY></HTML> Tue, 14 Jan 2014 15:53:18 GMT https://live.paloaltonetworks.com/t5/general-topics/what-ssl-tls-versions-are-allowed-for-webui/m-p/13924#M10217 HULK 2014-01-14T15:53:18Z https://live.paloaltonetworks.com/t5/general-topics/what-ssl-tls-versions-are-allowed-for-webui/m-p/13925#M10218 <HTML><HEAD></HEAD><BODY><P>Thank you very much for the Reply.</P><P></P><P> Is TLS 1.0 the only protocol that can be used for the Management Interface?&nbsp; Older protocols such as SSLv2 will be denied and are not supported?&nbsp; I suspect the answer is yes but need to verify.</P></BODY></HTML> Wed, 15 Jan 2014 16:56:30 GMT https://live.paloaltonetworks.com/t5/general-topics/what-ssl-tls-versions-are-allowed-for-webui/m-p/13925#M10218 TSPphooper 2014-01-15T16:56:30Z https://live.paloaltonetworks.com/t5/general-topics/what-ssl-tls-versions-are-allowed-for-webui/m-p/13926#M10219 <HTML><HEAD></HEAD><BODY><P>Yes, you are correct.</P></BODY></HTML> Wed, 15 Jan 2014 18:19:40 GMT https://live.paloaltonetworks.com/t5/general-topics/what-ssl-tls-versions-are-allowed-for-webui/m-p/13926#M10219 HULK 2014-01-15T18:19:40Z https://live.paloaltonetworks.com/t5/general-topics/what-ssl-tls-versions-are-allowed-for-webui/m-p/13927#M10220 <HTML><HEAD></HEAD><BODY><P>Hello Sir,</P><P></P><P>I did a small test with IE to open WEBUI for PAN-FW management interface. It is working only with SSL 3.0 and TLS 1.0.</P><P></P><P>Thanks</P></BODY></HTML> Wed, 15 Jan 2014 20:24:23 GMT https://live.paloaltonetworks.com/t5/general-topics/what-ssl-tls-versions-are-allowed-for-webui/m-p/13927#M10220 HULK 2014-01-15T20:24:23Z https://live.paloaltonetworks.com/t5/general-topics/what-ssl-tls-versions-are-allowed-for-webui/m-p/13928#M10221 <HTML><HEAD></HEAD><BODY><P>According to the release notes for PANOS 6.0 most devices will now support TLS 1.2 for dataplane ssl/tls decryption.</P></BODY></HTML> Tue, 21 Jan 2014 08:34:55 GMT https://live.paloaltonetworks.com/t5/general-topics/what-ssl-tls-versions-are-allowed-for-webui/m-p/13928#M10221 mikand 2014-01-21T08:34:55Z https://live.paloaltonetworks.com/t5/general-topics/what-ssl-tls-versions-are-allowed-for-webui/m-p/13929#M10222 <HTML><HEAD></HEAD><BODY><P>Hello Mikand, </P><P></P><P>You are correct, The new PAN OS 6.0 is having capability to decrypt TLS 1.2. Although<SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"> PANOS 5.0, if we detect a TLS1.1 or TLS1.2 session, we first try to downgrade it to TLS1.0 and decrypt. If that fails, we won't decrypt the session and either drop the session or allow it encrypted based upon your policy settings.</SPAN></P><P></P><P>Thanks</P></BODY></HTML> Tue, 21 Jan 2014 15:32:20 GMT https://live.paloaltonetworks.com/t5/general-topics/what-ssl-tls-versions-are-allowed-for-webui/m-p/13929#M10222 HULK 2014-01-21T15:32:20Z https://live.paloaltonetworks.com/t5/general-topics/what-ssl-tls-versions-are-allowed-for-webui/m-p/13930#M10223 <HTML><HEAD></HEAD><BODY><P>Hello Hulk,</P><P></P><P>Is there a way to block sslv3 access to management interface of the firewall and allow only TLS1.0 ?</P><P></P><P>Thanks.</P></BODY></HTML> Mon, 20 Oct 2014 20:01:49 GMT https://live.paloaltonetworks.com/t5/general-topics/what-ssl-tls-versions-are-allowed-for-webui/m-p/13930#M10223 mbavishi 2014-10-20T20:01:49Z https://live.paloaltonetworks.com/t5/general-topics/what-ssl-tls-versions-are-allowed-for-webui/m-p/13931#M10224 <HTML><HEAD></HEAD><BODY><P>Hi Mbavishi,</P><P></P><P>Latest content has fix for vulnerability related sslv3, if management traffic is traversing through the Dataports than it can blocked.</P><P></P><P>If not, there is no way to block it.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Mon, 20 Oct 2014 22:10:54 GMT https://live.paloaltonetworks.com/t5/general-topics/what-ssl-tls-versions-are-allowed-for-webui/m-p/13931#M10224 hshah 2014-10-20T22:10:54Z https://live.paloaltonetworks.com/t5/general-topics/what-ssl-tls-versions-are-allowed-for-webui/m-p/13932#M10225 <HTML><HEAD></HEAD><BODY><P>Hi Mbavishi,</P><P></P><P>Please refer following thread for more detail.</P><P><A href="https://live.paloaltonetworks.com/message/45776">Re: Is it possible to Specifically Disable SSL 3.0 on a Palo Alto Interface</A></P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Mon, 20 Oct 2014 22:29:23 GMT https://live.paloaltonetworks.com/t5/general-topics/what-ssl-tls-versions-are-allowed-for-webui/m-p/13932#M10225 hshah 2014-10-20T22:29:23Z