https://live.paloaltonetworks.com/t5/general-topics/disable-ciphers/m-p/512189#M106439 <P>Yes, you can use that article. I would use the following commands to achieve the best possible score on SSL Labs that you can get with a Palo Alto fw which is A-:</P> <P>&nbsp;</P> <P><EM>configure</EM><BR /><EM>set shared ssl-tls-service-profile &lt;SSL/TLS Service Profile&gt; protocol-settings auth-algo-sha1 no</EM><BR /><EM>set shared ssl-tls-service-profile &lt;SSL/TLS Service Profile&gt; protocol-settings enc-algo-3des no</EM><BR /><EM>set shared ssl-tls-service-profile &lt;SSL/TLS Service Profile&gt; protocol-settings enc-algo-aes-128-cbc no</EM><BR /><EM>set shared ssl-tls-service-profile &lt;SSL/TLS Service Profile&gt; protocol-settings enc-algo-aes-256-cbc no</EM><BR /><EM>set shared ssl-tls-service-profile &lt;SSL/TLS Service Profile&gt; protocol-settings enc-algo-rc4 no</EM><BR /><EM>set shared ssl-tls-service-profile &lt;SSL/TLS Service Profile&gt; protocol-settings keyxchg-algo-rsa no</EM><BR /><EM>set shared ssl-tls-service-profile &lt;SSL/TLS Service Profile&gt; protocol-settings auth-algo-sha256 yes</EM><BR /><EM>set shared ssl-tls-service-profile &lt;SSL/TLS Service Profile&gt; protocol-settings auth-algo-sha384 yes</EM><BR /><EM>set shared ssl-tls-service-profile &lt;SSL/TLS Service Profile&gt; protocol-settings enc-algo-aes-128-gcm yes</EM><BR /><EM>set shared ssl-tls-service-profile &lt;SSL/TLS Service Profile&gt; protocol-settings enc-algo-aes-256-gcm yes</EM><BR /><EM>set shared ssl-tls-service-profile &lt;SSL/TLS Service Profile&gt; protocol-settings keyxchg-algo-dhe yes</EM></P> <P><EM>commit</EM></P> <P>&nbsp;</P> <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/5544">@palo</a> Alto: When will you fix the&nbsp;Secure Renegotiation issue?</P> <P>&nbsp;</P> Wed, 17 Aug 2022 18:51:37 GMT Han.Valk 2022-08-17T18:51:37Z https://live.paloaltonetworks.com/t5/general-topics/disable-ciphers/m-p/511964#M106411 <P>Hi guys,</P> <P>&nbsp;</P> <P>Would like to know how to disable the following ciphers:</P> <P>&nbsp;</P> <P>TLS_DHE_RSA_WITH_AES_256_CBC_SHA<BR />TLS_DHE_RSA_WITH_AES_128_CBC_SHA<BR />TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA<BR />TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA<BR />TLS_RSA_WITH_AES_256_CBC_SHA<BR />TLS_RSA_WITH_AES_128_CBC_SHA</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Can i follow the following KB to disable:<BR /><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmqeCAC" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmqeCAC</A>&nbsp;</P> <P>Protocol settings is at TSLv1.0</P> <P>&nbsp;</P> <P>Or i can GUI and disable the ciphers from ssl/tls service profile ?<BR /><BR /><BR /></P> <P>&nbsp;</P> <P>Also, i want to know if i need to disable SSL/TSL on panorama ?</P> <P>If yes, is it using the above KB mentioned?</P> Tue, 16 Aug 2022 08:50:56 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-ciphers/m-p/511964#M106411 JingKai 2022-08-16T08:50:56Z https://live.paloaltonetworks.com/t5/general-topics/disable-ciphers/m-p/512189#M106439 <P>Yes, you can use that article. I would use the following commands to achieve the best possible score on SSL Labs that you can get with a Palo Alto fw which is A-:</P> <P>&nbsp;</P> <P><EM>configure</EM><BR /><EM>set shared ssl-tls-service-profile &lt;SSL/TLS Service Profile&gt; protocol-settings auth-algo-sha1 no</EM><BR /><EM>set shared ssl-tls-service-profile &lt;SSL/TLS Service Profile&gt; protocol-settings enc-algo-3des no</EM><BR /><EM>set shared ssl-tls-service-profile &lt;SSL/TLS Service Profile&gt; protocol-settings enc-algo-aes-128-cbc no</EM><BR /><EM>set shared ssl-tls-service-profile &lt;SSL/TLS Service Profile&gt; protocol-settings enc-algo-aes-256-cbc no</EM><BR /><EM>set shared ssl-tls-service-profile &lt;SSL/TLS Service Profile&gt; protocol-settings enc-algo-rc4 no</EM><BR /><EM>set shared ssl-tls-service-profile &lt;SSL/TLS Service Profile&gt; protocol-settings keyxchg-algo-rsa no</EM><BR /><EM>set shared ssl-tls-service-profile &lt;SSL/TLS Service Profile&gt; protocol-settings auth-algo-sha256 yes</EM><BR /><EM>set shared ssl-tls-service-profile &lt;SSL/TLS Service Profile&gt; protocol-settings auth-algo-sha384 yes</EM><BR /><EM>set shared ssl-tls-service-profile &lt;SSL/TLS Service Profile&gt; protocol-settings enc-algo-aes-128-gcm yes</EM><BR /><EM>set shared ssl-tls-service-profile &lt;SSL/TLS Service Profile&gt; protocol-settings enc-algo-aes-256-gcm yes</EM><BR /><EM>set shared ssl-tls-service-profile &lt;SSL/TLS Service Profile&gt; protocol-settings keyxchg-algo-dhe yes</EM></P> <P><EM>commit</EM></P> <P>&nbsp;</P> <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/5544">@palo</a> Alto: When will you fix the&nbsp;Secure Renegotiation issue?</P> <P>&nbsp;</P> Wed, 17 Aug 2022 18:51:37 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-ciphers/m-p/512189#M106439 Han.Valk 2022-08-17T18:51:37Z https://live.paloaltonetworks.com/t5/general-topics/disable-ciphers/m-p/512217#M106441 <P>Hi Han.Valk,</P> <P>&nbsp;</P> <P>Thanks for the solution. But what about panorama?</P> <P>&nbsp;</P> <P>Is it&nbsp;<EM>set panorama ssl-tls-service-profile &lt;SSL/TLS Service Profile&gt; protocol-settings?</EM></P> Thu, 18 Aug 2022 04:21:33 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-ciphers/m-p/512217#M106441 JingKai 2022-08-18T04:21:33Z