https://live.paloaltonetworks.com/t5/general-topics/in-wildfire-how-do-we-disable-weak-tls-ciphers/m-p/513209#M106622 <P>Nessus scanning is picking up TCP/443 TLS v1.0 and v1.1 on our WildFire (WF-500) appliances.</P> <P>&nbsp;</P> <P><SPAN>Is there a way to turn off TLS v1.0 and v1.1 on the WildFire ?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Below is the Nessus scanner notification.</SPAN><BR /><BR /><SPAN>--------------------------------------------------------------------------------</SPAN><BR /><SPAN>Policy Violation 443/tcp Nessus ID: 56984</SPAN><BR /><SPAN>--------------------------------------------------------------------------------</SPAN><BR /><SPAN>Synopsis :</SPAN><BR /><SPAN>The remote service encrypts communications.</SPAN><BR /><BR /><SPAN>Description :</SPAN><BR /><SPAN>This plugin detects which SSL and TLS versions are supported by the</SPAN><BR /><SPAN>remote service for encrypting communications.</SPAN><BR /><BR /><SPAN>See also :</SPAN><BR /><BR /><BR /><BR /><SPAN>Solution :</SPAN><BR /><SPAN>n/a</SPAN><BR /><BR /><SPAN>Risk factor :</SPAN><BR /><SPAN>None / CVSS Base Score :0.0</SPAN><BR /><BR /><SPAN>Prioritized Risk :</SPAN><BR /><SPAN>None (VPR: n/a / CVSS v3: None / CVSS v2: None)</SPAN><BR /><BR /><SPAN>Plugin output :</SPAN><BR /><BR /><SPAN>This port supports TLSv1.0/TLSv1.1/TLSv1.2.</SPAN></P> Mon, 29 Aug 2022 01:49:52 GMT pjohnson1 2022-08-29T01:49:52Z https://live.paloaltonetworks.com/t5/general-topics/in-wildfire-how-do-we-disable-weak-tls-ciphers/m-p/513209#M106622 <P>Nessus scanning is picking up TCP/443 TLS v1.0 and v1.1 on our WildFire (WF-500) appliances.</P> <P>&nbsp;</P> <P><SPAN>Is there a way to turn off TLS v1.0 and v1.1 on the WildFire ?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Below is the Nessus scanner notification.</SPAN><BR /><BR /><SPAN>--------------------------------------------------------------------------------</SPAN><BR /><SPAN>Policy Violation 443/tcp Nessus ID: 56984</SPAN><BR /><SPAN>--------------------------------------------------------------------------------</SPAN><BR /><SPAN>Synopsis :</SPAN><BR /><SPAN>The remote service encrypts communications.</SPAN><BR /><BR /><SPAN>Description :</SPAN><BR /><SPAN>This plugin detects which SSL and TLS versions are supported by the</SPAN><BR /><SPAN>remote service for encrypting communications.</SPAN><BR /><BR /><SPAN>See also :</SPAN><BR /><BR /><BR /><BR /><SPAN>Solution :</SPAN><BR /><SPAN>n/a</SPAN><BR /><BR /><SPAN>Risk factor :</SPAN><BR /><SPAN>None / CVSS Base Score :0.0</SPAN><BR /><BR /><SPAN>Prioritized Risk :</SPAN><BR /><SPAN>None (VPR: n/a / CVSS v3: None / CVSS v2: None)</SPAN><BR /><BR /><SPAN>Plugin output :</SPAN><BR /><BR /><SPAN>This port supports TLSv1.0/TLSv1.1/TLSv1.2.</SPAN></P> Mon, 29 Aug 2022 01:49:52 GMT https://live.paloaltonetworks.com/t5/general-topics/in-wildfire-how-do-we-disable-weak-tls-ciphers/m-p/513209#M106622 pjohnson1 2022-08-29T01:49:52Z https://live.paloaltonetworks.com/t5/general-topics/in-wildfire-how-do-we-disable-weak-tls-ciphers/m-p/513334#M106641 <P>Hello,</P> <P>&nbsp;</P> <P>Please see the article below and set the min TLS version you want:</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/wildfire/9-1/wildfire-admin/set-up-and-manage-a-wildfire-appliance/set-up-authentication-using-custom-certs-standalone-wildfire-appliance/configure-authentication-with-custom-certificates-on-wf-500" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/wildfire/9-1/wildfire-admin/set-up-and-manage-a-wildfire-appliance/set-up-authentication-using-custom-certs-standalone-wildfire-appliance/configure-authentication-with-custom-certificates-on-wf-500</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>---</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <UL> <LI class=""> <DIV style="display: inline;"> <DIV style="display: inline;"> <UL> <LI class=""> <DIV style="display: inline;"> <DIV class="" data-label="ADDITIONAL INFORMATION"> <DIV style="display: inline;"> <DIV class="" data-label="NOTE"> <DIV> <DIV style="display: inline;"> <DIV class=""> <DIV style="display: inline;">PAN-OS 8.0 and later releases support TLS 1.2 and later TLS versions only. You must set the max version to TLS 1.2 or max. <DIV class="" data-label="ADDITIONAL INFORMATION"> <DIV style="display: inline;"> <DIV style="display: inline;">admin@WF-500# <DIV style="display: inline;">set shared ssl-tls-service-profile <DIV style="display: inline;">&lt;name&gt;protocol-settings min-version {tls1-0 | tls1-1 | tls1-2} <DIV class="" data-label="ADDITIONAL INFORMATION"> <DIV style="display: inline;"> <DIV style="display: inline;">admin@WF-500# <DIV style="display: inline;">set shared ssl-tls-service-profile <DIV style="display: inline;">&lt;name&gt;protocol-settings max-version {tls1-0 | tls1-1 | tls1-2 | max}</DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </LI> <LI class=""> <DIV style="display: inline;"> <DIV style="display: inline;">Configure secure server communication on the WildFire appliance. <DIV style="display: inline;"> <UL> <LI class=""> <DIV style="display: inline;"> <DIV style="display: inline;">Set the SSL/TLS profile. This SSL/TLS service profile applies to all SSL connection between WildFire and client devices. <DIV class="" data-label="ADDITIONAL INFORMATION"> <DIV style="display: inline;"> <DIV style="display: inline;">admin@WF-500# <DIV style="display: inline;">set deviceconfig setting management secure-conn-server ssl-tls-service-profile <DIV style="display: inline;">&lt;ssltls-profile&gt; <DIV style="display: inline;">&nbsp; <DIV style="display: inline;">&nbsp; <DIV style="display: inline;">&nbsp; <DIV style="display: inline;">&nbsp; <P>&nbsp;</P> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </LI> </UL> </DIV> </DIV> </DIV> </LI> <LI class=""> <DIV style="display: inline;"> <DIV class="" data-label="ADDITIONAL INFORMATION"> <DIV style="display: inline;"> <DIV class="" data-label="NOTE"> <DIV> <DIV style="display: inline;"> <DIV class=""> <DIV style="display: inline;"> <DIV class="" data-label="ADDITIONAL INFORMATION"> <DIV style="display: inline;"> <DIV style="display: inline;"> <DIV style="display: inline;"> <DIV style="display: inline;"> <DIV class="" data-label="ADDITIONAL INFORMATION"> <DIV style="display: inline;"> <DIV style="display: inline;"> <DIV style="display: inline;"> <DIV style="display: inline;">&nbsp;</DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </LI> </UL> </DIV> </DIV> </LI> </UL> Tue, 30 Aug 2022 06:29:15 GMT https://live.paloaltonetworks.com/t5/general-topics/in-wildfire-how-do-we-disable-weak-tls-ciphers/m-p/513334#M106641 nikoolayy1 2022-08-30T06:29:15Z https://live.paloaltonetworks.com/t5/general-topics/in-wildfire-how-do-we-disable-weak-tls-ciphers/m-p/1220622#M123288 <P>how does this disable weak ciphers?</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 17 Feb 2025 06:35:47 GMT https://live.paloaltonetworks.com/t5/general-topics/in-wildfire-how-do-we-disable-weak-tls-ciphers/m-p/1220622#M123288 S.Ramesh960545 2025-02-17T06:35:47Z