https://live.paloaltonetworks.com/t5/general-topics/secure-renegotiation-in-panos-9x/m-p/523599#M108406 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/162723">@Ghidini</a> ,</P> <P>&nbsp;</P> <P>There are actually 2 existing FRs for this feature:</P> <P data-unlink="true"><SPAN class="news-body-text"><SPAN><STRONG>FR ID:</STRONG> 8112 (support for secure renegotiation / inbound SSL decrypt and GlobalProtect&nbsp;)<BR /></SPAN></SPAN></P> <P data-unlink="true"><SPAN class="news-body-text"><SPAN><STRONG>FR ID:</STRONG> 18516 (Support for RFC 5746&nbsp;)<BR /></SPAN></SPAN></P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true"><SPAN class="news-body-text"><SPAN>Please reach out to your local SE and you can have your vote added to them.</SPAN></SPAN></P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true"><SPAN class="news-body-text"><SPAN>Kind regards,</SPAN></SPAN></P> <P data-unlink="true"><SPAN class="news-body-text"><SPAN>-Kiwi.</SPAN></SPAN></P> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4">&nbsp;</DIV> Thu, 08 Dec 2022 07:32:11 GMT kiwi 2022-12-08T07:32:11Z https://live.paloaltonetworks.com/t5/general-topics/secure-renegotiation-in-panos-9x/m-p/256219#M72690 <P>I'm seeing some posts stating that Secure Renegotiation is not supported on the Palo Alto platform. Is this still true for the latest release, v9.x? If so, how is it enabled?&nbsp;</P> Thu, 04 Apr 2019 23:31:30 GMT https://live.paloaltonetworks.com/t5/general-topics/secure-renegotiation-in-panos-9x/m-p/256219#M72690 richardhicks 2019-04-04T23:31:30Z https://live.paloaltonetworks.com/t5/general-topics/secure-renegotiation-in-panos-9x/m-p/256377#M72735 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/110304">@richardhicks</a>,</P><P>I'm fairly certain that TLS Renegotiation was fixed in an update to 6.0, so it's been available for a while. Regardless renegotiation is dying anyways; TLS 1.3 removes it completely.&nbsp;</P> Fri, 05 Apr 2019 19:58:56 GMT https://live.paloaltonetworks.com/t5/general-topics/secure-renegotiation-in-panos-9x/m-p/256377#M72735 BPry 2019-04-05T19:58:56Z https://live.paloaltonetworks.com/t5/general-topics/secure-renegotiation-in-panos-9x/m-p/256382#M72739 <P>Good to hear. So how to enable it? I'm certainly glad that TLS 1.3 eliminates it, but my customer has TLS 1.2 at the moment and need to elminate this audit finding. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 05 Apr 2019 20:43:11 GMT https://live.paloaltonetworks.com/t5/general-topics/secure-renegotiation-in-panos-9x/m-p/256382#M72739 richardhicks 2019-04-05T20:43:11Z https://live.paloaltonetworks.com/t5/general-topics/secure-renegotiation-in-panos-9x/m-p/256449#M72751 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/110304">@richardhicks</a>&nbsp;</P><P>&nbsp;</P><P>At least on a global protect portal website secure renegotiation is still not supported ... so I assume this also applies to inbound decryption.</P><P>&nbsp;</P><P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;</P><P>What do you think when TLS1.3 support will be added? I would saysomewhere in 2021 <span class="lia-unicode-emoji" title=":face_with_tongue:">😛</span> (with PAN-OS 10?)</P> Sun, 07 Apr 2019 11:26:47 GMT https://live.paloaltonetworks.com/t5/general-topics/secure-renegotiation-in-panos-9x/m-p/256449#M72751 Remo 2019-04-07T11:26:47Z https://live.paloaltonetworks.com/t5/general-topics/secure-renegotiation-in-panos-9x/m-p/256480#M72764 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/16592">@Remo</a>,</P><P>Last I heard it was still being targeted for 9.1**, but it wouldn't suprise me at all of this got pushed back to 10*. There's some really interesting papers you can find that speak in detail about the additional issues with TLS 1.3 and attempting to intercept that communication in a passive format.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P><EM>*version names referenced are simply picked from historical release information. </EM></P><P><EM>**Inside Baseball (IE: Roadmap) discussions are strictly confidential and enforced through an NDA. The information presented in this post is non-official information and was not directly supplied by Palo Alto Networks or its employees.&nbsp;</EM></P> Sun, 07 Apr 2019 01:21:28 GMT https://live.paloaltonetworks.com/t5/general-topics/secure-renegotiation-in-panos-9x/m-p/256480#M72764 BPry 2019-04-07T01:21:28Z https://live.paloaltonetworks.com/t5/general-topics/secure-renegotiation-in-panos-9x/m-p/443370#M100208 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/16592">@Remo</a>&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/110304">@richardhicks</a>&nbsp;</P><P>Are there any current versions of PAN-OS that support secure renegotiation?<BR />Inbound decryption SERVER-INITIATED Secure Renegotiation IS NOT supported.<BR />Secure Renegotiatio----&gt;Not supported ACTION NEEDED (more info)<BR />Secure Client-Initiated Renegotiation---- &gt;No</P><P>From palo alto side can to possible to configure&nbsp;support secure renegotiation</P><P>if it is&nbsp; feature request then can you please provide me FR number&nbsp;</P><P>&nbsp;</P><P>Thanks&nbsp;</P><P>&nbsp;</P> Tue, 26 Oct 2021 07:12:28 GMT https://live.paloaltonetworks.com/t5/general-topics/secure-renegotiation-in-panos-9x/m-p/443370#M100208 bit_byte 2021-10-26T07:12:28Z https://live.paloaltonetworks.com/t5/general-topics/secure-renegotiation-in-panos-9x/m-p/523469#M108399 <P>Is finally secure renegotiation (in inbound decryption) supported in the 10.1 or 11.0 firmware?</P> <P>It seems is a feature that has been missing for too long.</P> <P>&nbsp;</P> <P>Thanks</P> Wed, 07 Dec 2022 10:38:47 GMT https://live.paloaltonetworks.com/t5/general-topics/secure-renegotiation-in-panos-9x/m-p/523469#M108399 Ghidini 2022-12-07T10:38:47Z https://live.paloaltonetworks.com/t5/general-topics/secure-renegotiation-in-panos-9x/m-p/523599#M108406 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/162723">@Ghidini</a> ,</P> <P>&nbsp;</P> <P>There are actually 2 existing FRs for this feature:</P> <P data-unlink="true"><SPAN class="news-body-text"><SPAN><STRONG>FR ID:</STRONG> 8112 (support for secure renegotiation / inbound SSL decrypt and GlobalProtect&nbsp;)<BR /></SPAN></SPAN></P> <P data-unlink="true"><SPAN class="news-body-text"><SPAN><STRONG>FR ID:</STRONG> 18516 (Support for RFC 5746&nbsp;)<BR /></SPAN></SPAN></P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true"><SPAN class="news-body-text"><SPAN>Please reach out to your local SE and you can have your vote added to them.</SPAN></SPAN></P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true"><SPAN class="news-body-text"><SPAN>Kind regards,</SPAN></SPAN></P> <P data-unlink="true"><SPAN class="news-body-text"><SPAN>-Kiwi.</SPAN></SPAN></P> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4">&nbsp;</DIV> Thu, 08 Dec 2022 07:32:11 GMT https://live.paloaltonetworks.com/t5/general-topics/secure-renegotiation-in-panos-9x/m-p/523599#M108406 kiwi 2022-12-08T07:32:11Z https://live.paloaltonetworks.com/t5/general-topics/secure-renegotiation-in-panos-9x/m-p/554375#M112662 <P>10.2.5 and SSLLabs result for GlobalProtect portal went from A- to A+&nbsp;<span class="lia-unicode-emoji" title=":party_popper:">🎉</span></P> <P>It requires removing weak ciphers from CLI though.</P> Sat, 19 Aug 2023 21:16:52 GMT https://live.paloaltonetworks.com/t5/general-topics/secure-renegotiation-in-panos-9x/m-p/554375#M112662 Raido_Rattameister 2023-08-19T21:16:52Z https://live.paloaltonetworks.com/t5/general-topics/secure-renegotiation-in-panos-9x/m-p/558746#M113335 <P>Thank you,</P> <P>currently we are on 10.1.10 release.</P> <P>So, to obtain an A+ we must upgrade exactly to 10.2.5 release or we need only to remove weak ciphers by CLI?</P> <P>Which is the real solution?</P> <P>&nbsp;</P> <P>Thank you for your support,</P> <P>Daniel</P> Wed, 20 Sep 2023 09:54:29 GMT https://live.paloaltonetworks.com/t5/general-topics/secure-renegotiation-in-panos-9x/m-p/558746#M113335 Ghidini 2023-09-20T09:54:29Z https://live.paloaltonetworks.com/t5/general-topics/secure-renegotiation-in-panos-9x/m-p/558778#M113341 <P>You need to upgrade PANOS. Removing weak ciphers gives only A-&nbsp;</P> <P>To get A+ you need to upgrade to PANOS that supports&nbsp;<SPAN>renegotiation.</SPAN></P> <P>&nbsp;</P> <P><SPAN>10.2.5</SPAN></P> <P><SPAN>PAN-184630 -&nbsp;Fixed an issue where TLS clients, such as those using OpenSSL 3.0, enforced the TLS renegotiation extension (RFC 5746).<BR /></SPAN></P> <P>&nbsp;</P> <P><SPAN><A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-5-known-and-addressed-issues/pan-os-10-2-5-addressed-issues" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/pan-os-10-2-5-known-and-addressed-issues/pan-os-10-2-5-addressed-issues</A></SPAN></P> <P>&nbsp;</P> <P><SPAN>You need to review 10.1.x release notes to see if renegotiation is fixed in any of it's versions.</SPAN></P> Wed, 20 Sep 2023 12:31:47 GMT https://live.paloaltonetworks.com/t5/general-topics/secure-renegotiation-in-panos-9x/m-p/558778#M113341 Raido_Rattameister 2023-09-20T12:31:47Z