topic Re: Audit Global protect server in General Topics

Audit Global protect server

BigPalo — Mon, 27 Jul 2020 15:32:49 GMT

Hi,

We launched a sslab test for a GlobalProtect Portal website. Our note is B. We would like to improve these two things but we dont know what it can be done in PA config. These are:

There is no support for secure renegotiation. MORE INFO »

This server does not support Forward Secrecy with the reference browsers. Grade capped to B. MORE INFO »

What means "secure renegotiation"? how can solve this in PA?

what about Palo support froward secrecy? anything to do in Palo?

Re: Audit Global protect server

Remo — Sat, 01 Aug 2020 10:01:41 GMT

Hi @BigPalo

Forward secrecy actually is supported by paloalto. If you look at the details of the browser handshake list, you should see most of them use ciphersuites with forward secrecy. Only a few - which count as reference browser for Qualys SSLLabs - do not use forward secrecy ciphersuites.

The point with the missing secure renegotiation is still true and unfortunately theres nothing you can do about that at the moment except wait until it is supportet (in PAN-OS 10 it is still not supported).

An explanation of secure renegotiation you can find here: https://devcentral.f5.com/s/articles/ssl-legacy-renegotiation-vs-secure-renegotiation-explained-using-wireshark-34023

Re: Audit Global protect server

RaymondSchuiling — Wed, 09 Sep 2020 10:51:04 GMT

Hi @BigPalo ,

You can easily get A minus on SSLlabs and take out most of the forward secrecy.

I assume you have your ssl-tls-service-profile set at minimum TLS 1.2

Just run the following via the CLI:

configure
set shared ssl-tls-service-profile yourprofile protocol-settings auth-algo-sha1 no
set shared ssl-tls-service-profile yourprofile protocol-settings enc-algo-3des no

While you are at it also disable the following:

set shared ssl-tls-service-profile yourprofile protocol-settings enc-algo-rc4 no
set shared ssl-tls-service-profile yourprofile protocol-settings keyxchg-algo-rsa no
commit

Unfortunately it does not fix anything for secure renegotiation.

Regards,

Raymond

Re: Audit Global protect server

DavidJohnson — Mon, 16 Jan 2023 17:10:34 GMT

Can this be done as a push from Panorama? I do not like the concept of doing a command line only change on an individual firewall which could easily be forgotten in the case of a disaster restore or upgrade situation.

Re: Audit Global protect server

Raido_Rattameister — Mon, 16 Jan 2023 18:15:21 GMT

You can run those commands in Panorama CLI.

Instead of command:

set shared ssl-tls-service-profile...

You need to use:

set template TemplateName config shared ssl-tls-service-profile...

Re: Audit Global protect server

DavidJohnson — Mon, 16 Jan 2023 18:53:38 GMT

I must be missing something...

I used the following commands (with the template name changed)

set template HiddenTemplateName config shared ssl-tls-service-profile VPN-SSL protocol-settings auth-algo-sha1 no
set template HiddenTemplateName config shared ssl-tls-service-profile VPN-SSL protocol-settings enc-algo-3des no
set template HiddenTemplateName config shared ssl-tls-service-profile VPN-SSL protocol-settings enc-algo-rc4 no
set template HiddenTemplateName config shared ssl-tls-service-profile VPN-SSL protocol-settings keyxchg-algo-rsa no

The following commit failed with the result down below - what am I missing - all the profiles (there are three like this) have certificates already and in use?

Operation
Commit
Status
Completed
Result
Failed
Details
sd_wan plugin validation: Config valid
Validation Error:
devices -> localhost.localdomain -> template-stack -> HiddenStackName -> config -> shared -> ssl-tls-service-profile -> VPN-SSL is missing 'certificate'
devices -> localhost.localdomain -> template-stack -> HiddenStackName -> config -> shared -> ssl-tls-service-profile is invalid

Re: Audit Global protect server

Raido_Rattameister — Mon, 16 Jan 2023 19:13:51 GMT

Go to "Device > Certificate management > SSL/TLS Service Profile"

Did you use correct name for profile or did it create new one named "VPN-SSL" as a result of the command?

Re: Audit Global protect server

DavidJohnson — Mon, 16 Jan 2023 19:42:25 GMT

I had already restored from backup the previous config so I just ran the commands and attempted commit again.

A new profile was not created according to the GUI. I looked in all the associated templates and template stacks.

I am now restoring back to original.

Re: Audit Global protect server

Raido_Rattameister — Mon, 16 Jan 2023 19:44:39 GMT

Try to tab complete the command and use questionmark to get correct options.

There must be typo in command somewhere.

Re: Audit Global protect server

DavidJohnson — Mon, 16 Jan 2023 20:03:45 GMT

Just adding "" around the various template names did not change anything. The commands have always been accepted with and without the "".

Using the ? as I worked through the first command I saw that certificate was an option. Adding that sub-command and then a ? again I was shown some certificates; however the one that is in use (from an external CA) was not in the list.

It looks like I will need to open a support ticket to get this sorted out.

Re: Audit Global protect server

Raido_Rattameister — Mon, 16 Jan 2023 20:12:32 GMT

No "" needed if template or profile names don't contain spaces.

Command works well and commit worked after entering command.