https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-v-3/m-p/39075#M28644 <HTML><HEAD></HEAD><BODY><P>Hello Hardik,</P><P></P><P>Even in latest code, we have removed the SSL v3 from the code for management connection including GlobalProtect gateway, GlobalProtect portal, and Captive Portal. There is no such option or button to enable/disable SSL V3. Secondly, if you create a custom signature to block SSL V3 connection and the client keep initiating SSL V3 connection,&nbsp; then you will not be able to establish a connection, which would be a major black-hole. </P><P></P><P>So, custom signature would not be a recommended solution for production environment. </P><P></P><P>Hope this helps.</P><P></P><P>Thanks</P></BODY></HTML> Wed, 28 Jan 2015 19:01:36 GMT HULK 2015-01-28T19:01:36Z https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-v-3/m-p/39071#M28640 <HTML><HEAD></HEAD><BODY><P>Hi Friends,</P><P></P><P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;">how we can disable SSL V.3&nbsp; only for management console on PA firewall.</SPAN></P><P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;"><BR /></SPAN></P><P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;">Regards</SPAN></P><P><SPAN style="font-size: 11.0pt; font-family: 'Calibri','sans-serif'; color: #1f497d;">Satish<BR /></SPAN></P></BODY></HTML> Wed, 28 Jan 2015 17:29:53 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-v-3/m-p/39071#M28640 Satish 2015-01-28T17:29:53Z https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-v-3/m-p/39072#M28641 <HTML><HEAD></HEAD><BODY><P>Hello Satish, <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P></P><P>SSL V3 option has been removed from the PAN OS 6.0.8 and 6.1.2 onward. Prior to these version, you do not have any option to disable SSL V3 on the firewall, rather, you may disable SSL-V3 on your web browser. Accordingly, the client will not send SSL-v3 during the handshake. </P><P></P><P>You may go through the security advisory for more detail information: <A href="https://live.paloaltonetworks.com/docs/DOC-8360">SSL 3.0 MITM Attack (CVE-2014-3566) (PAN-SA-2014-0005) a.k.a. POODLE</A></P><P></P><P>Below mentioned BUG has been fixed on PAN OS 6.0.8.</P><P></P><P><STRONG>71321—Removed support for SSL 3.0 from the GlobalProtect gateway, GlobalProtect portal, and Captive Portal due to CVE-2014-3566 (POODLE).</STRONG></P><P><STRONG> 71320—Removed support for SSL 3.0 from the web interface due to CVE-2014-3566 (POODLE).</STRONG></P><P></P><P>Hope this helps.</P><P></P><P>Thanks</P></BODY></HTML> Wed, 28 Jan 2015 17:53:44 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-v-3/m-p/39072#M28641 HULK 2015-01-28T17:53:44Z https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-v-3/m-p/39073#M28642 <HTML><HEAD></HEAD><BODY><P>One more related link: <A href="https://securityadvisories.paloaltonetworks.com/" title="https://securityadvisories.paloaltonetworks.com/">Palo Alto Networks Product Vulnerability - Security Advisories</A></P><P></P><P>Look into the <SPAN style="color: #333333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; background-color: #d6e1e7;">SSL 3.0 MITM Attack (CVE-2014-3566)</SPAN></P><P></P><P>Thanks</P></BODY></HTML> Wed, 28 Jan 2015 17:57:47 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-v-3/m-p/39073#M28642 HULK 2015-01-28T17:57:47Z https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-v-3/m-p/39074#M28643 <HTML><HEAD></HEAD><BODY><P>Hi Satish,</P><P></P><P>If firewall is not on the latest code, than you can not disable SSLv3.</P><P></P><P>However, there is one work around if management traffic is going through data plane. In that case through custom signature SSLv3 traffic can be blocked.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Wed, 28 Jan 2015 18:53:03 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-v-3/m-p/39074#M28643 hshah 2015-01-28T18:53:03Z https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-v-3/m-p/39075#M28644 <HTML><HEAD></HEAD><BODY><P>Hello Hardik,</P><P></P><P>Even in latest code, we have removed the SSL v3 from the code for management connection including GlobalProtect gateway, GlobalProtect portal, and Captive Portal. There is no such option or button to enable/disable SSL V3. Secondly, if you create a custom signature to block SSL V3 connection and the client keep initiating SSL V3 connection,&nbsp; then you will not be able to establish a connection, which would be a major black-hole. </P><P></P><P>So, custom signature would not be a recommended solution for production environment. </P><P></P><P>Hope this helps.</P><P></P><P>Thanks</P></BODY></HTML> Wed, 28 Jan 2015 19:01:36 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-v-3/m-p/39075#M28644 HULK 2015-01-28T19:01:36Z https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-v-3/m-p/39076#M28645 <HTML><HEAD></HEAD><BODY><P>When will 6.1.2 be released?</P></BODY></HTML> Thu, 29 Jan 2015 01:09:27 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-v-3/m-p/39076#M28645 ASCIT 2015-01-29T01:09:27Z https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-v-3/m-p/39077#M28646 <HTML><HEAD></HEAD><BODY><P>Hello <STRONG style="font-size: 11.6999998092651px; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><A _jive_internal="true" class="jiveTT-hover-user jive-username-link" data-avatarid="1245" data-externalid="" data-presence="null" data-userid="30544" data-username="ascit" href="https://live.paloaltonetworks.com/people/ascit" style="padding: 0 3px 0 0; font-weight: inherit; font-style: inherit; font-size: 1.1em; font-family: inherit; color: #006595;">ascit</A></STRONG>,</P><P></P><P>The PAN OS version 6.1.2 is expected to be released during the week of February 2, 2015. </P><P></P><P>Thanks</P></BODY></HTML> Thu, 29 Jan 2015 02:48:24 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-v-3/m-p/39077#M28646 HULK 2015-01-29T02:48:24Z https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-v-3/m-p/39078#M28647 <HTML><HEAD></HEAD><BODY><P>Hi.</P><P></P><P>Thanks Hulk &amp; <SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 13px;">Hardik for reply.<img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 13px;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 13px;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 13px;">Regards</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 13px;">Satish<BR /></SPAN></P></BODY></HTML> Thu, 29 Jan 2015 04:04:51 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-v-3/m-p/39078#M28647 Satish 2015-01-29T04:04:51Z