https://live.paloaltonetworks.com/t5/general-topics/how-to-properly-disable-3des-encryption-algorithm/m-p/121141#M46021 <P>Hi,</P><P>&nbsp;</P><P>Yes, the GUI is showing it as disabled, yet the firewall will still offer 3DES to clients, so this is not just a cosmetic issue.</P> Tue, 25 Oct 2016 12:08:09 GMT arvesynd 2016-10-25T12:08:09Z https://live.paloaltonetworks.com/t5/general-topics/how-to-properly-disable-3des-encryption-algorithm/m-p/121115#M46015 <P>We are currently being required to disable 3DES in order to pass PCI compliance (due to the Sweet32 exploit).</P><P>&nbsp;</P><P>We have a decryption profile for all incoming traffic hitting our firewall and services behind it, where I have tried disabling 3DES.</P><P>However, the firewall will still accept 3DES after doing a commit. When opening the decryption profile again. 3DES will be shown as enabled again.</P><P>&nbsp;</P><P>As you can see in the picture, 3DES seems to be disabled in the decryption profile list, but when opening the specified decryption profile it shows up as enabled.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="3DES.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/6045i3EE0632F26C816B4/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="3DES.png" alt="3DES.png" /></span></P><P>&nbsp;</P><P>Does anyone know how to properly disable 3DES on PANOS 7.1.x?</P> Tue, 25 Oct 2016 10:27:55 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-properly-disable-3des-encryption-algorithm/m-p/121115#M46015 arvesynd 2016-10-25T10:27:55Z https://live.paloaltonetworks.com/t5/general-topics/how-to-properly-disable-3des-encryption-algorithm/m-p/121129#M46017 <P>Hello,</P><P>&nbsp;</P><P>Seems odd, can you try changing this via the CLI?</P><P>&nbsp;</P><P>&gt;configure</P><P>#edit profiles decryption "name of decryption profile" ssl-protocol-settings</P><P>#set enc-algo-3des no</P><P>#commit</P><P>&nbsp;</P><P>let us know if this resolves the issue.</P><P>&nbsp;</P><P>Ben</P> Tue, 25 Oct 2016 10:45:05 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-properly-disable-3des-encryption-algorithm/m-p/121129#M46017 bmorris1 2016-10-25T10:45:05Z https://live.paloaltonetworks.com/t5/general-topics/how-to-properly-disable-3des-encryption-algorithm/m-p/121131#M46018 <P>Hi Ben,</P><P>&nbsp;</P><P>This did not resolve the issue, but it should be disabled.</P><P>The firewall still provides&nbsp;<SPAN>TLS_RSA_WITH_3DES_EDE_CBC_SHA for clients.</SPAN></P><P>&nbsp;</P><P>Here's the output from show of ssl-protocol-settings for the decryption profile:</P><P>&nbsp;</P><PRE>(active)# show ssl-protocol-settings { keyxchg-algo-dhe yes; keyxchg-algo-ecdhe yes; min-version tls1-1; keyxchg-algo-rsa yes; enc-algo-3des no; enc-algo-rc4 no; enc-algo-aes-128-cbc yes; enc-algo-aes-256-cbc yes; enc-algo-aes-128-gcm yes; enc-algo-aes-256-gcm yes; auth-algo-sha1 yes; auth-algo-sha256 yes; auth-algo-sha384 yes; }</PRE> Tue, 25 Oct 2016 11:20:41 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-properly-disable-3des-encryption-algorithm/m-p/121131#M46018 arvesynd 2016-10-25T11:20:41Z https://live.paloaltonetworks.com/t5/general-topics/how-to-properly-disable-3des-encryption-algorithm/m-p/121132#M46019 <P>Hi,</P> <P>&nbsp;</P> <P>I see the same thing in my lab (running PAN-OS 7.1.3 on a VM-100).</P> <P>&nbsp;</P> <P>It might just be&nbsp;a cosmetic bug because the CLI command indicates it is disabled :</P> <P>&nbsp;</P> <P class="p1"><SPAN class="s1">admin@PA-VM# show profiles decryption test ssl-protocol-settings</SPAN></P> <P class="p1"><SPAN class="s1">ssl-protocol-settings {</SPAN></P> <P class="p1"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp; </SPAN>enc-algo-3des no;</SPAN></P> <P class="p1"><SPAN class="s1"><SPAN class="Apple-converted-space">&nbsp; </SPAN>enc-algo-rc4 no;</SPAN></P> <P class="p1"><SPAN class="s1">}</SPAN></P> <P class="p1">&nbsp;</P> <P class="p1"><SPAN class="s1">I'd recommend to open a bug report with support so they can get this GUI bug fixed.</SPAN></P> <P class="p1">&nbsp;</P> <P class="p1"><SPAN class="s1">Cheers,</SPAN></P> <P class="p1"><SPAN class="s1">-Kim.</SPAN></P> Tue, 25 Oct 2016 11:29:44 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-properly-disable-3des-encryption-algorithm/m-p/121132#M46019 kiwi 2016-10-25T11:29:44Z https://live.paloaltonetworks.com/t5/general-topics/how-to-properly-disable-3des-encryption-algorithm/m-p/121141#M46021 <P>Hi,</P><P>&nbsp;</P><P>Yes, the GUI is showing it as disabled, yet the firewall will still offer 3DES to clients, so this is not just a cosmetic issue.</P> Tue, 25 Oct 2016 12:08:09 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-properly-disable-3des-encryption-algorithm/m-p/121141#M46021 arvesynd 2016-10-25T12:08:09Z https://live.paloaltonetworks.com/t5/general-topics/how-to-properly-disable-3des-encryption-algorithm/m-p/121659#M46069 <P>Kim This command is working on 6.0 ?</P> Thu, 27 Oct 2016 07:37:22 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-properly-disable-3des-encryption-algorithm/m-p/121659#M46069 Fahad-Khan 2016-10-27T07:37:22Z https://live.paloaltonetworks.com/t5/general-topics/how-to-properly-disable-3des-encryption-algorithm/m-p/121660#M46070 <P>I finally managed to disable 3DES, but it was not as straight forward as disabling 3DES on the decryption profile for inbound SSL.</P><P>&nbsp;</P><P>To make this work, I set min. protocol&nbsp;version of the decryption profile to TLS 1.2, and then I had to do the same for the SSL/TLS Service Profile for each of the certificates used for inbound SSL inspection.</P><P>&nbsp;</P><P>Now the firewall will only use TLS 1.2 and 3DES is disabled across the board.</P><P>&nbsp;</P> Thu, 27 Oct 2016 07:40:24 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-properly-disable-3des-encryption-algorithm/m-p/121660#M46070 arvesynd 2016-10-27T07:40:24Z