https://live.paloaltonetworks.com/t5/general-topics/how-to-block-weak-ciphers/m-p/200941#M59427 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/56221">@raji_toor</a>&nbsp;This can also be done with custom signatures.&nbsp; I created one recently for a customer who wanted to block connections using "sha1WithRSAEncryption"</P><P>&nbsp;</P><PRE>&lt;vulnerability-threat version="8.1.0"&gt; &lt;entry name="41023"&gt; &lt;signature&gt; &lt;standard&gt; &lt;entry name="sig1"&gt; &lt;and-condition&gt; &lt;entry name="And Condition 1"&gt; &lt;or-condition&gt; &lt;entry name="Or Condition 1"&gt; &lt;operator&gt; &lt;pattern-match&gt; &lt;pattern&gt;\x2a864886f70d010105\x&lt;/pattern&gt; &lt;context&gt;ssl-rsp-certificate&lt;/context&gt; &lt;negate&gt;no&lt;/negate&gt; &lt;/pattern-match&gt; &lt;/operator&gt; &lt;/entry&gt; &lt;/or-condition&gt; &lt;/entry&gt; &lt;/and-condition&gt; &lt;order-free&gt;yes&lt;/order-free&gt; &lt;scope&gt;session&lt;/scope&gt; &lt;/entry&gt; &lt;/standard&gt; &lt;/signature&gt; &lt;default-action&gt; &lt;alert/&gt; &lt;/default-action&gt; &lt;threatname&gt;sha1WithRSAEncryption&lt;/threatname&gt; &lt;severity&gt;informational&lt;/severity&gt; &lt;direction&gt;server2client&lt;/direction&gt; &lt;comment&gt;detects the presence of SHA-1 signature algorithm ID of server during SSL handshake&lt;/comment&gt; &lt;affected-host&gt; &lt;client&gt;yes&lt;/client&gt; &lt;/affected-host&gt; &lt;/entry&gt; &lt;/vulnerability-threat&gt;</PRE><P>If you're interested in pursuing the custom signature option, head over to the <A title="Custom Signatures discussion area" href="https://live.paloaltonetworks.com/t5/Custom-Signatures/bd-p/CustomSignatures" target="_blank">Custom Signatures discussion area</A>.&nbsp;&nbsp;</P> Fri, 16 Feb 2018 16:39:11 GMT jvalentine 2018-02-16T16:39:11Z https://live.paloaltonetworks.com/t5/general-topics/how-to-block-weak-ciphers/m-p/200925#M59418 <P>Can PA be used block weak ciphers at zone or server level?</P> Fri, 16 Feb 2018 16:07:17 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-block-weak-ciphers/m-p/200925#M59418 raji_toor 2018-02-16T16:07:17Z https://live.paloaltonetworks.com/t5/general-topics/how-to-block-weak-ciphers/m-p/200927#M59419 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/56221">@raji_toor</a></P><P>Take a look at SSL-Decryption profiles.&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/tkb/articleprintpage/tkb-id/FeaturedArticles/article-id/120" target="_blank">https://live.paloaltonetworks.com/t5/tkb/articleprintpage/tkb-id/FeaturedArticles/article-id/120</A></P> Fri, 16 Feb 2018 16:08:48 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-block-weak-ciphers/m-p/200927#M59419 BPry 2018-02-16T16:08:48Z https://live.paloaltonetworks.com/t5/general-topics/how-to-block-weak-ciphers/m-p/200935#M59422 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;What if decryption is not enabled or is not an option.</P> Fri, 16 Feb 2018 16:17:45 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-block-weak-ciphers/m-p/200935#M59422 raji_toor 2018-02-16T16:17:45Z https://live.paloaltonetworks.com/t5/general-topics/how-to-block-weak-ciphers/m-p/200938#M59425 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/56221">@raji_toor</a>,</P><P>If you aren't utilizing Decryption then I&nbsp;<EM>believe</EM> your only option is going to be through a Vulnerability Protection profile and the only Threat that deals with weak ciphers is ID 38924 'SSL Version 2 Weak RSA Cipher Detected' which you could modify from the default of 'alert' and change it to reset if you'd like.&nbsp;</P> Fri, 16 Feb 2018 16:24:07 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-block-weak-ciphers/m-p/200938#M59425 BPry 2018-02-16T16:24:07Z https://live.paloaltonetworks.com/t5/general-topics/how-to-block-weak-ciphers/m-p/200941#M59427 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/56221">@raji_toor</a>&nbsp;This can also be done with custom signatures.&nbsp; I created one recently for a customer who wanted to block connections using "sha1WithRSAEncryption"</P><P>&nbsp;</P><PRE>&lt;vulnerability-threat version="8.1.0"&gt; &lt;entry name="41023"&gt; &lt;signature&gt; &lt;standard&gt; &lt;entry name="sig1"&gt; &lt;and-condition&gt; &lt;entry name="And Condition 1"&gt; &lt;or-condition&gt; &lt;entry name="Or Condition 1"&gt; &lt;operator&gt; &lt;pattern-match&gt; &lt;pattern&gt;\x2a864886f70d010105\x&lt;/pattern&gt; &lt;context&gt;ssl-rsp-certificate&lt;/context&gt; &lt;negate&gt;no&lt;/negate&gt; &lt;/pattern-match&gt; &lt;/operator&gt; &lt;/entry&gt; &lt;/or-condition&gt; &lt;/entry&gt; &lt;/and-condition&gt; &lt;order-free&gt;yes&lt;/order-free&gt; &lt;scope&gt;session&lt;/scope&gt; &lt;/entry&gt; &lt;/standard&gt; &lt;/signature&gt; &lt;default-action&gt; &lt;alert/&gt; &lt;/default-action&gt; &lt;threatname&gt;sha1WithRSAEncryption&lt;/threatname&gt; &lt;severity&gt;informational&lt;/severity&gt; &lt;direction&gt;server2client&lt;/direction&gt; &lt;comment&gt;detects the presence of SHA-1 signature algorithm ID of server during SSL handshake&lt;/comment&gt; &lt;affected-host&gt; &lt;client&gt;yes&lt;/client&gt; &lt;/affected-host&gt; &lt;/entry&gt; &lt;/vulnerability-threat&gt;</PRE><P>If you're interested in pursuing the custom signature option, head over to the <A title="Custom Signatures discussion area" href="https://live.paloaltonetworks.com/t5/Custom-Signatures/bd-p/CustomSignatures" target="_blank">Custom Signatures discussion area</A>.&nbsp;&nbsp;</P> Fri, 16 Feb 2018 16:39:11 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-block-weak-ciphers/m-p/200941#M59427 jvalentine 2018-02-16T16:39:11Z