https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-specifically-disable-ssl-3-0-on-a-palo-alto/m-p/845#M655 <HTML><HEAD></HEAD><BODY><P>Just to add guys content version 463 has been released which contains the SSLv3 poodle vulnerability signature.</P><P></P><P>Hope it helps !</P></BODY></HTML> Thu, 16 Oct 2014 17:03:46 GMT bat 2014-10-16T17:03:46Z https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-specifically-disable-ssl-3-0-on-a-palo-alto/m-p/838#M648 <HTML><HEAD></HEAD><BODY><P>Hi All,</P><P></P><P>I have a case where customer needs to disable SSL 3.0 on an interface and just use SSL 1.0 and 2.0 for both device management and GP. Is this possible? if so then how? Is there any other way apart from disabling the entire SSL feature on the interface? Kindly Advice</P></BODY></HTML> Wed, 15 Oct 2014 17:24:32 GMT https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-specifically-disable-ssl-3-0-on-a-palo-alto/m-p/838#M648 mrafi 2014-10-15T17:24:32Z https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-specifically-disable-ssl-3-0-on-a-palo-alto/m-p/839#M649 <HTML><HEAD></HEAD><BODY><P><A href="https://live.paloaltonetworks.com/u1/29222">mrafi</A></P><P></P><P>I have not tested this but you can try creating a custom vulnerability with ssl-rsp-version 3 and block it:</P><P></P><P><IMG __jive_id="16321" alt="sslv3.JPG" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/16321_sslv3.JPG" style="height: 265px; width: 620px;" /></P><P></P><P>The above vulnerability will only be effective for traffic going through dataplane port so if you are accessing management directly (without going dataplane port) this will not help for disabling SSLv3 on management interface.</P><P></P><P>Will keep you posted if I get a chance to try this in lab</P><P></P><P>Hope it helps !</P></BODY></HTML> Wed, 15 Oct 2014 17:29:27 GMT https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-specifically-disable-ssl-3-0-on-a-palo-alto/m-p/839#M649 bat 2014-10-15T17:29:27Z https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-specifically-disable-ssl-3-0-on-a-palo-alto/m-p/840#M650 <HTML><HEAD></HEAD><BODY><P>Hi Mrafi,</P><P></P><P>You can not disable SSLv3 by any command or configuration.</P><P></P><P>However, you may want to try custom vuln. signature mentioned above.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Wed, 15 Oct 2014 17:43:33 GMT https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-specifically-disable-ssl-3-0-on-a-palo-alto/m-p/840#M650 hshah 2014-10-15T17:43:33Z https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-specifically-disable-ssl-3-0-on-a-palo-alto/m-p/841#M651 <HTML><HEAD></HEAD><BODY><P><A href="https://live.paloaltonetworks.com/u1/29222">mrafi</A></P><P></P><P>Just tested this in my lab and it works <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P></P><P>You have to specify the decimal value for SSL 3.0 hexadecimal code (0x0300) which is 768.</P><P></P><P><IMG alt="sslv3_decimal.JPG" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/16325_sslv3_decimal.JPG" style="height: 227px; width: 620px;" /></P><P></P><P>Hope it helps !</P></BODY></HTML> Wed, 15 Oct 2014 18:45:33 GMT https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-specifically-disable-ssl-3-0-on-a-palo-alto/m-p/841#M651 bat 2014-10-15T18:45:33Z https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-specifically-disable-ssl-3-0-on-a-palo-alto/m-p/842#M652 <HTML><HEAD></HEAD><BODY><P>Hi Mrafi,</P><P></P><P>This will stop SSLv3 on Data port only, for that you will have to configure custom vuln profile in policy.</P><P></P><P>This will not help to stop SSLv3 on Management interface.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Wed, 15 Oct 2014 19:33:42 GMT https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-specifically-disable-ssl-3-0-on-a-palo-alto/m-p/842#M652 hshah 2014-10-15T19:33:42Z https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-specifically-disable-ssl-3-0-on-a-palo-alto/m-p/843#M653 <HTML><HEAD></HEAD><BODY><P>Hi Mrafi,</P><P></P><P>Just FYI...</P><P><A href="http://www.networkworld.com/article/2833937/security/security-experts-warn-of-poodle-attack-against-ssl-30.html" style="font-size: 10pt; line-height: 1.5em;" title="http://www.networkworld.com/article/2833937/security/security-experts-warn-of-poodle-attack-against-ssl-30.html">http://www.networkworld.com/article/2833937/security/security-experts-warn-of-poodle-attack-against-ssl-30.html</A></P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Wed, 15 Oct 2014 20:17:05 GMT https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-specifically-disable-ssl-3-0-on-a-palo-alto/m-p/843#M653 hshah 2014-10-15T20:17:05Z https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-specifically-disable-ssl-3-0-on-a-palo-alto/m-p/844#M654 <HTML><HEAD></HEAD><BODY><P>I created a custom signature like <SPAN class="j-post-author"><STRONG><A _jive_internal="true" class="jiveTT-hover-user jive-username-link" data-avatarid="1246" data-externalid="" data-presence="null" data-userid="28201" data-username="csharma" href="https://live.paloaltonetworks.com/people/csharma">csharma</A> </STRONG>suggested and I can confirm that it works.</SPAN></P><P><SPAN class="j-post-author"><BR /></SPAN></P><P><SPAN class="j-post-author">Although, it does not seem to work if you are decrypting the SSL traffic via Palo Alto.</SPAN></P></BODY></HTML> Thu, 16 Oct 2014 15:23:29 GMT https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-specifically-disable-ssl-3-0-on-a-palo-alto/m-p/844#M654 jambulo 2014-10-16T15:23:29Z https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-specifically-disable-ssl-3-0-on-a-palo-alto/m-p/845#M655 <HTML><HEAD></HEAD><BODY><P>Just to add guys content version 463 has been released which contains the SSLv3 poodle vulnerability signature.</P><P></P><P>Hope it helps !</P></BODY></HTML> Thu, 16 Oct 2014 17:03:46 GMT https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-specifically-disable-ssl-3-0-on-a-palo-alto/m-p/845#M655 bat 2014-10-16T17:03:46Z https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-specifically-disable-ssl-3-0-on-a-palo-alto/m-p/846#M656 <HTML><HEAD></HEAD><BODY><P>No you can not disable this, the version is negotiated by the end-host and server. </P><P></P><P>The Vulnerability signature which is provided will not be applied to traffic destined to&nbsp; firewall</P><P></P><P>For example: people from DMZ are tried to manage firewall on firewall's DMZ interface, the signature will not be enough to identify ssl3, because content inspection is not applied when traffic is destined to firewall and not passing through the firewall. The same will apply to GP. we would not be able to identify this when SSL connection terminates on untrust interface of firewall</P><P></P><P>The work around while we wait for engineering is to host the service on loopback. Because when the service is hosted on loopback (different zone). This will make packet pass though the CTD engine of firewall like regular traffic to detect vulnerability.</P><P></P><P>Regards</P><P>Sai</P></BODY></HTML> Fri, 31 Oct 2014 00:04:17 GMT https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-specifically-disable-ssl-3-0-on-a-palo-alto/m-p/846#M656 Sai_Tumuluri 2014-10-31T00:04:17Z https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-specifically-disable-ssl-3-0-on-a-palo-alto/m-p/847#M657 <HTML><HEAD></HEAD><BODY><P>wow, so PA cant disable sslv3 ... thats not good. I know the sig can protect but common,,,, we cant pick protocols/ciphers on an enterprise class firewall ..?? AND its based on Linux right? so PA went out of its way to make it so we cant do this?</P><P></P><P></P><P><BR /> </P></BODY></HTML> Fri, 31 Oct 2014 16:03:38 GMT https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-specifically-disable-ssl-3-0-on-a-palo-alto/m-p/847#M657 choff123 2014-10-31T16:03:38Z https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-specifically-disable-ssl-3-0-on-a-palo-alto/m-p/848#M658 <HTML><HEAD></HEAD><BODY><P>Why does the PA NOT detect SSLv3 when it's set to decrypt the passing traffic?</P><P></P><P>Here's what I did to test...</P><P>1.&nbsp; I forced my browser to user ONLY SSLv3.</P><P>2.&nbsp; Set Threat ID 36815(SSLv3 Found in Server Response) to "drop-all-packets".</P><P>3.&nbsp; Browsed to web server behind the PA and page loaded fine.</P><P>4.&nbsp; Wireshark capture shows only SSLv3 being used.</P><P>5.&nbsp; Not detected in PA.</P><P></P><P>Then I tried web traffic that is not being decrypted and the PA detected and blocked the SSLv3 attempt.</P></BODY></HTML> Tue, 04 Nov 2014 14:44:06 GMT https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-specifically-disable-ssl-3-0-on-a-palo-alto/m-p/848#M658 jambulo 2014-11-04T14:44:06Z https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-specifically-disable-ssl-3-0-on-a-palo-alto/m-p/849#M659 <HTML><HEAD></HEAD><BODY><P>I's suppose the PA to be able to adjust the SSL/TLS Versions allowed in SSL hello messages when performing SSL Decryption since it is acting as the clientside towards the WebServer ?!</P><P>Why is there no way to infuence this with a Decryption Profile?</P></BODY></HTML> Wed, 19 Nov 2014 10:13:09 GMT https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-specifically-disable-ssl-3-0-on-a-palo-alto/m-p/849#M659 ruby 2014-11-19T10:13:09Z