topic Re: Is there any command to modify tls response version for ssl decryption forward proxy in General Topics

Is there any command to modify tls response version for ssl decryption forward proxy

Retired Member — Mon, 07 Jan 2019 04:10:35 GMT

When a client's browser disabled TLS1.0 and connect to a website which is only support TLS1.0.

Is there any way to let PA firewall response TLS1.0 to user?

Because before we replaced our customer's firewall, their firewall was CheckPoint CP5800.

In same situation CP5800 responsed TLS1.2 to clients, so they browse the website works fine, but now they couldn't connect to that site anymore.

Anybody know the workaround?

Many, thanks.

Harold

Re: Is there any command to modify tls response version for ssl decryption forward proxy

BPry — Tue, 08 Jan 2019 20:44:46 GMT

@Retired Member,

No. The firewall is going to respond to the client however the website is configured, so TSL1.0 won't magically be upgraded to TLS1.2. If the website is a requirement the client will need to re-enable TLS1.0 on their browser.

FYI: TLS1.0 shouldn't be in use anymore, and best practice would be that its excluded from your Decryption Profile altogether.