https://live.paloaltonetworks.com/t5/general-topics/globalprotect-portal-ssl-in-panos-8/m-p/340905#M85535 <P><SPAN>Hi,</SPAN></P><P>&nbsp;</P><P><SPAN>Im having the same grade because of:&nbsp;This server does not support Forward Secrecy with the reference browsers.</SPAN></P><P>&nbsp;</P><P><SPAN>how did you solve it? any idea?&nbsp;</SPAN></P> Mon, 27 Jul 2020 17:23:21 GMT BigPalo 2020-07-27T17:23:21Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-portal-ssl-in-panos-8/m-p/157212#M51581 <P>Hello all,</P><P>&nbsp;</P><P>I have noticed an important difference in PANOS v8.0 in comparison with PANOS 7.x.x concerning the SSL settings for the GlobalProtect portal.</P><P>&nbsp;</P><P>More specific, the famous site for SSL Server tests, Qualys SSL Labs presents PANOS 7.0.x with Grade A-, while for PANOS 8.0.x the grade is lowered to Grade B (worst).</P><P>&nbsp;</P><P>This happends because, while in PANOS 8.0.x there is a wider support of ciphersuites&nbsp; fot TLSv1.2, the additional ciphersuites supported use weak weak Diffie-Hellman (DH) key exchange parameters. More specific, for some cipher suites, the DH key exchange is weak, as 1024-bits are being used.</P><P>&nbsp;</P><P>&nbsp;</P><P>More specific, for version 7.0.x, the Cipher Suites list is the following:</P><P>&nbsp;</P><TABLE><TBODY><TR><TD><DIV class="reportSubHeading">TLS 1.2 (suites in server-preferred order)</DIV></TD></TR><TR><TD>TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)</TD><TD>256</TD></TR><TR><TD>TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)</TD><TD>128</TD></TR><TR><TD>TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)</TD><TD>256</TD></TR><TR><TD>TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)</TD><TD>128</TD></TR><TR><TD>TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)</TD><TD>128</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>&nbsp;</P><P>while in PANOS 8.0.x the list is the following:</P><P>&nbsp;</P><TABLE><TBODY><TR><TD><SPAN class="hideIcon"><IMG src="https://ip1.i.lithium.com/391cbefce907d7bda2925c591585af18e27fd1fb/68747470733a2f2f7777772e73736c6c6162732e636f6d2f696d616765732f636f6c6c617073652e706e67" width="14" border="0" height="14" /></SPAN><DIV class="reportSubHeading"># TLS 1.2 (suites in server-preferred order)</DIV></TD></TR><TR><TD>TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)</TD><TD>256</TD></TR><TR><TD>TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)</TD><TD>128</TD></TR><TR><TD>TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)</TD><TD>256</TD></TR><TR><TD>TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)</TD><TD>128</TD></TR><TR><TD>TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)</TD><TD>128</TD></TR><TR><TD>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) &nbsp; <SPAN class="greySmall">ECDH secp521r1 (eq. 15360 bits RSA) &nbsp; FS</SPAN></TD><TD>256</TD></TR><TR><TD>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) &nbsp; <SPAN class="greySmall">ECDH secp521r1 (eq. 15360 bits RSA) &nbsp; FS</SPAN></TD><TD>128</TD></TR><TR><TD>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) &nbsp; <SPAN class="greySmall">ECDH secp521r1 (eq. 15360 bits RSA) &nbsp; FS</SPAN></TD><TD>256</TD></TR><TR><TD>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) &nbsp; <SPAN class="greySmall">ECDH secp521r1 (eq. 15360 bits RSA) &nbsp; FS</SPAN></TD><TD>128</TD></TR><TR><TD>TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) &nbsp; <SPAN class="weakSmall colorF88017"><SPAN>DH 1024 bits</SPAN> &nbsp; FS</SPAN> &nbsp; <SPAN class="colorF88017"><STRONG>WEAK</STRONG></SPAN></TD><TD>256</TD></TR><TR><TD>TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) &nbsp; <SPAN class="weakSmall colorF88017"><SPAN>DH 1024 bits</SPAN> &nbsp; FS</SPAN> &nbsp; <SPAN class="colorF88017"><STRONG>WEAK</STRONG></SPAN></TD><TD>128</TD></TR><TR><TD>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) &nbsp; <SPAN class="weakSmall colorF88017"><SPAN>DH 1024 bits</SPAN> &nbsp; FS</SPAN> &nbsp; <SPAN class="colorF88017"><STRONG>WEAK</STRONG></SPAN></TD><TD>256</TD></TR><TR><TD>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) &nbsp; <SPAN class="weakSmall colorF88017"><SPAN>DH 1024 bits</SPAN> &nbsp; FS</SPAN> &nbsp; <SPAN class="colorF88017"><STRONG>WEAK</STRONG></SPAN></TD><TD>128</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>&nbsp;</P><P>The big question is how to disable these weak Forward Secrecy (FS) DH <STRONG>Weak</STRONG> key exchange exchange parameters as there is no option to manipulate these settings either from the Web UI or the CLI.</P><P>Maybe the new SSL/TLS Service Profile that appears in PANOS 7.1.x should have something for the CipherSuites and the Forward Secrecy (FS) key exchange parameters that need to be enabled/disabled/used (and the order they are being presented to the client's web browser.</P><P>&nbsp;</P><P>Regards,</P><P>George G.</P> Thu, 18 May 2017 16:01:25 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-portal-ssl-in-panos-8/m-p/157212#M51581 ggoudr 2017-05-18T16:01:25Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-portal-ssl-in-panos-8/m-p/157554#M51660 <P>Hi George,</P><P>&nbsp;</P><P>The SSL/TLS profile hasn't changed in 8.0 either. It's been a carry-forward feature from 7.1.x. And yes, no way to disable/change anything from GUI or CLI (maybe root?). However, imho, this is not a bad option to include in the SSL/TLS profile, kinda similar to what a Decryption profile has.&nbsp;</P><P>&nbsp;</P><P>I'd say you should get in touch with your SE to see if this can be incorporated in some future release.</P><P>&nbsp;</P><P>Regards,</P><P>Anurag</P> Sat, 20 May 2017 00:45:03 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-portal-ssl-in-panos-8/m-p/157554#M51660 ansharma 2017-05-20T00:45:03Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-portal-ssl-in-panos-8/m-p/158023#M51744 <P>Yes, I agree with you maybe a Feature Request is not a bad idea.</P><P>After all, there are some requirements on disabling weak ciphers etc on PCI and CIS compliance audits that PAN Devices do not give that opportunity.</P><P>&nbsp;</P><P>George</P> Wed, 24 May 2017 07:59:48 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-portal-ssl-in-panos-8/m-p/158023#M51744 ggoudr 2017-05-24T07:59:48Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-portal-ssl-in-panos-8/m-p/340905#M85535 <P><SPAN>Hi,</SPAN></P><P>&nbsp;</P><P><SPAN>Im having the same grade because of:&nbsp;This server does not support Forward Secrecy with the reference browsers.</SPAN></P><P>&nbsp;</P><P><SPAN>how did you solve it? any idea?&nbsp;</SPAN></P> Mon, 27 Jul 2020 17:23:21 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-portal-ssl-in-panos-8/m-p/340905#M85535 BigPalo 2020-07-27T17:23:21Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-portal-ssl-in-panos-8/m-p/431415#M95079 <P>Run the following commands on in the cli at the edit prompt.</P><P>then commit</P><P>set shared ssl-tls-service-profile (select your security profile here) protocol-settings keyxchg-algo-rsa no<BR />set shared ssl-tls-service-profile (select your security profile here) protocol-settings enc-algo-rc4 no<BR />set shared ssl-tls-service-profile (select your security profile here) protocol-settings enc-algo-aes-256-cbc no<BR />set shared ssl-tls-service-profile (select your security profile here) protocol-settings enc-algo-3des no<BR />set shared ssl-tls-service-profile (select your security profile here) protocol-settings auth-algo-sha1 no</P><P>&nbsp;</P> Fri, 03 Sep 2021 16:20:46 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-portal-ssl-in-panos-8/m-p/431415#M95079 MannCave 2021-09-03T16:20:46Z