topic diffternt TLS protocolsbetween client and server supported in pan ?? in General Topics

diffternt TLS protocolsbetween client and server supported in pan ??

DineshPal — Mon, 03 Aug 2020 09:26:43 GMT

we have a legacy client which supported only TLS(1.1) & need to connect to server in cloud which works on TLS1.2 only .. So If we do a SSL Decryption in pan firewall does pan will allow tls1.1 between client and pan firewall and tls 1.2 between pan firewall and cloud server ??

Dinesh

Re: diffternt TLS protocolsbetween client and server supported in pan ??

MP18 — Tue, 04 Aug 2020 00:21:00 GMT

@DineshPal

Seems PA has decryption profile under Objects.

It has option to allow

Min Protocol Version and Maximum Protocol Version

There you can specify TLS1.1as Minimum and TLS1.2 as Maximum

Then it will allow all the connection between TLS1.1 and TLS1.2.

However if server only supports 1.2 then SSL decryption will not work as Client only supports TLS1.1

You either need to make change at client or server side

Regards

Re: diffternt TLS protocolsbetween client and server supported in pan ??

SutareMayur — Tue, 04 Aug 2020 04:07:47 GMT

@DineshPal,

I don't think if any firewall can change SSL/TLS version of in/out traffic. It can decrypt traffic (if it is enabled) and see what is happening but can't change the versions at client and/or server side. Agreed with @MP18 Need to make changes at either client or server side to make it work.

Hope it helps!

Mayur