topic Re: Disable Cipher Suite in General Topics

Disable Cipher Suite

Joshan_Lakhani — Wed, 05 Aug 2020 16:51:52 GMT

As of the pen test via SSL LAB i was observed that less secure ciphers like DES, RC4 were supported by global protect portal ,so that i have disable the all the weak cipher suite and it's successfully done but the when i disable CBC-256 Suite when i commit it got this error Please Suggest

protocol-settings {

min-version tls1-2;

max-version max;

enc-algo-aes-128-cbc no;

enc-algo-aes-128-gcm no;

auth-algo-sha256 no;

auth-algo-sha384 no;

enc-algo-aes-256-cbc no;

Re: Disable Cipher Suite

raji_toor — Thu, 06 Aug 2020 15:05:24 GMT

@Joshan_Lakhani Curious how do you block ciphers. I have the certificate imported and then creates SSL/TLS service profile set to minimum 1.2. Where do e select ciphers.

Re: Disable Cipher Suite

raji_toor — Thu, 06 Aug 2020 16:38:29 GMT

Ok.. I didn't know it as an option starting version 8.

I ran this command on our panorama(9.0.9) and only thing i see failing in ssllabs test is renegotiation.

set template PA1 config vsys vsys1 ssl-tls-service-profile GP certificate VPN protocol-settings min-version tls1-2 enc-algo-aes-128-cbc no enc-algo-3des no enc-algo-aes-256-cbc no auth-algo-sha1 no enc-algo-rc4 no max-version max keyxchg-algo-rsa no

Re: Disable Cipher Suite

Joshan_Lakhani — Thu, 06 Aug 2020 18:51:20 GMT

@raji_toor

Please follow this KB to disable weak cipher suite. As these cipher suite can be disable from 8.1 onward version before 8.1 you can not disable weak cipher suite.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmqeCAC

Re: Disable Cipher Suite

Joshan_Lakhani — Tue, 11 Aug 2020 17:00:52 GMT

As I disable all other weak cipher suite but the when i disable CBC-256 i got the error. As i use TLS1.2 3rd party certificate.Please suggest