https://live.paloaltonetworks.com/t5/general-topics/disable-weak-cipher-suite/m-p/344145#M86114 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/75039">@MP18</a>&nbsp;</P><P>&nbsp;</P><P>As i&nbsp; have&nbsp; disable the all the other weak cipher only one cipher suite cbc-256 is when i disable this error is Kindly suggest</P> Sun, 16 Aug 2020 19:27:05 GMT Joshan_Lakhani 2020-08-16T19:27:05Z https://live.paloaltonetworks.com/t5/general-topics/disable-weak-cipher-suite/m-p/343922#M86066 <P><SPAN>Has anyone had success getting past a B on ssllabs for the globalprotect web portal</SPAN></P><P>&nbsp;</P><TABLE width="856px"><TBODY><TR><TD width="855.333px" height="29px"><DIV class="reportSubHeading"># TLS 1.2 (suites in server-preferred order)</DIV></TD></TR><TR><TD width="814.667px" height="29px"><FONT color="#F88017">TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) &nbsp;&nbsp;<SPAN class="greySmall">ECDH secp256r1 (eq. 3072 bits RSA) &nbsp; FS</SPAN>&nbsp;&nbsp;&nbsp;<STRONG>WEAK</STRONG></FONT></TD><TD width="40.6667px" height="29px"><FONT color="#F88017">256</FONT></TD></TR><TR><TD width="814.667px" height="29px"><P><FONT color="#F88017">TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) &nbsp;&nbsp;<SPAN class="greySmall"><SPAN>DH 2048 bits</SPAN>&nbsp;&nbsp; FS</SPAN>&nbsp;&nbsp;&nbsp;<STRONG>WEAK</STRONG></FONT></P><P>&nbsp;</P></TD></TR></TBODY></TABLE><P>&nbsp;</P><P>When i disable Weak cipher&nbsp; suite i got this error please suggest</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Joshan_Lakhani_2-1597424067542.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/27374i12B2A80F023512F1/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Joshan_Lakhani_2-1597424067542.png" alt="Joshan_Lakhani_2-1597424067542.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Fri, 14 Aug 2020 16:54:50 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-weak-cipher-suite/m-p/343922#M86066 Joshan_Lakhani 2020-08-14T16:54:50Z https://live.paloaltonetworks.com/t5/general-topics/disable-weak-cipher-suite/m-p/344140#M86109 <P>&nbsp;</P> <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/130663">@Joshan_Lakhani</a>&nbsp;</P> <P>&nbsp;</P> <P>Seems your SSL/TLS profile&nbsp; uses a cert and that cert might be using these ciphers when you disable weak ciphers.</P> <P>I tested this on my PA and did the commit and no issues.</P> <P>&nbsp;</P> <P>Please check Ciphers used the certificate for SSL/TLS profile.</P> <P>Regards</P> <P>&nbsp;</P> Sun, 16 Aug 2020 19:05:39 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-weak-cipher-suite/m-p/344140#M86109 MP18 2020-08-16T19:05:39Z https://live.paloaltonetworks.com/t5/general-topics/disable-weak-cipher-suite/m-p/344145#M86114 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/75039">@MP18</a>&nbsp;</P><P>&nbsp;</P><P>As i&nbsp; have&nbsp; disable the all the other weak cipher only one cipher suite cbc-256 is when i disable this error is Kindly suggest</P> Sun, 16 Aug 2020 19:27:05 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-weak-cipher-suite/m-p/344145#M86114 Joshan_Lakhani 2020-08-16T19:27:05Z https://live.paloaltonetworks.com/t5/general-topics/disable-weak-cipher-suite/m-p/344205#M86122 <P>You can disable the weak ciphers w/ CLI commands.&nbsp; This Reddit thread has a good walk-through.&nbsp; When I followed it, I got up to an A- on the SSLLabs evaluation.<BR /><BR /><A href="https://www.reddit.com/r/paloaltonetworks/comments/hexquf/global_protect_and_cipher_suites/" target="_blank">https://www.reddit.com/r/paloaltonetworks/comments/hexquf/global_protect_and_cipher_suites/</A></P> Mon, 17 Aug 2020 15:24:34 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-weak-cipher-suite/m-p/344205#M86122 OwenFuller 2020-08-17T15:24:34Z https://live.paloaltonetworks.com/t5/general-topics/disable-weak-cipher-suite/m-p/431416#M95080 <P>Run the following commands on in the cli at the edit prompt.</P><P>then commit</P><P>set shared ssl-tls-service-profile ?&nbsp; (to get the security profile name)</P><P>set shared ssl-tls-service-profile (select your security profile here) protocol-settings keyxchg-algo-rsa no<BR />set shared ssl-tls-service-profile (select your security profile here) protocol-settings enc-algo-rc4 no<BR />set shared ssl-tls-service-profile (select your security profile here) protocol-settings enc-algo-aes-256-cbc no<BR />set shared ssl-tls-service-profile (select your security profile here) protocol-settings enc-algo-3des no<BR />set shared ssl-tls-service-profile (select your security profile here) protocol-settings auth-algo-sha1 no</P> Fri, 03 Sep 2021 16:23:26 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-weak-cipher-suite/m-p/431416#M95080 MannCave 2021-09-03T16:23:26Z