topic Re: Need to Disable TLS 1.0 & 1.1 for port TCP-3978 in General Topics

Need to Disable TLS 1.0 & 1.1 for port TCP-3978

viveksk.gupta — Thu, 13 Aug 2020 08:08:01 GMT

Can someone suggest on how can we disable TLS 1.0 & 1.1 for port TCP-3978

Description: The remote service accepts connections encrypted using TLS 1.0. TLS 1.0 has a number of cryptographic design flaws. Modern impleme
ntations of TLS 1.0 mitigate these problems, but newer versions of TLS like 1.2 and 1.3 are designed against these flaws and should be used wheneve
r possible.
As of March 31, 2020, Endpoints that aren’t enabled for TLS 1.2 and higher will no longer function properly with major web browsers and major
vendors.
PCI DSS v3.2 requires that TLS 1.0 be disabled entirely by June 30, 2018, except for POS POI terminals (and the SSL/TLS termination points to which
they connect) that can be verified as not being susceptible to any known exploits.

Thanks.

Re: Need to Disable TLS 1.0 & 1.1 for port TCP-3978

reaper — Thu, 13 Aug 2020 08:30:13 GMT

If you have access to the server certificate + key you can set up inbound ssl decryption and enforce 1.2 or higher through the decryption profile

Re: Need to Disable TLS 1.0 & 1.1 for port TCP-3978

Remo — Thu, 13 Aug 2020 08:45:58 GMT

Hi @viveksk.gupta

As far as I know there is no configuration option to disable tls1.0/1.1 on this panorama management port. At least I hope that the firewalls will use tls1.2 for this connection, so if there is a firewall between the firewalls and panorama you could block tls1.0/1.1 connection attempts with a custom vulnerability signature.

Re: Need to Disable TLS 1.0 & 1.1 for port TCP-3978

viveksk.gupta — Fri, 21 Aug 2020 11:41:01 GMT

Hi Vsys_remo,

Thanks for your reply...

We have created a profile and disabled TLSv1.0 and TLSv1.1 and enabled TLSv1.2, and I have done a packet capture and I can see communication using TLSv1.2 (TAC also Confirmed TLSv1.0 disabled) but the security team able to scan TLSv1.0 and TLSv1.1 in the scan report. Thanks

Re: Need to Disable TLS 1.0 & 1.1 for port TCP-3978

viveksk.gupta — Fri, 21 Aug 2020 11:45:10 GMT

Hi Reaper,

Port TCP-3978 using for Panorama and Palo alto communication and SSL Profile have enabled TLSv1.2. Thanks

Re: Need to Disable TLS 1.0 & 1.1 for port TCP-3978

thartm — Tue, 01 Sep 2020 05:15:55 GMT

Hey Viveksk.Gupta,

can you give me a quick hint how you set up the profile? We have the same problem and im pretty new to Palo Alto stuff, so a quick hint would be appreciated.

Re: Need to Disable TLS 1.0 & 1.1 for port TCP-3978

viveksk.gupta — Tue, 01 Sep 2020 07:36:13 GMT

Hi Thartm,

Go to >Panorama>Certificate Management>Certificate>Generate> (you can use existing root cert or create new Cert)

Go to >Panorama>Certificate Management>SSL/TLS Service Profile >Add (call your newly created cert ) create 2 cert for Primary and secondary

Go to >Panorama>Setup>Secure Communication server call your certificate and profile both (check mark allow custom certificate only)

Verify:-

Go to >Panorama>managed devices>summary see device state must be connected and Certificate untrusted issuer

Go to>Panorama>managed collectors>status in sync

Please follow the document below for more information on each settings.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/panorama-web-interface/panorama-managed-collectors/log-collector-configuration/communication-settings

Re: Need to Disable TLS 1.0 & 1.1 for port TCP-3978

thartm — Tue, 01 Sep 2020 09:38:10 GMT

Thanks for the quick reply Viveksk.Gulpa 🙂

Ill look into it 🙂

Re: Need to Disable TLS 1.0 & 1.1 for port TCP-3978

viveksk.gupta — Tue, 08 Sep 2020 03:33:43 GMT

Solution:-

Go to >Panorama>Certificate Management>Certificate>Generate> (you can use existing root cert or create new Cert)

Go to >Panorama>Certificate Management>SSL/TLS Service Profile >Add (call your newly created cert ) create 2 cert for Primary and secondary

Go to >Panorama>Setup>Secure Communication Settings >Customize Communication>Select HA Communication

Note:- in Palo Alto 8.X.X we can disable only TLSv1.0 we can not disable TLSv1.1 for on port-3978 TAC has confirmed to US

Verify:-

Go to >Panorama>managed devices>summary see device state must be connected and Certificate untrusted issuer

Go to>Panorama>managed collectors>status in sync