topic Re: Extract data of all ciphers and protocols that enabled or disabled in palo alto firewalls in General Topics

Extract data of all ciphers and protocols that enabled or disabled in palo alto firewalls

pradeepbabar4 — Thu, 03 Jun 2021 13:56:44 GMT

how can i Extract data of all ciphers and protocols that enabled or disabled in palo alto firewalls.

And How can i Ensure all weak ciphers and protocols are disabled before exposing an application to the Internet in palo alto firewalls.

Re: Extract data of all ciphers and protocols that enabled or disabled in palo alto firewalls

BPry — Thu, 03 Jun 2021 15:37:23 GMT

@pradeepbabar4,

@pradeepbabar4 wrote:

how can i Extract data of all ciphers and protocols that enabled or disabled in palo alto firewalls.

From what aspect? Are we talking about the what ciphers and protocols are enabled on the GUI, or what's being used on your inbound decryption profiles?

@pradeepbabar4 wrote:
And How can i Ensure all weak ciphers and protocols are disabled before exposing an application to the Internet in palo alto firewalls.

From an application standpoint this needs to be verified by the application owner, or otherwise directly on the resource you are planning to expose. If you are performing inbound decryption you can somewhat control what ciphers are being utilized, but they need to line up with what the application is actually offering to prevent issues.

You can view what is being offered by running a packet capture, but I would simply ask the application owner for what they are supporting on their end.

Re: Extract data of all ciphers and protocols that enabled or disabled in palo alto firewalls

OtakarKlier — Thu, 03 Jun 2021 16:48:32 GMT

Hello,

Here are a few articles that might help out.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PN5bCAG

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmqeCAC

https://docs.paloaltonetworks.com/compatibility-matrix/supported-cipher-suites

Cheers

Re: Extract data of all ciphers and protocols that enabled or disabled in palo alto firewalls

pradeepbabar4 — Mon, 07 Jun 2021 01:45:50 GMT

Thank you for valuable response, it is helpful.

Actually from management team they want to know which are the protocols & cipher are there which are negotiating before exposing an application to the Internet from your comments i got an idea that whichever applications are there from our internal webserver are responsible for negotiating the protocol/cipher suites.

And the services like Global Protect, IPsec which are provided by firewall are responsible for negotiating the protocol/cipher suites.

My understanding is correct right?

Re: Extract data of all ciphers and protocols that enabled or disabled in palo alto firewalls

pradeepbabar4 — Mon, 07 Jun 2021 01:55:24 GMT

Thank you for you valuable response & sharing informative links.

I am not able to understand the matrix supported cipher suites, in website they have two column named as FEATURE OR FUNCTION and CIPHERS SUPPORTED IN PAN-OS 8.1 RELEASES what does it means.

Does it means that this are the cipher suite list which are available and we have to select one of the cipher suite for negotiation from available list ?

Also i want to know any SSL/TLS service profile we configured & if we configured minimum version as an TLSV1.1 or TLSV1.2 then what will be default cipher suite for negotiation, since there is no any option in GUI to select cipher suite which we want to be negotiatie.