topic I found message from scan secutity on Palo alto 850 &quot;Insecure Transport: Weak SSL Cipher ( 11285 )&quot; in General Topics https://live.paloaltonetworks.com/t5/general-topics/i-found-message-from-scan-secutity-on-palo-alto-850-quot/m-p/420980#M93923 <P>Hi All</P> <P>I found message from scan secutity on Palo alto 850 "Insecure Transport: Weak SSL Cipher ( 11285 )"</P> <P>I did configuration command like in document. but the message it still show after scan again.</P> <P>anyone have idea</P> <P>&nbsp;</P> <P>for SSL/TLS to disable weak Algorithm-</P> <P>set shared ssl-tls-service-profile web-gui protocol-settings auth-algo-sha1 no<BR />set shared ssl-tls-service-profile web-gui protocol-settings enc-algo-3des no<BR />set shared ssl-tls-service-profile web-gui protocol-settings enc-algo-rc4 no<BR />set shared ssl-tls-service-profile web-gui protocol-settings keyxchg-algo-rsa no</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>I am reading on document it reccomend to do this anyone can reccomend command</P> <P>thank you</P> <P>&nbsp;</P> <P><SPAN class="fontstyle0">Disable support for weak ciphers on the server. Weak ciphers are generally defined as:<BR /></SPAN><SPAN class="fontstyle2">· </SPAN><SPAN class="fontstyle0">Any cipher with key length less than 128 bits<BR /></SPAN><SPAN class="fontstyle2">· </SPAN><SPAN class="fontstyle0">Export-class cipher suites<BR /></SPAN><SPAN class="fontstyle2">· </SPAN><SPAN class="fontstyle0">NULL ciphers<BR /></SPAN><SPAN class="fontstyle2">· </SPAN><SPAN class="fontstyle0">Ciphers that support unauthenticated modes<BR /></SPAN><SPAN class="fontstyle2">· </SPAN><SPAN class="fontstyle0">Ciphers assessed at security strengths below 112 bits<BR /></SPAN><SPAN class="fontstyle2">· </SPAN><SPAN class="fontstyle0">All RC4 ciphers<BR /></SPAN><SPAN class="fontstyle2">· </SPAN><SPAN class="fontstyle0">All CBC mode ciphers due to POODLE, Zombie POODLE, GOLDENDOODLE, 0-Length OpenSSL, and Sleeping POODLE<BR />vulnerabilities<BR /></SPAN><SPAN class="fontstyle2">· </SPAN><SPAN class="fontstyle0">All 64-bit block ciphers<BR /></SPAN><SPAN class="fontstyle2">· </SPAN><SPAN class="fontstyle0">All ciphers using MD5 and SHA1 for cryptographic hash functions<BR />The following ciphers supported by the server are weak and should be disabled:<BR /></SPAN><SPAN class="fontstyle2">· </SPAN><SPAN class="fontstyle3">TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)<BR /></SPAN><SPAN class="fontstyle2">· </SPAN><SPAN class="fontstyle3">TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)<BR /></SPAN><SPAN class="fontstyle2">· </SPAN><SPAN class="fontstyle3">TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)<BR /></SPAN><SPAN class="fontstyle2">· </SPAN><SPAN class="fontstyle3">TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)<BR /></SPAN><SPAN class="fontstyle2">· </SPAN><SPAN class="fontstyle3">TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)<BR /></SPAN><SPAN class="fontstyle2">· </SPAN><SPAN class="fontstyle3">TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)<BR /></SPAN><SPAN class="fontstyle2">· </SPAN><SPAN class="fontstyle3">TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)</SPAN> </P> Wed, 21 Jul 2021 08:36:47 GMT nfsfantasy 2021-07-21T08:36:47Z I found message from scan secutity on Palo alto 850 "Insecure Transport: Weak SSL Cipher ( 11285 )" https://live.paloaltonetworks.com/t5/general-topics/i-found-message-from-scan-secutity-on-palo-alto-850-quot/m-p/420980#M93923 <P>Hi All</P> <P>I found message from scan secutity on Palo alto 850 "Insecure Transport: Weak SSL Cipher ( 11285 )"</P> <P>I did configuration command like in document. but the message it still show after scan again.</P> <P>anyone have idea</P> <P>&nbsp;</P> <P>for SSL/TLS to disable weak Algorithm-</P> <P>set shared ssl-tls-service-profile web-gui protocol-settings auth-algo-sha1 no<BR />set shared ssl-tls-service-profile web-gui protocol-settings enc-algo-3des no<BR />set shared ssl-tls-service-profile web-gui protocol-settings enc-algo-rc4 no<BR />set shared ssl-tls-service-profile web-gui protocol-settings keyxchg-algo-rsa no</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>I am reading on document it reccomend to do this anyone can reccomend command</P> <P>thank you</P> <P>&nbsp;</P> <P><SPAN class="fontstyle0">Disable support for weak ciphers on the server. Weak ciphers are generally defined as:<BR /></SPAN><SPAN class="fontstyle2">· </SPAN><SPAN class="fontstyle0">Any cipher with key length less than 128 bits<BR /></SPAN><SPAN class="fontstyle2">· </SPAN><SPAN class="fontstyle0">Export-class cipher suites<BR /></SPAN><SPAN class="fontstyle2">· </SPAN><SPAN class="fontstyle0">NULL ciphers<BR /></SPAN><SPAN class="fontstyle2">· </SPAN><SPAN class="fontstyle0">Ciphers that support unauthenticated modes<BR /></SPAN><SPAN class="fontstyle2">· </SPAN><SPAN class="fontstyle0">Ciphers assessed at security strengths below 112 bits<BR /></SPAN><SPAN class="fontstyle2">· </SPAN><SPAN class="fontstyle0">All RC4 ciphers<BR /></SPAN><SPAN class="fontstyle2">· </SPAN><SPAN class="fontstyle0">All CBC mode ciphers due to POODLE, Zombie POODLE, GOLDENDOODLE, 0-Length OpenSSL, and Sleeping POODLE<BR />vulnerabilities<BR /></SPAN><SPAN class="fontstyle2">· </SPAN><SPAN class="fontstyle0">All 64-bit block ciphers<BR /></SPAN><SPAN class="fontstyle2">· </SPAN><SPAN class="fontstyle0">All ciphers using MD5 and SHA1 for cryptographic hash functions<BR />The following ciphers supported by the server are weak and should be disabled:<BR /></SPAN><SPAN class="fontstyle2">· </SPAN><SPAN class="fontstyle3">TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)<BR /></SPAN><SPAN class="fontstyle2">· </SPAN><SPAN class="fontstyle3">TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)<BR /></SPAN><SPAN class="fontstyle2">· </SPAN><SPAN class="fontstyle3">TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)<BR /></SPAN><SPAN class="fontstyle2">· </SPAN><SPAN class="fontstyle3">TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)<BR /></SPAN><SPAN class="fontstyle2">· </SPAN><SPAN class="fontstyle3">TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)<BR /></SPAN><SPAN class="fontstyle2">· </SPAN><SPAN class="fontstyle3">TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)<BR /></SPAN><SPAN class="fontstyle2">· </SPAN><SPAN class="fontstyle3">TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)</SPAN> </P> Wed, 21 Jul 2021 08:36:47 GMT https://live.paloaltonetworks.com/t5/general-topics/i-found-message-from-scan-secutity-on-palo-alto-850-quot/m-p/420980#M93923 nfsfantasy 2021-07-21T08:36:47Z Re: I found message from scan secutity on Palo alto 850 "Insecure Transport: Weak SSL Cipher ( 11285 )" https://live.paloaltonetworks.com/t5/general-topics/i-found-message-from-scan-secutity-on-palo-alto-850-quot/m-p/424779#M94286 <P>Are you able to confirm in your network tab, under IPSec Crypto profile, that your objects do not include any of the above?&nbsp;</P><P>&nbsp;</P><P>AES-GCM-128 and 256 with SHA256 (in my screenshot) will work.&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Screen Shot 2021-08-05 at 8.51.12 AM.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/35474i94A1AA49E101FB82/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Screen Shot 2021-08-05 at 8.51.12 AM.png" alt="Screen Shot 2021-08-05 at 8.51.12 AM.png" /></span></P><P>&nbsp;</P> Thu, 05 Aug 2021 13:52:49 GMT https://live.paloaltonetworks.com/t5/general-topics/i-found-message-from-scan-secutity-on-palo-alto-850-quot/m-p/424779#M94286 LAYER_8 2021-08-05T13:52:49Z