How to properly disable 3DES encryption algorithm?


L3 Networker

We are currently being required to disable 3DES in order to pass PCI compliance (due to the Sweet32 exploit).

 

We have a decryption profile for all incoming traffic hitting our firewall and services behind it, where I have tried disabling 3DES.

However, the firewall will still accept 3DES after doing a commit. When opening the decryption profile again, 3DES is shown as enabled again.

 

As you can see in the picture, 3DES seems to be disabled in the decryption profile list, but when opening the specified decryption profile it shows up as enabled.

 

[Screenshot: 3DES.png]

 

Does anyone know how to properly disable 3DES on PAN-OS 7.1.x?


Accepted Solutions

I finally managed to disable 3DES, but it was not as straight forward as disabling 3DES on the decryption profile for inbound SSL.

 

To make this work, I set min. protocol version of the decryption profile to TLS 1.2, and then I had to do the same for the SSL/TLS Service Profile for each of the certificates used for inbound SSL inspection.

 

Now the firewall will only use TLS 1.2 and 3DES is disabled across the board.

 


L4 Transporter

Hello,

 

Seems odd, can you try changing this via the CLI?

 

>configure
#edit profiles decryption "name of decryption profile" ssl-protocol-settings
#set enc-algo-3des no
#commit

Let us know if this resolves the issue.

 

Ben

Hi Ben,

 

This did not resolve the issue, but it should be disabled.

The firewall still provides TLS_RSA_WITH_3DES_EDE_CBC_SHA for clients.

 

Here's the output of "show" for the ssl-protocol-settings of the decryption profile:

 

(active)# show
ssl-protocol-settings {
  keyxchg-algo-dhe yes;
  keyxchg-algo-ecdhe yes;
  min-version tls1-1;
  keyxchg-algo-rsa yes;
  enc-algo-3des no;
  enc-algo-rc4 no;
  enc-algo-aes-128-cbc yes;
  enc-algo-aes-256-cbc yes;
  enc-algo-aes-128-gcm yes;
  enc-algo-aes-256-gcm yes;
  auth-algo-sha1 yes;
  auth-algo-sha256 yes;
  auth-algo-sha384 yes;
}
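A small audit helper, added here as an example (not code from this thread or from PAN-OS), that parses an ssl-protocol-settings block like the one above and reports what the accepted solution ended up having to fix: 3DES or RC4 still enabled, or a min-version below tls1-2. It also filters a scanner's list of offered suite names for 3DES, the way TLS_RSA_WITH_3DES_EDE_CBC_SHA showed up for clients. The sample block is constructed from the output in this thread.

```python
import re

# Constructed sample: the ssl-protocol-settings block as printed by
# "show profiles decryption <name> ssl-protocol-settings" earlier in this thread.
SAMPLE_SETTINGS = """\
ssl-protocol-settings {
  keyxchg-algo-dhe yes;
  keyxchg-algo-ecdhe yes;
  min-version tls1-1;
  keyxchg-algo-rsa yes;
  enc-algo-3des no;
  enc-algo-rc4 no;
  enc-algo-aes-128-cbc yes;
  enc-algo-aes-256-cbc yes;
  enc-algo-aes-128-gcm yes;
  enc-algo-aes-256-gcm yes;
  auth-algo-sha1 yes;
  auth-algo-sha256 yes;
  auth-algo-sha384 yes;
}
"""

# Ordering of PAN-OS min-version values, lowest first.
TLS_ORDER = {"tls1-0": 0, "tls1-1": 1, "tls1-2": 2, "tls1-3": 3}

# Substrings that identify 3DES suites in IANA and OpenSSL naming.
SWEET32_MARKERS = ("3DES", "DES_CBC3", "DES-CBC3")

def parse_protocol_settings(text):
    """Turn the 'key value;' lines of an ssl-protocol-settings block into a dict."""
    return {k: v for k, v in re.findall(r"^\s*([\w-]+)\s+([\w.-]+);", text, re.M)}

def audit_protocol_settings(settings):
    """Return findings; an empty list means the profile matches the thread's end state."""
    findings = []
    # A missing key is treated as 'yes' so an incomplete 'show' cannot hide a weak setting.
    if settings.get("enc-algo-3des", "yes") == "yes":
        findings.append("enc-algo-3des yes: 64-bit block cipher, Sweet32-affected")
    if settings.get("enc-algo-rc4", "yes") == "yes":
        findings.append("enc-algo-rc4 yes: RC4 enabled")
    minv = settings.get("min-version", "tls1-0")
    if TLS_ORDER.get(minv, 0) < TLS_ORDER["tls1-2"]:
        findings.append(f"min-version {minv}: raise to tls1-2 on the decryption profile "
                        "and on each SSL/TLS Service Profile")
    return findings

def sweet32_suites(offered):
    """Filter a scanner's list of offered suite names down to the 3DES ones."""
    return [s for s in offered if any(m in s.upper() for m in SWEET32_MARKERS)]
```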

Community Team Member

Hi,

 

I see the same thing in my lab (running PAN-OS 7.1.3 on a VM-100).

 

It might just be a cosmetic bug because the CLI command indicates it is disabled:

 

admin@PA-VM# show profiles decryption test ssl-protocol-settings
ssl-protocol-settings {
  enc-algo-3des no;
  enc-algo-rc4 no;
}

 

I'd recommend opening a bug report with support so they can get this GUI bug fixed.

 

Cheers,

-Kim.


Hi,

 

Yes, the GUI is showing it as disabled, yet the firewall will still offer 3DES to clients, so this is not just a cosmetic issue.

Kim, is this command working on 6.0?

