Is it possible to Specifically Disable SSL 3.0 on a Palo Alto Interface

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Is it possible to Specifically Disable SSL 3.0 on a Palo Alto Interface

Not applicable

Hi All,

I have a case where customer needs to disable SSL 3.0 on an interface and just use SSL 1.0 and 2.0 for both device management and GP. Is this possible? if so then how? Is there any other way apart from disabling the entire SSL feature on the interface? Kindly Advice

11 REPLIES 11

L5 Sessionator

mrafi

I have not tested this but you can try creating a custom vulnerability with ssl-rsp-version 3 and block it:

sslv3.JPG

The above vulnerability will only be effective for traffic going through dataplane port so if you are accessing management directly (without going dataplane port) this will not help for disabling SSLv3 on management interface.

Will keep you posted if I get a chance to try this in lab

Hope it helps !

L6 Presenter

Hi Mrafi,

You can not disable SSLv3 by any command or configuration.

However, you may want to try custom vuln. signature mentioned above.

Regards,

Hardik Shah

L5 Sessionator

mrafi

Just tested this in my lab and it works Smiley Happy

You have to specify the decimal value for SSL 3.0 hexadecimal code (0x0300) which is 768.

sslv3_decimal.JPG

Hope it helps !

L6 Presenter

Hi Mrafi,

This will stop SSLv3 on Data port only, for that you will have to configure custom vuln profile in policy.

This will not help to stop SSLv3 on Management interface.

Regards,

Hardik Shah

L6 Presenter

I created a custom signature like

Just to add guys content version 463 has been released which contains the SSLv3 poodle vulnerability signature.

Hope it helps !

L4 Transporter

No you can not disable this, the version is negotiated by the end-host and server.

The Vulnerability signature which is provided will not be applied to traffic destined to  firewall

For example: people from DMZ are tried to manage firewall on firewall's DMZ interface, the signature will not be enough to identify ssl3, because content inspection is not applied when traffic is destined to firewall and not passing through the firewall. The same will apply to GP. we would not be able to identify this when SSL connection terminates on untrust interface of firewall

The work around while we wait for engineering is to host the service on loopback. Because when the service is hosted on loopback (different zone). This will make packet pass though the CTD engine of firewall like regular traffic to detect vulnerability.

Regards

Sai


~ Sai Srivastava Tumuluri ~

wow, so PA cant disable sslv3 ... thats not good. I know the sig can protect but common,,,, we cant pick protocols/ciphers on an enterprise class firewall ..?? AND its based on Linux right? so PA went out of its way to make it so we cant do this?


Why does the PA NOT detect SSLv3 when it's set to decrypt the passing traffic?

Here's what I did to test...

1.  I forced my browser to user ONLY SSLv3.

2.  Set Threat ID 36815(SSLv3 Found in Server Response) to "drop-all-packets".

3.  Browsed to web server behind the PA and page loaded fine.

4.  Wireshark capture shows only SSLv3 being used.

5.  Not detected in PA.

Then I tried web traffic that is not being decrypted and the PA detected and blocked the SSLv3 attempt.

I's suppose the PA to be able to adjust the SSL/TLS Versions allowed in SSL hello messages when performing SSL Decryption since it is acting as the clientside towards the WebServer ?!

Why is there no way to infuence this with a Decryption Profile?

  • 10648 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!