Hi All,
I have a case where a customer needs to disable SSL 3.0 on an interface and just use SSL 1.0 and 2.0 for both device management and GP. Is this possible? If so, then how? Is there any other way apart from disabling the entire SSL feature on the interface? Kindly advise.
I have not tested this but you can try creating a custom vulnerability with ssl-rsp-version 3 and block it:
The above vulnerability will only be effective for traffic going through a dataplane port, so if you are accessing management directly (without going through a dataplane port) this will not help for disabling SSLv3 on the management interface.
Will keep you posted if I get a chance to try this in the lab.
Hope it helps !
Hi Mrafi,
You cannot disable SSLv3 by any command or configuration.
However, you may want to try the custom vulnerability signature mentioned above.
Regards,
Hardik Shah
Just tested this in my lab and it works :smileyhappy:
You have to specify the decimal value of the SSL 3.0 hexadecimal code (0x0300), which is 768.
Hope it helps !
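To make the decimal value concrete, here is an added Python example (not part of the original thread and not Palo Alto code) that parses a constructed SSL/TLS ServerHello record and applies the same rule the custom signature does: block when the server's response version is 0x0300, i.e. 768. The record builder and the sample bytes are constructed for the example, not taken from a capture.

```python
import struct

SSL3_VERSION = 0x0300          # 768 decimal, the value entered as ssl-rsp-version
RECORD_HANDSHAKE = 0x16        # TLS record content type: handshake
HANDSHAKE_SERVER_HELLO = 0x02  # handshake message type: ServerHello


def build_server_hello(version: int) -> bytes:
    """Construct a minimal ServerHello record (constructed sample, not a real capture)."""
    body = struct.pack("!H", version)   # server_version: the version the server picked
    body += b"\x00" * 32                # random, fixed to zeros for determinism
    body += b"\x00"                     # session_id length 0
    body += b"\x00\x2f"                 # cipher suite TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x00"                     # compression method: null
    handshake = bytes([HANDSHAKE_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    header = bytes([RECORD_HANDSHAKE]) + struct.pack("!H", version)
    return header + struct.pack("!H", len(handshake)) + handshake


def negotiated_version(record: bytes):
    """Return the server_version of a ServerHello record as an int (768 for SSL 3.0),
    or None when the bytes are not a complete, well-formed ServerHello."""
    if len(record) < 5 or record[0] != RECORD_HANDSHAKE:
        return None                     # too short, or not a handshake record
    rec_len = struct.unpack("!H", record[3:5])[0]
    payload = record[5:5 + rec_len]
    if len(payload) < rec_len or len(payload) < 6:
        return None                     # truncated record
    if payload[0] != HANDSHAKE_SERVER_HELLO:
        return None                     # e.g. a ClientHello; only the server's answer counts
    hs_len = int.from_bytes(payload[1:4], "big")
    if len(payload) - 4 < hs_len:
        return None                     # truncated handshake body
    return struct.unpack("!H", payload[4:6])[0]


def should_block(record: bytes) -> bool:
    """Mimic the custom signature: block when the server answered with SSL 3.0 (768)."""
    return negotiated_version(record) == SSL3_VERSION
```

Like the signature on the firewall, this only sees records that pass through the parser; a session terminating elsewhere is never examined.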
Hi Mrafi,
This will stop SSLv3 on the data port only; for that you will have to configure a custom vulnerability profile in the policy.
This will not help to stop SSLv3 on the management interface.
Regards,
Hardik Shah
Hi Mrafi,
Just FYI...
Regards,
Hardik Shah
I created a custom signature like csharma suggested and I can confirm that it works.
It does not, however, seem to work if you are decrypting the SSL traffic via the Palo Alto.
Just to add, guys: content version 463 has been released, which contains the SSLv3 POODLE vulnerability signature.
Hope it helps !
No, you cannot disable this; the version is negotiated by the end host and the server.
The vulnerability signature which is provided will not be applied to traffic destined to the firewall.
For example: if people from the DMZ try to manage the firewall on the firewall's DMZ interface, the signature will not be enough to identify SSL3, because content inspection is not applied when traffic is destined to the firewall and not passing through the firewall. The same will apply to GP. We would not be able to identify this when the SSL connection terminates on the untrust interface of the firewall.
The workaround while we wait for engineering is to host the service on a loopback. When the service is hosted on a loopback (in a different zone), packets pass through the CTD engine of the firewall like regular traffic, so the vulnerability can be detected.
Regards
Sai
Wow, so PA can't disable SSLv3 ... that's not good. I know the sig can protect, but c'mon, we can't pick protocols/ciphers on an enterprise-class firewall ..?? AND it's based on Linux, right? So PA went out of its way to make it so we can't do this?