Is it possible to Specifically Disable SSL 3.0 on a Palo Alto Interface


Hi All,

I have a case where a customer needs to disable SSL 3.0 on an interface and just use SSL 1.0 and 2.0 for both device management and GP. Is this possible? If so, how? Is there any other way apart from disabling the entire SSL feature on the interface? Kindly advise.

bat
L5 Sessionator

Re: Is it possible to Specifically Disable SSL 3.0 on a Palo Alto Interface

mrafi

I have not tested this, but you can try creating a custom vulnerability with ssl-rsp-version 3 and blocking it:

[attached image: sslv3.JPG]

The above vulnerability will only be effective for traffic going through a dataplane port, so if you are accessing management directly (without going through a dataplane port) this will not help for disabling SSLv3 on the management interface.

Will keep you posted if I get a chance to try this in the lab.

Hope it helps!

L6 Presenter

Re: Is it possible to Specifically Disable SSL 3.0 on a Palo Alto Interface

Hi Mrafi,

You cannot disable SSLv3 by any command or configuration.

However, you may want to try the custom vuln. signature mentioned above.

Regards,

Hardik Shah

bat
L5 Sessionator

Re: Is it possible to Specifically Disable SSL 3.0 on a Palo Alto Interface

mrafi

Just tested this in my lab and it works!

You have to specify the decimal value of the SSL 3.0 hexadecimal code (0x0300), which is 768.

[attached image: sslv3_decimal.JPG]

Hope it helps!
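To make the 768 value concrete, here is an added Python example (not from this thread or from Palo Alto) that parses a TLS/SSL handshake record and reads the server-selected version from the ServerHello, the same response-version field a signature on ssl-rsp-version keys on. The sample records are constructed inline; the record builder is a test helper, not real captured traffic.

```python
import struct

SSL30 = 0x0300                 # decimal 768, the value used in the custom signature
CONTENT_TYPE_HANDSHAKE = 0x16  # TLS record content type for handshake messages
HANDSHAKE_SERVER_HELLO = 0x02  # handshake message type for ServerHello


def server_hello_version(record: bytes):
    """Return the server-selected protocol version (as an int) from a
    handshake record carrying a ServerHello, or None if the bytes are not one.

    Record layout: type(1) version(2) length(2) | hs_type(1) hs_len(3) version(2) ...
    """
    if len(record) < 11:          # too short to hold a record header + version
        return None
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != CONTENT_TYPE_HANDSHAKE:
        return None               # application data, alerts, etc. are not checked
    body = record[5:5 + rec_len]
    if len(body) < 6 or body[0] != HANDSHAKE_SERVER_HELLO:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_len + 4 > len(body):
        return None               # truncated handshake message, do not guess
    return struct.unpack("!H", body[4:6])[0]


def is_sslv3_response(record: bytes) -> bool:
    """True when the server answered with SSL 3.0 (0x0300 == 768)."""
    return server_hello_version(record) == SSL30


def build_server_hello(version: int) -> bytes:
    """Constructed minimal ServerHello record for testing (hypothetical helper):
    version, 32-byte random, empty session id, one cipher suite, null compression."""
    body = (struct.pack("!H", version) + b"\x00" * 32 + b"\x00"
            + struct.pack("!H", 0x0035) + b"\x00")
    hs = bytes([HANDSHAKE_SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", CONTENT_TYPE_HANDSHAKE, version, len(hs)) + hs


if __name__ == "__main__":
    for ver in (SSL30, 0x0303):
        rec = build_server_hello(ver)
        print(hex(ver), server_hello_version(rec), is_sslv3_response(rec))
```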

L6 Presenter

Re: Is it possible to Specifically Disable SSL 3.0 on a Palo Alto Interface

Hi Mrafi,

This will stop SSLv3 on the data port only; for that you will have to configure a custom vuln. profile in the policy.

This will not help to stop SSLv3 on the management interface.

Regards,

Hardik Shah

L6 Presenter

Re: Is it possible to Specifically Disable SSL 3.0 on a Palo Alto Interface

L4 Transporter

Re: Is it possible to Specifically Disable SSL 3.0 on a Palo Alto Interface

I created a custom signature like

bat
L5 Sessionator

Re: Is it possible to Specifically Disable SSL 3.0 on a Palo Alto Interface

Just to add, guys: content version 463 has been released, which contains the SSLv3 POODLE vulnerability signature.

Hope it helps!

L4 Transporter

Re: Is it possible to Specifically Disable SSL 3.0 on a Palo Alto Interface

No, you cannot disable this; the version is negotiated by the end host and server.

The vulnerability signature which is provided will not be applied to traffic destined to the firewall.

For example, if people from the DMZ try to manage the firewall on the firewall's DMZ interface, the signature will not be enough to identify SSLv3, because content inspection is not applied when traffic is destined to the firewall and not passing through the firewall. The same will apply to GP: we would not be able to identify this when the SSL connection terminates on the untrust interface of the firewall.

The workaround while we wait for engineering is to host the service on a loopback interface (in a different zone), because this will make the packet pass through the CTD engine of the firewall like regular traffic to detect the vulnerability.

Regards

Sai

~ Sai Srivastava Tumuluri ~
L3 Networker

Re: Is it possible to Specifically Disable SSL 3.0 on a Palo Alto Interface

Wow, so PA can't disable SSLv3... that's not good. I know the sig can protect, but come on, we can't pick protocols/ciphers on an enterprise-class firewall?? And it's based on Linux, right? So PA went out of its way to make it so we can't do this?
