TLS 1.3 support

L7 Applicator

Re: TLS 1.3 support

@Sec101,

What exactly are you still wondering? The basis of this post still remains the same: PAN does not currently support the decryption of TLS1.3 traffic.

L4 Transporter

Re: TLS 1.3 support

@BPry - Thank you for the quick response. I didn't completely understand the fact that Palo was supporting but not decrypting on this as of yet. I think it was mentioned in this post, but I'm guessing most are eagerly awaiting hearing how this will work in the future, being transparent/explicit, or however it will work/if it will work...

From a pure security perspective, do you foresee more and more dependence on the endpoint logging and detection, and less and less from the firewall perspective moving forward? Without decryption, it seems like the ACC would be a block of SSL and DNS.

L7 Applicator

Re: TLS 1.3 support

@Sec101,

I'm running under the assumption that there will be a break in time in which we need to follow current guidance and disable TLS1.3 on endpoints to ensure it only utilizes something that can be decrypted. 

From a pure fundamental standpoint decrypting TLS1.3 doesn't actually change, it's still very possible. The ability to passively decrypt the connection with a private key however does. PAN just needs to make some adjustments to the way they are decrypting traffic and this will function from a firewall level perfectly fine. This is already targeted for a public release in 9.1 (that could get pushed back), so until the time comes that you can install whatever release TLS1.3 decryption is enabled in, simply force your clients to fall back to 1.2.
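
Added example, not part of the thread and not Palo Alto Networks code: one way to check that clients have actually stopped offering TLS 1.3 after the fall-back described in the post above, by reading the `supported_versions` extension of a ClientHello. The function names are hypothetical and the sample records are constructed for the demo.

```python
import struct

TLS13 = 0x0304
EXT_SUPPORTED_VERSIONS = 43  # extension type from RFC 8446, section 4.2.1

def offered_versions(record: bytes) -> list[int]:
    """Return the TLS versions offered by a ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    try:
        legacy_version = struct.unpack_from("!H", body, 0)[0]
        pos = 2 + 32                                        # legacy_version + random
        pos += 1 + body[pos]                                # session_id
        pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
        pos += 1 + body[pos]                                # compression_methods
        if pos + 2 > len(body):
            return [legacy_version]                         # no extensions block
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= min(end, len(body)):
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            data = body[pos + 4:pos + 4 + ext_len]
            if ext_type == EXT_SUPPORTED_VERSIONS and data:
                vers = data[1:1 + data[0]]                  # 1-byte list length, then 2-byte versions
                return [int.from_bytes(vers[i:i + 2], "big") for i in range(0, len(vers) - 1, 2)]
            pos += 4 + ext_len
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None
    return [legacy_version]                                 # pre-1.3 client: legacy field is the maximum

def offers_tls13(record: bytes) -> bool:
    return TLS13 in offered_versions(record)

def sample_client_hello(versions: list[int]) -> bytes:
    """Constructed ClientHello for the demo (zero random, one cipher suite)."""
    exts = b""
    if versions:
        vlist = b"".join(struct.pack("!H", v) for v in versions)
        exts = struct.pack("!HHB", EXT_SUPPORTED_VERSIONS, len(vlist) + 1, len(vlist)) + vlist
    body = (b"\x03\x03" + bytes(32) + b"\x00"               # legacy_version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"             # cipher_suites, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for label, hello in (("default client", sample_client_hello([0x0304, 0x0303])),
                         ("capped at 1.2", sample_client_hello([]))):
        print(label, [hex(v) for v in offered_versions(hello)], offers_tls13(hello))
```

A client that still offers `0x0304` has not picked up the fall-back setting, and its sessions will negotiate TLS 1.3 with any server that supports it.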

L4 Transporter

Re: TLS 1.3 support

@kiwi Can you post a statement to the current TLS 1.3 decryption situation?

L6 Presenter

Re: TLS 1.3 support


@Chacko42 wrote:

@kiwi Can you post a statement to the current TLS 1.3 decryption situation?


Nothing has changed.

Support of decrypting TLS versions will only come in the release of new PAN-OS versions other than patch updates (so X.X). It wasn't supported on 8.0.X, it's not supported on 8.1.X nor is it supported on 9.0.X. The community is currently waiting on a public release as to if it'll be supported in 9.1.X or if even sometime in a future release.
