PCI compliance scan failed for Globalprotect IP address not using version TLS 1.2

PCI compliance scan failed for Globalprotect IP address not using version TLS 1.2

23759
Created On 09/27/18 09:15 AM - Last Modified 06/01/23 08:42 AM


Resolution


Issue

PCI compliance scan failed for GlobalProtect IP address not using minimum version of TLS 1.2

 

Cause

Running PAN-OS 6.1.4 and below, by default the GlobalProtect Agent connects using TLS 1.0.

 

Resolution

To resolve this, we have to configure a minimum version of TLS to be used to secure the connection between the GlobalProtect agent and the firewall.

 

Steps

  1. Go to Device > Certificate Management > SSL/TLS Service Profile > Create a new profile.User-added image
  2. Go to the GlobalProtect configuration under Network > GlobalProtect.
  3. Map the newly created SSL/TLS service profile to both the portal and the gateway configuration.User-added imageUser-added image
  4. Commit the configuration.
  5. Reconnect to the GlobalProtect from the client machine.

 

 
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm8hCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language