PCI compliance scan failed for GlobalProtect IP address not using TLS 1.2
Created On 09/27/18 09:15 AM - Last Modified 06/01/23 08:42 AM
Issue
PCI compliance scan failed for GlobalProtect IP address not using minimum version of TLS 1.2
Cause
On firewalls running PAN-OS 6.1.4 and below, the GlobalProtect agent connects using TLS 1.0 by default.
Resolution
To resolve this, we have to configure a minimum version of TLS to be used to secure the connection between the GlobalProtect agent and the firewall.
Steps
- Go to Device > Certificate Management > SSL/TLS Service Profile > Create a new profile.
- Go to the GlobalProtect configuration under Network > GlobalProtect.
- Map the newly created SSL/TLS service profile to both the portal and the gateway configuration.
- Commit the configuration.
- Reconnect to GlobalProtect from the client machine.
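
To confirm the result after the commit and before the next PCI scan, the portal/gateway address can be probed one protocol version at a time. The script below is an added example, not part of the original article or Palo Alto Networks tooling; the default hostname `vpn.example.com` and the function names are placeholders, and it assumes the machine running it has an OpenSSL build that can still offer TLS 1.0/1.1 (otherwise those versions are reported as inconclusive).

```python
import socket, ssl, sys, warnings

VERSIONS = {"TLSv1.0": ssl.TLSVersion.TLSv1,
            "TLSv1.1": ssl.TLSVersion.TLSv1_1,
            "TLSv1.2": ssl.TLSVersion.TLSv1_2}

def probe(host, port, version, timeout=5.0):
    """True/False: the server completed/refused a handshake pinned to `version`.
    None: the local OpenSSL build cannot offer that version, so nothing was tested."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only the protocol version is under test
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = version
            ctx.maximum_version = version
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # allow legacy versions client-side
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):  # handshake refused or host unreachable
        return False

def evaluate(results):
    """Turn {label: True/False/None} into a verdict for a TLS 1.2 minimum."""
    if results.get("TLSv1.2") is not True:
        return "fail: TLS 1.2 not accepted (or host unreachable)"
    legacy = [v for v in ("TLSv1.0", "TLSv1.1") if results.get(v)]
    if legacy:
        return "fail: still accepts " + ", ".join(legacy)
    if any(results.get(v) is None for v in ("TLSv1.0", "TLSv1.1")):
        return "inconclusive: local client cannot offer a legacy version"
    return "pass"

if __name__ == "__main__":
    # vpn.example.com is a placeholder for the GlobalProtect portal/gateway address
    host = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"
    results = {name: probe(host, 443, v) for name, v in VERSIONS.items()}
    for name, ok in results.items():
        print(f"{name}: {ok}")
    print(evaluate(results))
```

Run it against both the portal and the gateway address if they differ, since the profile has to be mapped to each.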