PCI compliance scan failed for Globalprotect IP address not using version TLS 1.2

Printer Friendly Page


PCI compliance scan failed for GlobalProtect IP address not using minimum version of TLS 1.2



Running PAN-OS 6.1.4 and below, by default the GlobalProtect Agent connects using TLS 1.0.



To resolve this, we have to configure a minimum version of TLS to be used to secure the connection between the GlobalProtect agent and the firewall.



  1. Go to Device > Certificate Management > SSL/TLS Service Profile > Create a new profile.tls1.2.png
  2. Go to the GlobalProtect configuration under Network > GlobalProtect.
  3. Map the newly created SSL/TLS service profile to both the portal and the gateway configuration.portal tls1.2.pngGateway tls1.2.png
  4. Commit the configuration.
  5. Reconnect to the GlobalProtect from the client machine.






My customer has the same problem. PA is a vPA VM-100 on Software Version 8.1.0 and GlobalProtect Agent 4.1.2. 


All setting match per the items above in the article. However, the scan is showing Global Protect Portal IP allows TLS 1.0.


How to disallow TLS version prior to 1.2?


Thank you.


hi @Managed-Services


did you set the tls profile to only allow minimum version 1.2 ?



Thank you. Yes, we did. This is resolved now.