Palo Alto Networks Supported SSL/TLS Version and Cipher Suites for Web UI


A newer list of supported cipher suites is available here: PAN-OS 7.1 Supported ciphers


Details

Protocol version SSL 3.0/TLS 1.0 is currently supported for management access.

To log into the Palo Alto Networks firewall, the browser must support TLS 1.0 or a compatible version.


The following are cipher suites for admin sessions (web interface):

DHE-RSA-AES256-SHA

RSA-AES256-SHA

DHE-RSA-CAMELLIA256-SHA

RSA-CAMELLIA256-SHA

EDH-RSA-3DES-SHA

RSA-3DES-SHA (aka RSA-DES-CBC3-SHA aka DES-CBC3-SHA)

DHE-RSA-AES128-SHA

RSA-AES128-SHA

DHE-RSA-SEED-SHA

RSA-SEED-SHA

DHE-RSA-CAMELLIA128-SHA

CAMELLIA128-SHA

RSA-RC4-SHA

RSA-RC4-MD5


Note: The SSL v3 option has been removed from PAN-OS 6.0.8 and 6.1.2 onward.
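As an added illustration (not part of the KB article or of PAN-OS itself), the script below parses the OpenSSL-style suite names listed above, including the alias spellings the page gives for 3DES, and reports which suites a defender would disable on a management interface: RC4, 3DES, MD5-based MACs, and static RSA key exchange without forward secrecy. The suite list is copied from the page; the classification rules are the author's own and the "recommended" set simply means "no finding".

```python
# Cipher suites as listed in the KB article above (OpenSSL-style names).
PAGE_SUITES = [
    "DHE-RSA-AES256-SHA", "RSA-AES256-SHA", "DHE-RSA-CAMELLIA256-SHA",
    "RSA-CAMELLIA256-SHA", "EDH-RSA-3DES-SHA", "RSA-3DES-SHA",
    "DHE-RSA-AES128-SHA", "RSA-AES128-SHA", "DHE-RSA-SEED-SHA",
    "RSA-SEED-SHA", "DHE-RSA-CAMELLIA128-SHA", "CAMELLIA128-SHA",
    "RSA-RC4-SHA", "RSA-RC4-MD5",
]


def parse_suite(name):
    """Split an OpenSSL-style suite name into key exchange, cipher and MAC.

    Handles the alias spellings used on the page: EDH == DHE, and
    DES-CBC3 == 3DES. A missing key-exchange prefix means static RSA.
    """
    parts = name.upper().split("-")
    mac, body = parts[-1], parts[:-1]
    if body and body[0] in ("DHE", "EDH"):
        kx, body = "DHE", body[1:]        # ephemeral Diffie-Hellman
    else:
        kx = "RSA"                        # static RSA key exchange
    if body and body[0] == "RSA":
        body = body[1:]                   # drop the authentication token
    cipher = "-".join(body)
    if cipher in ("DES-CBC3", "3DES"):
        cipher = "3DES"
    return {"kx": kx, "cipher": cipher, "mac": mac}


def weaknesses(name):
    """Reasons to disable a suite on a management interface (empty list = none)."""
    s = parse_suite(name)
    reasons = []
    if s["cipher"] == "RC4":
        reasons.append("RC4 stream cipher (removed in PAN-OS 6.0.7 / 6.1.0)")
    if s["cipher"] == "3DES":
        reasons.append("3DES 64-bit block cipher")
    if s["mac"] == "MD5":
        reasons.append("MD5-based MAC")
    if s["kx"] != "DHE":
        reasons.append("static RSA key exchange, no forward secrecy")
    return reasons


def audit(suites):
    """Map every suite to its list of findings."""
    return {n: weaknesses(n) for n in suites}


def recommended(suites):
    """Suites with no findings: ephemeral DH with AES, Camellia or SEED."""
    return [n for n in suites if not weaknesses(n)]
```

Running `audit(PAGE_SUITES)` flags nine of the fourteen suites; only the five DHE suites survive, which matches the commenter's wish to drop RC4 and goes one step further by also excluding the non-PFS static-RSA suites.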


owner:sgantait

Comments

Just FYI, but with the release of NIST SP 800-52 rev1 this past April and a ban on TLS 1.0 starting January 1st, 2015 within the Federal government for internal-facing SSL applications, we need a way to make this TLS 1.1 or, more ideally, TLS 1.2.

TLS 1.1 is a must for all Federal customers 01-01-2014.

Is it possible to disable specific SSL ciphers for the management interface? I don't really like RC4 in the list.

Does this support TLS 1.3?

Can we disable SSL 3.0 for the management console? Please revert.

Hi Nicky,

Please find the link below: it was TLS 1.3 which currently wasn't supported, and you need to contact your sales engineer to file a request.

Re: SSL Decrypt does NOT work with TLS 1.1 or TLS 1.2

Regards

Satish

Hello Nicky,

The SSL v3 option has been removed from PAN-OS 6.0.8 and 6.1.2 onward. Prior to these versions, you do not have any option to disable SSL v3 on the firewall; rather, you may disable SSL v3 in your web browser. Accordingly, the client will not send SSL v3 during the handshake.

You may go through the security advisory for more detailed information: SSL 3.0 MITM Attack (CVE-2014-3566) (PAN-SA-2014-0005) a.k.a. POODLE

The bugs mentioned below have been fixed in PAN-OS 6.0.8.

71321—Removed support for SSL 3.0 from the GlobalProtect gateway, GlobalProtect portal, and Captive Portal due to CVE-2014-3566 (POODLE).

71320—Removed support for SSL 3.0 from the web interface due to CVE-2014-3566 (POODLE).

Hope this helps.

Thanks

Thanks Satish

Hello,


Support for RSA-RC4-SHA and RSA-RC4-MD5 has been removed from PAN-OS 6.0.7 and 6.1.0?

64713 Removed support for the RC4‐MD5 and RC4‐SHA cipher suites. These ciphers cannot be used to negotiate an SSL/TLS connection to the GlobalProtect portal or to the management interface of the firewall.

Hi all,


Can anybody please confirm if the latest PAN-OS 8.0 still uses TLSv1.0 for the handshake during SSL communication? Is there a way we can configure Palo Alto to use TLSv1.1 or 1.2?


I have an HTTP server running services on 443 which supports a minimum of TLSv1.1 for SSL communication.

I am trying to forward threat logs using an HTTP log forwarding profile. I did a packet capture, and it seems like Palo Alto is making the handshake using TLSv1.0 and it fails as the HTTP server rejects the request.


The SSL/TLS Service Profile allows you to select the minimum protocol version for TLS, but I believe that is for incoming SSL communication requests from a client.