- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
I've seen many questions on the discussions forum about cipher suites or, more specifically, unsupported cipher suites. I've seen this question most often in relation to decrypting traffic (but cipher suites are not limited to this feature). So, what is this cipher suite exactly?
A cipher suite is a set of algorithms that help secure a network connection. Suites typically use Transport Layer Security (TLS) or Secure Socket Layer (SSL). The set of algorithms that cipher suites usually contain include: a key exchange algorithm (e.g. ECDHE), an encryption algorithm (e.g. AES256-CBC), and an authentication algorithm (e.g. SHA256).
You can clearly see the different types of algorithms in the Decryption Profile settings (Objects > Decryption > Decryption Profile):
Depending on the PAN-OS version you're running, your device will support or won't support a certain set of algorithms. For a complete set of supported ciphers suites you should check out the Compatibility Matrix: Supported Cipher Suites.
As you can see on the matrix page, the supported suites vary between the different PAN-OS versions. In addition to that, depending on the feature you're implementing, you may see different sets of cipher suites being supported. In the latest PAN-OS version (10.1 at the moment I'm writing this) you'll find different ciphers in the following sections:
As I mentioned earlier, in most cases I've seen questions related to cipher suites pop up in relation to decryption issues. For example, when the web server chooses a cipher suite not supported for decryption. Or different sets of suites being supported for inbound versus outbound decryption was also a thing on older PAN-OS versions.
Most of the time taking a PCAP of the SSL handshake would identify the cipher suite being used and then mapping it to the supported matrix page would tell us if the cipher suite was supported or not. In such a case, a collaboration with the web server administrator is sometimes necessary to disable the unsupported ciphers to make sure that the server uses the same set of ciphers supported by the firewall and make decryption possible.
Here are some related discussions on this topic:
Unsupported cipher. Supported client cipher bitmask: 0x00000000
Questioning about unsupported cipher suite for SSL Decryption
"decrypt-unsupport-param" error on Inbound SSL Decryption
Feel free to share your questions, comments and ideas in the section below.
Thank you for taking time to read this blog.
Don't forget to hit the Like (thumbs up) button and to Subscribe to the LIVEcommunity Blog area.
Kiwi out!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Subject | Likes |
---|---|
2 Likes | |
1 Like | |
1 Like | |
1 Like | |
1 Like |