cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Audit Global protect server

Announcements

Changes to the LIVEcommunity experience are coming soon... Here's what you need to know.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
jesuscano
L4 Transporter
‎07-27-2020 08:32 AM
‎07-27-2020 08:32 AM

Audit Global protect server

Hi,

 

We launched a sslab test for a GlobalProtect Portal website. Our note is B. We would like to improve these two things but we dont know what it can be done in PA config. These are:

 

There is no support for secure renegotiation.  MORE INFO »
This server does not support Forward Secrecy with the reference browsers. Grade capped to B.  MORE INFO »
 
What means "secure renegotiation"? how can solve this in PA?
what about Palo support froward secrecy? anything to do in Palo?
 
0 Likes
Reply
vsys_remo
Cyber Elite
Cyber Elite
‎08-01-2020 03:01 AM
‎08-01-2020 03:01 AM

Hi @jesuscano 

Forward secrecy actually is supported by paloalto. If you look at the details of the browser handshake list, you should see most of them use ciphersuites with forward secrecy. Only a few - which count as reference browser for Qualys SSLLabs - do not use forward secrecy ciphersuites.

The point with the missing secure renegotiation is still true and unfortunately theres nothing you can do about that at the moment except wait until it is supportet (in PAN-OS 10 it is still not supported).

An explanation of secure renegotiation you can find here: https://devcentral.f5.com/s/articles/ssl-legacy-renegotiation-vs-secure-renegotiation-explained-usin...

0 Likes
Reply
RaymondSchuiling
L0 Member
‎09-09-2020 03:51 AM
‎09-09-2020 03:51 AM

Hi @jesuscano ,

 

You can easily get A minus on SSLlabs and take out most of the forward secrecy.

I assume you have your ssl-tls-service-profile set at minimum TLS 1.2

 

Just run the following via the CLI:

  • configure
  • set shared ssl-tls-service-profile yourprofile protocol-settings auth-algo-sha1 no
  • set shared ssl-tls-service-profile yourprofile protocol-settings enc-algo-3des no

 

While you are at it also disable the following:

  • set shared ssl-tls-service-profile yourprofile protocol-settings enc-algo-rc4 no
  • set shared ssl-tls-service-profile yourprofile protocol-settings keyxchg-algo-rsa no
  • commit

Unfortunately it does not fix anything for secure renegotiation.

 

Regards,

Raymond

0 Likes
Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2021 - Palo Alto Networks