- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
- AIOps for NGFW
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- Cloud NGFW for AWS
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
- COVID-19 Response Center
Audit Global protect server
- LIVEcommunity
- Collaboration
- Discussions
- General Topics
- Audit Global protect server
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Audit Global protect server
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
07-27-2020 08:32 AM
Hi,
We launched a sslab test for a GlobalProtect Portal website. Our note is B. We would like to improve these two things but we dont know what it can be done in PA config. These are:
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
08-01-2020 03:01 AM
Hi @BigPalo
Forward secrecy actually is supported by paloalto. If you look at the details of the browser handshake list, you should see most of them use ciphersuites with forward secrecy. Only a few - which count as reference browser for Qualys SSLLabs - do not use forward secrecy ciphersuites.
The point with the missing secure renegotiation is still true and unfortunately theres nothing you can do about that at the moment except wait until it is supportet (in PAN-OS 10 it is still not supported).
An explanation of secure renegotiation you can find here: https://devcentral.f5.com/s/articles/ssl-legacy-renegotiation-vs-secure-renegotiation-explained-usin...
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
09-09-2020 03:51 AM
Hi @BigPalo ,
You can easily get A minus on SSLlabs and take out most of the forward secrecy.
I assume you have your ssl-tls-service-profile set at minimum TLS 1.2
Just run the following via the CLI:
- configure
- set shared ssl-tls-service-profile yourprofile protocol-settings auth-algo-sha1 no
- set shared ssl-tls-service-profile yourprofile protocol-settings enc-algo-3des no
While you are at it also disable the following:
- set shared ssl-tls-service-profile yourprofile protocol-settings enc-algo-rc4 no
- set shared ssl-tls-service-profile yourprofile protocol-settings keyxchg-algo-rsa no
- commit
Unfortunately it does not fix anything for secure renegotiation.
Regards,
Raymond
- deploying ssl decryption cert using global protect client in VM-Series in the Private Cloud
- FTP Server Access concerns over VPN in General Topics
- Split Tunnel with Global Protect and cannot get to internet in General Topics
- Global Protect users unable to access internal resources in General Topics
- export users global protect "user name" and "Login Time" in GlobalProtect Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
