This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Disable Cipher Suite

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Content translations are temporarily unavailable due to site maintenance. We apologize for any inconvenience. Visit our blog to learn more.

Disable Cipher Suite

Joshan_Lakhani
L4 Transporter

‎08-05-2020 09:51 AM

As of the pen test via SSL LAB  i was observed that less secure ciphers like DES, RC4 were supported by global protect portal ,so that i have disable the all the weak cipher suite and it's successfully done but the when i disable CBC-256 Suite when i commit it got this error  Please Suggest 

 

Joshan_Lakhani_0-1596646238785.png

 

 

protocol-settings {

  min-version tls1-2;

  max-version max;

  enc-algo-aes-128-cbc no;

  enc-algo-aes-128-gcm no;

  auth-algo-sha256 no;

  auth-algo-sha384 no;

  enc-algo-aes-256-cbc no;

0 Likes Likes
4 REPLIES 4

raji_toor
L4 Transporter

‎08-06-2020 08:05 AM

@Joshan_Lakhani Curious how do you block ciphers. I have the certificate imported and then creates SSL/TLS service profile set to minimum 1.2. Where do e select ciphers.

0 Likes Likes

raji_toor
L4 Transporter
In response to raji_toor

‎08-06-2020 09:38 AM

Ok.. I didn't know it as an option starting version 8.

I ran this command on our panorama(9.0.9) and only thing i see failing in ssllabs test is renegotiation. 

 

set template PA1 config vsys vsys1 ssl-tls-service-profile GP certificate VPN protocol-settings min-version tls1-2 enc-algo-aes-128-cbc no enc-algo-3des no enc-algo-aes-256-cbc no auth-algo-sha1 no enc-algo-rc4 no max-version max keyxchg-algo-rsa no

0 Likes Likes
(1)

Joshan_Lakhani
L4 Transporter
In response to raji_toor

‎08-06-2020 11:51 AM

@raji_toor 

 

Please follow this KB  to disable weak cipher suite. As these cipher suite can be disable from 8.1 onward version before 8.1 you can not disable weak cipher suite.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmqeCAC

0 Likes Likes

Joshan_Lakhani
L4 Transporter
In response to Joshan_Lakhani

‎08-11-2020 10:00 AM

As I disable all other weak  cipher suite but the when i disable CBC-256 i got the error. As i use TLS1.2  3rd party certificate.Please suggest

0 Likes Likes
  • 6602 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks