08-16-2022 01:19 AM - edited 08-16-2022 01:50 AM
Hi guys,
Would like to know how to disable the following ciphers:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
Can I follow the following KB to disable them:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmqeCAC
Protocol settings are at TLSv1.0
Or can I use the GUI and disable the ciphers from the SSL/TLS service profile?
Also, I want to know if I need to disable SSL/TLS on Panorama?
If yes, is it using the above KB mentioned?
08-17-2022 11:51 AM
Yes, you can use that article. I would use the following commands to achieve the best possible score on SSL Labs that you can get with a Palo Alto fw which is A-:
configure
set shared ssl-tls-service-profile <SSL/TLS Service Profile> protocol-settings auth-algo-sha1 no
set shared ssl-tls-service-profile <SSL/TLS Service Profile> protocol-settings enc-algo-3des no
set shared ssl-tls-service-profile <SSL/TLS Service Profile> protocol-settings enc-algo-aes-128-cbc no
set shared ssl-tls-service-profile <SSL/TLS Service Profile> protocol-settings enc-algo-aes-256-cbc no
set shared ssl-tls-service-profile <SSL/TLS Service Profile> protocol-settings enc-algo-rc4 no
set shared ssl-tls-service-profile <SSL/TLS Service Profile> protocol-settings keyxchg-algo-rsa no
set shared ssl-tls-service-profile <SSL/TLS Service Profile> protocol-settings auth-algo-sha256 yes
set shared ssl-tls-service-profile <SSL/TLS Service Profile> protocol-settings auth-algo-sha384 yes
set shared ssl-tls-service-profile <SSL/TLS Service Profile> protocol-settings enc-algo-aes-128-gcm yes
set shared ssl-tls-service-profile <SSL/TLS Service Profile> protocol-settings enc-algo-aes-256-gcm yes
set shared ssl-tls-service-profile <SSL/TLS Service Profile> protocol-settings keyxchg-algo-dhe yes
commit
@palo Alto: When will you fix the Secure Renegotiation issue?
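As an added check (example code written for this thread, not from the reply's author or from Palo Alto Networks): a small Python model of how the protocol-settings toggles in the reply map onto the suites listed in the question. It assumes PAN-OS offers a suite only when its key-exchange, cipher and hash toggles are all "yes", assumes the knob name keyxchg-algo-ecdhe (not shown in the reply) by analogy with the others, and uses a constructed all-enabled baseline profile.

```python
import re
from typing import Dict, List
# Toggles that make up each suite (knob names as in the reply's CLI lines). Assumption of
# this example: PAN-OS offers a suite only when all three of its toggles are "yes". The
# keyxchg-algo-ecdhe name does not appear in the reply; it is assumed by analogy.
SUITE_PARTS = {
    "TLS_RSA_WITH_AES_128_CBC_SHA":          ("keyxchg-algo-rsa",   "enc-algo-aes-128-cbc", "auth-algo-sha1"),
    "TLS_RSA_WITH_AES_256_CBC_SHA":          ("keyxchg-algo-rsa",   "enc-algo-aes-256-cbc", "auth-algo-sha1"),
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA":      ("keyxchg-algo-dhe",   "enc-algo-aes-128-cbc", "auth-algo-sha1"),
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA":      ("keyxchg-algo-dhe",   "enc-algo-aes-256-cbc", "auth-algo-sha1"),
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA":    ("keyxchg-algo-ecdhe", "enc-algo-aes-128-cbc", "auth-algo-sha1"),
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA":    ("keyxchg-algo-ecdhe", "enc-algo-aes-256-cbc", "auth-algo-sha1"),
    "TLS_RSA_WITH_AES_128_GCM_SHA256":       ("keyxchg-algo-rsa",   "enc-algo-aes-128-gcm", "auth-algo-sha256"),
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256":   ("keyxchg-algo-dhe",   "enc-algo-aes-128-gcm", "auth-algo-sha256"),
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": ("keyxchg-algo-ecdhe", "enc-algo-aes-256-gcm", "auth-algo-sha384"),
}
ALL_TOGGLES = sorted({t for parts in SUITE_PARTS.values() for t in parts})
# The six suites the question asks to remove.
ASKED_TO_DISABLE = [s for s in SUITE_PARTS if s.endswith("_CBC_SHA")]
# Excerpt of the reply's commands (profile-name placeholder kept as posted).
REPLY_CLI = """\
configure
set shared ssl-tls-service-profile <SSL/TLS Service Profile> protocol-settings auth-algo-sha1 no
set shared ssl-tls-service-profile <SSL/TLS Service Profile> protocol-settings enc-algo-aes-128-cbc no
set shared ssl-tls-service-profile <SSL/TLS Service Profile> protocol-settings enc-algo-aes-256-cbc no
set shared ssl-tls-service-profile <SSL/TLS Service Profile> protocol-settings keyxchg-algo-rsa no
set shared ssl-tls-service-profile <SSL/TLS Service Profile> protocol-settings auth-algo-sha256 yes
set shared ssl-tls-service-profile <SSL/TLS Service Profile> protocol-settings keyxchg-algo-dhe yes
commit
"""
SET_RE = re.compile(r"^set shared ssl-tls-service-profile .+ protocol-settings (\S+) (yes|no)$")
def apply_cli(profile: Dict[str, str], cli: str) -> Dict[str, str]:
    """Return a copy of `profile` with every matching protocol-settings line applied in order."""
    out = dict(profile)
    for line in cli.splitlines():
        if m := SET_RE.match(line.strip()):
            out[m.group(1)] = m.group(2)
    return out

def offered_suites(profile: Dict[str, str]) -> List[str]:
    """Suites whose three toggles are all 'yes'; an absent toggle is treated as 'no'."""
    return [s for s, parts in SUITE_PARTS.items() if all(profile.get(t) == "yes" for t in parts)]

def still_offered(profile: Dict[str, str], unwanted: List[str]) -> List[str]:
    """Suites from `unwanted` that the profile would still negotiate."""
    return [s for s in unwanted if s in offered_suites(profile)]
if __name__ == "__main__":
    before = dict.fromkeys(ALL_TOGGLES, "yes")  # constructed baseline: every toggle enabled
    after = apply_cli(before, REPLY_CLI)
    print("still negotiable after the reply's commands:", still_offered(after, ASKED_TO_DISABLE))
```

This models the profile, not the firewall, so after the commit still confirm the result with an external scan such as the SSL Labs test the reply mentions.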
08-17-2022 09:21 PM
Hi Han.Valk,
Thanks for the solution. But what about panorama?
Is it set panorama ssl-tls-service-profile <SSL/TLS Service Profile> protocol-settings?