Disable ciphers


L1 Bithead

Hi guys,

 

Would like to know how to disable the following ciphers:

 

TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA

 

 

Can I follow the following KB to disable them:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmqeCAC

Protocol settings is at TLSv1.0

Or can I use the GUI and disable the ciphers from the SSL/TLS service profile?

Also, I want to know if I need to disable SSL/TLS on Panorama?

If yes, is it done using the KB mentioned above?

1 accepted solution

Accepted Solutions

L2 Linker

Yes, you can use that article. I would use the following commands to achieve the best possible score on SSL Labs that you can get with a Palo Alto fw, which is A-:

 

configure
set shared ssl-tls-service-profile <SSL/TLS Service Profile> protocol-settings auth-algo-sha1 no
set shared ssl-tls-service-profile <SSL/TLS Service Profile> protocol-settings enc-algo-3des no
set shared ssl-tls-service-profile <SSL/TLS Service Profile> protocol-settings enc-algo-aes-128-cbc no
set shared ssl-tls-service-profile <SSL/TLS Service Profile> protocol-settings enc-algo-aes-256-cbc no
set shared ssl-tls-service-profile <SSL/TLS Service Profile> protocol-settings enc-algo-rc4 no
set shared ssl-tls-service-profile <SSL/TLS Service Profile> protocol-settings keyxchg-algo-rsa no
set shared ssl-tls-service-profile <SSL/TLS Service Profile> protocol-settings auth-algo-sha256 yes
set shared ssl-tls-service-profile <SSL/TLS Service Profile> protocol-settings auth-algo-sha384 yes
set shared ssl-tls-service-profile <SSL/TLS Service Profile> protocol-settings enc-algo-aes-128-gcm yes
set shared ssl-tls-service-profile <SSL/TLS Service Profile> protocol-settings enc-algo-aes-256-gcm yes
set shared ssl-tls-service-profile <SSL/TLS Service Profile> protocol-settings keyxchg-algo-dhe yes

commit

 

@palo Alto: When will you fix the Secure Renegotiation issue?
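
An added example, not part of the original thread or of Palo Alto's tooling: it parses the answer's `set ... protocol-settings` lines and reports which of the six suites from the question would still be enabled, and which toggle removes each. It assumes a suite is offered only when its key-exchange, encryption and MAC toggles are all enabled and that unset toggles default to enabled; `EXAMPLE-PROFILE` is a placeholder profile name.

```python
import re

# The six suites named in the question.
REQUESTED = [
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
]
# Constructed input: the answer's toggles; EXAMPLE-PROFILE is a placeholder name.
PREFIX = "set shared ssl-tls-service-profile EXAMPLE-PROFILE protocol-settings "
ANSWER_COMMANDS = "\n".join(PREFIX + t for t in [
    "auth-algo-sha1 no", "enc-algo-3des no", "enc-algo-aes-128-cbc no",
    "enc-algo-aes-256-cbc no", "enc-algo-rc4 no", "keyxchg-algo-rsa no",
    "auth-algo-sha256 yes", "auth-algo-sha384 yes", "enc-algo-aes-128-gcm yes",
    "enc-algo-aes-256-gcm yes", "keyxchg-algo-dhe yes",
])
# Assumed mapping from IANA name components to profile toggles.
KX = {"DHE_RSA": "keyxchg-algo-dhe", "ECDHE_RSA": "keyxchg-algo-ecdhe",
      "RSA": "keyxchg-algo-rsa"}
MAC = {"SHA": "auth-algo-sha1", "SHA256": "auth-algo-sha256", "SHA384": "auth-algo-sha384"}

def parse_settings(commands):
    """Return {toggle: bool} from 'set ... protocol-settings <toggle> <yes|no>' lines."""
    pat = re.compile(r"protocol-settings\s+(\S+)\s+(yes|no)\s*$")
    settings = {}
    for line in commands.splitlines():
        m = pat.search(line)
        if m:
            settings[m.group(1)] = m.group(2) == "yes"
    return settings

def toggles_for(suite):
    """Split TLS_<kx>_WITH_<enc>_<mac> into the three toggles the suite depends on."""
    kx, rest = suite[len("TLS_"):].split("_WITH_")
    enc, mac = rest.rsplit("_", 1)
    return [KX[kx], "enc-algo-" + enc.lower().replace("_", "-"), MAC[mac]]

def blocking_toggles(suite, settings):
    """Toggles set to 'no' that remove this suite; unset toggles count as enabled."""
    return [t for t in toggles_for(suite) if settings.get(t, True) is False]

def still_offered(suites, settings):
    """Suites with no disabling toggle, i.e. still enabled under the model above."""
    return [s for s in suites if not blocking_toggles(s, settings)]

if __name__ == "__main__":
    cfg = parse_settings(ANSWER_COMMANDS)
    for s in REQUESTED:
        print(s, "disabled by", blocking_toggles(s, cfg) or "nothing")
```
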

 


2 REPLIES 2


Hi Han.Valk,

 

Thanks for the solution. But what about Panorama?

 

Is it set panorama ssl-tls-service-profile <SSL/TLS Service Profile> protocol-settings?
