Enabling TLS 1.1 in Decryption profile always allows 3DES even if unchecked


L1 Bithead

Scenario:

Decryption profile for traffic from the internet to GlobalProtect IP along with an SSL/TLS Service Profile for GlobalProtect, both set to TLS 1.1 or above; Decryption profile has 3DES unchecked.

PA-5020, 7.1.10


Scans from sites like ssllabs.com will show that 3DES is still enabled.  Only changing one of the profiles to TLS 1.2 stops this.

 

Can be repeated with decryption profiles that inspect inbound traffic to a test server that still allows 3DES and TLS 1.1+.

 

Is this normal?

 

On a side note, anytime I change the decryption profile dropdown from TLS 1.2 to TLS 1.1 to TLS 1.0, the 3DES box is checked automatically and I have to uncheck it.

7 REPLIES

Community Team Member

Hi @bfperez,

 

I'd recommend opening a TAC case with the results of ssllabs.

 

That said, I'm seeing the same behaviour with the 3DES checkbox on both PAN-OS 7.1 and 8.0, so I'm thinking this is currently the expected behaviour.

 

Cheers !

-Kiwi.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

L7 Applicator

Cool, it is possible to add a decryption profile to global protect traffic? On the same firewall or is this only possible if you have another PA in front of the global protect portal/gateway where you do inbound decryption?

We just have an HA pair that does all inbound decryption AND houses the GP Portals and Gateways. 

 

We have a decryption profile set up for traffic from the internet to the portals/gateways just like the decryption profiles for other inbound traffic, and it works.

You could try to "uncheck" 3DES from the CLI; maybe this works (if it is a bug in the web UI).

L7 Applicator

Besides the fact that there seems to be a bug: is this a real problem? Wouldn't it make more sense to only enable TLS 1.2, as there are almost zero clients that stop at TLS 1.1 and do not support TLS 1.2?

Community Team Member

Hi @bfperez @Remo,

 

Unchecking in the GUI seems to work fine.

The XML file will also reflect this config once it's committed:

 

 

blah {
    ssl-protocol-settings {
        enc-algo-3des no;
    }
}

 

The problem seems to be that the GUI doesn't "retain" this setting if you return to the same tab for a second time.  Notice how 3DES is re-checked even when it's not listed in the 'Encryption Algorithms'.

 

 

(Screenshot: "3DES is enabled.")

 

If you click OK here and recommit then you might re-enable 3DES unintentionally.

 

Either way, I believe it might be a good idea to get TAC involved.

 

Cheers !

-Kiwi.

 

 

 

 

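The practical takeaway from the exchange above is that the committed configuration (the `enc-algo-3des no` line) is the record to trust, not the GUI checkbox, and that only a TLS 1.2 minimum stopped 3DES from being offered on the poster's firewall. The following script is an added example, not code from the thread or from Palo Alto Networks: it audits an exported PAN-OS configuration for decryption profiles where 3DES is not explicitly disabled or where the minimum protocol version is below TLS 1.2. The XML layout (`profiles/decryption/entry/ssl-protocol-settings` with `min-version`, `max-version` and `enc-algo-3des` children, and the `tls1-0`/`tls1-1`/`tls1-2`/`max` values) is an assumption extrapolated from the set-format snippet quoted above; the embedded sample config is constructed for the example. Check the element names against your own export before relying on it.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an exported config. The element names under
# ssl-protocol-settings are an ASSUMPTION based on the "enc-algo-3des no"
# line quoted in the thread; verify them against a real export.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <profiles><decryption>
      <entry name="inbound-gp">
        <ssl-protocol-settings>
          <min-version>tls1-1</min-version>
          <max-version>max</max-version>
          <enc-algo-3des>no</enc-algo-3des>
        </ssl-protocol-settings>
      </entry>
      <entry name="inbound-legacy">
        <ssl-protocol-settings>
          <min-version>tls1-0</min-version>
          <max-version>max</max-version>
          <enc-algo-3des>yes</enc-algo-3des>
        </ssl-protocol-settings>
      </entry>
      <entry name="inbound-tls12-only">
        <ssl-protocol-settings>
          <min-version>tls1-2</min-version>
          <max-version>max</max-version>
        </ssl-protocol-settings>
      </entry>
    </decryption></profiles>
  </entry></vsys></entry></devices>
</config>"""

# Ordering of the assumed version tokens; unknown tokens sort below tls1-0.
VERSION_ORDER = {"tls1-0": 0, "tls1-1": 1, "tls1-2": 2, "max": 99}


def audit_decryption_profiles(xml_text):
    """Return one tuple per decryption profile: (name, min_version, status).

    status is 'disabled' when enc-algo-3des is explicitly 'no' (what the
    committed config in the thread showed), 'enabled' when it is 'yes', and
    'unspecified' when the element is absent, in which case the effective
    value is whatever the firewall defaults to and deserves a manual look.
    """
    root = ET.fromstring(xml_text)
    findings = []
    # Restrict to profile definitions; decryption *rules* live elsewhere.
    for prof in root.findall(".//profiles/decryption/entry"):
        name = prof.get("name", "?")
        settings = prof.find("ssl-protocol-settings")
        if settings is None:
            findings.append((name, "unspecified", "unspecified"))
            continue
        min_version = settings.findtext("min-version", "unspecified").strip()
        raw = settings.findtext("enc-algo-3des")
        if raw is None:
            status = "unspecified"
        elif raw.strip().lower() == "no":
            status = "disabled"
        elif raw.strip().lower() == "yes":
            status = "enabled"
        else:
            status = "unexpected:" + raw.strip()
        findings.append((name, min_version, status))
    return findings


def profiles_needing_review(findings, require_tls12=True):
    """Return (name, reason) for profiles that are not explicitly 3DES-free
    or, when require_tls12 is set, accept anything below TLS 1.2, following
    the thread's observation that only a TLS 1.2 minimum stopped 3DES."""
    flagged = []
    for name, min_version, status in findings:
        reasons = []
        if status != "disabled":
            reasons.append("3DES " + status)
        if require_tls12 and VERSION_ORDER.get(min_version, -1) < VERSION_ORDER["tls1-2"]:
            reasons.append("min-version %s < tls1-2" % min_version)
        if reasons:
            flagged.append((name, "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    results = audit_decryption_profiles(SAMPLE_CONFIG)
    for name, reason in profiles_needing_review(results):
        print("%-20s %s" % (name, reason))
```

Run it against a saved export (`ET.parse(path).getroot()` in place of the embedded string) after every commit that touched a decryption profile; a profile that was "unchecked" in the GUI but comes back as `3DES enabled` is exactly the re-check problem described above, caught before an external scan does.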

Agreed that it's not a real problem.  I was just trying to move one step at a time in case we had some oddball app/user that could only do 1.1 or lower.

 

 

  • 3571 Views
  • 7 replies
  • 0 Likes