Extract data of all ciphers and protocols that enabled or disabled in palo alto firewalls

cancel
Showing results for 
Search instead for 
Did you mean: 

Extract data of all ciphers and protocols that enabled or disabled in palo alto firewalls

L1 Bithead

how can i Extract data of all ciphers and protocols that enabled or disabled in palo alto firewalls.

 

And How can i Ensure all weak ciphers and protocols are disabled before exposing an application to the Internet in palo alto firewalls.

 

1 ACCEPTED SOLUTION

Accepted Solutions

Cyber Elite
Cyber Elite

@pradeepbabar4,


@pradeepbabar4 wrote:

how can i Extract data of all ciphers and protocols that enabled or disabled in palo alto firewalls.

 


From what aspect? Are we talking about the what ciphers and protocols are enabled on the GUI, or what's being used on your inbound decryption profiles? 

 


@pradeepbabar4 wrote:

And How can i Ensure all weak ciphers and protocols are disabled before exposing an application to the Internet in palo alto firewalls.


From an application standpoint this needs to be verified by the application owner, or otherwise directly on the resource you are planning to expose. If you are performing inbound decryption you can somewhat control what ciphers are being utilized, but they need to line up with what the application is actually offering to prevent issues.

You can view what is being offered by running a packet capture, but I would simply ask the application owner for what they are supporting on their end.

View solution in original post

4 REPLIES 4

Cyber Elite
Cyber Elite

@pradeepbabar4,


@pradeepbabar4 wrote:

how can i Extract data of all ciphers and protocols that enabled or disabled in palo alto firewalls.

 


From what aspect? Are we talking about the what ciphers and protocols are enabled on the GUI, or what's being used on your inbound decryption profiles? 

 


@pradeepbabar4 wrote:

And How can i Ensure all weak ciphers and protocols are disabled before exposing an application to the Internet in palo alto firewalls.


From an application standpoint this needs to be verified by the application owner, or otherwise directly on the resource you are planning to expose. If you are performing inbound decryption you can somewhat control what ciphers are being utilized, but they need to line up with what the application is actually offering to prevent issues.

You can view what is being offered by running a packet capture, but I would simply ask the application owner for what they are supporting on their end.

View solution in original post

Thank you for valuable response, it is helpful.

Actually from management team they want to know which are the protocols & cipher are there which are negotiating  before exposing an application to the Internet from your comments i got an idea that whichever applications are there from our internal webserver are responsible for negotiating the protocol/cipher suites.

And the services like Global Protect, IPsec which are provided by firewall are responsible for  negotiating the protocol/cipher suites.

My understanding is correct right?

Thank you for you valuable response & sharing informative links.

I am not able to understand the matrix supported cipher suites, in website they have two column named as FEATURE OR FUNCTION and CIPHERS SUPPORTED IN PAN-OS 8.1 RELEASES what does it means.

 

Does it means that this are the cipher suite list which are available and we have to select one of the cipher suite for negotiation from available list ?

Also i want to know any SSL/TLS service profile we configured & if we configured minimum version as an TLSV1.1 or TLSV1.2 then what will be default cipher suite for negotiation, since there is no any option in GUI to select cipher suite which we want to be negotiatie.  

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!