Global Protect HTTPS weakness - Help!

L2 Linker

Hi,

I would really like an answer to this considering this is supposed to be a security product in the first place and I see several people have already asked the question.

We have just had a security audit completed by a third party; they highlighted 2 issues with the address that our GlobalProtect portal and gateway reside on.

SSL server accepts connections that use:

1. Rivest Cipher RC4

2. Cipher-block chaining (CBC) mode

I noted that these 2 are similar questions that don't really have an answer; one tries to answer it, but I'm not sure what FIPS is, and enabling it (How to Enable or Disable FIPS Mode) sounds like a nightmare, considering that according to this article it erases your config and puts you back to defaults?

Qualys Scans

SSL Weak CBC Mode Vulnerability

Is there a good way to fix this, maybe someone can answer all three posts by answering mine!
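An added example (not from this thread or from Palo Alto) for checking what a scanner report like the one above actually flags: it classifies cipher-suite names in both the IANA style scanners print and the OpenSSL style Python's `ssl` module uses (where CBC mode is implied rather than spelled out), and checks that a given OpenSSL cipher string leaves no RC4, CBC or MD5 suites enabled. The suite names in the sample list are constructed.

```python
import ssl

# Markers used to classify a suite name. OpenSSL-style names omit "CBC", so a
# block cipher that is not an AEAD suite (GCM/CCM/CHACHA20) is in CBC mode.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")
BLOCK_CIPHERS = ("AES", "3DES", "DES", "CAMELLIA", "SEED", "ARIA", "IDEA")


def classify_suite(name: str) -> set:
    """Return the set of audit findings ("RC4", "CBC", "MD5") for one suite name."""
    n = name.upper()
    issues = set()
    if "RC4" in n:
        issues.add("RC4")
    if n.endswith("MD5"):          # MD5-based MAC, e.g. TLS_RSA_WITH_RC4_128_MD5
        issues.add("MD5")
    is_block = any(b in n for b in BLOCK_CIPHERS)
    is_aead = any(a in n for a in AEAD_MARKERS)
    if "CBC" in n or (is_block and not is_aead):
        issues.add("CBC")
    return issues


def audit(suite_names):
    """Map each flagged suite name to its findings; clean suites are omitted."""
    return {s: classify_suite(s) for s in suite_names if classify_suite(s)}


def weak_in_cipher_string(cipher_string: str):
    """Apply an OpenSSL cipher string locally and list the flagged suites it still enables.

    Useful for checking a proposed server cipher list before deploying it; the
    local OpenSSL build decides which suites exist, so results vary by platform.
    """
    ctx = ssl.create_default_context()
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if classify_suite(c["name"])]


# Constructed sample of what a scanner might list for a portal.
SCANNER_OUTPUT = [
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    for suite, findings in audit(SCANNER_OUTPUT).items():
        print(f"{suite}: {', '.join(sorted(findings))}")
    print("weak suites left by ECDHE+AESGCM:", weak_in_cipher_string("ECDHE+AESGCM"))
```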


L6 Presenter

Hi Tezza,

There is no way to block any encryption algorithm for SSL traffic to the firewall.

If the browser supports those algorithms, then the firewall will accept the sessions.

I do not have more information on the vulnerability; if I get information I will let you know.

Regards,

Hardik Shah

L4 Transporter

You have to enable FIPS, sorry !

OK, I can see that FIPS might fix the issue, but why the heck do I need to reset the configuration of my firewall just to do it? Also, why is this not enabled by default? I'm guessing it breaks some features; is this usual in other brands of firewall?

L2 Linker

Also found this article, just so we get all the information in one post.

Does PAN Device Support FIPS Mode?

I must say I have had a good scan of the admin and GlobalProtect guides; there is very little mentioned about FIPS. It's not like it says, "oh, by the way, if you want your firewall to pass security audits you might want to enable FIPS."

The bigger question is why don't Palo Alto firewalls with GlobalProtect enabled pass audits by default!

That's a good question. One would expect that PA should be able to pass audits by definition at this level instead of requiring fancy footwork with additional configurations.

We had an audit done recently and were found to be open on RC4, MD5 and 96-bit encryption being 'allowed'. Although 'low' risk, I now have to please-explain to the client why his state-of-the-art firewall is allowing risky connections to its SSL management and VPN clients.

L2 Linker

Any word on this from Palo Alto???

It would be nice to disable certain ciphers not just for GlobalProtect, but for all traffic that passes through the firewall.

L3 Networker

I got the information from our SE that it should be possible to deactivate the RC4 cipher, SSL 1.0, SSL 2.0 and TLS 1.0 algorithms in PAN-OS 7.
