I would really like an answer to this, considering this is supposed to be a security product in the first place, and I see several people have already asked the question.
We have just had a security audit completed by a third party; they highlighted 2 issues with the address that our GlobalProtect portal and gateway reside on.
SSL server accepts connections that use:
1. Rivest Cipher RC4
2. Cipher-block chaining (CBC) mode
I noted that these 2 are similar questions that don't really have an answer. One tries to answer it, but I'm not sure what FIPS is, and enabling it (How to Enable or Disable FIPS Mode) sounds like a nightmare, considering that according to this article it erases your config and puts you back to defaults?
Is there a good way to fix this? Maybe someone can answer all three posts by answering mine!
There is no way to block any encryption algorithm for SSL traffic to the firewall.
If the browser supports those algorithms, then the firewall will accept the sessions.
I do not have more information on the vulnerability; if I get information I will let you know.
OK, I can see that FIPS might fix the issue, but why the heck do I need to reset the configuration of my firewall just to do it? Also, why is this not enabled by default? I'm guessing it breaks some features; is this usual in other brands of firewall?
Also found this article, just so we get all the information in one post.
I must say I have had a good scan of the admin and GlobalProtect guides; there is very little mentioned about FIPS. It's not like it says, oh by the way, if you want your firewall to pass security audits you might want to enable FIPS.
The bigger question is why don't Palo Alto firewalls with GlobalProtect enabled pass audits by default!
That's a good question. One would expect that PA should be able to pass audits by definition at this level instead of requiring fancy footwork with additional configurations.
We had an audit done recently and were found to be open on RC4, MD5 and 96-bit encryption being 'allowed'. Although 'low' risk, I now have to please-explain to the client why his state-of-the-art firewall is allowing risky connections to its SSL management and VPN clients.