Global Protect HTTPS weakness - Help!

L2 Linker

Global Protect HTTPS weakness - Help!

Hi,

I would really like an answer to this, considering this is supposed to be a security product in the first place, and I see several people have already asked the question.

We have just had a security audit completed by a third party; they highlighted two issues with the address that our GlobalProtect portal and gateway reside on.

SSL server accepts connections that use:

1. Rivest Cipher RC4

2. Cipher-block chaining (CBC) mode

I noted that these two are similar questions that don't really have an answer. One tries to answer it, but I'm not sure what FIPS is, and enabling it (How to Enable or Disable FIPS Mode) sounds like a nightmare, considering that according to this article it erases your config and puts you back to defaults.

Qualys Scans

SSL Weak CBC Mode Vulnerability

Is there a good way to fix this, maybe someone can answer all three posts by answering mine!
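The finding above is produced by offering the server one cipher suite at a time and recording which handshakes complete. The script below, an added example and not part of the original post or any Palo Alto Networks tool, reproduces that check against a TLS endpoint and classifies each accepted suite the way the audit report does (RC4, CBC mode, MD5, 3DES, export and anonymous suites). It assumes Python 3 with the standard `ssl` module, a reachable portal hostname (the `portal.example.com` default is hypothetical; pass the audited address on the command line), and a local OpenSSL build that is still willing to offer the weak suites. Where the local OpenSSL refuses to offer a suite at all, the result is reported as `unavailable` rather than as a pass for the server.

```python
"""Reproduce a "weak SSL cipher" audit finding against a TLS endpoint.

Each candidate cipher suite is offered alone in a ClientHello; if the server
completes the handshake, it accepts that suite. Names are OpenSSL cipher names,
which is what ssl.SSLContext.set_ciphers() understands.
"""
import socket
import ssl
from typing import Dict, List, Tuple

# Constructed candidate list: suites a scanner would typically flag, plus one AEAD control.
CANDIDATES = [
    "RC4-SHA", "RC4-MD5",                               # RC4 stream cipher
    "DES-CBC3-SHA",                                     # 3DES in CBC mode
    "AES128-SHA", "AES256-SHA",                         # AES-CBC with RSA key exchange
    "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA384",  # AES-CBC with ECDHE
    "ECDHE-RSA-AES128-GCM-SHA256",                      # AEAD control: accepted but not flagged
]

AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")


def weaknesses(openssl_name: str) -> List[str]:
    """Classify an OpenSSL cipher-suite name into the findings an auditor would raise.

    Works from the naming convention alone: a TLS suite that is neither AEAD,
    RC4 nor NULL is a block cipher running in CBC mode.
    """
    name = openssl_name.upper()
    found: List[str] = []
    if name.startswith("EXP-"):
        found.append("EXPORT")      # 40/56-bit export-grade keys
    if name.startswith(("ADH-", "AECDH-")):
        found.append("ANON")        # unauthenticated DH: trivially intercepted
    if "NULL" in name:
        found.append("NULL")        # no encryption at all
    if "RC4" in name:
        found.append("RC4")         # prohibited for TLS by RFC 7465
    if "DES-CBC3" in name or "3DES" in name:
        found.append("3DES")        # 64-bit block size (Sweet32)
    elif "DES-CBC-" in name:
        found.append("DES")         # single DES, 56-bit key
    if "MD5" in name:
        found.append("MD5")         # HMAC-MD5 record MAC
    if not any(m in name for m in AEAD_MARKERS) and "RC4" not in name and "NULL" not in name:
        found.append("CBC")         # MAC-then-encrypt CBC (BEAST / Lucky Thirteen class)
    return found


def probe(host: str, port: int, openssl_name: str, timeout: float = 5.0) -> str:
    """Offer exactly one suite; return 'accepted', 'rejected' or 'unavailable'.

    'unavailable' means the local OpenSSL will not even offer the suite (modern
    builds drop RC4 entirely), so the result says nothing about the server.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE               # testing ciphers, not the certificate
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # these are TLS <= 1.2 suites
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1  # let an old server pick an old version
    except (ValueError, ssl.SSLError):
        pass                                      # build without TLS 1.0 support; keep default
    try:
        # @SECLEVEL=0 lifts OpenSSL's default strength floor so weak suites can be offered.
        ctx.set_ciphers(f"{openssl_name}:@SECLEVEL=0")
    except ssl.SSLError:
        return "unavailable"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                negotiated = tls.cipher()[0]      # OpenSSL name of the agreed suite
    except (ssl.SSLError, OSError):
        return "rejected"                         # handshake alert, reset or timeout
    return "accepted" if negotiated == openssl_name else "rejected"


def audit(host: str, port: int = 443, candidates: List[str] = CANDIDATES) -> Dict[str, Tuple[str, List[str]]]:
    """Probe every candidate suite and pair the outcome with its weakness classes."""
    return {suite: (probe(host, port, suite), weaknesses(suite)) for suite in candidates}


def summarize(results: Dict[str, Tuple[str, List[str]]]) -> Dict[str, List[str]]:
    """Group accepted suites by weakness, matching how the audit report phrases it."""
    report: Dict[str, List[str]] = {}
    for suite, (status, weak) in results.items():
        if status != "accepted":
            continue
        for w in weak:
            report.setdefault(w, []).append(suite)
    return report


if __name__ == "__main__":
    import sys
    # Hypothetical portal address for illustration; pass the audited hostname instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "portal.example.com"
    results = audit(target)
    for suite, (status, weak) in results.items():
        print(f"{suite:32} {status:12} {','.join(weak) or '-'}")
    print("findings:", summarize(results))
```

Run it as `python3 probe_ciphers.py portal.example.com` from a host that can reach the portal on 443. An `accepted` result for any suite tagged `RC4` or `CBC` is exactly the condition the audit flagged; `unavailable` lines mean your own OpenSSL could not make the offer, so retest those from an older client or with a scanner that ships its own TLS stack. The script only observes the TLS layer and changes nothing on the firewall.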

L6 Presenter

Re: Global Protect HTTPS weakness - Help!

Hi Tezza,

There is no way to block any encryption algorithm for SSL traffic to the firewall.

If the browser supports those algorithms, then the firewall will accept the sessions.

I do not have more information on the vulnerability; if I get any, I will let you know.

Regards,

Hardik Shah

L4 Transporter

Re: Global Protect HTTPS weakness - Help!

You have to enable FIPS, sorry!

L2 Linker

Re: Global Protect HTTPS weakness - Help!

OK, I can see that FIPS might fix the issue, but why the heck do I need to reset the configuration of my firewall just to do it? Also, why is this not enabled by default? I'm guessing it breaks some features; is this usual in other brands of firewall?

L2 Linker

Re: Global Protect HTTPS weakness - Help!

Also found this article, just so we get all the information in one post.

Does PAN Device Support FIPS Mode?

I must say I have had a good scan of the admin and GlobalProtect guides, and there is very little mentioned about FIPS. It's not like it says, oh by the way, if you want your firewall to pass security audits you might want to enable FIPS.

The bigger question is why don't Palo Alto firewalls with GlobalProtect enabled pass audits by default!

L1 Bithead

Re: Global Protect HTTPS weakness - Help!

That's a good question. One would expect that PA should be able to pass audits by definition at this level, instead of requiring fancy footwork with additional configurations.

We had an audit done recently and were found to be open on RC4, MD5 and 96-bit encryption being 'allowed'. Although 'low' risk, I now have to please-explain to the client why his state-of-the-art firewall is allowing risky connections to its SSL management and VPN clients.

L2 Linker

Re: Global Protect HTTPS weakness - Help!

Any word on this from Palo Alto???

L4 Transporter

Re: Global Protect HTTPS weakness - Help!

It would be nice to disable certain ciphers not just for GlobalProtect, but for all traffic that passes through the firewall.

L3 Networker

Re: Global Protect HTTPS weakness - Help!

I got the information from our SE that it should be possible to deactivate the RC4 cipher and the SSL 1.0, SSL 2.0 and TLS 1.0 algorithms in PAN-OS 7.
