Global Protect HTTPS weakness - Help!

cancel
Showing results for 
Search instead for 
Did you mean: 

Global Protect HTTPS weakness - Help!

L2 Linker

Hi,

I would really like an answer to this considering this is supposed to be a security product in the first place and I see several people have already asked the question.

We have just had a security audit completed by a third party, they highlighted 2 issues with the address that our global protect portal and gateway reside on.

SSL server accepts connections that use:

1. Rivest Cipher RC4

2. Cipher-block chaining (CBC) mode

I noted that these 2 are similar questions that dont really have an answer, one tries to answer it but I'm not sure what FIPS is and enabling it (How to Enable or Disable FIPS Mode) sounds like a nightmare considering according to this article it erases your config and puts you back to defaults?

Qualys Scans

SSL Weak CBC Mode Vulnerability

Is there a good way to fix this, maybe someone can answer all three posts by answering mine!

8 REPLIES 8

L6 Presenter

Hi Tezza,

There is no way to block any encryption algorithm for SSL traffic to Firewall.

If Browser supports those algorithms then firewall will accept the sessions.

I do not have more information on Vulnerability, if I get information I will let you know.

Regards,

Hardik Shah

L4 Transporter

You have to enable FIPS, sorry !

OK I can see what FIPS might fix the issue but why the heck do I need to reset the configuration of my firewall just to do it? Also why is this not enabled by default? I'm guessing it breaks some features, is this usual in other brands of firewall?

L2 Linker

Also found this article if just so we get all the information in one post.

Does PAN Device Support FIPS Mode?

I must say I have had a good scan of the admin and global protect guides there is very little mentioned about FIPS, its not like it says oh by the way if you want you firewall to pass security audits you might want to enable FIPS.

The bigger question is why doesn't Palo Alto firewalls with global protect enabled pass audits by default!

That's a good question.  One would expect that PA should be able to pass audits by definition at this level instead of requiring fancy footwork with additional configurations.

We had an audit done recently and was found to be open on RC4, MD5 and 96bit encryption being 'allowed'.  Although 'low' risk, I now have to please-explain to the client why his state-of-the-art firewall is allowing risky connections to its SSL management and vpn clients.

L2 Linker

Any word on this from Palo Alto???

It would be nice to disable certain ciphers not just for Global Protect, but for all traffic that passes through the firewall.

L3 Networker

I got the information from our SE that it should be possible to deactivate RC4 Cipher, SSL1.0, SSL2.0 and TLS1.0 Algorithms in PanOS 7.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!