GlobalProtect Portal SSL in PANOS 8

Reply
L2 Linker

GlobalProtect Portal SSL in PANOS 8

Hello all,

 

I have noticed an important difference in PANOS v8.0 in comparison with PANOS 7.x.x concerning the SSL settings for the GlobalProtect portal.

 

More specific, the famous site for SSL Server tests, Qualys SSL Labs presents PANOS 7.0.x with Grade A-, while for PANOS 8.0.x the grade is lowered to Grade B (worst).

 

This happends because, while in PANOS 8.0.x there is a wider support of ciphersuites  fot TLSv1.2, the additional ciphersuites supported use weak weak Diffie-Hellman (DH) key exchange parameters. More specific, for some cipher suites, the DH key exchange is weak, as 1024-bits are being used.

 

 

More specific, for version 7.0.x, the Cipher Suites list is the following:

 

TLS 1.2 (suites in server-preferred order)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)128

 

 

while in PANOS 8.0.x the list is the following:

 

# TLS 1.2 (suites in server-preferred order)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp521r1 (eq. 15360 bits RSA)   FS256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp521r1 (eq. 15360 bits RSA)   FS128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp521r1 (eq. 15360 bits RSA)   FS256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp521r1 (eq. 15360 bits RSA)   FS128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits   FS   WEAK256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits   FS   WEAK128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK128

 

 

The big question is how to disable these weak Forward Secrecy (FS) DH Weak key exchange exchange parameters as there is no option to manipulate these settings either from the Web UI or the CLI.

Maybe the new SSL/TLS Service Profile that appears in PANOS 7.1.x should have something for the CipherSuites and the Forward Secrecy (FS) key exchange parameters that need to be enabled/disabled/used (and the order they are being presented to the client's web browser.

 

Regards,

George G.

Tags (1)
Highlighted
L4 Transporter

Hi George,

 

The SSL/TLS profile hasn't changed in 8.0 either. It's been a carry-forward feature from 7.1.x. And yes, no way to disable/change anything from GUI or CLI (maybe root?). However, imho, this is not a bad option to include in the SSL/TLS profile, kinda similar to what a Decryption profile has. 

 

I'd say you should get in touch with your SE to see if this can be incorporated in some future release.

 

Regards,

Anurag

================================================================
ACE 7.0, 8.0, PCNSE 7
Highlighted
L2 Linker

Yes, I agree with you maybe a Feature Request is not a bad idea.

After all, there are some requirements on disabling weak ciphers etc on PCI and CIS compliance audits that PAN Devices do not give that opportunity.

 

George

Highlighted
L4 Transporter

Hi,

 

Im having the same grade because of: This server does not support Forward Secrecy with the reference browsers.

 

how did you solve it? any idea? 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!