cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

GlobalProtect Portal SSL in PANOS 8

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

GlobalProtect Portal SSL in PANOS 8

ggoudr
L2 Linker

‎05-18-2017 09:01 AM

Hello all,

 

I have noticed an important difference in PANOS v8.0 in comparison with PANOS 7.x.x concerning the SSL settings for the GlobalProtect portal.

 

More specific, the famous site for SSL Server tests, Qualys SSL Labs presents PANOS 7.0.x with Grade A-, while for PANOS 8.0.x the grade is lowered to Grade B (worst).

 

This happends because, while in PANOS 8.0.x there is a wider support of ciphersuites  fot TLSv1.2, the additional ciphersuites supported use weak weak Diffie-Hellman (DH) key exchange parameters. More specific, for some cipher suites, the DH key exchange is weak, as 1024-bits are being used.

 

 

More specific, for version 7.0.x, the Cipher Suites list is the following:

 

TLS 1.2 (suites in server-preferred order)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)128

 

 

while in PANOS 8.0.x the list is the following:

 

# TLS 1.2 (suites in server-preferred order)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp521r1 (eq. 15360 bits RSA)   FS256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp521r1 (eq. 15360 bits RSA)   FS128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp521r1 (eq. 15360 bits RSA)   FS256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp521r1 (eq. 15360 bits RSA)   FS128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits   FS   WEAK256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits   FS   WEAK128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK128

 

 

The big question is how to disable these weak Forward Secrecy (FS) DH Weak key exchange exchange parameters as there is no option to manipulate these settings either from the Web UI or the CLI.

Maybe the new SSL/TLS Service Profile that appears in PANOS 7.1.x should have something for the CipherSuites and the Forward Secrecy (FS) key exchange parameters that need to be enabled/disabled/used (and the order they are being presented to the client's web browser.

 

Regards,

George G.

1 person had this problem.
4 REPLIES 4

ansharma
L4 Transporter

‎05-19-2017 05:45 PM

Hi George,

 

The SSL/TLS profile hasn't changed in 8.0 either. It's been a carry-forward feature from 7.1.x. And yes, no way to disable/change anything from GUI or CLI (maybe root?). However, imho, this is not a bad option to include in the SSL/TLS profile, kinda similar to what a Decryption profile has. 

 

I'd say you should get in touch with your SE to see if this can be incorporated in some future release.

 

Regards,

Anurag

================================================================
ACE 7.0, 8.0, PCNSE 7
0 Likes Likes

ggoudr
L2 Linker
In response to ansharma

‎05-24-2017 12:59 AM

Yes, I agree with you maybe a Feature Request is not a bad idea.

After all, there are some requirements on disabling weak ciphers etc on PCI and CIS compliance audits that PAN Devices do not give that opportunity.

 

George

0 Likes Likes

BigPalo
L4 Transporter
In response to ggoudr

‎07-27-2020 10:23 AM

Hi,

 

Im having the same grade because of: This server does not support Forward Secrecy with the reference browsers.

 

how did you solve it? any idea? 

0 Likes Likes

MannCave
L0 Member

‎09-03-2021 09:19 AM - edited ‎09-03-2021 09:20 AM

Run the following commands on in the cli at the edit prompt.

then commit

set shared ssl-tls-service-profile (select your security profile here) protocol-settings keyxchg-algo-rsa no
set shared ssl-tls-service-profile (select your security profile here) protocol-settings enc-algo-rc4 no
set shared ssl-tls-service-profile (select your security profile here) protocol-settings enc-algo-aes-256-cbc no
set shared ssl-tls-service-profile (select your security profile here) protocol-settings enc-algo-3des no
set shared ssl-tls-service-profile (select your security profile here) protocol-settings auth-algo-sha1 no

 

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2022 - Palo Alto Networks