10-15-2014 10:24 AM
Hi All,
I have a case where a customer needs to disable SSL 3.0 on an interface and just use SSL 1.0 and 2.0 for both device management and GP. Is this possible? If so, then how? Is there any other way apart from disabling the entire SSL feature on the interface? Kindly advise.
10-15-2014 10:29 AM
I have not tested this but you can try creating a custom vulnerability with ssl-rsp-version 3 and block it:
The above vulnerability will only be effective for traffic going through a dataplane port, so if you are accessing management directly (without going through a dataplane port) this will not help for disabling SSLv3 on the management interface.
Will keep you posted if I get a chance to try this in lab
Hope it helps !
10-15-2014 11:45 AM
Just tested this in my lab and it works.
You have to specify the decimal value for the SSL 3.0 hexadecimal code (0x0300), which is 768.
Hope it helps !
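As an added illustration of the version check being discussed (this is example code written for this page, not from the thread or from Palo Alto Networks), the parser below pulls the version field out of a ServerHello record and reports it in decimal, which is where the 0x0300 = 768 mapping comes from. It assumes the signature field compares against the version the server advertises in its ServerHello; the thread does not confirm exactly which bytes the ssl-rsp-version context inspects, so treat that as an assumption. The sample records are constructed in the block, not captured.

```python
import struct

# 0x0300 is SSL 3.0; a signature field that takes a decimal version wants 768.
SSLV3 = 0x0300
VERSION_NAMES = {
    0x0002: "SSLv2",
    0x0300: "SSLv3",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}


def server_hello_version(record: bytes) -> int:
    """Return the version field of the ServerHello carried in one TLS record.

    Record layer: 1-byte content type, 2-byte version, 2-byte length.
    Handshake layer: 1-byte message type, 3-byte length, then the body,
    whose first two bytes are the version the server selected.
    """
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _record_version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError(f"not a handshake record (content type {content_type:#04x})")
    body = record[5:5 + record_len]
    if len(body) != record_len or record_len < 6:
        raise ValueError("truncated or undersized handshake record")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != 0x02:
        raise ValueError(f"not a ServerHello (handshake type {hs_type:#04x})")
    if hs_len < 2 or len(body) < 4 + hs_len:
        raise ValueError("truncated ServerHello")
    (version,) = struct.unpack("!H", body[4:6])
    return version


def classify(record: bytes) -> dict:
    """Decimal version, human-readable name, and whether it is SSLv3 or older."""
    version = server_hello_version(record)
    return {
        "version": version,  # e.g. 768 for SSLv3, 771 for TLS 1.2
        "name": VERSION_NAMES.get(version, f"unknown ({version:#06x})"),
        "weak": version <= SSLV3,
    }


def build_server_hello(version: int) -> bytes:
    """Constructed sample ServerHello (not a capture) for exercising the parser."""
    hello = (
        struct.pack("!H", version)  # server_version
        + b"\x11" * 32              # random (fixed filler)
        + b"\x00"                   # empty session_id
        + b"\x00\x2f"               # cipher_suite TLS_RSA_WITH_AES_128_CBC_SHA
        + b"\x00"                   # compression_method null
    )
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


if __name__ == "__main__":
    for v in (0x0300, 0x0303):
        print(classify(build_server_hello(v)))
```

Running it prints 768/SSLv3 flagged weak and 771/TLS 1.2 not flagged. A check like this only ever sees a plaintext ServerHello, so it applies to handshakes the inspecting device can actually observe on the wire.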
10-15-2014 12:33 PM
Hi Mrafi,
This will stop SSLv3 on the data port only; for that you will have to configure a custom vulnerability profile in the policy.
This will not help to stop SSLv3 on Management interface.
Regards,
Hardik Shah
10-15-2014 01:17 PM
Hi Mrafi,
Just FYI...
Regards,
Hardik Shah
10-16-2014 08:23 AM
I created a custom signature as csharma suggested and I can confirm that it works.
However, it does not seem to work if you are decrypting the SSL traffic via the Palo Alto.
10-16-2014 10:03 AM
Just to add, guys: content version 463 has been released, which contains the SSLv3 POODLE vulnerability signature.
Hope it helps !
10-30-2014 05:04 PM
No, you cannot disable this; the version is negotiated by the end host and server.
The vulnerability signature that is provided will not be applied to traffic destined to the firewall.
For example: if people from the DMZ try to manage the firewall on the firewall's DMZ interface, the signature will not be enough to identify SSLv3, because content inspection is not applied when traffic is destined to the firewall rather than passing through it. The same applies to GP: we would not be able to identify this when the SSL connection terminates on the untrust interface of the firewall.
The workaround while we wait for engineering is to host the service on a loopback interface in a different zone. When the service is hosted on the loopback, the packets pass through the CTD engine of the firewall like regular traffic, so the vulnerability can be detected.
Regards
Sai
10-31-2014 09:03 AM
Wow, so PA can't disable SSLv3... that's not good. I know the sig can protect, but come on, we can't pick protocols/ciphers on an enterprise-class firewall? And it's based on Linux, right? So PA went out of its way to make it so we can't do this?
11-04-2014 06:44 AM
Why does the PA NOT detect SSLv3 when it's set to decrypt the passing traffic?
Here's what I did to test...
1. I forced my browser to use ONLY SSLv3.
2. Set Threat ID 36815(SSLv3 Found in Server Response) to "drop-all-packets".
3. Browsed to web server behind the PA and page loaded fine.
4. Wireshark capture shows only SSLv3 being used.
5. Not detected in PA.
Then I tried web traffic that is not being decrypted and the PA detected and blocked the SSLv3 attempt.
11-19-2014 02:13 AM
I'd suppose the PA would be able to adjust the SSL/TLS versions allowed in the SSL hello messages when performing SSL decryption, since it is acting as the client side towards the web server?!
Why is there no way to influence this with a Decryption Profile?