08-13-2020 01:08 AM
Can someone suggest on how can we disable TLS 1.0 & 1.1 for port TCP-3978
Description: The remote service accepts connections encrypted using TLS 1.0. TLS 1.0 has a number of cryptographic design flaws. Modern impleme
ntations of TLS 1.0 mitigate these problems, but newer versions of TLS like 1.2 and 1.3 are designed against these flaws and should be used wheneve
r possible.
As of March 31, 2020, Endpoints that aren’t enabled for TLS 1.2 and higher will no longer function properly with major web browsers and major
vendors.
PCI DSS v3.2 requires that TLS 1.0 be disabled entirely by June 30, 2018, except for POS POI terminals (and the SSL/TLS termination points to which
they connect) that can be verified as not being susceptible to any known exploits.
Thanks.
09-07-2020 08:33 PM
Solution:-
Login to Panorama
Go to >Panorama>Certificate Management>Certificate>Generate> (you can use existing root cert or create new Cert)
Go to >Panorama>Certificate Management>SSL/TLS Service Profile >Add (call your newly created cert ) create 2 cert for Primary and secondary
Go to >Panorama>Setup>Secure Communication Settings >Customize Communication>Select HA Communication
Note:- in Palo Alto 8.X.X we can disable only TLSv1.0 we can not disable TLSv1.1 for on port-3978 TAC has confirmed to US
Verify:-
Go to >Panorama>managed devices>summary see device state must be connected and Certificate untrusted issuer
Go to>Panorama>managed collectors>status in sync
08-13-2020 01:30 AM
If you have access to the server certificate + key you can set up inbound ssl decryption and enforce 1.2 or higher through the decryption profile
08-13-2020 01:45 AM
As far as I know there is no configuration option to disable tls1.0/1.1 on this panorama management port. At least I hope that the firewalls will use tls1.2 for this connection, so if there is a firewall between the firewalls and panorama you could block tls1.0/1.1 connection attempts with a custom vulnerability signature.
08-21-2020 04:41 AM
Hi Vsys_remo,
Thanks for your reply...
We have created a profile and disabled TLSv1.0 and TLSv1.1 and enabled TLSv1.2, and I have done a packet capture and I can see communication using TLSv1.2 (TAC also Confirmed TLSv1.0 disabled) but the security team able to scan TLSv1.0 and TLSv1.1 in the scan report. Thanks
08-21-2020 04:45 AM
Hi Reaper,
Port TCP-3978 using for Panorama and Palo alto communication and SSL Profile have enabled TLSv1.2. Thanks
08-31-2020 10:15 PM
Hey Viveksk.Gupta,
can you give me a quick hint how you set up the profile? We have the same problem and im pretty new to Palo Alto stuff, so a quick hint would be appreciated.
BR
09-01-2020 12:36 AM
Hi Thartm,
Login to Panorama
Go to >Panorama>Certificate Management>Certificate>Generate> (you can use existing root cert or create new Cert)
Go to >Panorama>Certificate Management>SSL/TLS Service Profile >Add (call your newly created cert ) create 2 cert for Primary and secondary
Go to >Panorama>Setup>Secure Communication server call your certificate and profile both (check mark allow custom certificate only)
Verify:-
Go to >Panorama>managed devices>summary see device state must be connected and Certificate untrusted issuer
Go to>Panorama>managed collectors>status in sync
Please follow the document below for more information on each settings.
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/panorama-web-interface/panora...
09-01-2020 02:38 AM
Thanks for the quick reply Viveksk.Gulpa 🙂
Ill look into it 🙂
09-07-2020 08:33 PM
Solution:-
Login to Panorama
Go to >Panorama>Certificate Management>Certificate>Generate> (you can use existing root cert or create new Cert)
Go to >Panorama>Certificate Management>SSL/TLS Service Profile >Add (call your newly created cert ) create 2 cert for Primary and secondary
Go to >Panorama>Setup>Secure Communication Settings >Customize Communication>Select HA Communication
Note:- in Palo Alto 8.X.X we can disable only TLSv1.0 we can not disable TLSv1.1 for on port-3978 TAC has confirmed to US
Verify:-
Go to >Panorama>managed devices>summary see device state must be connected and Certificate untrusted issuer
Go to>Panorama>managed collectors>status in sync
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
