Need to Disable TLS 1.0 & 1.1 for port TCP-3978

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Need to Disable TLS 1.0 & 1.1 for port TCP-3978

L1 Bithead

Can someone suggest on how can we disable TLS 1.0 & 1.1 for port TCP-3978

 

Description: The remote service accepts connections encrypted using TLS 1.0. TLS 1.0 has a number of cryptographic design flaws. Modern impleme
ntations of TLS 1.0 mitigate these problems, but newer versions of TLS like 1.2 and 1.3 are designed against these flaws and should be used wheneve
r possible.
As of March 31, 2020, Endpoints that aren’t enabled for TLS 1.2 and higher will no longer function properly with major web browsers and major
vendors.
PCI DSS v3.2 requires that TLS 1.0 be disabled entirely by June 30, 2018, except for POS POI terminals (and the SSL/TLS termination points to which
they connect) that can be verified as not being susceptible to any known exploits.

 

Thanks.

VK
1 accepted solution

Accepted Solutions

Solution:-

 

Login to Panorama

Go to >Panorama>Certificate Management>Certificate>Generate> (you can use existing root cert or  create new Cert)

Go to >Panorama>Certificate Management>SSL/TLS Service Profile >Add (call your newly created cert ) create 2 cert for Primary and secondary

Go to >Panorama>Setup>Secure Communication Settings >Customize Communication>Select HA Communication 

Note:- in Palo Alto 8.X.X we can disable only TLSv1.0 we can not disable TLSv1.1 for on port-3978 TAC has confirmed to US 

Verify:-

Go to >Panorama>managed devices>summary see device state must be connected and Certificate untrusted issuer

 Go to>Panorama>managed collectors>status in sync

 

VK

View solution in original post

8 REPLIES 8

Cyber Elite
Cyber Elite

If you have access to the server certificate + key you can set up inbound ssl decryption and enforce 1.2 or higher through the decryption profile

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L7 Applicator

Hi @viveksk.gupta 

As far as I know there is no configuration option to disable tls1.0/1.1 on this panorama management port. At least I hope that the firewalls will use tls1.2 for this connection, so if there is a firewall between the firewalls and panorama you could block tls1.0/1.1 connection attempts with a custom vulnerability signature.

Hi ,

 

Thanks for your reply...

 

We have created a profile and disabled TLSv1.0 and TLSv1.1 and enabled TLSv1.2, and I have done a packet capture and I can see communication using TLSv1.2 (TAC also Confirmed TLSv1.0 disabled) but the security team able to scan TLSv1.0 and TLSv1.1 in the scan report. Thanks 

VK

Hi Reaper,

 

Port TCP-3978 using for Panorama and Palo alto communication and SSL Profile have enabled TLSv1.2. Thanks 

VK

Hey Viveksk.Gupta,

 

can you give me a quick hint how you set up the profile? We have the same problem and im pretty new to Palo Alto stuff, so a quick hint would be appreciated.

 

BR 

Hi Thartm,

 

Login to Panorama

Go to >Panorama>Certificate Management>Certificate>Generate> (you can use existing root cert or  create new Cert)

Go to >Panorama>Certificate Management>SSL/TLS Service Profile >Add (call your newly created cert ) create 2 cert for Primary and secondary

Go to >Panorama>Setup>Secure Communication server call your certificate and profile both (check mark allow custom certificate only)

 

Verify:-

Go to >Panorama>managed devices>summary see device state must be connected and Certificate untrusted issuer

 Go to>Panorama>managed collectors>status in sync

 

Please follow the document below for more information on each settings.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/panorama-web-interface/panora...

VK

Thanks for the quick reply Viveksk.Gulpa 🙂 

 

Ill look into it 🙂

Solution:-

 

Login to Panorama

Go to >Panorama>Certificate Management>Certificate>Generate> (you can use existing root cert or  create new Cert)

Go to >Panorama>Certificate Management>SSL/TLS Service Profile >Add (call your newly created cert ) create 2 cert for Primary and secondary

Go to >Panorama>Setup>Secure Communication Settings >Customize Communication>Select HA Communication 

Note:- in Palo Alto 8.X.X we can disable only TLSv1.0 we can not disable TLSv1.1 for on port-3978 TAC has confirmed to US 

Verify:-

Go to >Panorama>managed devices>summary see device state must be connected and Certificate untrusted issuer

 Go to>Panorama>managed collectors>status in sync

 

VK
  • 1 accepted solution
  • 16344 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!