- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
03-27-2018 02:59 PM
PAN-OS 8.1 seems to lack the capability to perform fine-grained configuration of cipher suite selection and prioritization for GlobalProtect VPN functions.
I ran a fairly detailed SSL functionality assessment on a configured TLS v1.2-only GP gateway and found that RSA encryption-based ciphers are selected by default by all simulated clients. This was a bigger concern previously due to ROBOT (CVE-2017-17841 for PAN-OS, patched in PAN-OS 8.0.7), but there's also the fact that RSA encryption-based ciphers don’t provide perfect forward secrecy. My assessment yields the following ciphers, in order of the PAN FW’s preference:
AES256-GCM-SHA384
AES128-GCM-SHA256
AES256-SHA256
AES128-SHA256
AES128-SHA
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
Highlighted are the RSA encryption-based ciphers. For some reason, they’re A) being used at all and B) prioritized over other PFS-capable cipher options. Any TLS v1.2-capable client is by definition capable of communicating using PFS-capable cipher suites, so this ordering is surprising.
Cryptographic best practices (as of now) would dictate the following order:
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA
AES256-GCM-SHA384
AES128-GCM-SHA256
AES256-SHA256
AES128-SHA256
AES128-SHA
Even better, best practices-wise, would be to omit the highlighted options entirely. Ideally, the combination and priority of cipher suites offered to the client would be configurable on the FW itself. Currently, only the TLS version is configurable.
(Minorly edited copy-paste of my conversation with a channel engineer.)
09-29-2021 01:37 AM
the same applies to the ciphers for the ssl forward proxy. while some ciphers can be disabled in general, one cannot prefer ciphers using ecdhe over plain rsa.
for pan-os 9.1 plain rsa is preferred over ecdhe-rsa. from a security perspective, (ec)dhe should be preferred, since they offer forward secrecy.
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
...
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
...
So I would love to see a configuration dialogue for the cipher preference in panos, too!
03-28-2018 08:26 AM
Right there with you on this one. I have been waiting for them to add the ability to control the cipher suites being used. we are using our traffic managers and load balancers to restrict ciphers to the ECDHE options with everything else but there is no way to adjust this for the GP portal from the firewall itself.
Maybe someone can speak to this being roadmapped?
07-02-2020 02:22 PM
I would agree. From a security perspective, ECDHE-ECDSA and ECDHE-RSA should ALWAYS be preferred to non ECDHE/DHE ciphers.
09-29-2021 01:37 AM
the same applies to the ciphers for the ssl forward proxy. while some ciphers can be disabled in general, one cannot prefer ciphers using ecdhe over plain rsa.
for pan-os 9.1 plain rsa is preferred over ecdhe-rsa. from a security perspective, (ec)dhe should be preferred, since they offer forward secrecy.
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
...
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
...
So I would love to see a configuration dialogue for the cipher preference in panos, too!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!