- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
- COVID-19 Response Center
Secure Renegotiation in PANOS 9x?
- LIVEcommunity
- Collaboration
- Discussions
- General Topics
- Secure Renegotiation in PANOS 9x?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-04-2019 04:31 PM - edited 04-04-2019 04:31 PM
I'm seeing some posts stating that Secure Renegotiation is not supported on the Palo Alto platform. Is this still true for the latest release, v9.x? If so, how is it enabled?
Accepted Solutions
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-06-2019 12:00 PM - edited 04-07-2019 04:26 AM
At least on a global protect portal website secure renegotiation is still not supported ... so I assume this also applies to inbound decryption.
What do you think when TLS1.3 support will be added? I would saysomewhere in 2021 😛 (with PAN-OS 10?)
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-05-2019 12:58 PM
I'm fairly certain that TLS Renegotiation was fixed in an update to 6.0, so it's been available for a while. Regardless renegotiation is dying anyways; TLS 1.3 removes it completely.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-05-2019 01:43 PM
Good to hear. So how to enable it? I'm certainly glad that TLS 1.3 eliminates it, but my customer has TLS 1.2 at the moment and need to elminate this audit finding. 🙂
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-06-2019 12:00 PM - edited 04-07-2019 04:26 AM
At least on a global protect portal website secure renegotiation is still not supported ... so I assume this also applies to inbound decryption.
What do you think when TLS1.3 support will be added? I would saysomewhere in 2021 😛 (with PAN-OS 10?)
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
04-06-2019 06:21 PM
Last I heard it was still being targeted for 9.1**, but it wouldn't suprise me at all of this got pushed back to 10*. There's some really interesting papers you can find that speak in detail about the additional issues with TLS 1.3 and attempting to intercept that communication in a passive format.
*version names referenced are simply picked from historical release information.
**Inside Baseball (IE: Roadmap) discussions are strictly confidential and enforced through an NDA. The information presented in this post is non-official information and was not directly supplied by Palo Alto Networks or its employees.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
10-26-2021 12:12 AM
Hi @vsys_remo @BPry @richardhicks
Are there any current versions of PAN-OS that support secure renegotiation?
Inbound decryption SERVER-INITIATED Secure Renegotiation IS NOT supported.
Secure Renegotiatio---->Not supported ACTION NEEDED (more info)
Secure Client-Initiated Renegotiation---- >No
From palo alto side can to possible to configure support secure renegotiation
if it is feature request then can you please provide me FR number
Thanks
- GP IPsec tunnel always falling back to SSL in GlobalProtect Discussions
- Secure Renegotiation Support in GlobalProtect Discussions
- Is PANOS 9.1.6 is vulnerable for wreck security vulnerability? in General Topics
- How to setup No-IP Dynamic DNS on Palo Alto PAN-OS 9.0.12 in General Topics
- Inbound SSL decryption for apache2 server in General Topics
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
