What SSL/TLS versions are allowed for WEBUI


Hello,

I'm trying to verify which SSL/TLS versions and ciphers the PANs accept for WEBUI connections. Specifically, I am trying to verify that it does not accept connections using weaker protocols or ciphers, and whether it is configurable.

Please note that this is for Management connections to the PANs only, not user traffic.

Any help would be appreciated.

Thanks.

Accepted Solutions

L7 Applicator

Hello Sir,

To log into the firewall, the browser must be TLS 1.0 compatible.

Cipher suites for admin sessions (web interface):

DHE-RSA-AES256-SHA

RSA-AES256-SHA

DHE-RSA-CAMELLIA256-SHA

RSA-CAMELLIA256-SHA

EDH-RSA-3DES-SHA

RSA-3DES-SHA (aka RSA-DES-CBC3-SHA aka DES-CBC3-SHA)

DHE-RSA-AES128-SHA

RSA-AES128-SHA

DHE-RSA-SEED-SHA

RSA-SEED-SHA

DHE-RSA-CAMELLIA128-SHA

CAMELLIA128-SHA

RSA-RC4-SHA

RSA-RC4-MD5

For data-plane traffic, the SSL versions supported by PAN-OS are: SSLv3, TLS1.0, and TLS1.1.

Hope it will help you.

Thanks
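
Added example (not part of the original post and not Palo Alto Networks code): a Python triage of the cipher-suite names listed in the answer above, flagging the properties an audit of a management interface usually checks. The parsing rules, function names and finding labels are assumptions of this example.

```python
# Added example: triage of the cipher-suite names quoted in the answer above.
# The names are copied from the post; the rules below are assumptions.
SUITES = """
DHE-RSA-AES256-SHA RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA RSA-CAMELLIA256-SHA
EDH-RSA-3DES-SHA RSA-3DES-SHA DHE-RSA-AES128-SHA RSA-AES128-SHA
DHE-RSA-SEED-SHA RSA-SEED-SHA DHE-RSA-CAMELLIA128-SHA CAMELLIA128-SHA
RSA-RC4-SHA RSA-RC4-MD5
""".split()


def parse(name):
    """Split a suite name into (key exchange, bulk cipher, MAC)."""
    parts = name.upper().split("-")
    mac = parts.pop()                    # last token is the MAC
    kx = "RSA"                           # default: static RSA key exchange
    if parts[0] in ("DHE", "EDH"):       # ephemeral Diffie-Hellman
        kx = "DHE"
        parts = parts[1:]
    if parts[0] == "RSA":                # RSA prefix is optional in the post
        parts = parts[1:]
    return kx, "-".join(parts), mac


def findings(name):
    """Return the list of weaknesses this example flags for one suite."""
    kx, cipher, mac = parse(name)
    out = []
    if cipher == "RC4":
        out.append("RC4 stream cipher (prohibited in TLS by RFC 7465)")
    if cipher == "3DES":
        out.append("3DES uses a 64-bit block")
    if mac == "MD5":
        out.append("MD5-based MAC")
    if kx == "RSA":
        out.append("static RSA key exchange, no forward secrecy")
    return out


def unflagged(suites=SUITES):
    """Suites for which none of the rules above fire."""
    return [s for s in suites if not findings(s)]


if __name__ == "__main__":
    for suite in SUITES:
        print(f"{suite:26} {'; '.join(findings(suite)) or 'no finding'}")
```

A suite with no finding here still runs over TLS 1.0 on the management interface described in the post, so the protocol version needs its own check.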


Thank you very much for the Reply.

Is TLS 1.0 the only protocol that can be used for the Management Interface? Older protocols such as SSLv2 will be denied and are not supported? I suspect the answer is yes but need to verify.

Yes, you are correct.

Hello Sir,

I did a small test with IE to open WEBUI for PAN-FW management interface. It is working only with SSL 3.0 and TLS 1.0.

Thanks

According to the release notes for PANOS 6.0 most devices will now support TLS 1.2 for dataplane ssl/tls decryption.

Hello Mikand,

You are correct, the new PAN-OS 6.0 has the capability to decrypt TLS 1.2. In PAN-OS 5.0, though, if we detect a TLS1.1 or TLS1.2 session, we first try to downgrade it to TLS1.0 and decrypt. If that fails, we won't decrypt the session and either drop the session or allow it encrypted based upon your policy settings.

Thanks

Hello Hulk,

Is there a way to block SSLv3 access to the management interface of the firewall and allow only TLS1.0?

Thanks.

Hi Mbavishi,

The latest content has a fix for the vulnerability related to SSLv3; if management traffic is traversing through the data ports, then it can be blocked.

If not, there is no way to block it.

Regards,

Hardik Shah

Hi Mbavishi,

Please refer to the following thread for more detail.

Re: Is it possible to Specifically Disable SSL 3.0 on a Palo Alto Interface

Regards,

Hardik Shah
