01-14-2014 07:27 AM
Hello,
I'm trying to verify which SSL/TLS versions and Ciphers the PANs accept for WEBUI connections. Specifically, I am trying to verify that it does not accept connections using weaker Protocols or Ciphers and if it is configurable.
Please note that this is for Management connections to the PANs only, not user traffic.
Any help would be appreciated.
Thanks.
01-14-2014 07:53 AM
Hello Sir,
To log into the firewall, the browser must be TLS 1.0 compatible.
DHE-RSA-AES256-SHA
RSA-AES256-SHA
DHE-RSA-CAMELLIA256-SHA
RSA-CAMELLIA256-SHA
EDH-RSA-3DES-SHA
RSA-3DES-SHA (aka RSA-DES-CBC3-SHA aka DES-CBC3-SHA)
DHE-RSA-AES128-SHA
RSA-AES128-SHA
DHE-RSA-SEED-SHA
RSA-SEED-SHA
DHE-RSA-CAMELLIA128-SHA
CAMELLIA128-SHA
RSA-RC4-SHA
RSA-RC4-MD5
For data-plane traffic, the SSL versions supported by PAN-OS are: SSLv3, TLS1.0, and TLS1.1.
Hope it will help you.
Thanks
01-15-2014 08:56 AM
Thank you very much for the Reply.
Is TLS 1.0 the only protocol that can be used for the Management Interface? Older protocols such as SSLv2 will be denied and are not supported? I suspect the answer is yes but need to verify.
01-15-2014 10:19 AM
Yes, you are correct.
01-15-2014 12:24 PM
Hello Sir,
I did a small test with IE to open WEBUI for PAN-FW management interface. It is working only with SSL 3.0 and TLS 1.0.
Thanks
01-21-2014 12:34 AM
According to the release notes for PANOS 6.0 most devices will now support TLS 1.2 for dataplane ssl/tls decryption.
01-21-2014 07:32 AM
Hello Mikand,
You are correct, the new PAN OS 6.0 has the capability to decrypt TLS 1.2. With PANOS 5.0, however, if we detect a TLS1.1 or TLS1.2 session, we first try to downgrade it to TLS1.0 and decrypt. If that fails, we won't decrypt the session and either drop the session or allow it encrypted based upon your policy settings.
Thanks
10-20-2014 01:01 PM
Hello Hulk,
Is there a way to block sslv3 access to the management interface of the firewall and allow only TLS1.0?
Thanks.
10-20-2014 03:10 PM
Hi Mbavishi,
The latest content has a fix for the vulnerability related to sslv3; if management traffic is traversing through the Dataports, then it can be blocked.
If not, there is no way to block it.
Regards,
Hardik Shah
10-20-2014 03:29 PM
Hi Mbavishi,
Please refer to the following thread for more detail.
Re: Is it possible to Specifically Disable SSL 3.0 on a Palo Alto Interface
Regards,
Hardik Shah
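One way to check for yourself which protocol versions and weak suites a management interface accepts, as the original question asks. This is an added example, not code from any poster in this thread or from Palo Alto Networks. The function names, the documentation address 192.0.2.10 and the OpenSSL spellings of the cipher names are assumptions.

```python
import socket
import ssl

# Versions to offer, oldest first. SSLv2 is absent: Python's ssl module cannot offer it.
VERSIONS = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1,
            ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2)
# OpenSSL spellings of three suites from the first reply's list (mapping is an assumption).
WEAK_CIPHERS = ("RC4-MD5", "RC4-SHA", "DES-CBC3-SHA")


def probe(host, port, version, cipher="ALL", timeout=5.0):
    """Offer exactly one protocol version and one OpenSSL cipher string.

    Returns "accepted", "rejected", "unreachable" or "unsupported-locally".
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # only the handshake parameters are audited,
    ctx.verify_mode = ssl.CERT_NONE  # not the certificate
    try:
        # SECLEVEL=0 lifts the local OpenSSL policy that would otherwise
        # refuse to offer old versions and weak suites at all.
        ctx.set_ciphers(cipher + ":@SECLEVEL=0")
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ssl.SSLError, ValueError):
        return "unsupported-locally"  # this client build cannot offer it
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "accepted"
        except OSError:  # ssl.SSLError, resets and timeouts all derive from OSError
            return "rejected"


def audit(host, port=443):
    """Map each version, and each weak suite offered over TLS 1.0, to its result."""
    results = {v.name: probe(host, port, v) for v in VERSIONS}
    for cipher in WEAK_CIPHERS:
        results[cipher] = probe(host, port, ssl.TLSVersion.TLSv1, cipher)
    return results


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address; replace it with your own management IP.
    for item, result in audit("192.0.2.10").items():
        print(f"{item:14} {result}")
```

A result of "unsupported-locally" means the OpenSSL build behind your Python cannot offer that version or suite, so it says nothing about the firewall; rerun that check from a client that still ships the legacy protocol.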