Which weak cipher suites for SSL/TLS to delete

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Which weak cipher suites for SSL/TLS to delete

L2 Linker

Hi All,

I recently had a pen test return the following results:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp256r1 (eq. 3072 bits RSA)   FS 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp256r1 (eq. 3072 bits RSA)   FS 128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   WEAK 256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK 128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 2048 bits   FS 256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 2048 bits   FS 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK 128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 2048 bits   FS   WEAK 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 2048 bits   FS   WEAK 12

 

which of the below cipher suites do I disable to comply ? (enc-algo-3des is already disabled), this is set on my global protect interface, will anything break 🙂

+ auth-algo-sha1         Allow authentication SHA1
+ auth-algo-sha256       Allow authentication SHA256
+ auth-algo-sha384       Allow authentication SHA384
+ enc-algo-3des          Allow algorithm 3DES
+ enc-algo-aes-128-cbc   Allow algorithm AES-128-CBC
+ enc-algo-aes-128-gcm   Allow algorithm AES-128-GCM
+ enc-algo-aes-256-cbc   Allow algorithm AES-256-CBC
+ enc-algo-aes-256-gcm   Allow algorithm AES-256-GCM
+ enc-algo-rc4           Allow algorithm RC4
+ keyxchg-algo-dhe       Allow algorithm DHE
+ keyxchg-algo-ecdhe     Allow algorithm ECDHE
+ keyxchg-algo-rsa       Allow algorithm RSA
+ max-version            max-version
+ min-version            min-version

 

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

I assume you refer to GlobalProtect ciphers.

To get A- score in SSLLabs test run following 4 commands (adjust template and profile name to match your environment)

 

If config is managed inside firewall

set shared ssl-tls-service-profile GlobalProtect protocol-settings auth-algo-sha1 no
set shared ssl-tls-service-profile GlobalProtect protocol-settings enc-algo-3des no
set shared ssl-tls-service-profile GlobalProtect protocol-settings enc-algo-rc4 no
set shared ssl-tls-service-profile GlobalProtect protocol-settings keyxchg-algo-rsa no

 

If config is pushed from Panorama
set template Template-name config shared ssl-tls-service-profile GlobalProtect protocol-settings auth-algo-sha1 no
set template Template-name config shared ssl-tls-service-profile GlobalProtect protocol-settings enc-algo-3des no
set template Template-name config shared ssl-tls-service-profile GlobalProtect protocol-settings enc-algo-rc4 no
set template Template-name config shared ssl-tls-service-profile GlobalProtect protocol-settings keyxchg-algo-rsa no

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

View solution in original post

7 REPLIES 7

Cyber Elite
Cyber Elite

I assume you refer to GlobalProtect ciphers.

To get A- score in SSLLabs test run following 4 commands (adjust template and profile name to match your environment)

 

If config is managed inside firewall

set shared ssl-tls-service-profile GlobalProtect protocol-settings auth-algo-sha1 no
set shared ssl-tls-service-profile GlobalProtect protocol-settings enc-algo-3des no
set shared ssl-tls-service-profile GlobalProtect protocol-settings enc-algo-rc4 no
set shared ssl-tls-service-profile GlobalProtect protocol-settings keyxchg-algo-rsa no

 

If config is pushed from Panorama
set template Template-name config shared ssl-tls-service-profile GlobalProtect protocol-settings auth-algo-sha1 no
set template Template-name config shared ssl-tls-service-profile GlobalProtect protocol-settings enc-algo-3des no
set template Template-name config shared ssl-tls-service-profile GlobalProtect protocol-settings enc-algo-rc4 no
set template Template-name config shared ssl-tls-service-profile GlobalProtect protocol-settings keyxchg-algo-rsa no

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Cyber Elite
Cyber Elite

@PaulBrock,

I'd really suggest running through this on a non-production portal/gateway before actually making this change on your production portal/gateway ssl-tls-service-profile. While disabling weaker protocol settings generally doesn't cause any issues, I've also run into some very odd client configuration settings that would have broken things had we not tested it prior to making the change.

 

set shared ssl-tls-service-profile GlobalProtect protocol-settings keyxchg-algo-rsa no
set shared ssl-tls-service-profile GlobalProtect protocol-settings auth-algo-sha1 no

Replace "GlobalProtect" with whatever profile you're using. 

L2 Linker

Thank you so much, this is so helpful 👍

I wish that when I contacted support, rather than sending KBs they would simply answer like you have.

 

L2 Linker

I would recommend the following settings as these will get you an A- on SSL Labs:

 

set shared ssl-tls-service-profile <SSL/TLS service profile name> protocol-settings auth-algo-sha1 no
set shared ssl-tls-service-profile <SSL/TLS service profile name> protocol-settings enc-algo-3des no
set shared ssl-tls-service-profile <SSL/TLS service profile name> protocol-settings enc-algo-rc4 no
set shared ssl-tls-service-profile <SSL/TLS service profile name> protocol-settings enc-algo-aes-128-cbc no
set shared ssl-tls-service-profile <SSL/TLS service profile name> protocol-settings enc-algo-aes-256-cbc no
set shared ssl-tls-service-profile <SSL/TLS service profile name> protocol-settings keyxchg-algo-rsa no

 

It is very unfortunate that Palo Alto will not fix secure renegotiation as that would get you an A+.

Also sendig the root certificate should be fixed by Palo Alto.

Hi Han,

You must have received the same report,😀

the Pen testers  flagged Weak ciphers, secure renegotiation, and also Information Disclosure

 

With regard to Information disclosure:

I don't suppose anyone knows how to turn off Palo Alto "Palo Alto GlobalProtect Gateway httpd" 

 

Why would you want to turn off gateway access over https?

It is needed for gateway functionality.

 

GlobalProtect agent will try 3 times to connect over udp/4501 to establish IPSec tunnel but if it fails then it will fail back to SSL-VPN over tcp/443 (those are default ports numbers that can be changed).

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi Raido,

sorry, I probably did not explain myself properly.

I need to turn off Palo Alto disclosing information to a public scan.

 

at the moment you can see the following information "Palo Alto GlobalProtect Gateway httpd"

  • 1 accepted solution
  • 2917 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!