05-21-2023 08:24 PM
Hi All,
I recently had a pen test return the following results:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS | 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS | 128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK | 256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK | 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK | 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK | 128
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 2048 bits FS | 256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 2048 bits FS | 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK | 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK | 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK | 128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 2048 bits FS WEAK | 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 2048 bits FS WEAK | 128
Which of the below cipher suites do I disable to comply? (enc-algo-3des is already disabled.) This is set on my GlobalProtect interface; will anything break? 🙂
+ auth-algo-sha1 Allow authentication SHA1
+ auth-algo-sha256 Allow authentication SHA256
+ auth-algo-sha384 Allow authentication SHA384
+ enc-algo-3des Allow algorithm 3DES
+ enc-algo-aes-128-cbc Allow algorithm AES-128-CBC
+ enc-algo-aes-128-gcm Allow algorithm AES-128-GCM
+ enc-algo-aes-256-cbc Allow algorithm AES-256-CBC
+ enc-algo-aes-256-gcm Allow algorithm AES-256-GCM
+ enc-algo-rc4 Allow algorithm RC4
+ keyxchg-algo-dhe Allow algorithm DHE
+ keyxchg-algo-ecdhe Allow algorithm ECDHE
+ keyxchg-algo-rsa Allow algorithm RSA
+ max-version max-version
+ min-version min-version
05-22-2023 05:38 AM
I assume you refer to GlobalProtect ciphers.
To get an A- score in the SSLLabs test, run the following 4 commands (adjust template and profile name to match your environment).
If config is managed inside the firewall:
set shared ssl-tls-service-profile GlobalProtect protocol-settings auth-algo-sha1 no
set shared ssl-tls-service-profile GlobalProtect protocol-settings enc-algo-3des no
set shared ssl-tls-service-profile GlobalProtect protocol-settings enc-algo-rc4 no
set shared ssl-tls-service-profile GlobalProtect protocol-settings keyxchg-algo-rsa no
If config is pushed from Panorama:
set template Template-name config shared ssl-tls-service-profile GlobalProtect protocol-settings auth-algo-sha1 no
set template Template-name config shared ssl-tls-service-profile GlobalProtect protocol-settings enc-algo-3des no
set template Template-name config shared ssl-tls-service-profile GlobalProtect protocol-settings enc-algo-rc4 no
set template Template-name config shared ssl-tls-service-profile GlobalProtect protocol-settings keyxchg-algo-rsa no
05-22-2023 05:40 AM
I'd really suggest running through this on a non-production portal/gateway before actually making this change on your production portal/gateway ssl-tls-service-profile. While disabling weaker protocol settings generally doesn't cause any issues, I've also run into some very odd client configuration settings that would have broken things had we not tested it prior to making the change.
set shared ssl-tls-service-profile GlobalProtect protocol-settings keyxchg-algo-rsa no
set shared ssl-tls-service-profile GlobalProtect protocol-settings auth-algo-sha1 no
Replace "GlobalProtect" with whatever profile you're using.
05-22-2023 07:47 PM
Thank you so much, this is so helpful 👍
I wish that when I contacted support, rather than sending KBs they would simply answer like you have.
05-23-2023 09:49 AM
I would recommend the following settings as these will get you an A- on SSL Labs:
set shared ssl-tls-service-profile <SSL/TLS service profile name> protocol-settings auth-algo-sha1 no
set shared ssl-tls-service-profile <SSL/TLS service profile name> protocol-settings enc-algo-3des no
set shared ssl-tls-service-profile <SSL/TLS service profile name> protocol-settings enc-algo-rc4 no
set shared ssl-tls-service-profile <SSL/TLS service profile name> protocol-settings enc-algo-aes-128-cbc no
set shared ssl-tls-service-profile <SSL/TLS service profile name> protocol-settings enc-algo-aes-256-cbc no
set shared ssl-tls-service-profile <SSL/TLS service profile name> protocol-settings keyxchg-algo-rsa no
It is very unfortunate that Palo Alto will not fix secure renegotiation as that would get you an A+.
Also sending the root certificate should be fixed by Palo Alto.
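Before committing either command set above, it helps to predict which suites from the pen-test listing will survive. The script below is an added example, not Palo Alto code: it maps each suite name to the protocol-settings knobs quoted in the thread (that mapping is an assumption read off the IANA suite names) and applies the four-command set from the earlier reply and the six-command set from this one to the constructed copy of the scan.

```python
"""Predict which scanned cipher suites a PAN-OS SSL/TLS service profile
still offers once given protocol-settings knobs are set to "no".
Added example, not Palo Alto code; confirm the live result with a rescan."""
import re

# Constructed from the pen-test listing quoted in the thread: suite, hex id, verdict.
SCAN = """\
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) FS
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) FS
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) FS
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) FS
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) FS WEAK
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) FS WEAK
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) FS WEAK
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) FS WEAK
"""

SUITE = re.compile(r"^TLS_(?P<kx>ECDHE|DHE|RSA)(?:_RSA)?_WITH_(?P<enc>.+?)_(?P<mac>SHA\d*)"
                   r" \((?P<id>0x[0-9a-f]+)\)(?P<rest>.*)$")

# Assumed mapping from suite components to the knobs listed in the thread;
# disabling any one knob removes every suite that needs it.
KX = {"ECDHE": "keyxchg-algo-ecdhe", "DHE": "keyxchg-algo-dhe", "RSA": "keyxchg-algo-rsa"}
ENC = {"AES_128_CBC": "enc-algo-aes-128-cbc", "AES_128_GCM": "enc-algo-aes-128-gcm",
       "AES_256_CBC": "enc-algo-aes-256-cbc", "AES_256_GCM": "enc-algo-aes-256-gcm",
       "3DES_EDE_CBC": "enc-algo-3des", "RC4_128": "enc-algo-rc4"}
MAC = {"SHA": "auth-algo-sha1", "SHA256": "auth-algo-sha256", "SHA384": "auth-algo-sha384"}

def knobs_for(line):
    """Return (hex id, set of knobs the suite needs, whether the scanner said WEAK)."""
    m = SUITE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised suite line: {line!r}")
    return m["id"], {KX[m["kx"]], ENC[m["enc"]], MAC[m["mac"]]}, "WEAK" in m["rest"]

def after(disabled, scan=SCAN):
    """Return (ids still offered, WEAK ids still offered) once `disabled` knobs are 'no'."""
    kept = [(sid, weak) for sid, needs, weak in map(knobs_for, scan.splitlines())
            if not needs & set(disabled)]
    return [s for s, _ in kept], [s for s, w in kept if w]

# The two command sets proposed in the thread.
FOUR_COMMANDS = {"auth-algo-sha1", "enc-algo-3des", "enc-algo-rc4", "keyxchg-algo-rsa"}
SIX_COMMANDS = FOUR_COMMANDS | {"enc-algo-aes-128-cbc", "enc-algo-aes-256-cbc"}
```

On this scan both sets leave the same four forward-secret GCM suites and no WEAK ones; the extra CBC knobs only matter for CBC-SHA256 suites that were not in this listing.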
05-23-2023 03:10 PM
Hi Han,
You must have received the same report 😀
The pen testers flagged weak ciphers, secure renegotiation, and also information disclosure.
With regard to information disclosure:
I don't suppose anyone knows how to turn off "Palo Alto GlobalProtect Gateway httpd"?
05-23-2023 07:15 PM
Why would you want to turn off gateway access over https?
It is needed for gateway functionality.
The GlobalProtect agent will try 3 times to connect over udp/4501 to establish an IPSec tunnel, but if that fails it will fall back to SSL-VPN over tcp/443 (those are the default port numbers and can be changed).
05-23-2023 07:26 PM
Hi Raido,
Sorry, I probably did not explain myself properly.
I need to turn off Palo Alto disclosing information to a public scan.
At the moment you can see the following information: "Palo Alto GlobalProtect Gateway httpd"