cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Who rated this post

Cyber Elite
Cyber Elite

I assume you refer to GlobalProtect ciphers.

To get A- score in SSLLabs test run following 4 commands (adjust template and profile name to match your environment)

 

If config is managed inside firewall

set shared ssl-tls-service-profile GlobalProtect protocol-settings auth-algo-sha1 no
set shared ssl-tls-service-profile GlobalProtect protocol-settings enc-algo-3des no
set shared ssl-tls-service-profile GlobalProtect protocol-settings enc-algo-rc4 no
set shared ssl-tls-service-profile GlobalProtect protocol-settings keyxchg-algo-rsa no

 

If config is pushed from Panorama
set template Template-name config shared ssl-tls-service-profile GlobalProtect protocol-settings auth-algo-sha1 no
set template Template-name config shared ssl-tls-service-profile GlobalProtect protocol-settings enc-algo-3des no
set template Template-name config shared ssl-tls-service-profile GlobalProtect protocol-settings enc-algo-rc4 no
set template Template-name config shared ssl-tls-service-profile GlobalProtect protocol-settings keyxchg-algo-rsa no

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

View solution in original post

Who rated this post