The same applies to the ciphers for the SSL forward proxy. While some ciphers can be disabled in general, one cannot prefer ciphers using ECDHE over plain RSA. For PAN-OS 9.1, plain RSA is preferred over ECDHE-RSA. From a security perspective, (EC)DHE should be preferred, since they offer forward secrecy.

TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
...
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
...

So I would love to see a configuration dialogue for the cipher preference in PAN-OS, too!
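Added example, not part of the original post and not PAN-OS code: a check that takes a cipher preference order in the `NAME (0xcode)` form quoted above, flags every non-forward-secret suite ranked above a forward-secret one, and shows which suite a client offering all of them would end up with. The function names are hypothetical, the server's order is assumed to decide the selection, and treating TLS 1.3 suite names as forward-secret goes beyond the suites listed in the post.

```python
import re

# Key-exchange prefixes that use ephemeral (EC)DH and therefore give forward secrecy.
FS_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_")
# TLS 1.3 suite names carry no key exchange; TLS 1.3 always uses ephemeral (EC)DHE.
TLS13_RE = re.compile(r"^TLS_(AES|CHACHA20)_")
SUITE_RE = re.compile(r"(TLS_[A-Za-z0-9_]+)\s*\((0x[0-9a-fA-F]+)\)")

# The four suites quoted in the post, in the order given there.
# The "..." elisions are kept as posted and are skipped by the parser.
OBSERVED = """
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
...
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
...
"""

def parse_suites(text):
    """Return [(name, code)] in the order listed, most preferred first."""
    return [(name, int(code, 16)) for name, code in SUITE_RE.findall(text)]

def has_forward_secrecy(name):
    return name.startswith(FS_PREFIXES) or bool(TLS13_RE.match(name))

def preference_inversions(suites):
    """Pairs (non_fs, fs) where a non-FS suite is ranked above an FS suite."""
    pairs = []
    for i, (higher, _) in enumerate(suites):
        if has_forward_secrecy(higher):
            continue
        pairs += [(higher, lower) for lower, _ in suites[i + 1:]
                  if has_forward_secrecy(lower)]
    return pairs

def negotiated(server_pref, client_offer):
    """Assumption: the server picks its first suite that the client also offers."""
    offered = set(client_offer)
    return next((name for name, _ in server_pref if name in offered), None)

def fs_first(suites):
    """Stable reorder: forward-secret suites first, relative order otherwise kept."""
    return sorted(suites, key=lambda s: not has_forward_secrecy(s[0]))

if __name__ == "__main__":
    pref = parse_suites(OBSERVED)
    client = [name for name, _ in pref]  # constructed client that offers all four
    for non_fs, fs in preference_inversions(pref):
        print(f"{non_fs} is preferred over {fs}")
    print("negotiated as listed:", negotiated(pref, client))
    print("negotiated FS-first :", negotiated(fs_first(pref), client))
```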