Palo Alto Networks Knowledgebase: PCI compliance scan failed for Globalprotect IP address not using version TLS 1.2

Created On 02/07/19 23:36 PM - Last Updated 02/07/19 23:36 PM
VPNs

Issue

The PCI compliance scan failed because the GlobalProtect IP address is not using TLS 1.2 as the minimum version.

 

Cause

On PAN-OS 6.1.4 and below, the GlobalProtect agent connects using TLS 1.0 by default.

 

Resolution

To resolve this, configure the minimum TLS version used to secure the connection between the GlobalProtect agent and the firewall.

 

Steps

  1. Go to Device > Certificate Management > SSL/TLS Service Profile and create a new profile.
  2. Go to the GlobalProtect configuration under Network > GlobalProtect.
  3. Map the newly created SSL/TLS service profile to both the portal and the gateway configuration.
  4. Commit the configuration.
  5. Reconnect to GlobalProtect from the client machine.
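
One way to confirm the result before requesting a PCI rescan, as an added example that is not part of the original article: a Python check that attempts one handshake pinned to each TLS version against the portal or gateway address. The function names and the default port 443 are assumptions, and the local OpenSSL build must still be able to offer TLS 1.0 and 1.1 for those probes to count.

```python
import socket
import ssl
import sys

# Versions to probe; the first two must be refused once the profile is mapped.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}
BELOW_MINIMUM = ("TLSv1.0", "TLSv1.1")

def probe(host, port, version, timeout=5.0):
    """One handshake pinned to a single version.
    Returns 'accepted', 'rejected' or 'untestable' (local OpenSSL cannot offer it).
    TCP connect failures and timeouts propagate, so an unreachable host never passes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # protocol check only, not certificate validation
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # allow the client to offer legacy versions
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return "untestable"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "accepted"
        except (ssl.SSLError, ConnectionResetError):
            return "rejected"

def assess(results):
    """results maps version label -> probe outcome. Returns (passed, reasons)."""
    reasons = []
    for label in BELOW_MINIMUM:
        if results.get(label) == "accepted":
            reasons.append(f"{label} still accepted")
        elif results.get(label) != "rejected":
            reasons.append(f"{label} not tested")
    if results.get("TLSv1.2") != "accepted":
        reasons.append("TLSv1.2 not accepted")
    return (not reasons, reasons)

if __name__ == "__main__":
    host = sys.argv[1]              # portal or gateway address
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443   # assumed default
    results = {label: probe(host, port, v) for label, v in VERSIONS.items()}
    passed, reasons = assess(results)
    print(results, "PASS" if passed else "FAIL: " + "; ".join(reasons))
    sys.exit(0 if passed else 1)
```

Run it against both the portal and the gateway address, since the profile is mapped to each separately. A "not tested" result means the check should be repeated from a machine whose OpenSSL still offers the legacy versions.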

 

 


