How to disable medium strength SSL ciphers for SSL/TLS Service Profile on Firewall
175973
Created On 02/14/19 23:10 PM - Last Modified 06/27/24 14:12 PM
Objective
- To disable medium-strength SSL/TLS ciphers such as 3DES (a 64-bit block cipher, which is why vulnerability scanners report it as medium strength) in an existing SSL/TLS Service Profile
Environment
- PAN-OS 8.1 or higher
- Firewall
- Network being tested by Security Scan (Nessus)
- GlobalProtect Portal page (the SSL/TLS Service Profile assigned to the portal)
Procedure
From the CLI you can disable individual SSL/TLS ciphers in an already configured "SSL/TLS Service Profile" by running the command below in configure mode. The profile options also include RC4 (enc-algo-rc4), which scanners flag for the same reason and which can be disabled with the same syntax. The change takes effect only after a commit, so commit and then re-run the scan to confirm the cipher is no longer offered.
# set shared ssl-tls-service-profile <Name> protocol-settings <tab>
Example:

> configure
Entering configuration mode
# set shared ssl-tls-service-profile (tab to view available "SSL/TLS Service Profiles")
  TLSprofileTest   TLSprofileTest
  <value>          Profile name
# set shared ssl-tls-service-profile TLSprofileTest protocol-settings (tab to view options)
+ auth-algo-sha1          Allow authentication SHA1
+ auth-algo-sha256        Allow authentication SHA256
+ auth-algo-sha384        Allow authentication SHA384
+ enc-algo-3des           Allow algorithm 3DES
+ enc-algo-aes-128-cbc    Allow algorithm AES-128-CBC
+ enc-algo-aes-128-gcm    Allow algorithm AES-128-GCM
+ enc-algo-aes-256-cbc    Allow algorithm AES-256-CBC
+ enc-algo-aes-256-gcm    Allow algorithm AES-256-GCM
+ enc-algo-rc4            Allow algorithm RC4
+ keyxchg-algo-dhe        Allow algorithm DHE
+ keyxchg-algo-ecdhe      Allow algorithm ECDHE
+ keyxchg-algo-rsa        Allow algorithm RSA
+ max-version             max-version
+ min-version             min-version
  <Enter>                 Finish input
# set shared ssl-tls-service-profile TLSprofileTest protocol-settings enc-algo-3des (tab to view options)
  no    no
  yes   yes
# set shared ssl-tls-service-profile TLSprofileTest protocol-settings enc-algo-3des no
# commit
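After the commit, it is worth checking from outside the firewall that the portal really stopped negotiating the cipher, rather than relying on the next scheduled scan. The script below is an added example, not code from this article or from Palo Alto Networks: it attempts one TLS 1.2 handshake per cipher family named in the profile's protocol-settings, using an OpenSSL cipher string restricted to that family, and turns any "medium" family the server still accepts into the matching set command for the profile. The mapping from protocol-settings keys to OpenSSL cipher names, the host and port, and the profile name TLSprofileTest are assumptions for illustration. If the local OpenSSL build no longer ships a family at all (RC4 is commonly compiled out), the family is reported as untestable instead of being silently counted as rejected.

```python
"""Probe a TLS endpoint (e.g. a GlobalProtect portal) for the cipher families
listed in a PAN-OS SSL/TLS Service Profile and emit the CLI lines needed to
disable the medium-strength ones that are still accepted."""
import socket
import ssl

# Constructed mapping from PAN-OS protocol-settings keys to OpenSSL cipher
# strings that exercise only that family (assumption for illustration).
CIPHER_FAMILIES = {
    "enc-algo-3des": "DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA",
    "enc-algo-rc4": "RC4-SHA:RC4-MD5",
    "enc-algo-aes-128-cbc": "AES128-SHA:AES128-SHA256:ECDHE-RSA-AES128-SHA",
    "enc-algo-aes-256-cbc": "AES256-SHA:AES256-SHA256:ECDHE-RSA-AES256-SHA",
    "enc-algo-aes-128-gcm": "AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256",
    "enc-algo-aes-256-gcm": "AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384",
}

# Families a medium/weak-cipher scan finding expects to be turned off.
SHOULD_BE_DISABLED = ("enc-algo-3des", "enc-algo-rc4")


def build_context(cipher_string):
    """Return a client SSLContext limited to cipher_string, or None if the
    local OpenSSL cannot offer any cipher in that string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We are testing cipher negotiation, not certificate trust.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Cipher strings govern TLS 1.2 and below; TLS 1.3 suites are separate.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        # @SECLEVEL=0 lets OpenSSL offer 3DES even where the distribution's
        # default security level would otherwise refuse it client-side.
        ctx.set_ciphers(cipher_string + ":@SECLEVEL=0")
    except ssl.SSLError:
        return None  # cipher family not available in this OpenSSL build
    return ctx


def probe(host, port, cipher_string, timeout=5.0):
    """Return 'accepted', 'rejected' or 'untestable' for one cipher family."""
    ctx = build_context(cipher_string)
    if ctx is None:
        return "untestable"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.cipher()  # handshake completed with one of our ciphers
        return "accepted"
    except ssl.SSLError:
        # Handshake failure: the server offered none of the requested suites
        # (or it speaks TLS 1.3 only, which also means no legacy cipher).
        return "rejected"


def probe_all(host, port):
    """Probe every family in CIPHER_FAMILIES; returns {key: result}."""
    return {key: probe(host, port, ciphers) for key, ciphers in CIPHER_FAMILIES.items()}


def audit(profile, results):
    """Turn probe results into PAN-OS configure-mode commands for the families
    that should be disabled but were still accepted."""
    disable = [
        "set shared ssl-tls-service-profile %s protocol-settings %s no" % (profile, key)
        for key in SHOULD_BE_DISABLED
        if results.get(key) == "accepted"
    ]
    untestable = [key for key in SHOULD_BE_DISABLED if results.get(key) == "untestable"]
    return {"disable": disable, "untestable": untestable}


if __name__ == "__main__":
    # Assumed portal address and profile name; replace with your own.
    findings = probe_all("portal.example.com", 443)
    for key, result in sorted(findings.items()):
        print("%-22s %s" % (key, result))
    report = audit("TLSprofileTest", findings)
    for line in report["disable"]:
        print("TODO:", line)
    for key in report["untestable"]:
        print("could not test %s with the local OpenSSL; use a scanner" % key)
```

A family reported as untestable is not evidence that the server rejects it, so treat it as still open until a scanner (or an OpenSSL build with the cipher compiled in) confirms otherwise.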
Additional Information
HOW TO DISABLE WEAK SSL CIPHERS FOR SSL/TLS SERVICE PROFILE WITHIN A PANORAMA TEMPLATE
Applying SSL/TLS profile to the management interface