Why is the SSL/TLS profile not blocking TLS version 1.1 using destination port 5007 on the Management Interface?

Created On 06/28/20 01:53 AM - Last Modified 07/02/20 17:36 PM


Question


Why is the SSL/TLS profile not blocking TLS version 1.1 with destination port 5007 when the SSL/TLS Service Profile is configured with Min Version TLSv1.2 on the Management Interface?

Example: 
  • Tcpdump on Firewall Management Interface:
User-added image
  • Vulnerability Scanner result:
User-added image

 


Environment


  • PAN-OS versions: 7.1.x, 8.1.x, 9.0.x, 9.1.x and 10.0.x
  • SSL/TLS Service Profile is configured for Min Version TLSv1.2
User-added image
  • Management Interface Settings are configured with the SSL/TLS profile shown above
User-added image


Answer


This behavior occurs because the User-ID checkbox under the Management Interface Settings profile is checked. To resolve it, uncheck the User-ID checkbox as shown below:
 
User-added image
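
To confirm the result from a packet capture like the tcpdump above, the negotiated version can be read from the ServerHello that the management interface sends back on port 5007. The following is an added example, not part of the original article or any Palo Alto Networks tooling; the function names are hypothetical, the sample bytes are constructed, and it assumes the ServerHello is the first handshake message in the TCP payload and is not fragmented.

```python
MIN_VERSION = 0x0303  # TLSv1.2, the Min Version set in the SSL/TLS Service Profile
NAMES = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def server_hello_version(payload: bytes):
    """Negotiated version code of a payload that starts with a ServerHello, else None."""
    # Record header is 5 bytes (type 0x16 = handshake); handshake type 0x02 = ServerHello.
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x02:
        return None
    version = int.from_bytes(payload[9:11], "big")  # server_version field
    pos = 44 + payload[43]  # skip 32-byte random, session_id length byte, session_id
    pos += 3                # skip cipher_suite (2 bytes) and compression_method (1 byte)
    if pos + 2 > len(payload):
        return version      # no extensions block
    end = min(pos + 2 + int.from_bytes(payload[pos:pos + 2], "big"), len(payload))
    pos += 2
    while pos + 4 <= end:
        ext_type = int.from_bytes(payload[pos:pos + 2], "big")
        ext_len = int.from_bytes(payload[pos + 2:pos + 4], "big")
        if ext_type == 43 and ext_len == 2 and pos + 6 <= end:
            # supported_versions: TLS 1.3 reports the real version here
            return int.from_bytes(payload[pos + 4:pos + 6], "big")
        pos += 4 + ext_len
    return version

def below_minimum(payload: bytes, minimum: int = MIN_VERSION) -> bool:
    """True when the ServerHello negotiates a version older than the minimum."""
    version = server_hello_version(payload)
    return version is not None and version < minimum

def sample_hello(version: int, extensions: bytes = b"") -> bytes:
    """Build a constructed ServerHello record (zeroed random, empty session_id)."""
    body = version.to_bytes(2, "big") + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions:
        body += len(extensions).to_bytes(2, "big") + extensions
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version.to_bytes(2, "big") + len(handshake).to_bytes(2, "big") + handshake

if __name__ == "__main__":
    samples = {
        "TLS 1.1 reply (constructed)": sample_hello(0x0302),
        "TLS 1.2 reply (constructed)": sample_hello(0x0303),
        "TLS 1.3 reply (constructed)": sample_hello(0x0303, b"\x00\x2b\x00\x02\x03\x04"),
    }
    for label, data in samples.items():
        code = server_hello_version(data)
        print(label, NAMES.get(code, hex(code)), "VIOLATION" if below_minimum(data) else "ok")
```

A ServerHello from port 5007 that still reports TLSv1.1 after the profile is applied corresponds to the scanner finding described in the question.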

