How Do I Choose a Cipher to Negotiate (disable or enable ciphers) in GlobalProtect?
Created On 04/15/19 19:57 PM - Last Modified 10/31/20 00:41 AM
Question
How do I choose which ciphers are negotiated (disable or enable ciphers) in GlobalProtect on PAN-OS 8.1?
Environment
- PAN-OS 8.1 and above
- Palo Alto Networks Firewall
- SSL/TLS service profile
Answer
It is now possible to choose which ciphers are negotiated (disable or enable ciphers) in GlobalProtect on PAN-OS 8.1.
This can be done only from the CLI, not from the web interface.
Here is the command:
> configure
# set shared ssl-tls-service-profile <name> protocol-settings
+ auth-algo-sha1 Allow authentication SHA1
+ auth-algo-sha256 Allow authentication SHA256
+ auth-algo-sha384 Allow authentication SHA384
+ enc-algo-3des Allow algorithm 3DES
….
NOTE: This feature was added in PAN-OS 8.1, so it is not available in prior versions.
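A check to run after committing the profile change, as an added example (not Palo Alto Networks code): it reads a cipher-enumeration report for the portal and flags any suite still offered that depends on a toggle you disabled. The report format, the function names and the handling of AEAD suites are assumptions; only the four toggle names come from this page.

```python
import re

# Toggle names are the ones listed on this page; suite names use IANA notation.
HASH_TOGGLE = {
    "SHA": "auth-algo-sha1",
    "SHA256": "auth-algo-sha256",
    "SHA384": "auth-algo-sha384",
}
AEAD_MODES = ("GCM", "CCM", "POLY1305")

# Constructed sample: suites a scanner reported as still offered after commit.
SAMPLE_SCAN = """\
TLSv1.2 offered: TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLSv1.2 offered: TLS_RSA_WITH_AES_128_CBC_SHA
TLSv1.2 offered: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLSv1.2 offered: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
"""

def toggles_for(suite):
    """Return the profile toggles (from this page) that a suite depends on."""
    m = re.fullmatch(r"TLS_\w+?_WITH_(\w+)_(SHA\d*)", suite)
    if m is None:
        raise ValueError(f"unrecognised suite name: {suite}")
    enc, digest = m.groups()
    needed = set()
    if enc.startswith("3DES"):
        needed.add("enc-algo-3des")
    # Assumption: in AEAD suites the trailing hash is the PRF, not a MAC,
    # so it is not attributed to an auth-algo toggle here.
    if not enc.endswith(AEAD_MODES) and digest in HASH_TOGGLE:
        needed.add(HASH_TOGGLE[digest])
    return needed

def audit(scan_text, disabled):
    """Map each offered suite to the disabled toggles it still relies on."""
    findings = {}
    for suite in re.findall(r"TLS_[A-Z0-9_]+", scan_text):
        hits = toggles_for(suite) & set(disabled)
        if hits:
            findings[suite] = sorted(hits)
    return findings

if __name__ == "__main__":
    for suite, why in audit(SAMPLE_SCAN, {"enc-algo-3des", "auth-algo-sha1"}).items():
        print(f"still offered: {suite} (disabled: {', '.join(why)})")
```

An empty result from `audit` means no offered suite relies on a disabled toggle; any entry points to a profile that was not committed or is not the one attached to the portal or gateway.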
Additional Information