How do I select which ciphers are used in the GlobalProtect connection negotiation?

Created On 04/15/19 19:57 PM - Last Modified 05/09/23 15:55 PM


Question


How do I select which ciphers are used in the GlobalProtect connection negotiation?

Environment


  • PAN-OS 8.1 and above
  • Palo Alto Networks Firewall 
  • SSL/TLS service profile
 
 


Answer


It is now possible to choose which ciphers are used to negotiate the connection to the GlobalProtect Portal/Gateway.

This selection can only be done via the CLI.
 
Here are the commands: 
> configure
# set shared ssl-tls-service-profile <name> protocol-settings
+ auth-algo-sha1         Allow authentication SHA1
+ auth-algo-sha256       Allow authentication SHA256
+ auth-algo-sha384       Allow authentication SHA384
+ enc-algo-3des          Allow algorithm 3DES
+ enc-algo-aes-128-cbc   Allow algorithm AES-128-CBC
+ enc-algo-aes-128-gcm   Allow algorithm AES-128-GCM
+ enc-algo-aes-256-cbc   Allow algorithm AES-256-CBC
+ enc-algo-aes-256-gcm   Allow algorithm AES-256-GCM
+ enc-algo-rc4           Allow algorithm RC4
+ keyxchg-algo-dhe       Allow algorithm DHE
+ keyxchg-algo-ecdhe     Allow algorithm ECDHE
+ keyxchg-algo-rsa       Allow algorithm RSA
+ max-version            max-version 
+ min-version            min-version 
….


NOTE: This feature is available in PAN-OS 8.1.0 and higher.
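
The following session is an added example, not part of the original article. It shows the options above applied to one profile and reviewed in the candidate configuration before commit. Assumptions: the profile name GP-portal-profile is hypothetical, and the policy shown (TLS 1.2 minimum, with RC4, 3DES and SHA1 turned off) is only one possible choice.

```text
> configure
# set shared ssl-tls-service-profile GP-portal-profile protocol-settings min-version tls1-2
# set shared ssl-tls-service-profile GP-portal-profile protocol-settings enc-algo-rc4 no
# set shared ssl-tls-service-profile GP-portal-profile protocol-settings enc-algo-3des no
# set shared ssl-tls-service-profile GP-portal-profile protocol-settings auth-algo-sha1 no
# show shared ssl-tls-service-profile GP-portal-profile protocol-settings
# commit
```

Clients that support only the disabled algorithms or an older TLS version will fail the handshake after the commit, so check the GlobalProtect client versions in use before applying it.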
 

