How do I select which ciphers are used in the GlobalProtect connection negotiation?
Created On 04/15/19 19:57 PM - Last Modified 05/09/23 15:55 PM
Question
How do I select which ciphers are used in the GlobalProtect connection negotiation?
Environment
- PAN-OS 8.1 and above
- Palo Alto Networks Firewall
- SSL/TLS service profile
Answer
It is now possible to choose which ciphers are used to negotiate the connection to the GlobalProtect Portal/Gateway.
This selection can only be done via the CLI.
Here are the commands:
> configure
# set shared ssl-tls-service-profile <name> protocol-settings
+ auth-algo-sha1         Allow authentication SHA1
+ auth-algo-sha256       Allow authentication SHA256
+ auth-algo-sha384       Allow authentication SHA384
+ enc-algo-3des          Allow algorithm 3DES
+ enc-algo-aes-128-cbc   Allow algorithm AES-128-CBC
+ enc-algo-aes-128-gcm   Allow algorithm AES-128-GCM
+ enc-algo-aes-256-cbc   Allow algorithm AES-256-CBC
+ enc-algo-aes-256-gcm   Allow algorithm AES-256-GCM
+ enc-algo-rc4           Allow algorithm RC4
+ keyxchg-algo-dhe       Allow algorithm DHE
+ keyxchg-algo-ecdhe     Allow algorithm ECDHE
+ keyxchg-algo-rsa       Allow algorithm RSA
+ max-version            max-version
+ min-version            min-version
….
NOTE: This feature is available in PAN-OS 8.1.0 and higher.
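The following is an added example, not part of the original article: a hardening pass over the profile that turns off the legacy options from the list above (RC4, 3DES, SHA1 authentication, and RSA key exchange, which provides no forward secrecy) and raises the minimum protocol version. The `no` values and the `tls1-2` version string are assumptions here, since the article only shows the option names; `<name>` is the SSL/TLS service profile attached to the GlobalProtect Portal/Gateway.

```text
> configure
# set shared ssl-tls-service-profile <name> protocol-settings enc-algo-rc4 no
# set shared ssl-tls-service-profile <name> protocol-settings enc-algo-3des no
# set shared ssl-tls-service-profile <name> protocol-settings auth-algo-sha1 no
# set shared ssl-tls-service-profile <name> protocol-settings keyxchg-algo-rsa no
# set shared ssl-tls-service-profile <name> protocol-settings min-version tls1-2
# show shared ssl-tls-service-profile <name>
# commit
```

The `show` line prints the candidate configuration so the settings can be reviewed before `commit`. Clients that can only negotiate one of the disabled algorithms or an older protocol version will fail to connect after the commit, so confirm the GlobalProtect client versions in use first.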