I'm in the process of disabling medium-strength SSL ciphers for the SSL/TLS Service Profile, following this doc from Palo Alto:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmqeCAC
But I have a question before disabling the weak ciphers:
How can I check what ciphers are in use?
Is there a best practice or recommendation on which TLS protocol settings need to be enabled and which need to be disabled?
Just adding this KB from Palo Alto, a way to check the ssl-negotiation details after changing the parameters:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVCCA0
Oh, I see. Makes sense now. Thank you.
The default is "everything yes".
The document you linked is intended to narrow down the supported cipher suites to what you are willing to allow.
Thank you for your response.
Is there a CLI command to view what is allowed under the security protocols of an ssl-tls-service-profile, like:
- sha1 - yes
- 3des - no
- rc4 - yes
Then I can set `shared ssl-tls-service-profile <name> protocol <protocol_name> yes/no`.
Please let me know if there is a way to verify it.
By default, 'all' options are available. The browser will normally negotiate a fairly strong cipher, but an older or 'forced' browser may negotiate a weaker cipher.
Best practice is to disable anything weak:
- set the minimum version to TLS 1.2
- disallow sha1, 3des, rc4
In regards to strength, you may need to look at your industry's standards: is AES128 considered too weak or not? For the regular use case it should suffice.
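To answer the "how can I check what is actually negotiated" part from the outside, here is an added example (not from the thread, not a Palo Alto tool) that uses `openssl s_client` against the web interface or GlobalProtect portal that uses the profile. It tries each TLS version with the default client cipher list, then tries only the cipher families that map to the profile's `sha1`, `3des` and `rc4` toggles, and reports what the server accepted. The host, port and the cipher-to-toggle mapping are assumptions for the example; the parsing works on the standard `Protocol  :` / `Cipher    :` lines that `s_client` prints.

```shell
#!/bin/sh
# Added example: probe a TLS endpoint for the protocol versions and the weak
# cipher families (SHA1-MAC, 3DES, RC4) that a PAN-OS SSL/TLS Service Profile
# can disable. Not a Palo Alto tool; host/port are supplied by the caller.

# Read an openssl s_client transcript on stdin and print "PROTO CIPHER".
# A refused handshake still prints a session block with "Cipher : 0000",
# which we report as NONE, same as an empty transcript.
parse_negotiation() {
    awk '
        /^ *Protocol *:/ { proto = $NF }
        /^ *Cipher *:/   { cipher = $NF }
        END {
            if (proto != "" && cipher != "" && cipher != "0000")
                print proto, cipher
            else
                print "NONE"
        }
    '
}

# Map an OpenSSL suite name to the profile toggle that would remove it.
# Assumed mapping: "-SHA" suffix = HMAC-SHA1 suites, DES-CBC3 = 3DES, RC4 = RC4.
weak_reason() {
    case "$1" in
        *DES-CBC3*|*3DES*) echo "3des" ;;
        *RC4*)             echo "rc4" ;;
        *-SHA)             echo "sha1" ;;   # e.g. ECDHE-RSA-AES128-SHA
        *)                 echo "ok" ;;
    esac
}

# One handshake attempt: $1 host, $2 port, $3 version flag (-tls1_2 ...),
# $4 optional OpenSSL cipher list. Prints what parse_negotiation prints.
# Note: a client-side error (e.g. no RC4 support in this OpenSSL build)
# also shows up as NONE, so confirm with 'openssl ciphers <list>' first.
probe() {
    host=$1; port=$2; version_flag=$3; cipher_list=$4
    set -- -connect "$host:$port" -servername "$host" "$version_flag"
    [ -n "$cipher_list" ] && set -- "$@" -cipher "$cipher_list"
    openssl s_client "$@" </dev/null 2>/dev/null | parse_negotiation
}

# Full scan: each version with the default client list, then the weak families.
scan_host() {
    host=$1; port=${2:-443}
    echo "== protocol versions (default cipher list) =="
    for v in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "$v" "$(probe "$host" "$port" "$v" "")"
    done
    echo "== weak cipher families on TLS 1.2 =="
    for family in 3DES RC4 'AES128-SHA:AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA'; do
        result=$(probe "$host" "$port" -tls1_2 "$family")
        case "$result" in
            NONE) printf '%-60s refused\n' "$family" ;;
            *)    printf '%-60s ACCEPTED -> disable "%s" in the profile\n' \
                      "$family" "$(weak_reason "${result#* }")" ;;
        esac
    done
}

# Usage: sh probe_tls.sh <host> [port]
if [ "$#" -gt 0 ]; then
    scan_host "$1" "${2:-443}"
fi
```

After applying the KB steps, a clean result is TLS 1.0/1.1 reporting NONE and every weak family reporting "refused"; anything marked ACCEPTED names the profile toggle that still needs to be set to no.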