Select the earliest (Min Version) and latest (Max Version) version of TLS that services can use: TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3, or Max (the latest available version).

On firewalls in FIPS/CC mode running PAN-OS 8.0 or a later release, TLSv1.1 is the earliest supported TLS version; do not select TLSv1.0. Client certificates that are used when requesting firewall services that rely on TLSv1.2 cannot have SHA512 as a digest algorithm. The client certificates must use a lower digest algorithm (such as SHA384) or you must limit the Max Version to TLSv1.1 for the services.

Use the strongest version of the protocol you can to provide the strongest security for your network. If you can, set the Min Version to TLSv1.2 and set the Max Version to Max.
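The rules above expressed as a profile audit, as an added example that is not part of the original documentation. The function name, its parameters and the sample profiles are hypothetical; "Max" is assumed to resolve to TLSv1.3 (the newest version listed here), and the SHA512 rule is applied whenever TLSv1.2 falls inside the Min/Max range.

```python
# Added example: audit SSL/TLS service profile settings against the rules above.
# Field names and sample values are constructed for illustration.
ORDER = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def rank(version):
    # Assumption: "Max" resolves to the newest version listed on this page.
    return len(ORDER) - 1 if version == "Max" else ORDER.index(version)


def audit_profile(min_version, max_version, fips_cc=False, client_cert_digests=()):
    """Return a list of findings for one profile; an empty list means no issues."""
    findings = []
    lo, hi = rank(min_version), rank(max_version)
    if lo > hi:
        findings.append("Min Version is later than Max Version")
    if fips_cc and lo < rank("TLSv1.1"):
        findings.append("FIPS/CC mode: TLSv1.0 is not supported, raise Min Version")
    # TLSv1.2 can be negotiated whenever it lies inside [Min, Max].
    if lo <= rank("TLSv1.2") <= hi:
        for digest in client_cert_digests:
            if digest.lower().replace("-", "") == "sha512":
                findings.append(
                    "client certificate uses SHA512 while TLSv1.2 is allowed: "
                    "reissue with a lower digest (such as SHA384) "
                    "or limit Max Version to TLSv1.1"
                )
                break
    if lo < rank("TLSv1.2"):
        findings.append("recommendation: set Min Version to TLSv1.2")
    if max_version != "Max":
        findings.append("recommendation: set Max Version to Max")
    return findings


if __name__ == "__main__":
    # Constructed sample profiles: (min, max, FIPS/CC mode, client cert digests)
    samples = [
        ("TLSv1.2", "Max", False, ["SHA384"]),
        ("TLSv1.0", "TLSv1.2", True, ["SHA512"]),
        ("TLSv1.1", "TLSv1.1", True, ["SHA512"]),
    ]
    for sample in samples:
        print(sample, "->", audit_profile(*sample) or "ok")
```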