TLSv1.3 Support for Management Access
In PAN-OS 11.0, you can secure connections to the management interface with TLSv1.3.
PAN-OS 11.0 introduces two settings that let you secure web connections to your management interface with TLSv1.3. The Management TLS Mode setting lets you enable TLSv1.3 for the management interface, either exclusively or alongside earlier protocol versions, and the Certificate setting selects the server certificate the management interface presents on those connections (an ordinary X.509 server certificate; there is no TLSv1.3-specific certificate type). The settings function similarly to an SSL/TLS service profile but apply only to web interface management connections.
Configuring an SSL/TLS service profile is the only way to customize individual TLS protocols and algorithms for other firewall and Panorama services, such as Authentication Portal and GlobalProtect.
TLSv1.3 delivers several performance and security improvements: a full handshake completes in one round trip instead of two, and the protocol defines only AEAD cipher suites with forward-secret (ephemeral Diffie-Hellman) key exchange, dropping RSA key transport and CBC-mode suites entirely. Palo Alto Networks supports the following TLSv1.3 cipher suites for management access (shown here in hyphenated form; the IANA registry names use underscores, for example TLS_AES_256_GCM_SHA384):
  • TLS-AES-128-CCM-SHA256
  • TLS-AES-128-GCM-SHA256
  • TLS-AES-256-GCM-SHA384
  • TLS-CHACHA20-POLY1305-SHA256
For the Management TLS Mode setting, you can choose among three options: tlsv1.3_only, mixed-mode, and exclude_tlsv1.3.
  • tlsv1.3_only
    allows web management interface connections secured only by TLSv1.3. If a client cannot negotiate TLSv1.3 and one of its cipher suites, the connection fails.
    Because this mode refuses every earlier protocol version outright, it is the simplest way to demonstrate to an auditor (for example under PCI DSS, which prohibits SSL and early TLS) that the management interface accepts no legacy protocol versions.
  • mixed-mode
    allows web management interface connections secured by any TLS protocol version (TLSv1.0 through TLSv1.3). For example, if a client's browser supports only TLSv1.2, the firewall negotiates the connection with TLSv1.2 and its associated cipher suites. Note that this mode also accepts TLSv1.0 and TLSv1.1, both deprecated by RFC 8996, so treat it as a transitional setting while legacy clients are upgraded rather than as a permanent configuration.
  • (
    Default
    )
    exclude_tlsv1.3
    disables TLSv1.3 support, allowing web management interface connections secured by either TLSv1.0, TLSv1.1, or TLSv1.2. This mode is the default configuration for PAN-OS 11.0 and maintains the functionality of previous releases.
    The Certificate setting is only available for modes that support TLSv1.3. In
    exclude_tlsv1.3
    mode, configure an SSL/TLS service profile to specify a certificate and restrict TLS protocol versions and cipher suites.
  1. Log in to the firewall web interface.
  2. Edit the General Settings (Device > Setup > Management).
     You can also configure these settings on the Panorama™ web interface (Panorama > Setup > Management).
  3. For Management TLS Mode, select either tlsv1.3_only or mixed-mode.
  4. For Certificate, select your management server certificate, and then click OK.
  5. Commit your changes.
  6. Confirm that TLSv1.3 is in use by inspecting the connection details in your browser.
     For example, in Google Chrome open the developer tools (F12) and select the Security panel; the Connection entry shows the negotiated protocol version (TLS 1.3), key exchange, and cipher suite. Clicking the lock symbol to the left of the address bar, then Connection is secure, then Certificate is valid, shows the certificate fields (subject, validity period, signature algorithm). Note that the certificate itself does not record the TLS version; the version is negotiated per connection, so the Security panel, not the certificate viewer, is the authoritative check.
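A command-line cross-check for the verification step and for the three mode definitions above, added here as an example (it is not from the PAN-OS documentation and is not a Palo Alto Networks tool). It pins one openssl s_client handshake to each TLS version and compares what the firewall accepts with what the selected Management TLS Mode should accept. It assumes openssl 1.1.1 or later (TLSv1.3-capable) on PATH; the hostname, port and mode are supplied by the caller, and the two s_client excerpts embedded in the script are constructed, not captured from a real device.

```shell
#!/bin/sh
# Added example, not from the PAN-OS documentation: probe a PAN-OS management
# interface once per TLS version with openssl s_client and compare what it
# accepts against what the configured Management TLS Mode should accept.
# Assumptions: openssl 1.1.1 or later (TLSv1.3-capable) on PATH; hostname,
# mode and optional port are supplied by the caller (port defaults to 443).

# Constructed s_client excerpts (not captured from a real firewall) so the
# parser can be exercised offline. On a failed handshake s_client reports
# Cipher 0000 and no session.
SAMPLE_OK='SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384'
SAMPLE_FAIL='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

# expected_result MODE VERSION -> "accept" or "reject", following the three
# mode definitions above. VERSION uses openssl's names: TLSv1.3 TLSv1.2 TLSv1.1 TLSv1.
expected_result() {
    case "$1:$2" in
        tlsv1.3_only:TLSv1.3)    echo accept ;;
        tlsv1.3_only:*)          echo reject ;;
        mixed-mode:*)            echo accept ;;
        exclude_tlsv1.3:TLSv1.3) echo reject ;;
        exclude_tlsv1.3:*)       echo accept ;;
        *) echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# parse_negotiated OUTPUT -> "PROTOCOL CIPHER" taken from the SSL-Session
# block of s_client output, or "none" when no cipher was negotiated.
parse_negotiated() {
    proto=$(printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$1" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    if [ -z "$proto" ] || [ -z "$cipher" ] || [ "$cipher" = 0000 ]; then
        echo none
    else
        echo "$proto $cipher"
    fi
}

# is_listed_suite CIPHER -> 0 if CIPHER is one of the four TLSv1.3 suites the
# page lists for management access (openssl prints the IANA underscore form).
is_listed_suite() {
    case "$1" in
        TLS_AES_128_CCM_SHA256|TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256) return 0 ;;
        *) return 1 ;;
    esac
}

# probe HOST PORT FLAG -> parsed result of one handshake pinned to a single
# protocol version (FLAG is -tls1_3, -tls1_2, -tls1_1 or -tls1).
probe() {
    out=$(openssl s_client -connect "$1:$2" -servername "$1" "$3" </dev/null 2>/dev/null)
    parse_negotiated "$out"
}

# check_mode MODE HOST [PORT] -> one report line per version; returns 1 if the
# observed behaviour differs from the mode's expectation for any version.
check_mode() {
    mode=$1 host=$2 port=${3:-443} rc=0
    for pair in TLSv1.3:-tls1_3 TLSv1.2:-tls1_2 TLSv1.1:-tls1_1 TLSv1:-tls1; do
        version=${pair%%:*} flag=${pair#*:}
        got=$(probe "$host" "$port" "$flag")
        want=$(expected_result "$mode" "$version")
        if [ "$got" = none ]; then actual=reject; else actual=accept; fi
        status=OK
        [ "$actual" = "$want" ] || { status=MISMATCH; rc=1; }
        printf '%-8s expected %-6s observed %-6s %-32s %s\n' "$version" "$want" "$actual" "$got" "$status"
    done
    return "$rc"
}

# Usage: sh tls_mode_check.sh tlsv1.3_only fw-mgmt.example.net [443]
if [ $# -ge 2 ]; then
    check_mode "$1" "$2" "${3:-}"
fi
```

After committing tlsv1.3_only, every line except TLSv1.3 should read "observed reject"; a TLSv1.2 "accept" there means the commit has not taken effect or you are probing a different listener. Two caveats when reading the output: OpenSSL 3.x refuses TLSv1.0 and TLSv1.1 at its default security level, so the -tls1 and -tls1_1 probes will show "reject" regardless of the firewall's setting unless you add -cipher 'DEFAULT:@SECLEVEL=0' to the s_client call; and in tlsv1.3_only or mixed-mode the negotiated TLSv1.3 suite reported in the third column should be one of the four suites listed above, which is_listed_suite checks.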
