TLSv1.3 Support for Management Access
In PAN-OS 11.0, you can secure connections to the management
interface with TLSv1.3.
PAN-OS 11.0 introduces two settings that let you secure web connections to your management interface with TLSv1.3. The Management TLS Mode setting lets you choose whether TLSv1.3 is required, offered alongside older versions, or excluded, and the Certificate setting selects the server certificate that the management interface presents on TLSv1.3 connections. The settings function similarly to an SSL/TLS service profile but apply only to web interface management connections.
Configuring an SSL/TLS service profile remains the only way to customize individual TLS protocol versions and algorithms for other firewall and Panorama services, such as Authentication Portal and GlobalProtect.
TLSv1.3 delivers several performance and security improvements, including a shorter handshake (one round trip instead of two) and a reduced cipher-suite set in which every suite uses authenticated encryption with forward-secret key exchange. Palo Alto Networks supports the following TLSv1.3 cipher suites for management access:
TLS-CHACHA20-POLY1305-SHA256
For the Management TLS Mode setting, you can choose among three options: tlsv1.3_only, mixed-mode, and exclude_tlsv1.3.
tlsv1.3_only allows web management interface connections secured only by TLSv1.3. If a client cannot negotiate TLSv1.3 (the protocol version and one of its cipher suites), the connection fails. This is the strictest mode and the appropriate choice when a compliance audit (for example, PCI DSS) requires that legacy TLS versions be disabled on the management interface.
mixed-mode allows web management interface connections secured by any TLS protocol version from TLSv1.0 through TLSv1.3; the firewall negotiates the highest version the client offers. For example, if a client's browser supports only TLSv1.2, the firewall negotiates the connection with TLSv1.2 and its associated cipher suites. Because this mode still accepts TLSv1.0 and TLSv1.1, it does not by itself disable the legacy versions that audits typically flag.
exclude_tlsv1.3 (Default) disables TLSv1.3 support, allowing web management interface connections secured by either TLSv1.0, TLSv1.1, or TLSv1.2. This mode is the default configuration for PAN-OS 11.0 and maintains the functionality of previous releases.
The Certificate setting is only available for the modes that support TLSv1.3 (tlsv1.3_only and mixed-mode). In exclude_tlsv1.3 mode, configure an SSL/TLS service profile to specify a certificate and to restrict TLS protocol versions and cipher suites.
Log in to your management interface.
Edit the General Settings (). You can also configure these settings on the Panorama™ web interface ().
For Management TLS Mode, select either tlsv1.3_only or mixed-mode, and then click OK.
For Certificate, select your management server certificate, and then click OK.
Inspect the security details for your server to confirm that TLSv1.3 is in use.
For example, in Google Chrome, click the lock symbol to the left of the address bar, click Connection is secure, and then click Certificate is valid. The Details section displays certificate fields, such as the signature algorithm and validity period. The negotiated protocol version is not a certificate field; to see it in Chrome, open Developer Tools and check the Security panel, which reports the connection's protocol (for example, TLS 1.3) and cipher suite.
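A browser shows only the version it happened to negotiate, not which versions the firewall still accepts. The script below is an added example (not Palo Alto Networks code) that probes a management interface once per protocol version with the client pinned to exactly that version, then maps the results onto the three Management TLS Mode values described above. The host, port and timeout are assumptions; certificate verification is deliberately skipped because the probe is testing protocol negotiation, not the trust chain.

```python
"""Probe which TLS versions a PAN-OS management interface accepts.

Added example, not Palo Alto Networks code. Host, port and timeout are
assumptions; the probe works against any HTTPS endpoint.
"""
import socket
import ssl
import sys

# Versions named by the Management TLS Mode setting, mapped to ssl constants.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_version(host, port, label, timeout=5.0):
    """Attempt one handshake pinned to a single protocol version.

    Returns the version string the server negotiated (ssl reports TLS 1.0
    as "TLSv1"), or None if the server refused the handshake or the local
    OpenSSL build cannot offer that version at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Management interfaces are frequently self-signed; this probe checks
    # protocol negotiation, not the trust chain, so skip verification here.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = VERSIONS[label]
        ctx.maximum_version = VERSIONS[label]
        if label in ("TLSv1.0", "TLSv1.1"):
            # OpenSSL 3 rejects legacy versions at its default security level.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError, ValueError):
        return None


def probe_all(host, port=443, timeout=5.0):
    """Probe every version; result maps label -> negotiated version or None."""
    return {label: probe_version(host, port, label, timeout) for label in VERSIONS}


def infer_mode(results):
    """Map probe results onto the Management TLS Mode values.

    Because each probe pins min and max to one version, any successful
    handshake proves that exact version is accepted. A None for TLSv1.0 or
    TLSv1.1 may also mean the local OpenSSL cannot offer it, so treat a
    legacy refusal as evidence, not proof, that the firewall disabled it.
    """
    accepted = {label for label, got in results.items() if got is not None}
    legacy = accepted & {"TLSv1.0", "TLSv1.1", "TLSv1.2"}
    if accepted == {"TLSv1.3"}:
        return "tlsv1.3_only"
    if "TLSv1.3" in accepted and legacy:
        return "mixed-mode"
    if legacy and "TLSv1.3" not in accepted:
        return "exclude_tlsv1.3"
    return "unknown"


if __name__ == "__main__":
    # Hypothetical target; replace with the management interface address.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    results = probe_all(target)
    for label, got in results.items():
        print(f"{label:8} {'accepted (' + got + ')' if got else 'refused'}")
    print("inferred Management TLS Mode:", infer_mode(results))
```

Run it before and after changing the setting: in tlsv1.3_only every legacy probe should be refused, while in the default exclude_tlsv1.3 the TLSv1.3 probe fails and the legacy ones succeed unless an SSL/TLS service profile narrows them further.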