Palo Alto Networks firewalls and Panorama
use SSL/TLS service profiles to specify a certificate and the allowed
protocol versions for SSL/TLS services. The firewall and Panorama
use SSL/TLS for Captive Portal, GlobalProtect portals and gateways,
inbound traffic on the management (MGT) interface, the URL Admin
Override feature, and the User-ID™ syslog listening service. By
defining the protocol versions, you can use a profile to restrict
the cipher suites that are available for securing communication
with the clients requesting the services. This improves network
security by enabling the firewall or Panorama to avoid SSL/TLS versions that
have known weaknesses. If a service request involves a protocol
version that is outside the specified range, the firewall or Panorama
downgrades or upgrades the connection to a supported version.
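
One way to audit an exported configuration for profiles whose allowed range still includes weak protocol versions, as an added example that is not Palo Alto Networks code or documentation. The element names and version tokens (`ssl-tls-service-profile`, `protocol-settings`, `min-version`, `max-version`, `tls1-0` through `max`) and the sample XML are assumptions modelled on a PAN-OS configuration export, and the TLS 1.2 floor is an illustrative policy choice.

```python
import xml.etree.ElementTree as ET

# Ascending protocol order. Token spelling is an assumption modelled on
# PAN-OS configuration exports; adjust it to match your own export.
ORDER = ["tls1-0", "tls1-1", "tls1-2", "tls1-3", "max"]

# Constructed sample, not taken from a real device.
SAMPLE_CONFIG = """
<config><shared><ssl-tls-service-profile>
  <entry name="gp-portal">
    <protocol-settings><min-version>tls1-2</min-version><max-version>max</max-version></protocol-settings>
  </entry>
  <entry name="mgmt-legacy">
    <protocol-settings><min-version>tls1-0</min-version><max-version>tls1-1</max-version></protocol-settings>
  </entry>
  <entry name="syslog-listener">
    <certificate>uid-cert</certificate>
  </entry>
</ssl-tls-service-profile></shared></config>
"""

def audit_profiles(config_xml, floor="tls1-2"):
    """Return {profile name: [findings]} for profiles that allow versions below floor."""
    findings = {}
    for entry in ET.fromstring(config_xml).findall(".//ssl-tls-service-profile/entry"):
        issues, seen = [], {}
        for label in ("min-version", "max-version"):
            value = entry.findtext(f"protocol-settings/{label}")
            value = seen[label] = value.strip() if value else None
            if value is None:
                issues.append(f"{label} not set explicitly; check the device default")
            elif value not in ORDER:
                issues.append(f"{label} has unrecognised value {value!r}")
            elif ORDER.index(value) < ORDER.index(floor):
                issues.append(f"{label} {value} is below {floor}")
        lo, hi = seen["min-version"], seen["max-version"]
        if lo in ORDER and hi in ORDER and ORDER.index(hi) < ORDER.index(lo):
            issues.append("max-version is lower than min-version")
        if issues:
            findings[entry.get("name", "<unnamed>")] = issues
    return findings

if __name__ == "__main__":
    for profile, issues in audit_profiles(SAMPLE_CONFIG).items():
        for issue in issues:
            print(f"{profile}: {issue}")
```

Profiles with no explicit range are reported rather than assumed safe, because the effective versions then depend on the device default.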