Configure TLSv1.3 to secure management connections.
PAN-OS 11.0 introduces two management configuration
options that let you define TLSv1.3 as your preferred TLS protocol
and select a TLSv1.3 certificate. TLSv1.3 delivers several performance
and security improvements, including shorter SSL/TLS handshakes,
simplified cipher suites, and support for only secure cipher suites.
Palo Alto Networks supports the following TLSv1.3 cipher suites:
The TLS Mode and Certificate settings function similarly to SSL/TLS service profiles but apply only to web interface management connections. You can choose among three TLS modes:

The TLSv1.3-only mode allows web interface management connections secured only by TLSv1.3. If a client cannot negotiate TLSv1.3 ciphers, the connection fails. This mode is ideal for passing PCI audits.

The mode that supports TLSv1.3 alongside earlier versions allows web interface management connections secured by any TLS protocol version (TLSv1.0-TLSv1.3). For example, if a client's browser supports only TLSv1.2, the firewall negotiates the connection with TLSv1.2 and its associated cipher suite.

The mode that disables TLSv1.3 support allows web interface management connections secured by TLSv1.0, TLSv1.1, or TLSv1.2 only. This mode is the default configuration for PAN-OS 11.0 and maintains the same functionality as previous releases.

The Certificate setting is available only for modes that support TLSv1.3. To restrict TLS protocol versions and cipher suites, or to specify certificates manually in a mode where the Certificate setting is unavailable, use an SSL/TLS service profile. Configuring an SSL/TLS service profile is the only way to customize individual TLS protocols and algorithms for other firewall and Panorama services such as Authentication Portal and GlobalProtect.
To configure TLSv1.3 for management connections:

1. Log in to the web interface.
2. Set the Management TLS Mode to the mode you want.
3. If the selected mode supports TLSv1.3, select your management server certificate, then confirm and commit the change.
4. Inspect the security details for your server to confirm that TLSv1.3 is in use. For example, in Google Chrome, click the lock symbol to the left of the address bar, click Connection is secure, and then click Certificate is valid. The Details section displays certificate fields, such as the TLS version and signature algorithm.
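The browser check above confirms a single connection. The following script, added here as an example and not part of the PAN-OS documentation or product, verifies the same thing from the command line and maps the result onto the three management TLS modes described earlier: it offers the management interface exactly one protocol version per connection and records which versions are negotiated. The host name, port and mode names are assumptions (descriptive labels, not the firewall's UI labels), and the classification and findings logic runs on constructed results without network access.

```python
"""Probe which TLS versions a management interface negotiates and map the
result onto the three management TLS modes (TLSv1.3 only, TLSv1.3 plus
earlier versions, TLSv1.3 disabled).  Added example, not PAN-OS code."""
import socket
import ssl
from typing import Dict, List, Optional

# Constructed placeholder; replace with the firewall's management address.
MGMT_HOST = "firewall.example.invalid"
MGMT_PORT = 443

PROBE_VERSIONS = {
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1": ssl.TLSVersion.TLSv1,
}


def probe_version(host: str, port: int, version: ssl.TLSVersion,
                  timeout: float = 5.0) -> Optional[str]:
    """Offer exactly one protocol version.  Return the negotiated cipher
    suite name, or None if the server (or the local OpenSSL security
    policy, which may refuse TLSv1.0/1.1 outright) declines the handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Only the negotiated version matters here, so a self-signed management
    # certificate must not abort the probe.  Never reuse this context for
    # real traffic: it performs no certificate validation.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError, ValueError):
        return None


def probe_all(host: str, port: int) -> Dict[str, Optional[str]]:
    """Probe every version in PROBE_VERSIONS and collect the results."""
    return {name: probe_version(host, port, ver)
            for name, ver in PROBE_VERSIONS.items()}


def classify_mode(results: Dict[str, Optional[str]]) -> str:
    """Map probe results onto the three management TLS modes.  The labels
    are descriptive names chosen for this example, not UI strings."""
    tls13 = results.get("TLSv1.3") is not None
    legacy = [v for v in ("TLSv1.2", "TLSv1.1", "TLSv1")
              if results.get(v) is not None]
    if tls13 and not legacy:
        return "tls13-only"
    if tls13:
        return "tls13-and-earlier"
    if legacy:
        return "tls13-disabled"
    return "no-tls-negotiated"


def findings(results: Dict[str, Optional[str]]) -> List[str]:
    """Turn probe results into the points an auditor would raise."""
    notes = []
    for v in ("TLSv1", "TLSv1.1"):
        if results.get(v) is not None:
            notes.append(f"{v} accepted: deprecated by RFC 8996")
    if results.get("TLSv1.3") is None:
        notes.append("TLSv1.3 not negotiated: enable it in the management TLS mode")
    return notes


if __name__ == "__main__":
    observed = probe_all(MGMT_HOST, MGMT_PORT)
    for name, suite in observed.items():
        print(f"{name:8s} {suite or 'not negotiated'}")
    print("mode:", classify_mode(observed))
    for note in findings(observed):
        print("finding:", note)
```

A result of tls13-only with no findings is what the PCI-oriented mode should produce; tls13-and-earlier with a TLSv1.0 or TLSv1.1 finding indicates the firewall still accepts versions an audit will flag, and tls13-disabled is the PAN-OS 11.0 default. Because the probe disables certificate validation, run it only from a host you control against an address you own.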