TLSv1.3 Support for Management Access

Configure TLSv1.3 to secure management connections.
PAN-OS 11.0 introduces two management configuration options that let you define TLSv1.3 as your preferred TLS protocol and select a TLSv1.3 certificate. TLSv1.3 delivers several performance and security improvements, including a shorter handshake (one round trip instead of two), a simplified cipher suite list, and removal of the legacy key exchange and cipher options that weakened earlier versions. Palo Alto Networks supports the following TLSv1.3 cipher suites:
  • TLS-AES-128-CCM-SHA256
  • TLS-AES-128-GCM-SHA256
  • TLS-AES-256-GCM-SHA384
  • TLS-CHACHA20-POLY1305-SHA256
The Management TLS Mode setting and Certificate setting function similarly to SSL/TLS service profiles but apply only to web interface management connections. You can choose among three TLS modes: tlsv1.3_only, mixed-mode, and exclude_tlsv1.3.
  • tlsv1.3_only
    allows web interface management connections secured only by TLSv1.3. If a client cannot negotiate a TLSv1.3 cipher suite, the connection fails. Because every earlier protocol version is rejected, this mode is the simplest to defend in compliance reviews such as PCI DSS audits.
  • mixed-mode
    allows web interface management connections secured by any TLS protocol version (TLSv1.0 through TLSv1.3). For example, if a client's browser supports only TLSv1.2, the firewall negotiates TLSv1.2 and one of its cipher suites. TLSv1.0 and TLSv1.1 are deprecated (RFC 8996), so choose this mode only while legacy clients still require them.
  • exclude_tlsv1.3 (Default)
    disables TLSv1.3 support, allowing web interface management connections secured by TLSv1.0, TLSv1.1, or TLSv1.2. This mode is the default configuration for PAN-OS 11.0 and preserves the behavior of previous releases.
The Certificate setting is available only in the modes that support TLSv1.3. To restrict TLS protocol versions and cipher suites, or to specify a certificate manually, while in exclude_tlsv1.3 mode, use an SSL/TLS service profile.
Configuring an SSL/TLS service profile is the only way to customize individual TLS protocols and algorithms for other firewall and Panorama services such as Authentication Portal and GlobalProtect.
  1. Log in to the firewall web interface.
  2. Select Device > Management > General Settings and click Edit.
  3. For Management TLS Mode, select either tlsv1.3_only or mixed-mode.
  4. For Certificate, select your management server certificate, and then click OK.
  5. Commit your changes.
  6. Confirm that TLSv1.3 is in use by inspecting the connection to the management interface.
     For example, in Google Chrome, click the lock icon to the left of the address bar, click Connection is secure, and then click Certificate is valid to view certificate fields such as the signature algorithm. The negotiated protocol version is not a certificate field: Chrome shows it in the developer tools Security panel, and a command-line check with openssl s_client -tls1_3 gives the same answer and also lets you confirm that the versions your mode excludes are actually rejected.
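The following script is an added example, not part of the PAN-OS documentation or of any Palo Alto Networks tool. It encodes what the three Management TLS Modes described above should accept and reject, probes a management interface with openssl s_client for each TLS version and each of the four listed TLSv1.3 cipher suites, and reports any disagreement with the configured mode. MGMT_HOST and MGMT_PORT are assumptions for a lab device; the abridged s_client outputs embedded in the script are constructed samples used to exercise the parser offline.

```bash
#!/usr/bin/env bash
# Added example (not from the PAN-OS documentation): audit which TLS versions
# and TLSv1.3 cipher suites a management interface accepts, using openssl
# s_client, and compare the result with the configured Management TLS Mode.
set -u

# What each documented mode should do for a given version.
# Prints "accept" or "reject". Version labels match openssl s_client flags.
expected_result() {            # $1: mode, $2: tls1 | tls1_1 | tls1_2 | tls1_3
    case "$1:$2" in
        tlsv1.3_only:tls1_3)     echo accept ;;
        tlsv1.3_only:*)          echo reject ;;
        mixed-mode:*)            echo accept ;;
        exclude_tlsv1.3:tls1_3)  echo reject ;;
        exclude_tlsv1.3:*)       echo accept ;;
        *) echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# Parse the "New, <proto>, Cipher is <suite>" summary line of s_client output.
# Prints "<proto> <suite>", or "NONE NONE" when no session was negotiated.
parse_s_client() {             # $1: captured s_client output
    printf '%s\n' "$1" | awk '
        /^New, / { sub(/^New, /, ""); split($0, f, ", Cipher is ");
                   p = f[1]; c = f[2];
                   if (p == "(NONE)") p = "NONE"; if (c == "(NONE)") c = "NONE";
                   print p, c; found = 1; exit }
        END { if (!found) print "NONE NONE" }'
}

# PAN-OS writes the suites with hyphens (TLS-AES-128-GCM-SHA256); the OpenSSL
# -ciphersuites option expects underscores.
pan_to_openssl_suite() { printf '%s\n' "$1" | tr '-' '_'; }

# Constructed samples of s_client output (abridged), for offline checks.
SAMPLE_ACCEPT='CONNECTED(00000003)
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit'
SAMPLE_REJECT='CONNECTED(00000003)
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)'

# Try one protocol version against the management interface.
probe_version() {              # $1: host, $2: port, $3: tls1 | tls1_1 | tls1_2 | tls1_3
    local out
    out=$(openssl s_client -connect "$1:$2" -servername "$1" "-$3" </dev/null 2>/dev/null || true)
    parse_s_client "$out"
}

# Try one TLSv1.3 suite (in PAN-OS notation) against the management interface.
probe_tls13_suite() {          # $1: host, $2: port, $3: suite name as listed by PAN-OS
    local out
    out=$(openssl s_client -connect "$1:$2" -servername "$1" -tls1_3 \
          -ciphersuites "$(pan_to_openssl_suite "$3")" </dev/null 2>/dev/null || true)
    parse_s_client "$out"
}

# Compare observed behaviour with the documented mode. Prints one line per
# version and returns non-zero if any observation contradicts the mode.
audit_mode() {                 # $1: host, $2: port, $3: configured mode
    local rc=0 v got want
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        got=$(probe_version "$1" "$2" "$v" | cut -d' ' -f1)
        want=$(expected_result "$3" "$v")
        if { [ "$got" = NONE ] && [ "$want" = reject ]; } || \
           { [ "$got" != NONE ] && [ "$want" = accept ]; }; then
            echo "ok    $v -> $got (expected $want)"
        else
            echo "FAIL  $v -> $got (expected $want)"; rc=1
        fi
    done
    return $rc
}

# Usage: ./tls_audit.sh run [mode]   (network probes run only when asked)
if [ "${1:-}" = run ]; then
    MGMT_HOST=${MGMT_HOST:-192.0.2.10}   # assumption: lab management IP (TEST-NET-1)
    MGMT_PORT=${MGMT_PORT:-443}
    audit_mode "$MGMT_HOST" "$MGMT_PORT" "${2:-tlsv1.3_only}"
    for s in TLS-AES-128-CCM-SHA256 TLS-AES-128-GCM-SHA256 \
             TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256; do
        echo "suite $s -> $(probe_tls13_suite "$MGMT_HOST" "$MGMT_PORT" "$s")"
    done
fi
```

Run it as `MGMT_HOST=<management IP> ./tls_audit.sh run mixed-mode` after the commit; a FAIL line for tls1_3 in tlsv1.3_only or mixed-mode means the new setting is not in effect, and a NONE for tls1_2 in exclude_tlsv1.3 usually points at an SSL/TLS service profile restricting the older versions. One caveat on the client side: OpenSSL 3.x refuses TLSv1.0 and TLSv1.1 at its default security level, so a NONE for tls1 or tls1_1 from such a client says nothing about the firewall; add `-cipher 'DEFAULT:@SECLEVEL=0'` to the probe_version command, or use an OpenSSL 1.1.1 client, when you need to verify those versions in mixed-mode.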
