Identify Weak Protocols and Cipher Suites
Updated on
Jul 17, 2024
Focus
Download PDF
Updated on
Jul 17, 2024
Focus
- Home
- PAN-OS
- Decryption
- Troubleshoot and Monitor Decryption
- Decryption Troubleshooting Workflow Examples
- Identify Weak Protocols and Cipher Suites
Download PDF
Table of Contents
Find sites that use weak encryption, authentication,and key exchange algorithms and weak TLS protocols to make informeddecisions about allowed traffic.
Weak TLS protocols and weak cipher suites(encryption algorithms, authentication algorithms, key exchangealgorithms, and negotiated EC curves) weaken your security postureand are easier for bad actors to exploit than strong TLS protocolsand strong cipher suites.
Five fields in the Decryption logentries show the protocol and cipher suites for a decryption session:
Track downold, vulnerable TLS versions and cipher suites so that you can make informeddecisions about whether to allow connections with servers and applications thatmay compromise your security posture.
The examples in thistopic show how to:
Identify traffic that uses lesssecure TLS protocol versions.
Identify traffic that uses a particular key exchange algorithm.
Identify traffic that uses a particular authentication algorithm.
Identify traffic that uses a particular encryption algorithm.
Theseexamples show you how to use the decryption troubleshooting toolsin various ways so that you can learn to use them to troubleshootany decryption issues you may encounter.
You can useWireshark or other packet analyzers to double-check whether theclient or the server caused an issue, TLS client and server versions,and other cipher suite information. This can help analyze versionmismatches and other issues.
TLS Protocols
—Identify trafficthat uses older, less secure versions of the TLS protocol so thatyou can evaluate whether to allow access to servers and applicationsthat use weak protocols.Start by checking the Application CommandCenter (ACC) to see if the firewall allows weak protocols (
)and to get an overall view of activity.ACC
SSL Activity
Successful TLS Version Activity
The majorityof successful TLS activity in this example is TLSv1.2 and TLSv1.3activity. However, there are a few instances of allowed TLSv1.0traffic. Let’s click the number
49
to drilldown into the TLSv1.0 activity and see which applications are makingsuccessful TLSv1.0 connections:We seethat the firewall is allowing traffic identified as web-browsingtraffic. To gain insight into what that TLSv1.0 web-browsing trafficis and why it’s allowed, we go next to the Decryption logs.
Filter the Decryption log to check TLSv1.0 activity details.
Use the query
(tls_version eq TLS1.0) and (err_index eq ‘None’)
toshow successful TLSv1.0 Decryption sessions.Decryptionlogs show successful TLS activity only if you enable logging successfulTLS handshakes in Decryption policy when you Configure Decryption Logging. If loggingsuccessful TLS handshakes is disabled, you can’t check this information.
The Decryption log shows us that the name of the Decryptionpolicy that controls the traffic is
Inner Eye
andthat the name of the host ishq-screening.mt.com
.Now we know the site that uses TLSv1.0 and we can check the Decryptionpolicy (
)to find the Decryption profile that controls the traffic and learnwhy the traffic is allowed:Policies
Decryption
We seethat the Decryption profile associated with the policy is
oldTLS versions support
. We check the profile (
) and lookat the SSL Protocol Settings to find out exactly what traffic theprofile allows:Objects
Decryption
Decryption Profile
The profileallows TLSv1.0 traffic. The next thing to do is to decide if you wantto allow access to the site (do you need access for business purposes?)or if you want to block it.
Another common scenario that resultsin the firewall allowing traffic that uses less secure protocolsis when that traffic is not decrypted. When you filter the Decryptionlog for TLSv1.0 traffic, if the
Proxy Type
columncontains the valueNo Decrypt
, then a NoDecryption policy controls the traffic, so the firewall does notdecrypt or inspect it. If you don’t want to allow the weak protocol,modify the Decryption profile so that it blocks TLSv1.0 traffic.Thereare many ways you can filter the Decryption log to find applications andsites that use weak protocols, for example:
Insteadof filtering only for successful TLSv1.0 handshakes, filter forboth successful and unsuccessful TLSv1.0 handshakes using the query
(tls_version eq TLS1.0).
Filter only for unsuccessful TLSv1.0 handshakes using thequery
(tls_version eq TLS1.0) and (err_index neq ‘None’)
.Filter for all less secure protocols (TLSv1.1 and earlier)using the query
(tls_version leq tls1.1)
.
Ifyou want to filter the logs for other TLS versions, simply replace
TLS1.0
orTLS1.1
withanother TLS version.Decide what action to take for sites that use weakTLS protocols.
If you don’t need to access the site for business purposes,the safest action is to block access to the site by editing the Decryptionpolicy and Decryption profile that control the traffic. The Decryptionlog
Policy Name
column provides the policy nameand the Decryption policy shows the attached Decryption profile (Options
tab).If you need to access the site for business purposes, consider creatinga Decryption policy and Decryption profile that apply only to thatsite (or to that site and other similar sites) and block all othertraffic that uses less secure protocols.
Key Exchange
—Identify traffic that uses less secure keyexchange algorithms.Start by checking the Application CommandCenter (ACC) to see which key exchange algorithms the firewall allows (
)and to get an overall view of activity.ACC
SSL Activity
Successful Key Exchange Activity
The majorityof the key exchanges use the secure ECDHE key exchange algorithm.However, some key exchange sessions use the less secure RSA algorithmand a few use another key algorithm. To begin investigating trafficthat uses RSA key exchanges, for example, click the number
325
to drilldown into the data.The drill-downshows the applications that use RSA key exchanges. We can also clickthe
SNI
radio button to view the RSA key exchangesby SNI:Armed withthis information, we can go to the logs to gain more context aboutRSA key exchange usage.
Go to the Decryption log (
)and filter them for decryption sessions that use the RSA key exchangeusing the queryMonitor
Logs
Decryption)
(tls_keyxchg eq RSA)
:From the
PolicyName
column in the log, we see that theNoDecrypt
Decryption policy controls most of the trafficthat uses RSA key exchanges and can infer that the firewall doesnot decrypt the traffic and allows it without inspection. Becausethe traffic isn’t decrypted, the firewall can’t identify the applicationand lists it asssl
. If you don’t want toallow traffic that uses RSA key exchanges, modify the Decryptionprofile attached to the Decryption policy that controls the traffic.Youcan add to the query to further filter the results for a particularSNI or application that you saw in the ACC or in the first Decryptionlog query.
Decide what action to take for traffic that uses lesssecure key exchange algorithms.
Block access to sites that use less secure key exchangeprotocols unless you need to access them for business purposes.For those sites, consider creating a Decryption policy and Decryptionprofile that apply only to that site (or to that site and othersimilar sites) and block all other traffic that uses less secure keyexchange algorithms.
Use the Decryption logs to identify sessions that usesolder, less secure authentication algorithms.
Filter the Decryption log to identify older, less secureauthentication algorithms.
For example, to identify all sessions that use the SHA1algorithm, use the query
(tls_auth eq SHA)
:You can add to the queryto further drill down into the results. For example, you can adda particular SNI, a key exchange version (such as filtering forSHA1 sessions that also use RSA key exchanges), a TLS version, orany other metric found in a Decryption log column.
Use the Decryption logs to identify sessions that usea particular encryption algorithm.
For example, to identify all sessions that use the AES-128-CBCencryption algorithm, use the query
(tls_enc eq AES_128_CBC)
:You canadd to the query to further drill down into the results.
Examplesof queries to find other older encryption algorithms include:
(tls_enc eq DES_CBC)
,(tls_enc eq 3DES_EDE_CBC)
,and(tls_enc eq DES40_CBC)
.Use this methodology and the log filter builder to createqueries to investigate negotiated ECC curves and any other informationyou find in the Decryption log.
"); adBlockNotification.append($( "Thanks for visiting https://docs.paloaltonetworks.com. To improve your experience when accessing content across our site, please add the domain to the allow list on your ad blocker application." )); let adBlockNotificationClose = $("x"); adBlockNotification.prepend(adBlockNotificationClose) $('body').append(adBlockNotification); setTimeout(function (e) { adBlockNotification.addClass('open'); }, 10); adBlockNotificationClose.on('click', function (e) { adBlockNotification.removeClass('open'); }) } }, 5000)
Recommended For You
{{ if(( raw.pantechdoctype != "techdocsAuthoredContentPage" && raw.objecttype != "Knowledge" && raw.pancommonsourcename != "TD pan.dev Docs")) { }} {{ if (raw.panbooktype) { }} {{ if (raw.panbooktype.indexOf('PANW Yellow Theme') != -1){ }}
{{ } else if (raw.panbooktype.indexOf('PANW Green Theme') != -1){ }}
{{ } else if (raw.panbooktype.indexOf('PANW Blue Theme') != -1){ }}
{{ } else { }}
{{ } }} {{ } else { }}
{{ } }} {{ } else { }} {{ if (raw.pantechdoctype == "pdf"){ }}
{{ } else if (raw.objecttype == "Knowledge") { }}
{{ } else if (raw.pancommonsourcename == "TD pan.dev Docs") { }}
{{ } else if (raw.pancommonsourcename == "LIVEcommunity Public") { }}
{{ } else { }}
{{ } }} {{ } }}
{{ if (raw.pancommonsourcename == "LIVEcommunity Public") { }}
{{ if (raw.pantechdoctype == "pdf"){ }}
{{ } }}
{{ } else { }}
{{ if (raw.pantechdoctype == "pdf"){ }}
{{ } }}
{{ } }}
{{ if (raw.pancommonsourcename != "TD pan.dev Docs"){ }} {{ if (raw.pandevdocsosversion){ }} {{ } else { }} {{ if ((_.size(raw.panosversion)>0) && !(_.isNull(raw.panconversationid )) && (!(_.isEmpty(raw.panconversationid ))) && !(_.isNull(raw.otherversions ))) { }} (See other versions) {{ } }} {{ } }} {{ } }}
{{ } }}{{ if (raw.pantechdoctype == "bookDetailPage"){ }}
{{ } }}{{ if (raw.pantechdoctype == "bookLandingPage"){ }}
{{ } }}{{ if (raw.pantechdoctype == "productLanding"){ }}
{{ } }}{{ if (raw.pantechdoctype == "techdocsAuthoredContentPage"){ }}
{{ } }}{{ if (raw.pantechdoctype == "pdf"){ }}
{{ } }}