Palo Alto Force TLSv1.2 and TLSv1.3

A Palo Alto Networks firewall doesn’t restrict the TLS version directly; instead it identifies and controls applications regardless of port, protocol, encryption (SSL/TLS), or evasive tactic employed.

To restrict your traffic to TLSv1.2 or TLSv1.3 only, use Decryption Policies to manage the SSL/TLS traffic. If a session doesn’t use an allowed TLS version, the firewall can drop it. Here’s how to do it:

  1. Create a Decryption Profile:
  • Navigate to Objects > Decryption Profile and click on “Add”.
  • Give it a name and scroll down to the section titled “SSL Protocol Settings”.
  • Here, you will find options for “Min Version” and “Max Version”. Set “Min Version” to “TLSv1.2” and “Max Version” to “TLSv1.3”.
  • Also set the acceptable Algorithms, which typically means the secure cipher suites compatible with TLSv1.2 and TLSv1.3.
  • Check the box “Block sessions with unsupported versions”. This blocks any session that doesn’t use TLSv1.2 or TLSv1.3. It is located under “Unsupported Mode Checks” under “SSL Decryption”.
  2. Create Decryption Policies:
  • Navigate to Policies > Decryption and click on “Add”.
  • Set the Source Zone to “INSIDE” and the Destination Zone to “EXTERNAL”. In “Service/URL Category”, set it to “any” or specify the services to which this policy should apply.
  • For the traffic from EXTERNAL to DMZ, create another policy with Source as “EXTERNAL” and Destination as “DMZ”.
  • Under the “Options” setting, select type as “SSL Forward Proxy”, and apply the Decryption Profile you created in the previous step.
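The Min/Max Version check above acts on the version the session actually negotiates, and there is a detail worth understanding before you verify it: a TLSv1.3 ClientHello still carries 0x0303 (TLSv1.2) in its legacy version field and announces TLSv1.3 only inside the supported_versions extension. The following added example (written for this article, not code from Palo Alto Networks or from PAN-OS) builds two constructed ClientHello records, parses the legacy version and the supported_versions extension, and emulates a Min/Max range check so you can see why looking at the outer version field alone would misjudge a TLSv1.3 session. The record builder, the extension parser and the `policy_decision` function are illustrative assumptions and do not reproduce the firewall’s internal logic.

```python
import struct

# TLS version codes as they appear on the wire (RFC 8446 / RFC 5246)
TLS_VERSIONS = {
    0x0300: "SSLv3",
    0x0301: "TLSv1.0",
    0x0302: "TLSv1.1",
    0x0303: "TLSv1.2",
    0x0304: "TLSv1.3",
}
SUPPORTED_VERSIONS_EXT = 43  # extension type 0x002b, defined by RFC 8446


def version_name(code: int) -> str:
    return TLS_VERSIONS.get(code, hex(code))


def build_client_hello(legacy_version: int, supported_versions=None,
                       cipher_suite: int = 0x1301) -> bytes:
    """Construct a minimal ClientHello record (sample data for this example, not a real capture).

    supported_versions, if given, is emitted as the TLS 1.3 supported_versions extension.
    """
    random = b"\x11" * 32                      # client_random, fixed for reproducibility
    session_id = b"\x00"                       # empty legacy_session_id
    cipher_suites = struct.pack("!HH", 2, cipher_suite)  # one offered suite
    compression = b"\x01\x00"                  # null compression only
    exts = b""
    if supported_versions:
        versions = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext_body = bytes([len(versions)]) + versions
        exts = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(ext_body)) + ext_body
    hello = struct.pack("!H", legacy_version) + random + session_id + cipher_suites + compression
    hello += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello   # type 1 = client_hello
    # Record layer: content type 0x16 (handshake), record version 0x0301 for compatibility
    return b"\x16" + struct.pack("!H", 0x0301) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data: bytes) -> dict:
    """Return the legacy version and the full list of versions the client can negotiate."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    legacy_version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                          # skip client_random
    sid_len = hello[pos]; pos += 1 + sid_len              # legacy_session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = hello[pos]; pos += 1 + cm_len                # compression methods
    offered = [legacy_version]                            # pre-1.3 clients offer only this
    if pos + 2 <= len(hello):
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            edata = hello[pos:pos + elen]; pos += elen
            if etype == SUPPORTED_VERSIONS_EXT:
                n = edata[0]                              # byte length of the version list
                offered = [struct.unpack("!H", edata[1 + i:3 + i])[0] for i in range(0, n, 2)]
    return {"legacy_version": legacy_version, "offered_versions": offered}


def policy_decision(offered, min_version: int = 0x0303, max_version: int = 0x0304) -> str:
    """Emulate a Min/Max Version range check: block if no offered version fits the range.

    This is an illustrative assumption, not the firewall's own implementation.
    """
    return "allow" if any(min_version <= v <= max_version for v in offered) else "block"


if __name__ == "__main__":
    samples = {
        "TLSv1.3 client": build_client_hello(0x0303, [0x0304, 0x0303]),
        "TLSv1.0 client": build_client_hello(0x0301, cipher_suite=0x002F),
    }
    for label, record in samples.items():
        info = parse_client_hello(record)
        print(label,
              "legacy field:", version_name(info["legacy_version"]),
              "offers:", [version_name(v) for v in info["offered_versions"]],
              "->", policy_decision(info["offered_versions"]))
```

The last case worth trying is a client whose legacy field says TLSv1.2 but whose supported_versions lists only TLSv1.3: against a profile capped at TLSv1.2 the legacy field alone would say “allowed”, while the extension shows the session can never negotiate an in-range version and should be blocked.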

After this, remember to commit your changes for them to take effect.

As always, be aware of the potential performance impact of SSL/TLS decryption, and consider that this configuration will block access to sites still using older SSL/TLS versions. Legal and privacy implications of decrypting SSL/TLS traffic should also be weighed.

IMPORTANT:
When configuring SSL/TLS decryption policies, SSL Offloading or SSL Forward Proxy does need to be set up on the Palo Alto firewall. This allows the firewall to present a certificate to the client, decrypt the SSL/TLS traffic, inspect it, re-encrypt it, and then send it on to its original destination.

SSL Forward Proxy (offloading) is a mechanism whereby the firewall acts as the ‘man-in-the-middle’ and is able to decrypt and inspect the SSL/TLS traffic passing from the client to the server.