TLSv1.3 Support for Management Access

In PAN-OS 11.0, you can secure connections to the management interface with TLSv1.3.
PAN-OS 11.0 introduces two settings that let you secure web connections to your management interface with TLSv1.3. The Management TLS Mode setting lets you make TLSv1.3 the preferred TLS protocol, and the Certificate setting selects the server certificate presented on those TLSv1.3 connections. The settings function similarly to an SSL/TLS service profile but apply only to web interface management connections.
Configuring an SSL/TLS service profile is the only way to customize individual TLS protocols and algorithms for other firewall and Panorama services, such as Authentication Portal and GlobalProtect.
TLSv1.3 delivers several performance and security improvements, including shorter SSL/TLS handshakes and more secure cipher suites. Palo Alto Networks supports the following TLSv1.3 cipher suites for management access:
  • TLS-AES-128-CCM-SHA256
  • TLS-AES-128-GCM-SHA256
  • TLS-AES-256-GCM-SHA384
  • TLS-CHACHA20-POLY1305-SHA256
For the Management TLS Mode setting, you can choose among three options: tlsv1.3_only, mixed-mode, and exclude_tlsv1.3.
  • tlsv1.3_only allows web management interface connections secured only by TLSv1.3. If a client cannot negotiate TLSv1.3 ciphers, the connection fails.
    This mode is ideal for passing PCI audits.
  • mixed-mode allows web management interface connections secured by any TLS protocol version (TLSv1.0-TLSv1.3). For example, if a client’s browser only supports TLSv1.2, the firewall negotiates the connection with TLSv1.2 and its associated cipher suites.
  • (Default) exclude_tlsv1.3 disables TLSv1.3 support, allowing web management interface connections secured by either TLSv1.0, TLSv1.1, or TLSv1.2. This mode is the default configuration for PAN-OS 11.0 and maintains the functionality of previous releases.
    The Certificate setting is only available for modes that support TLSv1.3. In exclude_tlsv1.3 mode, configure an SSL/TLS service profile to specify a certificate and restrict TLS protocol versions and cipher suites.
  1. Log in to your management interface.
  2. Edit the General Settings (Device > Setup > Management).
    You can also configure these settings on the Panorama™ web interface (Panorama > Setup > Management).
  3. For Management TLS Mode, select either tlsv1.3_only or mixed-mode, and then click OK.
  4. For Certificate, select your management server certificate, and then click OK.
  5. Commit your changes.
  6. Inspect the security details for your server to confirm that TLSv1.3 is in use.
    For example, on Google Chrome, you can click the lock symbol to the left of the address bar. Then, click Connection is secure. Next, click Certificate is valid. The Details section displays certificate fields, such as the TLS version and signature algorithm.
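A browser check confirms only the version your own client negotiated. The following script is an added example (not Palo Alto Networks code) that complements step 6 and the mode descriptions above: it pins a handshake to each TLS version in turn, records which ones the management interface accepts, and compares the result against what the committed Management TLS Mode should allow (for example, tlsv1.3_only must refuse TLSv1.0 through TLSv1.2). The host and port are placeholders you supply; the script uses only the Python standard library, and the cipher names it compares against are the page's four suites in the underscore form that OpenSSL reports.

```python
"""Probe which TLS protocol versions a PAN-OS management interface accepts
and check the result against the configured Management TLS Mode.

Added example, not Palo Alto Networks code. HOST and PORT are placeholders
for the management interface; MODE is the Management TLS Mode you committed.
"""
import socket
import ssl
import sys

# TLSv1.3 suites the page lists for management access, in the underscore
# form returned by ssl.SSLSocket.cipher() (the page writes them with hyphens).
TLS13_CIPHERS = {
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}

# Protocol versions to probe, oldest first.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

# Versions each Management TLS Mode accepts, as described on this page.
EXPECTED = {
    "tlsv1.3_only": {"TLSv1.3"},
    "mixed-mode": {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"},
    "exclude_tlsv1.3": {"TLSv1", "TLSv1.1", "TLSv1.2"},
}


def probe_version(host, port, name, timeout=5.0):
    """Attempt one handshake pinned to a single protocol version.

    Returns the negotiated cipher name if the server accepted that version,
    or None if it refused (or the handshake failed for any other reason).
    """
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = VERSIONS[name]
        ctx.maximum_version = VERSIONS[name]
        # We are probing protocol support, not trust; certificate validity
        # is checked separately in steps 4 and 6 of the procedure.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        if name != "TLSv1.3":
            # Modern OpenSSL refuses TLSv1.0/1.1 at its default security
            # level; lower it so the probe, not the client, decides.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError, ValueError):
        return None


def probe_all(host, port):
    """Map each version name to its negotiated cipher, or None if refused."""
    return {name: probe_version(host, port, name) for name in VERSIONS}


def evaluate(mode, observed):
    """Compare probe results with the committed Management TLS Mode.

    observed maps version name -> negotiated cipher (None means refused).
    Returns a list of findings; an empty list means the firewall behaves
    as the selected mode says it should.
    """
    if mode not in EXPECTED:
        raise ValueError(f"unknown Management TLS Mode: {mode}")
    findings = []
    for name in VERSIONS:
        accepted = observed.get(name) is not None
        should_accept = name in EXPECTED[mode]
        if accepted and not should_accept:
            findings.append(f"{name} accepted but {mode} should refuse it")
        if should_accept and not accepted and name == "TLSv1.3":
            findings.append(f"TLSv1.3 refused although {mode} should accept it")
    cipher = observed.get("TLSv1.3")
    if cipher is not None and cipher not in TLS13_CIPHERS:
        findings.append(f"unexpected TLSv1.3 cipher suite: {cipher}")
    return findings


if __name__ == "__main__":
    # Usage: python probe_mgmt_tls.py HOST PORT MODE   (all placeholders)
    host, port, mode = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    results = probe_all(host, port)
    for name, cipher in results.items():
        print(f"{name:8} {'accepted, ' + cipher if cipher else 'refused'}")
    for finding in evaluate(mode, results) or ["consistent with " + mode]:
        print(finding)
```

Run it once before and once after the commit in step 5: in exclude_tlsv1.3 mode the TLSv1.3 row should read "refused"; after switching to tlsv1.3_only, only the TLSv1.3 row should be accepted and `evaluate` should report no findings. A legacy version that is refused in mixed-mode is not reported, since a stricter server is not a security gap.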