In PAN-OS 11.0, you can secure connections to the management
interface with TLSv1.3.
PAN-OS 11.0 introduces two settings that let you secure web connections to your management interface with TLSv1.3. The Management TLS Mode setting controls whether TLSv1.3 is required, permitted alongside older versions, or excluded, and the Certificate setting selects the server certificate that the web interface presents to TLSv1.3 clients. The settings function similarly to an SSL/TLS service profile but apply only to web interface management connections.
Configuring an SSL/TLS service profile is the only way to customize individual TLS protocol versions and algorithms for other firewall and Panorama services, such as Authentication Portal and GlobalProtect.
TLSv1.3 delivers several performance and security improvements, including a shorter handshake (one round trip instead of two) and a smaller set of cipher suites that all provide forward secrecy and drop the legacy RSA key exchange and CBC modes. Palo Alto Networks supports the following TLSv1.3 cipher suites for management access:
For the Management TLS Mode setting, you can choose among three options: tlsv1.3_only, mixed-mode, and exclude_tlsv1.3.
tlsv1.3_only allows web management interface connections secured only by TLSv1.3. If a client cannot negotiate TLSv1.3, the connection fails. This is the strictest mode and helps satisfy compliance requirements, such as PCI DSS, that prohibit SSL and early TLS versions. Before enabling it, confirm that every browser and HTTPS client that reaches the management interface supports TLSv1.3, because any that does not is locked out.
mixed-mode allows web management interface connections secured by any TLS protocol version (TLSv1.0-TLSv1.3). For example, if a client's browser only supports TLSv1.2, the firewall negotiates the connection with TLSv1.2 and its associated cipher suites. Note that this mode also continues to accept TLSv1.0 and TLSv1.1, both of which are deprecated (RFC 8996), so a downgrade-capable client can still connect with a legacy version.
(Default) exclude_tlsv1.3 disables TLSv1.3 support, allowing web management interface connections secured by TLSv1.0, TLSv1.1, or TLSv1.2. This mode is the default configuration for PAN-OS 11.0 and maintains the functionality of previous releases, which means that an upgraded firewall does not gain TLSv1.3 on the management interface until you change this setting.
The Certificate setting is only available for the modes that support TLSv1.3 (tlsv1.3_only and mixed-mode). In exclude_tlsv1.3 mode, configure an SSL/TLS service profile to specify a certificate and to restrict the TLS protocol versions and cipher suites the management interface accepts.
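Whichever mode you select, verify it from the outside rather than trusting the committed configuration. The following added example is not part of the PAN-OS documentation or of any Palo Alto Networks tooling; it is a stand-alone Python probe that pins a client handshake to each TLS version in turn against a host and port you supply (the management IP and port 443 are assumed), and then maps the observed results onto the three Management TLS Mode options described above. Certificate validation is deliberately disabled because the probe measures protocol-version behaviour, not trust, and the local OpenSSL may itself refuse to offer TLSv1.0 or TLSv1.1; the probe treats that as "not negotiated".

```python
import socket
import ssl

# The protocol versions that the Management TLS Mode options govern.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_version(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to exactly one TLS version.

    Returns True if the server completed the handshake at that version and
    False if the server refused it, the port was unreachable, or the local
    OpenSSL build will not offer that version at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Trust is intentionally not checked here: management interfaces often
    # present self-signed certificates and this probe only reports versions.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return False  # local OpenSSL refuses to offer this version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True  # min == max, so the negotiated version is pinned
    except (ssl.SSLError, OSError):
        return False


def probe_all(host, port=443, timeout=5.0):
    """Probe every version in VERSIONS and return {version_name: negotiated}."""
    return {
        name: probe_version(host, port, ver, timeout)
        for name, ver in VERSIONS.items()
    }


def classify(results):
    """Map per-version results onto the PAN-OS 11.0 Management TLS Mode
    they are consistent with.

    tlsv1.3_only    : only TLSv1.3 negotiates
    mixed-mode      : TLSv1.3 and at least one older version negotiate
    exclude_tlsv1.3 : TLSv1.3 refused, at least one older version negotiates
    unexpected      : nothing negotiated (host down, wrong port, or a
                      service profile that the probe cannot reach)
    """
    legacy = any(results[v] for v in ("TLSv1.0", "TLSv1.1", "TLSv1.2"))
    v13 = results["TLSv1.3"]
    if v13 and not legacy:
        return "tlsv1.3_only"
    if v13 and legacy:
        return "mixed-mode"
    if legacy:
        return "exclude_tlsv1.3"
    return "unexpected"


if __name__ == "__main__":
    # Assumed management address; replace with your firewall or Panorama.
    MGMT_HOST = "192.0.2.10"
    results = probe_all(MGMT_HOST)
    for name, ok in results.items():
        print(f"{name:8s} {'negotiated' if ok else 'refused'}")
    print("consistent with Management TLS Mode:", classify(results))
```

Run it once before and once after committing a mode change. A result of tlsv1.3_only confirms that no legacy client can reach the web interface; a result of mixed-mode or exclude_tlsv1.3 with TLSv1.0 or TLSv1.1 reported as negotiated is the signal to tighten the configuration, either by moving to tlsv1.3_only or by restricting versions through an SSL/TLS service profile.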