

TLS 1.2 - block specific cipher suite on WAN

Hello,

we use an XG430 - is there any way to block the cipher suite

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

on wan for a webserver keeping only TLS 1.2 with

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

for external connections?

We need TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA for internal connections but have problems with external users who are blocked on webservers using this cipher suite because it's classified as weak.

I tried with the SSL/TLS inspection rules but don't find any config to block this cipher suite for external connections.

Thank you and best regards Thomas



  • As LuCar Toni wrote, TLS settings for WAF can be configured.

    Since v20.0 there is a "Custom TLS" choice under "Web server" > "General settings" > "TLS version settings".

    Using that you can specify custom protocol and ciphersuite strings.

    BTW, on the same page you can choose "TLS v1.2 (strict)" which does not allow ECDHE-RSA-AES256-SHA.
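A way to derive an OpenSSL-style ciphersuite string (the notation the reply uses, e.g. ECDHE-RSA-AES256-SHA) from the IANA names in the question, and to check offline with Python's ssl module that the resulting string drops the CBC suite before pasting it into the Custom TLS setting. This is an added example, not code from the thread or from Sophos; the IANA-to-OpenSSL conversion is an assumption that covers only the ECDHE-RSA/AES suites named here, and the exact string format the firewall accepts is not stated on the page.

```python
import ssl

# Suites from the question (IANA names). Constructed policy: keep the two
# GCM suites for external (WAN) connections and drop the CBC suite.
ALLOWED_IANA = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
BLOCKED_IANA = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"


def iana_to_openssl(name: str) -> str:
    """IANA suite name -> OpenSSL name (assumption: ECDHE-RSA/AES suites only).

    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA -> ECDHE-RSA-AES256-SHA; other
    families (plain RSA, ChaCha20, TLS 1.3) follow different naming rules.
    """
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not an IANA TLS 1.2 suite name: {name}")
    kx, _, rest = name[4:].partition("_WITH_")
    rest = rest.replace("AES_256", "AES256").replace("AES_128", "AES128")
    rest = rest.replace("_CBC", "")  # OpenSSL omits CBC from the name
    return f"{kx}_{rest}".replace("_", "-")


def build_cipher_string(allowed_iana: list[str]) -> str:
    """Colon-separated OpenSSL cipher string for a custom TLS setting."""
    return ":".join(iana_to_openssl(n) for n in allowed_iana)


def offered_ciphers(cipher_string: str) -> set[str]:
    """Names the local OpenSSL would offer for this string (TLS 1.2 minimum).

    No network needed. TLS 1.3 suites are not governed by this string and
    may appear in the result as well.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)  # raises SSLError on an unknown string
    return {c["name"] for c in ctx.get_ciphers()}


def verify_policy(allowed_iana: list[str], blocked_iana: str) -> bool:
    """True when every allowed suite is offered and the blocked one is not."""
    offered = offered_ciphers(build_cipher_string(allowed_iana))
    wanted = {iana_to_openssl(n) for n in allowed_iana}
    return wanted <= offered and iana_to_openssl(blocked_iana) not in offered


if __name__ == "__main__":
    print("cipher string:", build_cipher_string(ALLOWED_IANA))
    print("policy ok:", verify_policy(ALLOWED_IANA, BLOCKED_IANA))
```

The set of suites actually offered depends on the OpenSSL build behind the ssl module, so run the check on a host whose OpenSSL resembles the one on the firewall.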