09-15-2021 08:51 AM
Hey guys, I have a question regarding the Cisco IronPort. Based on this article link, can we remove TLS 1.0 and TLS 1.1 and leave only TLS 1.2 enabled? As I understand it, we cannot disable TLS 1.1, as it is a prerequisite for TLS 1.0 or TLS 1.2.
Can anyone enlighten me on this matter? I am finding it hard to find any article related to disabling TLS 1.0 and TLS 1.1.
Thank you in advance.
09-15-2021 01:44 PM
Hi @jamie6910,
As TLS v1.0 and 1.1 are deprecated for some time now, I believe you should be able to disable them, leaving only TLS v1.2.
I'm not aware of any dependency between versions; they are separate protocols. However, you should approach this carefully: you must confirm that your clients are enabled for TLS v1.2, and you should test your integrations to make sure your other systems are enabled for TLS v1.2 (e.g. your LDAPS integration).
I would try this in off-peak hours, with careful testing.
BR,
Milos
09-15-2021 05:22 PM
Hi Milos,
Thank you for your prompt response. But do you mind if I ask whether you have any KB article or documentation about this matter? I would like to look into the reference thoroughly.
Regards,
Jamie.
09-16-2021 03:06 AM
10-03-2021 10:50 PM
Hi Milos,
Thank you for your updates and apologies for the late response.
How can I confirm that users are enabled for TLS v1.2? And the documentation you provided is for WSA and SMA; is it applicable to ESA?
Can you verify that the steps are to uncheck TLS v1.0 and TLS v1.1 and check TLS v1.2?
Is there anything to check on cipher suite?
Regards,
Jamie.
10-04-2021 01:10 AM
Hi @jamie6910,
In order to confirm whether users are using TLS v1.2, you could do a packet capture on your clients and the ESA and see whether TLSv1.2 appears inside the packets.
As all three products (WSA, SMA and ESA) are running AsyncOS as operating system, I'm taking this as relevant information.
Yes, I would also uncheck older protocol versions, and leave only v1.2. I would do it one at a time (disable v1.0 in first iteration, and then v1.1 in second).
Regarding cipher suites, I wouldn't configure those unless I know what I'm targeting specifically (e.g. I want to enable only certain protocols and disable everything else).
BR,
Milos
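A worked example of the packet-capture check Milos describes above, added here and not part of the original thread or of any Cisco documentation. The point to watch in a capture is that the version a session actually runs at is the one the server selects in its ServerHello: the record-layer version on a ClientHello is often 0x0301 (TLS 1.0) regardless of what the client supports, so reading that field would wrongly suggest TLS 1.0 is still in use. A TLS 1.3 server additionally keeps 0x0303 in the ServerHello's legacy version field and puts the real version in the supported_versions extension, which the parser below also handles. The `build_server_hello` helper and the three sample records are constructed test data for running the script offline; on a real capture, export the server's first handshake record as raw bytes (e.g. from Wireshark) and pass the file on the command line.

```python
"""Report the TLS version a server actually negotiated, from a captured ServerHello.

Added example for the thread above (not Cisco's code). The sample records at the
bottom are constructed here so the script runs without a capture file.
"""
import struct
import sys

TLS_VERSIONS = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
HANDSHAKE = 22                 # TLS record content type
SERVER_HELLO = 2               # handshake message type
EXT_SUPPORTED_VERSIONS = 43    # extension id (RFC 8446)
MINIMUM_ACCEPTABLE = 0x0303    # the thread's goal: nothing below TLS 1.2


def version_name(v: int) -> str:
    return TLS_VERSIONS.get(v, f"unknown 0x{v:04x}")


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record containing a ServerHello.

    Returns record_version, handshake_version, the negotiated version (taking the
    supported_versions extension into account) and the selected cipher suite.
    """
    if len(record) < 5:
        raise ValueError("record too short")
    content_type, record_version, length = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError(f"not a handshake record (content type {content_type})")
    body = record[5:5 + length]
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]

    # ServerHello: version(2) random(32) session_id<0..32> cipher_suite(2) compression(1) [extensions]
    hs_version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32
    pos += 1 + hello[pos]                       # skip session_id
    cipher_suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + 1                                # cipher suite + compression method

    negotiated = hs_version
    if pos + 2 <= len(hello):                   # extensions are optional
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + ext_len]
            pos += ext_len
            if ext_type == EXT_SUPPORTED_VERSIONS and ext_len == 2:
                # TLS 1.3: legacy_version stays 0x0303, real version lives here
                negotiated = struct.unpack("!H", data)[0]
    return {
        "record_version": record_version,
        "handshake_version": hs_version,
        "negotiated_version": negotiated,
        "negotiated": version_name(negotiated),
        "cipher_suite": cipher_suite,
    }


def audit(records: dict) -> list:
    """Return (label, version) for every capture that negotiated below TLS 1.2."""
    findings = []
    for label, record in records.items():
        info = parse_server_hello(record)
        if info["negotiated_version"] < MINIMUM_ACCEPTABLE:
            findings.append((label, info["negotiated"]))
    return findings


def build_server_hello(hs_version: int, cipher_suite: int, supported_version=None) -> bytes:
    """Constructed test data only: build a minimal ServerHello record."""
    hello = struct.pack("!H", hs_version) + bytes(32) + b"\x00" + struct.pack("!H", cipher_suite) + b"\x00"
    if supported_version is not None:
        ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, supported_version)
        hello += struct.pack("!H", len(ext)) + ext
    hs = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", HANDSHAKE, hs_version, len(hs)) + hs


# Constructed samples (hypothetical peers, not real captures).
SAMPLE_TLS12 = build_server_hello(0x0303, 0xC02F)                           # ECDHE-RSA-AES128-GCM-SHA256
SAMPLE_TLS10 = build_server_hello(0x0301, 0x002F)                           # AES128-SHA, legacy
SAMPLE_TLS13 = build_server_hello(0x0303, 0x1301, supported_version=0x0304) # TLS_AES_128_GCM_SHA256

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(parse_server_hello(f.read()))
    else:
        print(audit({"mail-gateway": SAMPLE_TLS12, "ldaps-server": SAMPLE_TLS10, "web-ui": SAMPLE_TLS13}))
```

Run it against a few captures from each integration (mail peers, LDAPS, the web UI) before and after each protocol is unchecked; any label the audit returns is a peer that still needs TLS 1.2 enabled on its side. The selected cipher suite is also returned, which answers the cipher-suite question in the same pass if you want to compare it against the list the appliance offers.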