SRX Services Gateway

How to enable TLS for SRX GUI access for the PCI compliance

a week ago

Hi

How to disable SSL and enable TLS for the SRX GUI HTTPS access, as its needed for the PCI compliance.

"We use a public certificate for the firewall GUI access"

Thanks

1 ACCEPTED SOLUTION
Accepted by topic author mahmoud.yasin@ad-tech.com.jo

Re: How to enable TLS for SRX GUI access for the PCI compliance

a week ago

AFAIK, there is no configuration knob to disable SSL. SSL is disabled in the version mentioned in my last post. The version you are running (12.3X48-D45.6) will have both SSL and TLS. You may verify this by disabling SSL in your browser and then accessing J-Web.

Thanks,
Nellikka
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
4 REPLIES

Re: How to enable TLS for SRX GUI access for the PCI compliance

a week ago

Upgrade to 12.3X48-D55, 15.1X49-D100 and later releases. On these releases, the TLS1.0 and TLS1.1 SSL protocols are blocked because of reported security vulnerabilities.

Reference: https://kb.juniper.net/InfoCenter/index?page=content&id=KB32921&cat=SRX_SERIES&actp=LIST

Thanks,
Nellikka
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
Re: How to enable TLS for SRX GUI access for the PCI compliance

a week ago

Hi

But we already have version 12.3X48-D45.6, which, based on the KB below, supports TLS 1.2.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB30879

But when we did the compliance audit, we got that the running version is SSL and not TLS.

My question is how to enable the TLS and disable the SSL?

Re: How to enable TLS for SRX GUI access for the PCI compliance

Thursday

Hi mahmoud

The version you are currently using does support TLS1.2 but also supports older SSL versions. There is a shell command for stopping the use of specific SSL versions; however, this command won't survive a reboot of the firewall.

1. From the root shell:
root@junos% vi /jail/var/etc/httpd.conf
Change the default config, something similar to "SSLProtocol ALL -SSLV2", to "SSLProtocol TLSv1".
2. Find the process ID (pid) of httpd and kill/restart it:
root@junos% ps auxw | grep httpd
root@junos% kill -9 (pid of httpd)
OR
root@junos% kill -HUP (pid of httpd)
*Note: This change will not survive after reboots. Additionally, executing the 'restart web-management' CLI command will restart the httpd-gk process, which will regenerate the default httpd.conf file and overwrite the manual changes.

The best solution is to upgrade to version 12.3X48-D55 or newer because "In SRX devices that run Junos OS releases 12.3X48-D55 and later, Transport Layer Security (TLS) versions prior to TLSv1.2 are not supported."

Reference: https://kb.juniper.net/InfoCenter/index?page=content&id=KB32921&cat=SRX_SERIES&actp=LIST

Hope this helps and please mark as "Solution Accepted" if it applies.
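As an added check, not code from this thread or from Juniper, the following Python evaluates an httpd.conf SSLProtocol line with mod_ssl's left-to-right semantics and reports which protocol versions a PCI scan would still flag; it shows that the suggested "SSLProtocol TLSv1" edit leaves only TLS 1.0 enabled, whereas "SSLProtocol -ALL +TLSv1.2" matches what the D55+ releases enforce. Assumptions: ALL expands to SSLv2 through TLSv1.2 (as the quoted default "ALL -SSLv2" implies), TLSv1.1 and TLSv1.2 are the acceptable floor, and the file has a single server context.

```python
import re

# Protocol tokens mod_ssl accepts in SSLProtocol, oldest first.
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
# Assumption: "all" covers every token above (the SRX default "ALL -SSLv2" implies SSLv2 is in it).
ALL = frozenset(PROTOCOLS)
# Assumption for this audit: PCI DSS 3.1 retired SSL and early TLS, so only these pass.
PCI_OK = frozenset({"TLSv1.1", "TLSv1.2"})


def parse_ssl_protocol(directive):
    """Protocols enabled by one SSLProtocol line, using mod_ssl's
    left-to-right rules: "+tok" adds, "-tok" removes, a bare token replaces."""
    m = re.match(r"^\s*SSLProtocol\s+(.+?)\s*$", directive, re.IGNORECASE)
    if not m:
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    by_name = {p.lower(): p for p in PROTOCOLS}
    enabled = set()
    for word in m.group(1).split():
        action = ""
        if word[0] in "+-":
            action, word = word[0], word[1:]
        if word.lower() == "all":
            chosen = set(ALL)
        elif word.lower() in by_name:
            chosen = {by_name[word.lower()]}
        else:
            raise ValueError("unknown protocol token: %r" % word)
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen  # bare token overrides everything set so far
    return frozenset(enabled)


def audit_httpd_conf(conf_text):
    """Return (enabled, weak) for an httpd.conf; weak is what a PCI scan
    would flag, so an empty weak set means the setting passes."""
    lines = [l for l in conf_text.splitlines()
             if l.strip().lower().startswith("sslprotocol")]
    # Single server context assumed: the last directive wins. With none
    # present, assume the old mod_ssl default of "all".
    enabled = parse_ssl_protocol(lines[-1]) if lines else ALL
    return enabled, enabled - PCI_OK


if __name__ == "__main__":
    # Check the live file on the SRX (path taken from the thread above).
    print(audit_httpd_conf(open("/jail/var/etc/httpd.conf").read()))
```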