- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
How to allow or block TLS and SSH ciphers using the Cipher Control feature
05/04/2020 
27 People found this article helpful
35,128 Views
Description
Cipher control feature was introduced in the feature release firmware version 6.5.4.1 and available on all firmware versions post that. It can be used to allow or block any or all TLS and SSH ciphers.
Resolution
TLS Ciphers:
We have around 333 TLS ciphers in the list which can be allowed/blocked based on strength, CBC mode support, as well as TLS protocol version.
It can be configured from the MANAGE | Security Configuration | Firewall Settings | Cipher Control tab. We can easily filter them and take the decision to whether block or allow certain ciphers. This functionality applies to DPI-SSL, HTTPS management, and SSL control. The following can be used for filtering the ciphers.
- Strength: Recommended, Secure, Weak, Insecure
- Is CBC: Indicates whether the cipher uses CBC (Cipher-Block Chaining) mode
- TLS version: We have toggle switches for TLS version 1.0 through 1.3
- Action:
You can also view all allowed/blocked ciphers using this drop-down
The red 
indicates that the cipher is blocked and the green checkmark 
indicates if the property of the column is true for that cipher. You can use the Action drop-down to filter all the blocked/allowed ciphers.
For Eg: The cipher TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 is a CBC cipher and TLS_ECDH_ECDSA_WITH_RC4_128_SHA is blocked as per the screenshot below.
The expected behavior, when a cipher is blocked, is as below. For example, if cipher X is blocked, the expected behavior is:
- DPI-SSL – Cipher X is no longer a part of the TLS context and is not a part of the client advertised ciphers sent by the firewall handshaking with origin server.
- HTTPS MGMT – Cipher X is not a part of the HTTPS MGMT server application running on the firewall. Thus, if a TLS client negotiates just cipher X, the TLS handshake between client and firewall fails.
- SSL Control – As this refers to traffic (other than DPI-SSL decrypted sessions) passing through the firewall, the firewall blocks any TLS connection between origin client and origin server that uses/negotiates Cipher X.
You can also use the display icon 
to check if the cipher is applicable to DPI-SSL, HTTPS management, or SSL control.
You can select multiple cipher suites after filtering and use the block and unblock buttons to block or allow the cipher respectively.
SSH Ciphers:
The SSH Ciphers page of MANAGE | Security Configuration -> Firewall Settings -> Cipher Control allows you to specify which cryptographic SSH ciphers SonicOS uses. The SSH ciphers can be allowed/blocked using check/uncheck option based on key exchange algorithm, Public key algorithm, Encryption algorithm as well as MAC algorithm.
Related Articles
- How to force an update of the Security Services Signatures from the Firewall GUI
- How to upload security services signatures manually on Closed Environments?
- How to Create Gen 7 Settings File by Using the Online Migration Tool
YES
NO