Introduction to Cipher Control feature
11/24/2023
Description
The Cipher Control feature was introduced in feature release firmware version 6.5.4.1. It can be used to allow or block any or all TLS and SSH ciphers. This functionality applies to:
- DPI-SSL (TLS traffic inspected by the firewall)
- HTTPS MGMT (TLS sessions accessing the firewall)
- SSL Control (inspects TLS traffic passing through the firewall without DPI-SSL)
Any change to the TLS ciphers applies to all TLS traffic.
Resolution
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that differ from SonicOS 6.5 and earlier firmware. The resolution below is for customers using SonicOS 7.X firmware.
The list of ciphers displayed on the Network | Firewall | Cipher Control page is a list of known TLS ciphers. This list is a superset of the supported ciphers: while it contains all known ciphers, DPI-SSL and HTTPS MGMT support a much smaller subset. For example, DPI-SSL and HTTPS MGMT do not yet support TLS 1.3 ciphers, and do not support some of the weak ciphers that are listed on the same Cipher Control page.
The ciphers are ordered by security strength, with the ciphers at the top more secure than those below. Both the DPI-SSL and HTTPS MGMT implementations take the relative ordering of their supported ciphers from the Cipher Control page; that is, DPI-SSL orders the ciphers it supports in the order they are listed on the Cipher Control page. The same is true for HTTPS MGMT ciphers.
TLS Ciphers:
- The TLS Ciphers page of Network | Firewall | Cipher Control lists around 333 TLS ciphers, which can be allowed or blocked based on strength, CBC mode support, and TLS protocol version.
SSH Ciphers:
- The SSH Ciphers page of Network | Firewall | Cipher Control allows you to specify which cryptographic SSH ciphers SonicOS uses. SSH ciphers can be allowed or blocked based on key exchange algorithm, public key algorithm, encryption algorithm and MAC algorithm.
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that differ from SonicOS 6.2 and earlier firmware. The resolution below is for customers using SonicOS 6.5 firmware.
The list of ciphers displayed on the MANAGE | Security Configuration | Firewall Settings | Cipher Control page is a list of known TLS ciphers. This list is a superset of the supported ciphers: while it contains all known ciphers, DPI-SSL and HTTPS MGMT support a much smaller subset. For example, DPI-SSL and HTTPS MGMT do not yet support TLS 1.3 ciphers, and do not support some of the weak ciphers that are listed on the Cipher Control page.
The ciphers are ordered by security strength, with the ciphers at the top more secure than those below. Both the DPI-SSL and HTTPS MGMT implementations take the relative ordering of their supported ciphers from the Cipher Control page; that is, DPI-SSL orders the ciphers it supports in the order they are listed on the Cipher Control page. The same is true for HTTPS MGMT ciphers.
TLS Ciphers:
- The TLS Ciphers page of MANAGE | Security Configuration | Firewall Settings | Cipher Control lists around 333 TLS ciphers, which can be allowed or blocked based on strength, CBC mode support, and TLS protocol version.
SSH Ciphers:
- The SSH Ciphers page of MANAGE | Security Configuration | Firewall Settings | Cipher Control allows you to specify which cryptographic SSH ciphers SonicOS uses. SSH ciphers can be allowed or blocked based on key exchange algorithm, public key algorithm, encryption algorithm and MAC algorithm.
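The TLS Ciphers pages described above (for both SonicOS 7.X and 6.5) filter the cipher list by strength, CBC mode support and TLS protocol version. The following added example, which is not SonicOS code, models such a policy offline for IANA cipher-suite names so that an administrator can see which suites a given combination of those three filters would leave allowed, and in which order; the policy flags, the weak-algorithm sets and the sample suite names are constructed for this illustration.

```python
# Added example, not SonicWall code: an offline model of a Cipher Control
# style policy that allows or blocks IANA TLS cipher-suite names on the
# three criteria the article names (strength, CBC mode, TLS version).
# The policy knobs and the weak-algorithm sets below are constructed.

POLICY = {"block_cbc": True, "block_weak": True, "block_pre_tls12": True}

WEAK_BULK = ("NULL", "RC4", "RC2", "DES", "3DES", "IDEA", "SEED")
WEAK_MAC = ("NULL", "MD5")


def parse_suite(name):
    """Split an IANA suite name into key exchange, auth, bulk cipher and MAC.

    TLS 1.3 names (TLS_AES_128_GCM_SHA256) carry no '_WITH_' and no key
    exchange; older names follow TLS_<KX>[_<AUTH>]_WITH_<BULK>_<MAC>.
    """
    body = name[len("TLS_"):]
    tls13 = "_WITH_" not in body
    kxauth, rest = ("", body) if tls13 else body.split("_WITH_", 1)
    aead = any(t in rest for t in ("GCM", "CCM", "CHACHA20"))
    bulk, mac = (rest, "AEAD") if aead else rest.rsplit("_", 1)
    kx, _, auth = kxauth.partition("_")
    if tls13:
        min_version = "1.3"
    elif aead or mac in ("SHA256", "SHA384"):
        min_version = "1.2"       # AEAD and SHA-2 MAC forms exist only from TLS 1.2
    else:
        min_version = "pre-1.2"   # SHA-1 / MD5 suites date from TLS 1.0 or SSL 3
    return {"kx": kx, "auth": auth or kx, "bulk": bulk, "mac": mac,
            "cbc": "CBC" in bulk, "min_version": min_version}


def evaluate(name, policy=POLICY):
    """Return (allowed, reasons) for one suite under the given policy."""
    s = parse_suite(name)
    weak = (any(w in s["bulk"] for w in WEAK_BULK) or s["mac"] in WEAK_MAC
            or "EXPORT" in s["auth"] or "anon" in s["auth"] or s["auth"] == "NULL")
    reasons = []
    if policy["block_weak"] and weak:
        reasons.append("weak")
    if policy["block_cbc"] and s["cbc"]:
        reasons.append("cbc")
    if policy["block_pre_tls12"] and s["min_version"] == "pre-1.2":
        reasons.append("tls-version")
    return (not reasons, reasons)


def allowed_suites(names, policy=POLICY):
    """Keep input order: the firewall applies the Cipher Control page order."""
    return [n for n in names if evaluate(n, policy)[0]]
```

Note that this only classifies names; which of the allowed suites DPI-SSL or HTTPS MGMT actually negotiate is still limited to the smaller supported subset the article describes.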