Enforce TLS 1.2

Ron
edited July 24 in Firebox - Proxies

M270 with Fireware 12.5.1

I have an HTTPS Proxy that uses the default TLS profile (TLS-Client-HTTPS.Standard). That default profile has a minimum protocol version of TLS 1.0.

Everyone is moving away from anything older than TLS 1.2. How do I enforce TLS 1.2 or a higher version? I have tried cloning the above default TLS profile and setting the minimum protocol version to TLS 1.2, then selecting that cloned profile on my HTTPS Proxy policy.

I got an error when saving the changes. I can't save it. It says:

Error communicating with Firebox
INTERNAL_ERROR: unable to set config Config /full FAILED

Comments

  • Assuming that you are using the Web UI here, you probably need to set your web browser to use TLS 1.2 or higher first, so that the web browser session with the firewall is using TLS 1.2.
    Or use WSM Policy Manager to make this change.

  • I'm using Policy Manager. I never make changes with WebUI.

  • I'm running V12.6.1 on a T20, and I don't have that problem.

    I'm not seeing any fixes in releases newer than yours with this issue listed as fixed.

    Either try a newer XTM or WSM version or open a support incident.

  • I have a T35 running 12.5.4 build 622768 and just set the minimum protocol version to TLS 1.2 in my HTTPS proxy. I am using WSM 12.6.1 for Policy Manager and had no issues saving the config to the T35.

    Gregg Hill

  • Power cycling the M270 fixed it. I can clone the TLS profile and save it.

  • James_Carson Moderator, WatchGuard Representative

    Hi @Ron
    Sounds like that could have been a low memory problem (Fireware takes everything to RAM, and checks it before committing to storage.)

    If you're not on one of the later firmwares, like 12.5.3 or 12.5.4, I'd suggest considering an upgrade to those versions if this happens again.

    -James Carson
    WatchGuard Customer Support
