Here is some information that one of our specialists recommended:
@Alex Bakshtein Before you do this, test it first in non-production, and make the change during a maintenance window. Assuming you are running in reverse proxy:
Enable/Disable ciphers/TLS versions without GW restart
- This configuration affects TLS handshakes for RP GWs only, as a Bridge GW doesn't control the TLS handshake negotiation done between the client and server.
If ciphers are disabled in Bridge mode and the client and server agree on one of the disabled ciphers, the GW won't be able to support their SSL session.
- This advanced configuration is supported from v11.5 and above. If you are using older versions, try changing the ciphers list to be aligned with the list available in the bootstrap.xml file.
Go to Gateway screen > *Gateway group* > Advanced Configuration (Right pane below).
Paste the following in the text box (and edit which ciphers & TLS versions you would like to be enabled\disabled), and save:
<kssl-config>
<!-- 1024-bit DH is below current recommendations; confirm whether your version accepts a larger value before raising it -->
<kssl dh-key-size="1024">
<TLS_DHE_RSA_WITH_AES_256_CBC_SHA256>false</TLS_DHE_RSA_WITH_AES_256_CBC_SHA256>
<TLS_DHE_RSA_WITH_AES_128_CBC_SHA256>false</TLS_DHE_RSA_WITH_AES_128_CBC_SHA256>
<TLS_RSA_WITH_AES_256_CBC_SHA256>false</TLS_RSA_WITH_AES_256_CBC_SHA256>
<TLS_RSA_WITH_AES_128_CBC_SHA256>false</TLS_RSA_WITH_AES_128_CBC_SHA256>
<TLS_RSA_WITH_AES_128_GCM_SHA256>false</TLS_RSA_WITH_AES_128_GCM_SHA256>
<TLS_RSA_WITH_AES_256_GCM_SHA384>false</TLS_RSA_WITH_AES_256_GCM_SHA384>
<TLS_DHE_RSA_WITH_AES_128_GCM_SHA256>false</TLS_DHE_RSA_WITH_AES_128_GCM_SHA256>
<TLS_DHE_RSA_WITH_AES_256_GCM_SHA384>false</TLS_DHE_RSA_WITH_AES_256_GCM_SHA384>
<TLS_RSA_WITH_AES_256_CBC_SHA>true</TLS_RSA_WITH_AES_256_CBC_SHA>
<TLS_RSA_WITH_NULL_SHA256>false</TLS_RSA_WITH_NULL_SHA256>
<TLS_DHE_RSA_WITH_AES_256_CBC_SHA>false</TLS_DHE_RSA_WITH_AES_256_CBC_SHA>
<TLS_DHE_RSA_WITH_AES_128_CBC_SHA>true</TLS_DHE_RSA_WITH_AES_128_CBC_SHA>
<TLS_RSA_WITH_AES_128_CBC_SHA>true</TLS_RSA_WITH_AES_128_CBC_SHA>
<SSL_RSA_WITH_RC4_128_MD5>false</SSL_RSA_WITH_RC4_128_MD5>
<SSL_RSA_WITH_RC4_128_SHA>false</SSL_RSA_WITH_RC4_128_SHA>
<SSL_DHE_RSA_WITH_DES_CBC_SHA>false</SSL_DHE_RSA_WITH_DES_CBC_SHA>
<SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA>false</SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA>
<SSL_RSA_WITH_DES_CBC_SHA>false</SSL_RSA_WITH_DES_CBC_SHA>
<SSL_RSA_WITH_3DES_EDE_CBC_SHA>false</SSL_RSA_WITH_3DES_EDE_CBC_SHA>
<SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA>false</SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA>
<!-- Export-grade 40-bit RC4 is set to true in this sample; set it to false in any real deployment -->
<SSL_RSA_EXPORT_WITH_RC4_40_MD5>true</SSL_RSA_EXPORT_WITH_RC4_40_MD5>
<TLS_RSA_EXPORT1024_WITH_RC4_56_SHA>false</TLS_RSA_EXPORT1024_WITH_RC4_56_SHA>
<TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA>false</TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA>
<!-- Export-grade 56-bit RC4 with MD5 is set to true in this sample; set it to false in any real deployment -->
<TLS_RSA_EXPORT1024_WITH_RC4_56_MD5>true</TLS_RSA_EXPORT1024_WITH_RC4_56_MD5>
<SSL_RSA_EXPORT_WITH_DES40_CBC_SHA>false</SSL_RSA_EXPORT_WITH_DES40_CBC_SHA>
<SSL_RSA_WITH_NULL_MD5>false</SSL_RSA_WITH_NULL_MD5>
<SSL_RSA_WITH_NULL_SHA>false</SSL_RSA_WITH_NULL_SHA>
<TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA>true</TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA>
<TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA>true</TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA>
<TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256>true</TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256>
<TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384>true</TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384>
</kssl>
<tls-supported-versions>
<client>
<SSL_3_0>false</SSL_3_0>
<!-- To disable TLS 1.0 and 1.1, set them to false here and in <server> below; this sample leaves them enabled -->
<TLS_1_0>true</TLS_1_0>
<TLS_1_1>true</TLS_1_1>
<TLS_1_2>true</TLS_1_2>
</client>
<server>
<SSL_3_0>false</SSL_3_0>
<TLS_1_0>true</TLS_1_0>
<TLS_1_1>true</TLS_1_1>
<TLS_1_2>true</TLS_1_2>
</server>
</tls-supported-versions>
</kssl-config>
Notes:
The <client> tag is responsible for the connection between the client and the GW.
The <server> tag is responsible for the connection between the GW and the server.
The kssl enabled ciphers affect the GW's available ciphers for both sides.
That's it.
------------------------------
Christopher Detzel
Community Manager
Imperva
------------------------------
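The fragment above is pasted into a live gateway, and a single missing `>` or a suite left at `true` by mistake only shows up afterwards. As an added example that is not part of the reply above and not an Imperva tool, the Python script below checks a `<kssl-config>` fragment before it is pasted: it confirms the XML is well-formed, lists enabled suites that match weak-cipher name patterns (EXPORT, NULL, RC4, DES, 3DES, MD5), flags SSL 3.0/TLS 1.0/TLS 1.1 enabled on either side, and can emit a copy with those legacy versions and weak suites set to `false`. Only the element names visible in the posted fragment are used; the 2048-bit DH threshold, the weak-suite marker list and the sample fragments are the example's own assumptions.

```python
"""Lint and harden an Imperva <kssl-config> fragment before pasting it into the
gateway group's Advanced Configuration.

Added example, not code from the original post or from Imperva. It relies only on
the element names seen in the posted fragment (kssl, dh-key-size,
tls-supported-versions, client, server, per-suite true/false elements).
"""
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the posted fragment. The two export suites
# are left at "true", as in the reply, so the linter has something to flag.
SAMPLE = """<kssl-config>
<kssl dh-key-size="1024">
<TLS_RSA_WITH_AES_256_CBC_SHA>true</TLS_RSA_WITH_AES_256_CBC_SHA>
<SSL_RSA_EXPORT_WITH_RC4_40_MD5>true</SSL_RSA_EXPORT_WITH_RC4_40_MD5>
<TLS_RSA_EXPORT1024_WITH_RC4_56_MD5>true</TLS_RSA_EXPORT1024_WITH_RC4_56_MD5>
<SSL_RSA_WITH_3DES_EDE_CBC_SHA>false</SSL_RSA_WITH_3DES_EDE_CBC_SHA>
<TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256>true</TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256>
</kssl>
<tls-supported-versions>
<client><SSL_3_0>false</SSL_3_0><TLS_1_0>true</TLS_1_0><TLS_1_1>true</TLS_1_1><TLS_1_2>true</TLS_1_2></client>
<server><SSL_3_0>false</SSL_3_0><TLS_1_0>false</TLS_1_0><TLS_1_1>false</TLS_1_1><TLS_1_2>true</TLS_1_2></server>
</tls-supported-versions>
</kssl-config>"""

# Constructed sample reproducing the missing '>' on the 3DES line of the reply.
BROKEN = """<kssl-config><kssl dh-key-size="1024">
<SSL_RSA_WITH_3DES_EDE_CBC_SHA>false</SSL_RSA_WITH_3DES_EDE_CBC_SHA
</kssl></kssl-config>"""

# Assumption: name fragments that identify suites nobody should enable today.
WEAK_MARKERS = ("EXPORT", "NULL", "RC4", "DES_CBC", "3DES", "_MD5")
LEGACY_VERSIONS = ("SSL_3_0", "TLS_1_0", "TLS_1_1")
MIN_DH_BITS = 2048  # assumption; confirm the gateway version accepts a larger value


def _is_true(element):
    return element is not None and (element.text or "").strip().lower() == "true"


def is_well_formed(xml_text):
    """True if the fragment parses; a missing '>' or unbalanced tag returns False."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def lint_kssl_config(xml_text):
    """Return a list of human-readable findings for the fragment (empty = clean)."""
    root = ET.fromstring(xml_text)
    if root.tag != "kssl-config":
        raise ValueError("root element must be <kssl-config>")
    kssl = root.find("kssl")
    if kssl is None:
        raise ValueError("missing <kssl> element")
    findings = []
    dh_bits = int(kssl.get("dh-key-size", "0"))
    if dh_bits < MIN_DH_BITS:
        findings.append(f"dh-key-size={dh_bits} is below {MIN_DH_BITS} bits")
    enabled = [suite.tag for suite in kssl if _is_true(suite)]
    if not enabled:
        findings.append("no cipher suite is enabled; every handshake would fail")
    for suite in enabled:
        if any(marker in suite for marker in WEAK_MARKERS):
            findings.append(f"weak suite enabled: {suite}")
    if not any("DHE" in suite for suite in enabled):
        findings.append("no forward-secret (DHE/ECDHE) suite enabled")
    versions = root.find("tls-supported-versions")
    for side in ("client", "server"):  # client->GW and GW->server legs
        node = None if versions is None else versions.find(side)
        if node is None:
            findings.append(f"missing <{side}> under <tls-supported-versions>")
            continue
        for version in LEGACY_VERSIONS:
            if _is_true(node.find(version)):
                findings.append(f"{side}: legacy protocol {version} enabled")
        if not _is_true(node.find("TLS_1_2")):
            findings.append(f"{side}: TLS_1_2 is not enabled")
    return findings


def harden(xml_text):
    """Return the fragment with weak suites and legacy protocol versions set to
    false on both sides. dh-key-size is deliberately left alone: whether the
    gateway accepts a larger value must be checked against the product docs."""
    root = ET.fromstring(xml_text)
    for suite in root.find("kssl"):
        if any(marker in suite.tag for marker in WEAK_MARKERS):
            suite.text = "false"
    for node in root.find("tls-supported-versions"):
        for version in LEGACY_VERSIONS:
            element = node.find(version)
            if element is not None:
                element.text = "false"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("well-formed:", is_well_formed(SAMPLE), "/ broken sample:", is_well_formed(BROKEN))
    for finding in lint_kssl_config(SAMPLE):
        print("-", finding)
    print(harden(SAMPLE))
```

Run the linter on the exact text you intend to paste, fix what it reports, paste the hardened output, then confirm from a client with an external scanner or `openssl s_client` that a TLS 1.0 or 1.1 handshake to the gateway is now refused.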
Original Message:
Sent: 07-23-2020 11:55
From: Harmesh Yadav
Subject: disable tls version 1.0 and 1.1 imperva
Dear Team,
We have a requirement to disable TLS versions on existing Imperva devices.
Versions we are going to disable: TLS 1.0 and 1.1.
Model information:
Imperva WAF, SecureSphere X2010
We would appreciate it if someone could give an answer at the earliest.
------------------------------
Harmesh Yadav
Velocis Systems PVT LTD
Pune
------------------------------