Restrict clients from accessing the ProxySG using low security or weak ciphers.

Specify which ciphers are allowed or denied for incoming connections to the ProxySG.

There are a several different ways to limit what ciphers the ProxySG will accept. There are many different conceivable combinations, but the principles shown in the examples below should offer the necessary guidance in successfully limiting connections to the ProxySG based on cipher type or strength.


CLI:
Management Console Service:
Enable mode (enable <enter>)
Config t <enter>
management-services<enter>
edit https-console<enter>
attribute cipher-suite <insert the ciphers you want>

Reverse Proxy Service:
Enable mode (enable <enter>)
Config t <enter>
proxy-services<enter>
edit <service_name><enter>
attribute cipher-suite <insert the ciphers you want>

Example:
SGOS#(config HTTPS-Console) attribute cipher-suite rc4-md5 rc4-sha des-cbc3-sha aes128-sha aes256-sha

VPM:
Web Access Layer
Right click in "Source", then Set > New
Client Negotiate Cipher Strengh
Choose the desired strength (Export, High, Medium, Low)
Choose to DENY or ALLOW depending on your need.

CPL:
Example_1: Deny ciphers by security level:
<Proxy>
    DENY client.connection.negotiated_cipher.strength=low

Example_2: Allow based on a specified list of ciphers:
<Proxy>
    ALLOW client.connection.negotiated_cipher=(EXP-RC4-MD5 || EXP1024-RC4-MD5 || EXP1024-RC4-SHA || EXP1024-RC2-CBC-MD5 || EXP1024-DES-CBC-SHA)