Failing PCI Scans - How do I disable TLS 1.0 and block DES & 3DES?

Question

On our XG running 16.01.02 firmware we are failing our PCI compliance scans due to both TLS 1.0 being enabled and cipher vulnerability called Sweet32 ( https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2183) . On my old TMG I could go into the register and disable the " Triple DES 168 " cipher and reboot but I don't see how to do that on the XG nor do I see a way to disable TLS 1.0. How can this be done? 
 
 -Allan

AllanD · Accepted Answer

Support got back to me today and told me how to manually edit the httpd file on the XG to remove the insecure cyphers (3DES mainly) and protocols (TLS 1.0 and 1.1). While I was in there I also disabled Trace/Track which was failing me also. I wrote a blog post about it here: http://allandynes.com/2017/04/sophos-xg-firewall-pci-compliance-woes/ . 
 
 Long story short the TLS enable/disable will be added to the UI in v17 but only for 1.0 it seems, not 1.1 or the cyphers. Also the changes I manually made to the httpd file will need to be done each time there is a firmware update which is a PITA. 
 
 But long story short I now pass my PCI compliance scans fully. 
 
 -Allan

AllanD · Answer

As of the latest update, "HW-SFOS_17.0.6_MR-6.SF300-181", this is what is still in the config files: 
 SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS SSLProtocol all -SSLv2 -SSLv3 
 Sooooooo...... you still have to manually remove the 3DES ciphers and also add in the -TLSv1 -TLSv1.1 to the SSLProtocols line to disable them. Also every time you do a firmware update this file gets overwritten and turns those all back on so you have to go back and manually fix it each time. 
 
 I don't know why this hasn't been fixed or at least the option to turn it on and off added to the UI.

AllanD · Answer

First what I got back from support: "Unfortunately, it's not possible to change TLS version from GUI as well as from CLI in XG v16.05(MR 1 & 2), cause it is hard coded and changed from proxy binary. I confirmed same with senior team." So I have to have them make the change to disable TLS v1.0, currently waiting for that to happen so I can re-try my PCI compliance scan. There is a suggestion on this for the UTM ( ideas.sophos.com/.../8039499-remove-support-for-tls-1-0-allow-it-to-be-disabled) but there wasn't one for the XG. I added it if anyone cares to upvote it: ideas.sophos.com/.../18624847-remove-support-for-tls-v1-0-and-insecure-cyphers-o 
 
 -Allan