Forum Discussion
Parveez_70209
Nimbostratus
Feb 04, 2015
No TLSv1: Will this Disable only TLS1.0 while allow TLS1.1/TLS1.2/TLS1.3?
Hi Team,
We are in the process of disabling all SSL versions plus TLS 1.0, and we are running version 10.2.4.
Kindly confirm whether by saying No TLSv1: Will this Disable only TLS1.0 while allo...
Vitaliy_Savrans
Nacreous
Feb 04, 2015
You can check this by using:
tmm --clientciphers '!TLSv1'
- Ken_McGarrahan_ Mar 24, 2015
Nimbostratus
On an 11.6 image, the above lists 0 ciphers. Attempting to add it to a client profile yields the following:
tmsh modify ltm profile client-ssl mySecureProfile ciphers "-TLSv1"
01070311:3: Ciphers list '-TLSv1' for profile /Common/mySecureProfile denies all clients
Is there no method to limit TLS support to only TLSv1_1 or TLSv1_2?
- brice Apr 02, 2015
Nimbostratus
You have to give it ~something~ to start with. The above is saying "you can use no ciphers, and also disable TLSv1". Try
tmm --clientciphers 'DEFAULT:!TLSv1'
That should yield:
tmm --clientciphers 'DEFAULT:!TLSv1'
     ID  SUITE                        BITS  PROT    METHOD  CIPHER  MAC     KEYX
 0:     61  AES256-SHA256             256   TLS1.2  Native  AES     SHA256  RSA
 1:     53  AES256-SHA                256   TLS1.1  Native  AES     SHA     RSA
 2:     53  AES256-SHA                256   TLS1.2  Native  AES     SHA     RSA
 3:     53  AES256-SHA                256   DTLS1   Native  AES     SHA     RSA
 4:     60  AES128-SHA256             128   TLS1.2  Native  AES     SHA256  RSA
 5:     47  AES128-SHA                128   TLS1.1  Native  AES     SHA     RSA
 6:     47  AES128-SHA                128   TLS1.2  Native  AES     SHA     RSA
 7:     47  AES128-SHA                128   DTLS1   Native  AES     SHA     RSA
 8:     10  DES-CBC3-SHA              192   TLS1.1  Native  DES     SHA     RSA
 9:     10  DES-CBC3-SHA              192   TLS1.2  Native  DES     SHA     RSA
10:     10  DES-CBC3-SHA              192   DTLS1   Native  DES     SHA     RSA
11:      5  RC4-SHA                   128   TLS1.1  Native  RC4     SHA     RSA
12:      5  RC4-SHA                   128   TLS1.2  Native  RC4     SHA     RSA
13:  49192  ECDHE-RSA-AES256-SHA384   256   TLS1.2  Native  AES     SHA384  ECDHE_RSA
14:  49172  ECDHE-RSA-AES256-CBC-SHA  256   TLS1.1  Native  AES     SHA     ECDHE_RSA
15:  49172  ECDHE-RSA-AES256-CBC-SHA  256   TLS1.2  Native  AES     SHA     ECDHE_RSA
16:  49191  ECDHE-RSA-AES128-SHA256   128   TLS1.2  Native  AES     SHA256  ECDHE_RSA
17:  49171  ECDHE-RSA-AES128-CBC-SHA  128   TLS1.1  Native  AES     SHA     ECDHE_RSA
18:  49171  ECDHE-RSA-AES128-CBC-SHA  128   TLS1.2  Native  AES     SHA     ECDHE_RSA
19:  49170  ECDHE-RSA-DES-CBC3-SHA    192   TLS1.1  Native  DES     SHA     ECDHE_RSA
20:  49170  ECDHE-RSA-DES-CBC3-SHA    192   TLS1.2  Native  DES     SHA     ECDHE_RSA
But I would get rid of RC4 as well. So
tmm --clientciphers 'DEFAULT:!SSLv3:!TLSv1:!RC4'
(note I'm on 11.5.1, so my default will be different than yours). Look at SOL13163 mentioned above for version default differences.
- brice Apr 02, 2015
Nimbostratus
Note: the string within the ' (single quotes) would go into your client ssl profile.
- Ganesh_Garg Jul 16, 2015
Nimbostratus
I need to allow only TLS1.0; what string should I use?
- noc_206710 Aug 25, 2015
Nimbostratus
(11.4.1) It seems like the best place to disable TLS 1.0 across the board on LTM would be to enable option "No TLSv1" on the default clientssl profile. If I recall correctly, it was not recommended to edit the default clientssl profile. Is this still the case? If so, is the recommended method to enable "No TLSv1" on each ssl profile client or create a custom parent profile (custom_clientssl) with "No TLSv1" enabled and then associate the parent profile with existing and new ssl profile clients? If editing the default clientssl profile is not recommended, what is the reason and why are options available to edit default profiles?
- Vitaliy_Savrans Aug 25, 2015
Nacreous
If you want, you can edit the default profile, but if there is an error it will affect other profiles based on the default profile. I think that is the reason not to modify the default profile.
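
Added example, not part of any post in this thread: a small shell check that reads the table printed by `tmm --clientciphers '<string>'` and reports whether a candidate cipher string still selects TLS 1.0, SSLv3 or RC4 suites, or selects nothing at all. The function names are hypothetical, and it assumes TLS 1.0 rows carry `TLS1` and SSLv3 rows carry `SSL3` in the PROT column; the sample rows are a subset of the listing quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): audit `tmm --clientciphers` output.
# Assumption: TLS 1.0 rows show PROT "TLS1" and SSLv3 rows show "SSL3".

# audit_ciphers [banned-protocols] [weak-suite-regex]
# Reads the cipher table on stdin. Exit status:
#   0 = only acceptable rows, 1 = banned protocol or weak suite present,
#   2 = no rows at all (the "denies all clients" case from the thread).
audit_ciphers() {
    awk -v banned="${1:-SSL3 TLS1}" -v weak="${2:-RC4}" '
        BEGIN { n = split(banned, b, " "); for (i = 1; i <= n; i++) bad[b[i]] = 1 }
        # Data rows look like: 12: 5 RC4-SHA 128 TLS1.2 Native RC4 SHA RSA
        $1 ~ /^[0-9]+:$/ && NF >= 9 {
            rows++; count[$5]++
            if ($5 in bad)      { print "BANNED-PROTOCOL", $5, $3; hits++ }
            else if ($3 ~ weak) { print "WEAK-CIPHER", $5, $3; hits++ }
        }
        END {
            for (p in count) print "COUNT", p, count[p]
            if (rows == 0) { print "EMPTY: string selects no suites"; exit 2 }
            exit (hits > 0 ? 1 : 0)
        }'
}

# Rows copied from the DEFAULT:!TLSv1 listing quoted in the thread (subset).
sample_rows() {
    cat <<'EOF'
ID SUITE BITS PROT METHOD CIPHER MAC KEYX
0: 61 AES256-SHA256 256 TLS1.2 Native AES SHA256 RSA
1: 53 AES256-SHA 256 TLS1.1 Native AES SHA RSA
3: 53 AES256-SHA 256 DTLS1 Native AES SHA RSA
11: 5 RC4-SHA 128 TLS1.1 Native RC4 SHA RSA
12: 5 RC4-SHA 128 TLS1.2 Native RC4 SHA RSA
13: 49192 ECDHE-RSA-AES256-SHA384 256 TLS1.2 Native AES SHA384 ECDHE_RSA
EOF
}

# On a BIG-IP: tmm --clientciphers 'DEFAULT:!TLSv1' | audit_ciphers
sample_rows | audit_ciphers || echo "audit status: $?"
```

Run against the sample, the check passes on protocol versions but still flags the two RC4-SHA rows, which matches the suggestion in the thread to add `!RC4` to the string.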