Sorry, yes this is HTTPS traffic.

I'm not so sure we are worried about granularity at this point, so you are saying I should remove the "NO_TLSv1.3" and add the NO_TLSv1 and NO_TLSv1.1 in the options on the client ssl profile?

But how can find out if there are any other virtual servers using that same clent ssl profile before I make any changes?

Thank you!

Ok lets start from a test. If you can find a device that runs nmap that can get to the external interface try running this,
nmap --script ssl-enum-ciphers -p 443 <Your domain name here.com>

This should show you what you are dealing with and a method to prove that its worked!

Then under your ssl profile you need to chnage the config from "Basic" to "Advanced"
Then you'll see the Options List

Here is mine, it appears its flow down so NO DTLSv1.2 turns off everything below that and leaves TLSv1.3.
I don't know a location to see where a profile is used in a virtual server, but if you get a ucs file or the internal conf files out using the cli you could do a quick word search in the config maybe?

But you can go into the certificates and see which profiles they are used in which might get you "close" to the same place.

Does that help any more?

If that is the case then I'm not sure where the TLS is showing up as being open, in our profile we have NO_TLSv1.3 so that should cover 1 and 1.1.

Does it use the Options if it's greyed out or do I need to actually select the checkbox for the profile to "use" it?

Now, i used the cyphers profile which also controled tls1.0, 1.1 1.2 etc.
And no tls1.3 basically turned it all of.
But i needed that nop dtls1.2 for it to work. So maybe one is covering up the other thinking about it.

The best thing to do, is run that nmap command so you can see what you are playing with and work from there.

That's what I'm saying though.

ours has NO_TLSv1.3 so that should block 1 and 1.1 but our pen test says 1 and 1.1 is open

yeah i think i made a mistake as the cypher profile overrides some of that config and made it work.
no tls1.3 will not enable it, the config is a bit backwards. "enable" NO TLS for example is a positive then a negative.
So if you want tls 1.3 then you need to take that out of enable options.

This issue i thnk i had, is that enable options needs something in there to work.

Have you got a test environment you could look at and test before you do this to see what happens.

yes, let's say we DO NOT want TLS 1, 1.1, 1.2 and 1.3 for this sake, our config has "enabled" NO_TLSv1.3 so that should block 1.3, 1.2, 1.1, and 1 correct?

BUT, if that is the case then I'm not sure where the TLS 1 and 1.1 is showing for the pen test as it shows 1 and 1.1 is active so therefore the above isn't working by blocking all the TLS version.

No, that's the bit i think i've got wrong. Because the cypher profile works slightly different.

NO TLS 1.3 is still letting in SSL, TLS 1 1.1 1.2 etc but Not 1.3

NB - TLS 1, 1.1, 1.2 and 1.3 would block ALL TLS. and NO TLS also blocks all.
You would then be left with just ssl! 

Ohhh ok, so that may be my issue then, I just need to remove 1.3 and add 1 and 1.1 in there.

I'll try that! thank you so much for clarfiying that for me

Now that's useful thanks @Paulius 

Thank you but I'm not sure it's working for me. No matter what SSL Profile name I use, it gives me the same listing of virtual servers that I know aren't using that profile.

@j_hardin80 That is correct, it will output all virtual servers followed by the SSL profile. It would look something like this.

ltm virtual VS_1.1.1.1_443
ltm virtual VS_2.2.2.2_443
    CLIENTSSL-myprofile
ltm virtual VS_3.3.3.3_443

Notice how you have 2 VS back to back and then an indented SSL profile name. You will have to go through the text that shows up in the terminal and grab all VS names that are immediately followed by the SSL profile you are looking for. I don't know of a better way of searching this without doing some complicated regex search.

Unfortunately this is what I'm getting.

I run this command

tmsh list ltm virtual | grep -E "virtual|<name of my ssl profile>"

It returns:

ltm virtual <name of my virtual server> {

but it has all of my virtual servers listed and no duplicates and I don't see any indents with a profile.

@j_hardin80 If those are your results then the text for your SSL profile is not an exact match. You need for the text to be an exact match because "grep" is case sensitive.

hmmm not sure what is going on then, I even opened up the profile and copied and pasted the profile name. 

it does the same thing for all of my profile names I try to put in there.