https://live.paloaltonetworks.com/t5/next-generation-firewall/impact-after-changing-the-key-size-setting-clears-the-current/m-p/558032#M1844 <P>Thanks for sharing if follow the KB steps to disable the weak cipher . Require to reboot the firewall ? what is the impact if currently I have certificate is using one of the weak cipher ?</P> Fri, 15 Sep 2023 00:29:59 GMT JiaXiang 2023-09-15T00:29:59Z https://live.paloaltonetworks.com/t5/next-generation-firewall/impact-after-changing-the-key-size-setting-clears-the-current/m-p/557861#M1835 <P>Due to VA Scanner scan my firewall having vulnerabilities of&nbsp;SSL Certificate Chain Contains RSA Keys Less Than 2048 bits .</P> <P>So I plan to follow below KB to change the key size.</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/configure-the-key-size-for-ssl-forward-proxy-server-certificates" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/configure-the-key-size-for-ssl-forward-proxy-server-certificates</A></P> <P>&nbsp;</P> <P>In the KB mentioned as below, may I know clear the certificate cache will have any impact ?&nbsp; and change the keysize require to reboot firewall ?&nbsp;</P> <DIV> <DIV class="itemgroup info" data-label="ADDITIONAL INFORMATION"> <DIV> <DIV class="note caution" data-label="CAUTION"> <DIV> <DIV> <DIV class="p"> <DIV>Changing the key size setting clears the current certificate cache.</DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> Thu, 14 Sep 2023 06:04:08 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/impact-after-changing-the-key-size-setting-clears-the-current/m-p/557861#M1835 JiaXiang 2023-09-14T06:04:08Z https://live.paloaltonetworks.com/t5/next-generation-firewall/impact-after-changing-the-key-size-setting-clears-the-current/m-p/557900#M1839 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/195025">@JiaXiang</a> ,</P> <P>I believe you are not interperting the findings from your VA scan properly.</P> <P>The link you mentioned will effect how PAN firewall is performing SSL decryption, while I am expecting your VA scan to have report that PAN firewall admin WebUI is&nbsp; using server cert with short key. What you are probably looking for&nbsp; is here - <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmqeCAC" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmqeCAC</A></P> Thu, 14 Sep 2023 09:20:49 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/impact-after-changing-the-key-size-setting-clears-the-current/m-p/557900#M1839 aleksandar.astardzhiev 2023-09-14T09:20:49Z https://live.paloaltonetworks.com/t5/next-generation-firewall/impact-after-changing-the-key-size-setting-clears-the-current/m-p/558032#M1844 <P>Thanks for sharing if follow the KB steps to disable the weak cipher . Require to reboot the firewall ? what is the impact if currently I have certificate is using one of the weak cipher ?</P> Fri, 15 Sep 2023 00:29:59 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/impact-after-changing-the-key-size-setting-clears-the-current/m-p/558032#M1844 JiaXiang 2023-09-15T00:29:59Z https://live.paloaltonetworks.com/t5/next-generation-firewall/impact-after-changing-the-key-size-setting-clears-the-current/m-p/558085#M1851 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/195025">@JiaXiang</a> ,</P> <P>I haven't done this procedure yet,&nbsp; so I am not completely sure. But I am almost certain that it doesn't require reboot, why:</P> <P>- WebUI is controlled by the management plane.</P> <P>- Here you can see the process responsible for serving the admin webui - <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLUeCAO" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLUeCAO</A></P> <P>- I would assume changing the ciphers will require restart only for that particular process, which has nothing to do with the dataplane - which is reponsible for processing traffic.</P> <P>&nbsp;</P> <P>Based on the above I am almost certain that applying the changes will not have any effect on forwarded traffic. Only the current admin sessions using the WebUI will be closed (while process restart). Admin SSH sessions probably wouldn't be affected as well.</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 15 Sep 2023 07:03:19 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/impact-after-changing-the-key-size-setting-clears-the-current/m-p/558085#M1851 aleksandar.astardzhiev 2023-09-15T07:03:19Z https://live.paloaltonetworks.com/t5/next-generation-firewall/impact-after-changing-the-key-size-setting-clears-the-current/m-p/558090#M1852 <P>Thank you, I test first .</P> Fri, 15 Sep 2023 07:25:24 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/impact-after-changing-the-key-size-setting-clears-the-current/m-p/558090#M1852 JiaXiang 2023-09-15T07:25:24Z