https://live.paloaltonetworks.com/t5/advanced-threat-prevention/va-issue/m-p/408828#M1160 <H3><SPAN>For SSH</SPAN></H3> <P>&nbsp;</P> <LI-CODE lang="markup">&gt; configure # delete deviceconfig system ssh # set deviceconfig system ssh ciphers mgmt aes256-ctr # set deviceconfig system ssh default-hostkey mgmt key-type ECDSA 256 # set deviceconfig system ssh regenerate-hostkeys mgmt key-type ECDSA key-length 256 # set deviceconfig system ssh session-rekey mgmt interval 3600 # set deviceconfig system ssh mac mgmt hmac-sha2-256 # commit # exit &gt; set ssh service-restart mgmt</LI-CODE> <P>&nbsp;</P> <P><SPAN>If you need to move away from using the diffie-hellman key exchange algorithm, you need to upgrade to PAN-OS 9.0 or above.</SPAN><BR /><SPAN>After upgrading, to modify the key-exchange algorithm for SSH please execute:</SPAN></P> <P>&nbsp;</P> <LI-CODE lang="markup">&gt; configure # set deviceconfig system ssh kex mgmt ecdh-sha2-nistp256 # commit # exit &gt; set ssh service-restart mgmt</LI-CODE> <P>&nbsp;</P> <P><SPAN>Please note that stronger versions are also available, so you can pick the one that you prefer, additional options include ecdh-sha2-nistp384 or ecdh-sha2-nistp521.</SPAN><BR /><BR /><SPAN>The command for those would instead be:</SPAN></P> <P>&nbsp;</P> <LI-CODE lang="markup"># set deviceconfig system ssh kex mgmt ecdh-sha2-nistp384 # set deviceconfig system ssh kex mgmt ecdh-sha2-nistp521</LI-CODE> <P>&nbsp;</P> <P>Special note for SSH:</P> <P class="p1">If you are in HA, make sure you have an open SSH session to the secondary firewall prior to running those commands on a primary member in a cluster, because once you commit, and the config gets synced to the secondary, it won't let you SSH in until the SSH service is restarted. If you do forget, a simple way around it is to enable Telnet through GUI, jump in via Telnet, run the restart command and then disable Telnet again. Otherwise you have to get console access.</P> <H3>For SSL/TLS:</H3> <P>&nbsp;</P> <LI-CODE lang="markup">set shared ssl-tls-service-profile TLS-PROFILE protocol-settings min-version tls1-2 set shared ssl-tls-service-profile TLS-PROFILE protocol-settings max-version max set shared ssl-tls-service-profile TLS-PROFILE protocol-settings auth-algo-sha1 no set shared ssl-tls-service-profile TLS-PROFILE protocol-settings enc-algo-3des no set shared ssl-tls-service-profile TLS-PROFILE protocol-settings enc-algo-rc4 no set shared ssl-tls-service-profile TLS-PROFILE protocol-settings keyxchg-algo-dhe no</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P class="p2">Special note for SSL:</P> <P class="p2">If you move to using a ECDSA self-signed certificate for management, make sure you deploy a chained certificate. If you instead used a standalone ECDSA CA certificate it won't work and you will lose access to the WebUI. If you want to be careful, enable the HTTP service temporarily until you verify that the HTTPS access is working properly.</P> <P class="p1">&nbsp;</P> <P class="p1">You can verify which algorithms the firewall is running by using these NMAP commands:</P> <P class="p1">&nbsp;</P> <P class="p1">SSH</P> <P>&nbsp;</P> <LI-CODE lang="markup">nmap --script ssh2-enum-algos -sV -p 22 [TARGET_IP]</LI-CODE> <P>&nbsp;</P> <P class="p1">&nbsp;</P> <P class="p1">SSL</P> <P>&nbsp;</P> <LI-CODE lang="markup">nmap --script ssl-enum-ciphers -p 443 [TARGET_IP]</LI-CODE> <P>&nbsp;</P> <P class="p1">&nbsp;</P> <P class="p1">Here are official KBs which cover this topic as well.</P> <P class="p2"><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PN5bCAG" target="_self">HOW TO FIX WEAK CIPHERS AND KEYS ON THE MANAGEMENT INTERFACE FOR SSH ACCESS</A>&nbsp;</P> <P class="p2"><A href="https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-cli-quick-start/get-started-with-the-cli/refresh-ssh-keys-mgt-port-connection.html" target="_self">Refresh SSH Keys and Configure Key Options for Management Interface Connection</A></P> <P class="p2"><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5mCAC" target="_self">INFORMATION ON SWEET32 FOR PALO ALTO NETWORKS CUSTOMERS</A>&nbsp;</P> <P class="p2"><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmqeCAC" target="_self">HOW TO DISABLE MEDIUM STRENGTH SSL CIPHERS FOR SSL/TLS SERVICE PROFILE</A><SPAN class="s1">&nbsp;</SPAN></P> Mon, 24 May 2021 22:40:42 GMT mivaldi 2021-05-24T22:40:42Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/va-issue/m-p/408655#M1159 <P>Is there anyway to solve those VA issue?</P><P>&nbsp;</P><P>1) 90317 - SSH Weak Algorithms Supported</P><P>2) 42873 - SSL Medium Strength Cipher Suites Supported (SWEET32)</P><P>3) 70658 - SSH Server CBC Mode Ciphers Enabled</P><P>4) 71049 - SSH Weak MAC Algorithms Enabled</P><P>&nbsp;</P><P>Kindly help please..Thank you</P> Mon, 24 May 2021 08:12:05 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/va-issue/m-p/408655#M1159 Vector 2021-05-24T08:12:05Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/va-issue/m-p/408828#M1160 <H3><SPAN>For SSH</SPAN></H3> <P>&nbsp;</P> <LI-CODE lang="markup">&gt; configure # delete deviceconfig system ssh # set deviceconfig system ssh ciphers mgmt aes256-ctr # set deviceconfig system ssh default-hostkey mgmt key-type ECDSA 256 # set deviceconfig system ssh regenerate-hostkeys mgmt key-type ECDSA key-length 256 # set deviceconfig system ssh session-rekey mgmt interval 3600 # set deviceconfig system ssh mac mgmt hmac-sha2-256 # commit # exit &gt; set ssh service-restart mgmt</LI-CODE> <P>&nbsp;</P> <P><SPAN>If you need to move away from using the diffie-hellman key exchange algorithm, you need to upgrade to PAN-OS 9.0 or above.</SPAN><BR /><SPAN>After upgrading, to modify the key-exchange algorithm for SSH please execute:</SPAN></P> <P>&nbsp;</P> <LI-CODE lang="markup">&gt; configure # set deviceconfig system ssh kex mgmt ecdh-sha2-nistp256 # commit # exit &gt; set ssh service-restart mgmt</LI-CODE> <P>&nbsp;</P> <P><SPAN>Please note that stronger versions are also available, so you can pick the one that you prefer, additional options include ecdh-sha2-nistp384 or ecdh-sha2-nistp521.</SPAN><BR /><BR /><SPAN>The command for those would instead be:</SPAN></P> <P>&nbsp;</P> <LI-CODE lang="markup"># set deviceconfig system ssh kex mgmt ecdh-sha2-nistp384 # set deviceconfig system ssh kex mgmt ecdh-sha2-nistp521</LI-CODE> <P>&nbsp;</P> <P>Special note for SSH:</P> <P class="p1">If you are in HA, make sure you have an open SSH session to the secondary firewall prior to running those commands on a primary member in a cluster, because once you commit, and the config gets synced to the secondary, it won't let you SSH in until the SSH service is restarted. If you do forget, a simple way around it is to enable Telnet through GUI, jump in via Telnet, run the restart command and then disable Telnet again. Otherwise you have to get console access.</P> <H3>For SSL/TLS:</H3> <P>&nbsp;</P> <LI-CODE lang="markup">set shared ssl-tls-service-profile TLS-PROFILE protocol-settings min-version tls1-2 set shared ssl-tls-service-profile TLS-PROFILE protocol-settings max-version max set shared ssl-tls-service-profile TLS-PROFILE protocol-settings auth-algo-sha1 no set shared ssl-tls-service-profile TLS-PROFILE protocol-settings enc-algo-3des no set shared ssl-tls-service-profile TLS-PROFILE protocol-settings enc-algo-rc4 no set shared ssl-tls-service-profile TLS-PROFILE protocol-settings keyxchg-algo-dhe no</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P class="p2">Special note for SSL:</P> <P class="p2">If you move to using a ECDSA self-signed certificate for management, make sure you deploy a chained certificate. If you instead used a standalone ECDSA CA certificate it won't work and you will lose access to the WebUI. If you want to be careful, enable the HTTP service temporarily until you verify that the HTTPS access is working properly.</P> <P class="p1">&nbsp;</P> <P class="p1">You can verify which algorithms the firewall is running by using these NMAP commands:</P> <P class="p1">&nbsp;</P> <P class="p1">SSH</P> <P>&nbsp;</P> <LI-CODE lang="markup">nmap --script ssh2-enum-algos -sV -p 22 [TARGET_IP]</LI-CODE> <P>&nbsp;</P> <P class="p1">&nbsp;</P> <P class="p1">SSL</P> <P>&nbsp;</P> <LI-CODE lang="markup">nmap --script ssl-enum-ciphers -p 443 [TARGET_IP]</LI-CODE> <P>&nbsp;</P> <P class="p1">&nbsp;</P> <P class="p1">Here are official KBs which cover this topic as well.</P> <P class="p2"><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PN5bCAG" target="_self">HOW TO FIX WEAK CIPHERS AND KEYS ON THE MANAGEMENT INTERFACE FOR SSH ACCESS</A>&nbsp;</P> <P class="p2"><A href="https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-cli-quick-start/get-started-with-the-cli/refresh-ssh-keys-mgt-port-connection.html" target="_self">Refresh SSH Keys and Configure Key Options for Management Interface Connection</A></P> <P class="p2"><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5mCAC" target="_self">INFORMATION ON SWEET32 FOR PALO ALTO NETWORKS CUSTOMERS</A>&nbsp;</P> <P class="p2"><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmqeCAC" target="_self">HOW TO DISABLE MEDIUM STRENGTH SSL CIPHERS FOR SSL/TLS SERVICE PROFILE</A><SPAN class="s1">&nbsp;</SPAN></P> Mon, 24 May 2021 22:40:42 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/va-issue/m-p/408828#M1160 mivaldi 2021-05-24T22:40:42Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/va-issue/m-p/596029#M2264 <P>HI,</P> <P>&nbsp;</P> <P>Any impact on taking ssh access of palo alto, if we apply the ssh cli commands given by you. if yes, what precaution we can take.</P> <P>&nbsp;</P> Tue, 27 Aug 2024 09:36:27 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/va-issue/m-p/596029#M2264 vishalrsshah 2024-08-27T09:36:27Z