https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ssh-protocol-uses-weak-key-exchange-algorithms-in-pa-500-for-pan/m-p/520722#M1793 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/237306">@GlobalAxis</a>&nbsp;what PAN-OS version are you running?</P> Tue, 08 Nov 2022 23:02:58 GMT mivaldi 2022-11-08T23:02:58Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ssh-protocol-uses-weak-key-exchange-algorithms-in-pa-500-for-pan/m-p/327515#M817 <P>Hi Team ,</P><P>&nbsp; PA 500 with 8.1.14 (latest OS )&nbsp; is having the Vulnerability&nbsp;SSH protocol uses Weak key exchange algorithms. I understand we can change algorithm values with set deviceconfig system ssh kex&nbsp; to stronger algorithm post 9.0 unfortunately PA 500 do not have 9.0 release in software download.</P><P>So how do we close this one , is there any alternative way we can change Kex values , or else we need&nbsp; to compromise with this Vulnerability.</P><P>&nbsp;</P> Tue, 12 May 2020 11:10:51 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ssh-protocol-uses-weak-key-exchange-algorithms-in-pa-500-for-pan/m-p/327515#M817 Shashihm 2020-05-12T11:10:51Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ssh-protocol-uses-weak-key-exchange-algorithms-in-pa-500-for-pan/m-p/327518#M818 <P>If you do not expose your management interface to an untrusted network (make it accessible inside MGMT network, set an ACL,..) you will be able to mitigate most exposure</P><P>If you must make the interface available, ensure connections need to traverse the firewall so you can apply security profiles to the connection</P> Tue, 12 May 2020 11:15:21 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ssh-protocol-uses-weak-key-exchange-algorithms-in-pa-500-for-pan/m-p/327518#M818 reaper 2020-05-12T11:15:21Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ssh-protocol-uses-weak-key-exchange-algorithms-in-pa-500-for-pan/m-p/327541#M819 <P>TAC Engineer is suggesting to change the Firewall mode into FIPS-CC. Is it viable to change the Firewalls which are in production to FIPS-CC to mitigate this Vulnerability.</P> Tue, 12 May 2020 14:17:23 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ssh-protocol-uses-weak-key-exchange-algorithms-in-pa-500-for-pan/m-p/327541#M819 Shashihm 2020-05-12T14:17:23Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ssh-protocol-uses-weak-key-exchange-algorithms-in-pa-500-for-pan/m-p/327599#M820 <P>Hello,</P><P>You might want to read up on what is truly disabled via FIPS mode. Also here is an article on disabling weak ciphers.</P><P>&nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMNPCA4" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMNPCA4</A></P><P>&nbsp;</P><P>Cheers!</P> Tue, 12 May 2020 18:39:39 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ssh-protocol-uses-weak-key-exchange-algorithms-in-pa-500-for-pan/m-p/327599#M820 OtakarKlier 2020-05-12T18:39:39Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ssh-protocol-uses-weak-key-exchange-algorithms-in-pa-500-for-pan/m-p/327669#M821 <P>Try this:<BR /><BR /></P> <P><FONT face="courier new,courier"># configure</FONT><BR /><FONT face="courier new,courier"># delete deviceconfig system ssh</FONT><BR /><FONT face="courier new,courier"># set deviceconfig system ssh ciphers mgmt aes256-ctr</FONT><BR /><FONT face="courier new,courier"># set deviceconfig system ssh default-hostkey mgmt key-type ECDSA 256</FONT><BR /><FONT face="courier new,courier"># set deviceconfig system ssh regenerate-hostkeys mgmt key-type ECDSA key-length 256</FONT><BR /><FONT face="courier new,courier"># set deviceconfig system ssh session-rekey mgmt interval 3600</FONT><BR /><FONT face="courier new,courier"># set deviceconfig system ssh mac mgmt hmac-sha2-256</FONT><BR /><FONT face="courier new,courier"># commit</FONT><BR /><FONT face="courier new,courier"># exit</FONT><BR /><FONT face="courier new,courier">&gt; set ssh service-restart mgmt</FONT></P> Tue, 12 May 2020 23:51:53 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ssh-protocol-uses-weak-key-exchange-algorithms-in-pa-500-for-pan/m-p/327669#M821 mivaldi 2020-05-12T23:51:53Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ssh-protocol-uses-weak-key-exchange-algorithms-in-pa-500-for-pan/m-p/520405#M1792 <P>Dear all ,</P> <P>&nbsp;</P> <P>Can I have GUI tips for fixing the same&nbsp;</P> Sat, 05 Nov 2022 05:16:59 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ssh-protocol-uses-weak-key-exchange-algorithms-in-pa-500-for-pan/m-p/520405#M1792 GlobalAxis 2022-11-05T05:16:59Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ssh-protocol-uses-weak-key-exchange-algorithms-in-pa-500-for-pan/m-p/520722#M1793 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/237306">@GlobalAxis</a>&nbsp;what PAN-OS version are you running?</P> Tue, 08 Nov 2022 23:02:58 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/ssh-protocol-uses-weak-key-exchange-algorithms-in-pa-500-for-pan/m-p/520722#M1793 mivaldi 2022-11-08T23:02:58Z