topic Re: Disable weak cipher suites for SSL/TLS and SSH in General Topics

Disable weak cipher suites for SSL/TLS and SSH

shafi021 — Fri, 26 Feb 2021 20:55:41 GMT

Hi Team,

I want to Disable weak cipher suites for SSL/TLS and SSH

my question is, are the below commands correct ?

Do I need to run below commands on Active and Passive firewalls separately ?

I am using data port as management ( I do have dedicated management port with IP but not using it) so below commands are still valid.

Also, I am on PAN OS 9.0.9.

for SSL/TLS to disable weak Algorithm-

set shared ssl-tls-service-profile web-gui protocol-settings auth-algo-sha1 no
set shared ssl-tls-service-profile web-gui protocol-settings enc-algo-3des no
set shared ssl-tls-service-profile web-gui protocol-settings enc-algo-rc4 no
set shared ssl-tls-service-profile web-gui protocol-settings keyxchg-algo-rsa no

HOW TO FIX WEAK CIPHERS AND KEYS ON THE MANAGEMENT INTERFACE

> configure
# delete deviceconfig system ssh
# set deviceconfig system ssh ciphers mgmt aes256-ctr
# set deviceconfig system ssh ciphers mgmt aes256-gcm
# set deviceconfig system ssh default-hostkey mgmt key-type ECDSA 256
# set deviceconfig system ssh regenerate-hostkeys mgmt key-type ECDSA key-length 256
# set deviceconfig system ssh session-rekey mgmt interval 3600
# set deviceconfig system ssh mac mgmt hmac-sha2-256
# set deviceconfig system ssh mac mgmt hmac-sha2-512

# commit

# exit
> set ssh service-restart mgmt

> configure
# delete deviceconfig system ssh kex mgmt
# set deviceconfig system ssh kex mgmt ecdh-sha2-nistp521
# commit

# exit
> set ssh service-restart mgmt

Reference:

Disable weak cipher suites for SSL/TLS

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmqeCAC

Disable weak cipher for SSH
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PN5bCAG&lang=en_US%E2%80%A9

@OwenFuller @BPry Can you please help ?

Re: Disable weak cipher suites for SSL/TLS and SSH

BPry — Fri, 26 Feb 2021 21:17:23 GMT

@shafi021,

From a quick glance, that all looks correct and like you pulled it off of the linked KBs. Some commands referenced may not do anything if you are using default settings (delete deviceconfig system ssh as an example) but it'll just tell you the object doesn't exist. I would recommend against doing this change without direct console access to the device however.

As for the Active/Passive, yes this needs to be done on both as some of what you are changing is device specific and won't be replicated to the peer unit.

Re: Disable weak cipher suites for SSL/TLS and SSH

shafi021 — Fri, 26 Feb 2021 21:24:01 GMT

Thank you so much @BPry Yes, I am going to have console.

Just in case, if something goes wrong, how should I delete the given commands? Just put Delete in front of them ?

Re: Disable weak cipher suites for SSL/TLS and SSH

shafi021 — Wed, 03 Mar 2021 14:20:05 GMT

@BPry I applied the above config and all went well. Thank you.

Re: Disable weak cipher suites for SSL/TLS and SSH

pieters — Tue, 08 Jun 2021 13:35:33 GMT

I was able to remove weak ciphers but it is now impossible to SSH into the device at all.

When looking at config audit in GUI I see this:

Are you still able to use putty to connect to cli? Did you have to make changes in putty to be able to?

Re: Disable weak cipher suites for SSL/TLS and SSH

shafi021 — Tue, 08 Jun 2021 21:17:47 GMT

Yes @pieters , I believe you must have had end the session after making changes and didn't restart the ssh service using "set ssh service-restart mgmt"

You should not close the SSH session until you restart it.

You need to console now to restart the SSH service and Cli will start working.

Always make sure you have console connected while making changes.

Thanks

Re: Disable weak cipher suites for SSL/TLS and SSH

pieters — Wed, 09 Jun 2021 07:15:03 GMT

Hey Shafi01, thanks for the quick reply.
I don't think that is it because the change only becomes in effect after restarting the service (which I definately did).

Since I locked myself out of CLI, you would think I indeed need console access but I did the following to revert the change:

1. export the running config as xml from GUI and delete the ssh section mentioned under <deviceconfig> <system>

2. import the modified config back into the fw and commit

3. login to the fw with a browser and go to /api

4. browse to > Operational Commands > set > ssh > service-restart > mgmt and click the submit button

Step 1 and 2 can also be achieved through api by browsing to > Configuration Commands > devices > entry[@name='localhost.localdomain'] > deviceconfig > system > ssh and then copy paste the restAPI url shown at the bottom but replace "action=get" with "action=delete"

Re: Disable weak cipher suites for SSL/TLS and SSH

nfsfantasy — Thu, 22 Jul 2021 04:44:29 GMT

If we use this command "HOW TO FIX WEAK CIPHERS AND KEYS ON THE MANAGEMENT INTERFACE"

> configure
# delete deviceconfig system ssh
# set deviceconfig system ssh ciphers mgmt aes256-ctr
# set deviceconfig system ssh ciphers mgmt aes256-gcm
# set deviceconfig system ssh default-hostkey mgmt key-type ECDSA 256
# set deviceconfig system ssh regenerate-hostkeys mgmt key-type ECDSA key-length 256
# set deviceconfig system ssh session-rekey mgmt interval 3600
# set deviceconfig system ssh mac mgmt hmac-sha2-256
# set deviceconfig system ssh mac mgmt hmac-sha2-512

# commit

# exit
> set ssh service-restart mgmt

> configure
# delete deviceconfig system ssh kex mgmt
# set deviceconfig system ssh kex mgmt ecdh-sha2-nistp521
# commit

# exit
> set ssh service-restart mgmt

afterthat i still ssh to Palo alto right, I don't know if i will configuration this after that i can ssh.

thank you

Re: Disable weak cipher suites for SSL/TLS and SSH

JHALL3 — Fri, 07 Jul 2023 07:52:49 GMT

After running the command to disable the identified weak ciphers, how can you tell its turned off because when you go back and issue the command set shared ssl-tls-service-profile FW-MGMT protocol-settings <tab>, they are all still there in the list...