This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

How do I remove diffie-hellman-group1-sha1 from SSH on mgmt port? And how to push it via Panorama?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

How do I remove diffie-hellman-group1-sha1 from SSH on mgmt port? And how to push it via Panorama?

Ambidexter6
L1 Bithead

‎04-07-2020 08:45 AM - edited ‎04-08-2020 08:52 AM

Hi,

How do I remove diffie-hellman-group1-sha1 from SSH on mgmt port? I've removed the CBC ciphers, but my vulnerability scanner is still showing that diffie-hellman-group1-sha1 is still available for SSH.

 

I'd also like to know how I enforce SSH server ciphers or other parameters on management ports via Panorama. I have about 60+ firewalls of various Palo models, with 8.1.13 installed. We use Panorama on appliances. 

 

Having to send CLI commands to these devices is going to be an issue. I imagine editing the templates we use for the firewalls to add CLI changes may be possible, but what's the best practice way to push SSH management server changes to a pile of firewalls?

 

Note: I've seen that with 9.1 (and maybe 9.0) we can modify the kex algorithms available. It doesn't seem to be on 8.1.13. I just upgraded everything to 8.1.13, so I'm disinclined to update them all AGAIN! 😄 

 

I do need to know the best way to get a CLI change to all sites. I'd expect I'd need to modify a template, one of the ones I currently use, but then can I add CLI changes to templates we've created in Panorama, and can the changes be seen on the Pano GUI when someone looks?

 

Regards,

Ambi

0 Likes Likes
3 REPLIES 3

OtakarKlier
Cyber Elite
Cyber Elite

‎04-10-2020 10:40 AM

Hello,

Have you tried the following:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMNPCA4

 

Regards,

0 Likes Likes

Ambidexter6
L1 Bithead
In response to OtakarKlier

‎04-10-2020 10:45 AM

I have, thanks. It does work, except i need 9.0 or 9.1 to enable the KEX algorithms to be selected manually, to remove sha1.

 

My question is now, that I have a number of changes to the management port to do, how do I push them to 60+ firewalls in Panorama? I'd want to add these to an existing template. But maybe a new template that's "related" to some existing template?

 

Thanks,


Ambi

0 Likes Likes

rodill
L2 Linker
In response to OtakarKlier

‎02-19-2021 05:31 AM

the link you provided shows that it has been deleted when you go to it.

  • 6222 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks