We used Nessus to run security scan on the PA-5220 we are trying out and it came back with the following medium vulnerability:
The remote SSH server is configured to allow weak encryption algorithms or no algorithm at all.
Nessus has detected that the remote SSH server is configured to use the Arcfour stream cipher or no cipher at all. RFC 4253 advises against using Arcfour due to an issue with weak keys.
Contact the vendor or consult product documentation to remove the weak ciphers
Any idea how to remove/disable the weak ciphers?
This might help.
Starting from PAN-OS 8.0 we have introduced the capability to select Ciphers for admin SSH connections. Run the following commands to disable weak Cipher Suits:
#delete deviceconfig system ssh
#set deviceconfig system ssh ciphers mgmt aes128-cbc
#set deviceconfig system ssh ciphers mgmt aes192-cbc
#set deviceconfig system ssh ciphers mgmt aes256-cbc
#set deviceconfig system ssh ciphers mgmt aes128-ctr
#set deviceconfig system ssh ciphers mgmt aes192-ctr
#set deviceconfig system ssh ciphers mgmt aes256-ctr
#set deviceconfig system ssh ciphers mgmt aes128-gcm
#set deviceconfig system ssh ciphers mgmt aes256-gcm
# set deviceconfig system ssh regenerate-hostkeys mgmt key-type RSA key-length 2048
# set deviceconfig system ssh session-rekey mgmt interval 3600
Exit from config mode by typing 'exit'
> set ssh service-restart mgmt
Having tried the manual cipher configuration on PAN VMs it then renders SSH useless from the client side. The error seen then is:
"no hostkey alg"
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!