Disable weak cipher suites for SSL/TLS and SSH

shafi021
L2 Linker

Hi Team,

I want to disable weak cipher suites for SSL/TLS and SSH.

My question is, are the below commands correct?

Do I need to run the below commands on the Active and Passive firewalls separately?

I am using a data port as management (I do have a dedicated management port with an IP but am not using it), so the below commands are still valid.

Also, I am on PAN-OS 9.0.9.

 

For SSL/TLS, to disable weak algorithms:

set shared ssl-tls-service-profile web-gui protocol-settings auth-algo-sha1 no
set shared ssl-tls-service-profile web-gui protocol-settings enc-algo-3des no
set shared ssl-tls-service-profile web-gui protocol-settings enc-algo-rc4 no
set shared ssl-tls-service-profile web-gui protocol-settings keyxchg-algo-rsa no


HOW TO FIX WEAK CIPHERS AND KEYS ON THE MANAGEMENT INTERFACE

> configure
# delete deviceconfig system ssh
# set deviceconfig system ssh ciphers mgmt aes256-ctr
# set deviceconfig system ssh ciphers mgmt aes256-gcm
# set deviceconfig system ssh default-hostkey mgmt key-type ECDSA 256
# set deviceconfig system ssh regenerate-hostkeys mgmt key-type ECDSA key-length 256
# set deviceconfig system ssh session-rekey mgmt interval 3600
# set deviceconfig system ssh mac mgmt hmac-sha2-256
# set deviceconfig system ssh mac mgmt hmac-sha2-512

# commit

# exit
> set ssh service-restart mgmt

> configure
# delete deviceconfig system ssh kex mgmt
# set deviceconfig system ssh kex mgmt ecdh-sha2-nistp521
# commit

# exit
> set ssh service-restart mgmt

Reference:

Disable weak cipher suites for SSL/TLS

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmqeCAC

Disable weak cipher for SSH
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PN5bCAG&lang=en_US%E2%80%A...

@OwenFuller @BPry Can you please help?
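One way to confirm after the commit that the management SSH service really offers only the algorithms from the commands above, as an added example that is not from the post or from Palo Alto Networks: it reads the server's SSH_MSG_KEXINIT and reports anything outside the allow-list. Assumptions: the CLI's aes256-gcm is advertised on the wire as aes256-gcm@openssh.com, the host passed to fetch_server_kexinit is whatever management IP you use, and the sample KEXINIT below is constructed, not captured.

```python
import socket
import struct
# Allow-lists mirroring the 'set deviceconfig system ssh ...' commands in the post.
# Assumption: PAN-OS's "aes256-gcm" is advertised on the wire as aes256-gcm@openssh.com.
ALLOWED = {"kex": {"ecdh-sha2-nistp521"},
           "enc": {"aes256-ctr", "aes256-gcm@openssh.com"},
           "mac": {"hmac-sha2-256", "hmac-sha2-512"}}
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",  # RFC 4253 7.1 order
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_kexinit(payload):
    """Decode SSH_MSG_KEXINIT: msg id 20, 16-byte cookie, then ten name-lists."""
    if payload[:1] != b"\x14":
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, lists = 17, {}
    for field in FIELDS:
        (n,) = struct.unpack_from(">I", payload, off)
        lists[field] = [x for x in payload[off + 4:off + 4 + n].decode().split(",") if x]
        off += 4 + n
    return lists

def build_kexinit(lists):
    """Inverse of parse_kexinit; used below only to construct sample input."""
    body = b"\x14" + bytes(16)
    for field in FIELDS:
        names = ",".join(lists.get(field, [])).encode()
        body += struct.pack(">I", len(names)) + names
    return body + bytes(5)  # first_kex_packet_follows = 0, reserved uint32 = 0

def weak_algorithms(lists, allowed=ALLOWED):
    """Map each category to the offered algorithms that are not on the allow-list."""
    offered = {"kex": set(lists["kex"]),
               "enc": set(lists["enc_c2s"]) | set(lists["enc_s2c"]),
               "mac": set(lists["mac_c2s"]) | set(lists["mac_s2c"])}
    return {k: sorted(v - allowed[k]) for k, v in offered.items() if v - allowed[k]}

def fetch_server_kexinit(host, port=22, timeout=5):
    """Connect, send a client banner, skip the server banner, return its KEXINIT payload."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-cipher_check\r\n")
        f = sock.makefile("rb")
        while (line := f.readline()) and not line.startswith(b"SSH-"):
            pass  # servers may send text lines before the "SSH-2.0-" banner
        plen, padlen = struct.unpack(">IB", f.read(5))  # binary packet header
        return f.read(plen - 1)[:plen - 1 - padlen]  # payload without padding

SAMPLE = build_kexinit({  # constructed: a server still offering CBC and SHA-1 KEX/MAC
    "kex": ["ecdh-sha2-nistp521", "diffie-hellman-group14-sha1"],
    "enc_c2s": ["aes256-ctr", "aes256-cbc"], "enc_s2c": ["aes256-ctr", "aes256-cbc"],
    "mac_c2s": ["hmac-sha2-256", "hmac-sha1"], "mac_s2c": ["hmac-sha2-256", "hmac-sha1"]})
```

Pointing fetch_server_kexinit at the management IP from a host that can reach it, and feeding the result through parse_kexinit and weak_algorithms, returns an empty dict when nothing beyond the configured set is offered; this covers only the SSH half of the post, not the SSL/TLS service profile.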

Accepted Solutions
BPry
Cyber Elite

@shafi021,

From a quick glance, that all looks correct and like you pulled it off of the linked KBs. Some commands referenced may not do anything if you are using default settings (delete deviceconfig system ssh, as an example), but it'll just tell you the object doesn't exist. I would recommend against doing this change without direct console access to the device, however.

As for the Active/Passive, yes, this needs to be done on both as some of what you are changing is device specific and won't be replicated to the peer unit.


All Replies

shafi021
L2 Linker

Thank you so much @BPry. Yes, I am going to have console access.

Just in case something goes wrong, how should I delete the given commands? Just put "delete" in front of them?

shafi021
L2 Linker

@BPry I applied the above config and all went well. Thank you.
