How do I remove diffie-hellman-group1-sha1 from SSH on mgmt port? I've removed the CBC ciphers, but my vulnerability scanner is still showing that diffie-hellman-group1-sha1 is still available for SSH.
I'd also like to know how I enforce SSH server ciphers or other parameters on management ports via Panorama. I have about 60+ firewalls of various Palo models, with 8.1.13 installed. We use Panorama on appliances.
Having to send CLI commands to these devices is going to be an issue. I imagine editing the templates we use for the firewalls to add CLI changes may be possible, but what's the best practice way to push SSH management server changes to a pile of firewalls?
Note: I've seen that with 9.1 (and maybe 9.0) we can modify the kex algorithms available. It doesn't seem to be on 8.1.13. I just upgraded everything to 8.1.13, so I'm disinclined to update them all AGAIN!
I do need to know the best way to get a CLI change to all sites. I'd expect I'd need to modify a template, one of the ones I currently use, but then can I add CLI changes to templates we've created in Panorama, and can the changes be seen on the Pano GUI when someone looks?
Have you tried the following:
I have, thanks. It does work, except i need 9.0 or 9.1 to enable the KEX algorithms to be selected manually, to remove sha1.
My question is now, that I have a number of changes to the management port to do, how do I push them to 60+ firewalls in Panorama? I'd want to add these to an existing template. But maybe a new template that's "related" to some existing template?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!