How to remove SSH weak algorithms?

L3 Networker

How to remove SSH weak algorithms?

An internal PCI vulnerability scan has revealed the following issues with the PAN-820 appliance:

1. SSH Weak Algorithms Supported: Tester has detected that the remote SSH server is configured to use the Arcfour stream. RFC 4253 advises against using Arcfour due to an issue with weak keys.
Affects management interface 10.32.1.2:22 (tcp)
Also affects management interface of second PAN VM100 appliance.

2. SSL Medium Strength Cipher Suites Supported: The remote host supports the use of SSL ciphers that offer medium strength encryption. PCI Consulting Australia regards medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that uses the 3DES encryption suite.
Affects management interface 10.32.1.2:443 (tcp)

Could you help me disable support for these ciphers?

===================================================

Found some articles for them and ran the following commands:

> configure
# delete deviceconfig system ssh
# set deviceconfig system ssh ciphers mgmt aes128-cbc
# set deviceconfig system ssh ciphers mgmt aes192-cbc
# set deviceconfig system ssh ciphers mgmt aes256-cbc
# set deviceconfig system ssh ciphers mgmt aes128-ctr
# set deviceconfig system ssh ciphers mgmt aes192-ctr
# set deviceconfig system ssh ciphers mgmt aes256-ctr
# set deviceconfig system ssh ciphers mgmt aes128-gcm
# set deviceconfig system ssh ciphers mgmt aes256-gcm
# set deviceconfig system ssh regenerate-hostkeys mgmt key-type RSA key-length 2048
# set deviceconfig system ssh session-rekey mgmt interval 3600
# commit

Exit from config mode by typing 'exit'

> set ssh service-restart mgmt

 

I ran these commands and it appeared to work, however shortly afterwards our VPN site to site tunnel dropped out. I connected to our PA-820 again, ran:

delete deviceconfig system ssh
commit
set ssh service-restart mgmt

and after a few minutes the tunnel came back up.

 

Would running those commands have disabled a cipher suite used by this tunnel?
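As an added check (not from the original thread and not Palo Alto Networks code), the following Python script reads the SSH_MSG_KEXINIT a server sends after the version exchange and reports whether arcfour or 3DES is still advertised, so the scanner finding can be re-verified after the commit and service restart without re-running the full PCI scan. The host and port passed to fetch_server_kexinit are assumptions; the sample KEXINIT is constructed inline so the parser runs offline.

```python
import socket
import struct

# Algorithms the scan findings above name: arcfour (RFC 4253) and 3DES (PCI "medium strength").
WEAK_CIPHERS = {"arcfour", "arcfour128", "arcfour256", "3des-cbc"}
KEXINIT_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s",
                  "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def _name_list(buf, off):
    # One SSH name-list: uint32 length followed by comma-separated ASCII names.
    (n,) = struct.unpack_from(">I", buf, off)
    names = buf[off + 4:off + 4 + n].decode("ascii")
    return [x for x in names.split(",") if x], off + 4 + n

def parse_kexinit(payload):
    """Parse an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) into its ten name-lists."""
    if not payload or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 17, {}  # skip message type (1 byte) and random cookie (16 bytes)
    for field in KEXINIT_FIELDS:
        out[field], off = _name_list(payload, off)
    return out

def weak_ciphers_offered(kex):
    """Weak ciphers the server still advertises in either direction, sorted."""
    return sorted((set(kex["enc_c2s"]) | set(kex["enc_s2c"])) & WEAK_CIPHERS)

def fetch_server_kexinit(host, port=22, timeout=5):
    """Connect, complete the version exchange, and return the server's raw KEXINIT payload."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-cipher_check\r\n")
        f = sock.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):  # servers may send text before the banner
            line = f.readline()
        packet_len = struct.unpack(">I", f.read(4))[0]  # binary packet header
        pad_len = f.read(1)[0]
        return f.read(packet_len - 1)[:packet_len - 1 - pad_len]  # drop random padding

def _nl(*names):
    s = ",".join(names).encode("ascii")
    return struct.pack(">I", len(s)) + s

# Constructed sample KEXINIT (not captured from a real device) that still offers arcfour.
SAMPLE_KEXINIT = (bytes([20]) + b"\x00" * 16
                  + _nl("diffie-hellman-group14-sha1") + _nl("ssh-rsa")
                  + _nl("aes128-ctr", "arcfour", "aes256-cbc") * 2
                  + _nl("hmac-sha1") * 2 + _nl("none") * 2 + _nl() * 2
                  + b"\x00" + b"\x00\x00\x00\x00")  # first_kex_packet_follows, reserved
```

Against a live management interface, `weak_ciphers_offered(parse_kexinit(fetch_server_kexinit("10.32.1.2")))` should return an empty list once the change has taken effect.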


Accepted Solutions
L7 Applicator

Re: How to remove SSH weak algorithms?

Those commands set the cipher suite for the entire platform; it may have an impact on tunnels that depend on a certain suite that is dependent on SSH.

 

to set the cipher suites only on the management interface, you can use a profile

 

# set shared ssl-tls-service-profile <profile name> protocol-settings 
+ auth-algo-sha1         Allow authentication SHA1
+ auth-algo-sha256       Allow authentication SHA256
+ auth-algo-sha384       Allow authentication SHA384
+ enc-algo-3des          Allow algorithm 3DES
+ enc-algo-aes-128-cbc   Allow algorithm AES-128-CBC
+ enc-algo-aes-128-gcm   Allow algorithm AES-128-GCM
+ enc-algo-aes-256-cbc   Allow algorithm AES-256-CBC
+ enc-algo-aes-256-gcm   Allow algorithm AES-256-GCM
+ enc-algo-rc4           Allow algorithm RC4
+ keyxchg-algo-dhe       Allow algorithm DHE
+ keyxchg-algo-ecdhe     Allow algorithm ECDHE
+ keyxchg-algo-rsa       Allow algorithm RSA
+ max-version            max-version 
+ min-version            min-version 
  <Enter>                Finish input

and then set that in management

reaper - PANgurus.com
I drink and I know things



All Replies
L0 Member

Re: How to remove SSH weak algorithms?

Does the Palo Alto device need to be rebooted to make the SSH changes take effect?
