How to remove SSH weak algorithms?


L3 Networker

An internal PCI vulnerability scan has revealed the following issues with the PAN-820 appliance:

1. SSH Weak Algorithms Supported: Tester has detected that the remote SSH server is configured to use the Arcfour stream. RFC 4253 advises against using Arcfour due to an issue with weak keys.
Affects management interface 10.32.1.2:22 (tcp)
Also affects management interface of second PAN VM100 appliance.

2. SSL Medium Strength Cipher Suites Supported: The remote host supports the use of SSL ciphers that offer medium strength encryption. PCI Consulting Australia regards medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that uses the 3DES encryption suite.
Affects management interface 10.32.1.2:443 (tcp)

Could you help me disable support for these ciphers?

===================================================

Found some articles for them and ran the following commands:

> configure
# delete deviceconfig system ssh
# set deviceconfig system ssh ciphers mgmt aes128-cbc
# set deviceconfig system ssh ciphers mgmt aes192-cbc
# set deviceconfig system ssh ciphers mgmt aes256-cbc
# set deviceconfig system ssh ciphers mgmt aes128-ctr
# set deviceconfig system ssh ciphers mgmt aes192-ctr
# set deviceconfig system ssh ciphers mgmt aes256-ctr
# set deviceconfig system ssh ciphers mgmt aes128-gcm
# set deviceconfig system ssh ciphers mgmt aes256-gcm
# set deviceconfig system ssh regenerate-hostkeys mgmt key-type RSA key-length 2048
# set deviceconfig system ssh session-rekey mgmt interval 3600
# commit

Exit from config mode by typing 'exit'

> set ssh service-restart mgmt

I ran these commands and it appeared to work, however shortly afterwards our VPN site to site tunnel dropped out. I connected to our PA-820 again, ran:

delete deviceconfig system ssh
commit
set ssh service-restart mgmt

and after a few minutes the tunnel came back up.

 

Would running those commands have disabled a cipher suite used by this tunnel?

Accepted Solutions

Cyber Elite

Those commands set the cipher suite for the entire platform; it may have an impact on tunnels that depend on a certain suite that is dependent on SSH.

 

To set the cipher suites only on the management interface, you can use a profile (this is for SSL):

 

# set shared ssl-tls-service-profile <profile name> protocol-settings 
+ auth-algo-sha1         Allow authentication SHA1
+ auth-algo-sha256       Allow authentication SHA256
+ auth-algo-sha384       Allow authentication SHA384
+ enc-algo-3des          Allow algorithm 3DES
+ enc-algo-aes-128-cbc   Allow algorithm AES-128-CBC
+ enc-algo-aes-128-gcm   Allow algorithm AES-128-GCM
+ enc-algo-aes-256-cbc   Allow algorithm AES-256-CBC
+ enc-algo-aes-256-gcm   Allow algorithm AES-256-GCM
+ enc-algo-rc4           Allow algorithm RC4
+ keyxchg-algo-dhe       Allow algorithm DHE
+ keyxchg-algo-ecdhe     Allow algorithm ECDHE
+ keyxchg-algo-rsa       Allow algorithm RSA
+ max-version            max-version 
+ min-version            min-version 
  <Enter>                Finish input

and then set that in management

 

For SSH (as appropriately pointed out by @mivaldi) the set of commands is:

 

> configure
# delete deviceconfig system ssh
# set deviceconfig system ssh ciphers mgmt aes256-ctr
# set deviceconfig system ssh ciphers mgmt aes256-gcm
# set deviceconfig system ssh default-hostkey mgmt key-type ECDSA 256
# set deviceconfig system ssh regenerate-hostkeys mgmt key-type ECDSA key-length 256
# set deviceconfig system ssh session-rekey mgmt interval 3600
# set deviceconfig system ssh mac mgmt hmac-sha2-256
# set deviceconfig system ssh mac mgmt hmac-sha2-512
# commit
# exit
> set ssh service-restart mgmt

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
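One way to confirm the commit and service restart actually took effect is to read what the management interface now advertises. The script below is an added example written for this thread (not from Palo Alto Networks or any poster): it parses the server's unencrypted SSH_MSG_KEXINIT and flags ciphers and MACs a PCI scanner would object to, such as the Arcfour and CBC ciphers discussed above. The weak-algorithm sets and the two constructed sample packets are assumptions; `fetch_server_kexinit` is the live check to run against your own management IP after the change.

```python
import socket
import struct
# Assumed policy: the thread's scan flagged Arcfour; CBC/3DES ciphers and MD5 or truncated MACs are usually flagged too.
WEAK_CIPHERS = {"arcfour", "arcfour128", "arcfour256", "3des-cbc", "blowfish-cbc"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}

def _name_list(buf, off):  # RFC 4251 name-list: uint32 length + comma-separated names
    (n,) = struct.unpack_from(">I", buf, off)
    names = buf[off + 4:off + 4 + n].decode("ascii").split(",")
    return [s for s in names if s], off + 4 + n

def parse_kexinit(payload):
    """Split an SSH_MSG_KEXINIT payload (msg 20, packet framing removed) into name-lists."""
    assert payload[0] == 20, "not a KEXINIT message"
    off, out = 17, {}  # skip the message code and the 16-byte cookie
    for field in ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"):
        out[field], off = _name_list(payload, off)
    return out

def weak_algorithms(kex):
    """Sorted (kind, name) pairs for every weak cipher or MAC the server offers."""
    found = set()
    for d in ("enc_c2s", "enc_s2c"):
        found |= {("cipher", c) for c in kex[d] if c in WEAK_CIPHERS or c.endswith("-cbc")}
    for d in ("mac_c2s", "mac_s2c"):
        found |= {("mac", m) for m in kex[d] if m in WEAK_MACS}
    return sorted(found)

def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Identification exchange only; returns the server's (still unencrypted) KEXINIT payload."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-kexinit_check\r\n")
        f = s.makefile("rb")
        while not (line := f.readline()).startswith(b"SSH-"):  # skip any pre-banner text lines
            if not line: raise ConnectionError("no SSH identification line received")
        length, pad = struct.unpack(">IB", f.read(5))  # binary packet: uint32 len, byte padlen
        payload = f.read(length - pad - 1)
        f.read(pad)  # discard random padding
        return payload

def build_kexinit(ciphers, macs):  # constructed KEXINIT for offline use; other lists are placeholders
    nl = lambda names: struct.pack(">I", len(",".join(names))) + ",".join(names).encode()
    body = bytes([20]) + b"\x00" * 16 + nl(["curve25519-sha256"]) + nl(["ecdsa-sha2-nistp256"])
    body += nl(ciphers) * 2 + nl(macs) * 2 + nl(["none"]) * 2 + nl([]) * 2
    return body + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved
# Constructed samples: the scanner's finding vs. the accepted answer's cipher/MAC set.
BEFORE = build_kexinit(["aes128-ctr", "aes128-cbc", "arcfour", "3des-cbc"], ["hmac-sha2-256", "hmac-md5"])
AFTER = build_kexinit(["aes256-ctr", "aes256-gcm@openssh.com"], ["hmac-sha2-256", "hmac-sha2-512"])
```

For a live check, `weak_algorithms(parse_kexinit(fetch_server_kexinit("<mgmt-ip>")))` should return an empty list once the accepted answer's command set is committed and the SSH service restarted.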


4 REPLIES


Does the Palo Alto device need to be rebooted to make the SSH changes take effect?

@reaper those commands are for SSL, not SSH.

 

I don't see a use case for opening an SSH tunnel to the firewall. The system reference means that it will apply to connections that are host-bound (meaning landing on the firewall on the management interface through either the management port or a data port, if a management interface profile enables the SSH service on a data port).

 

For instructions restricting SSH weak ciphers please refer to:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PN5bCAG

@Laura_Strutzel you need to restart the ssh service

 

set ssh service-restart mgmt

For more information please refer to the above posted Knowledge Base article.
