Who Me Too'd this topic

How to remove SSH weak algorithms?

L3 Networker

An internal PCI vulnerability scan has revealed the following issues with the PAN-820 appliance:

1. SSH Weak Algorithms Supported: Tester has detected that the remote SSH server is configured to use the Arcfour stream. RFC 4253 advises against using Arcfour due to an issue with weak keys.
Affects management interface 10.32.1.2:22 (tcp)
Also affects management interface of second PAN VM100 appliance.

2. SSL Medium Strength Cipher Suites Supported: The remote host supports the use of SSL ciphers that offer medium strength encryption. PCI Consulting Australia regards medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that uses the 3DES encryption suite.
Affects management interface 10.32.1.2:443 (tcp)

Could you help me disable support for these ciphers?

===================================================

Found some articles for them and ran the following commands:

> configure
# delete deviceconfig system ssh
# set deviceconfig system ssh ciphers mgmt aes128-cbc
# set deviceconfig system ssh ciphers mgmt aes192-cbc
# set deviceconfig system ssh ciphers mgmt aes256-cbc
# set deviceconfig system ssh ciphers mgmt aes128-ctr
# set deviceconfig system ssh ciphers mgmt aes192-ctr
# set deviceconfig system ssh ciphers mgmt aes256-ctr
# set deviceconfig system ssh ciphers mgmt aes128-gcm
# set deviceconfig system ssh ciphers mgmt aes256-gcm
# set deviceconfig system ssh regenerate-hostkeys mgmt key-type RSA key-length 2048
# set deviceconfig system ssh session-rekey mgmt interval 3600
# commit

Exit from config mode by typing 'exit'

> set ssh service-restart mgmt

 

I ran these commands and it appeared to work, however shortly afterwards our VPN site to site tunnel dropped out. I connected to our PA-820 again, ran:

delete deviceconfig system ssh
commit
set ssh service-restart mgmt.

and after a few minutes the tunnel came back up.

 

Would running those commands have disabled a cipher suite used by this tunnel?
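
One way to check finding 1 after a cipher change, added here as an example and not part of the original post: a parser for the server's SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) that reports any Arcfour ciphers still offered. The function names and the sample payloads are constructed for illustration; a real payload would come from a packet capture of the management interface's SSH handshake.

```python
import struct
SSH_MSG_KEXINIT = 20
# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)
# Arcfour cipher names: RFC 4253 (arcfour) and RFC 4345 (arcfour128, arcfour256).
ARCFOUR = {"arcfour", "arcfour128", "arcfour256"}

def parse_kexinit(payload: bytes) -> dict:
    """Split a KEXINIT payload into its name-lists, rejecting truncated input."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, lists = 17, {}  # skip message type (1 byte) and cookie (16 bytes)
    for name in FIELDS:
        if offset + 4 > len(payload):
            raise ValueError(f"payload truncated before {name}")
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError(f"name-list {name} overruns the payload")
        raw = payload[offset:offset + length].decode("ascii")
        lists[name] = raw.split(",") if raw else []
        offset += length
    return lists

def arcfour_offered(payload: bytes) -> list:
    """Return the Arcfour ciphers offered in either direction, sorted."""
    lists = parse_kexinit(payload)
    offered = (lists["encryption_algorithms_client_to_server"]
               + lists["encryption_algorithms_server_to_client"])
    return sorted(set(offered) & ARCFOUR)

def build_sample(ciphers: list) -> bytes:
    """Constructed KEXINIT payload for the demo; only the cipher lists vary."""
    values = ["curve25519-sha256", "rsa-sha2-256", ",".join(ciphers), ",".join(ciphers),
              "hmac-sha2-256", "hmac-sha2-256", "none", "none", "", ""]
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # zero cookie, sample only
    for value in values:
        body += struct.pack(">I", len(value)) + value.encode("ascii")
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

if __name__ == "__main__":
    print(arcfour_offered(build_sample(["aes128-ctr", "arcfour256", "arcfour"])))  # before
    print(arcfour_offered(build_sample(["aes128-ctr", "aes192-ctr", "aes256-ctr"])))  # after
```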
