Commands to fix weak ciphers and keys on the mgmt interface for SSH access in PAN-OS 10.0
119986
Created On 04/28/22 13:46 PM - Last Modified 08/01/24 21:16 PM
Symptom
- On PAN-OS 10.0 and above, the fix for weak ciphers and keys on the mgmt interface for SSH access can NOT be applied with the CLI command used on earlier releases; it is only applicable through the GUI.
Environment
- Palo Alto Firewall or Panorama
- PAN-OS 10.0 and newer versions.
Cause
In PAN-OS 10 and above, an SSH Service Profile needs to be created in the GUI under Device > Certificate Management > SSH Service Profile to customize the management and HA SSH configurations.
Resolution
1. Create an SSH service profile. In the GUI: Device > Certificate Management > SSH Service Profile.
2. Configure the appropriate ciphers. Refer to How To Fix Weak Cipher.
   2.1 Cipher: aes256-ctr / aes256-gcm
   2.2 MAC: hmac-sha2-256 / hmac-sha2-512
   2.3 KEX: ecdh-sha2-nistp256 / ecdh-sha2-nistp384 / ecdh-sha2-nistp521
   2.4 Host-key: ECDSA 256
   2.5 Session: Default
   Alternatively, these steps can be applied via the CLI. Example profile name: "Fix-Cipher"
   > configure
   # delete deviceconfig system ssh
   # set deviceconfig system ssh profiles mgmt-profiles server-profiles Fix-Cipher default-hostkey key-type ECDSA 256
   # set deviceconfig system ssh profiles mgmt-profiles server-profiles Fix-Cipher ciphers [ aes256-ctr aes256-gcm ]
   # set deviceconfig system ssh profiles mgmt-profiles server-profiles Fix-Cipher kex [ ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 ]
   # set deviceconfig system ssh profiles mgmt-profiles server-profiles Fix-Cipher mac [ hmac-sha2-256 hmac-sha2-512 ]
   CAUTION: Only one profile can be applied globally, but if more than one SSH Service Profile has been created, the command "delete deviceconfig system ssh" will remove them all.
3. Under Device > Setup > Management > SSH Management Profiles Settings, select the previously configured profile.
   CLI equivalent:
   # set deviceconfig system ssh mgmt server-profile Fix-Cipher
4. Commit your configuration in the WebUI or with the CLI command:
   # commit
5. Restart the management SSH service from the CLI to apply the profile:
   # exit
   > set ssh service-restart mgmt
   The management services are restarted. Although data-plane services are not affected by this command, it is recommended to run it after hours. If there is no CLI access to run this command, the firewall will need to be rebooted for the changes to apply.
6. Close all active SSH sessions and open a new connection to start using the new parameters.
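To confirm that the profile took effect after the restart, the following added example (not part of this article or of PAN-OS) reads the algorithm lists a server advertises in its SSH_MSG_KEXINIT and compares them against the Fix-Cipher profile above. By default it runs offline on a constructed KEXINIT payload; passing a management-interface address as the first argument performs the same check live, without authenticating or completing the key exchange. The wire names assumed for the profile entries are aes256-gcm@openssh.com for "aes256-gcm" and ecdsa-sha2-nistp256 for "ECDSA 256".

```python
"""Audit the algorithms an SSH server offers against the Fix-Cipher profile."""
import socket
import struct

SSH_MSG_KEXINIT = 20

# Allowed sets from the article's profile. Wire names are assumptions about how
# PAN-OS advertises "aes256-gcm" and "ECDSA 256".
ALLOWED = {
    "kex": {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
    "hostkey": {"ecdsa-sha2-nistp256"},
    "cipher": {"aes256-ctr", "aes256-gcm@openssh.com"},
    "mac": {"hmac-sha2-256", "hmac-sha2-512"},
}

# Order of the name-lists inside SSH_MSG_KEXINIT (RFC 4253, section 7.1).
KEXINIT_FIELDS = (
    "kex", "hostkey",
    "cipher_c2s", "cipher_s2c",
    "mac_c2s", "mac_s2c",
    "compression_c2s", "compression_s2c",
    "lang_c2s", "lang_s2c",
)


def _read_name_list(buf, offset):
    """Decode one SSH name-list: uint32 length followed by comma-separated ASCII names."""
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    raw = buf[offset:offset + length]
    if len(raw) != length:
        raise ValueError("truncated name-list")
    return (raw.decode("ascii").split(",") if raw else []), offset + length


def parse_kexinit(payload):
    """Parse an SSH_MSG_KEXINIT payload into a dict of algorithm lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset = 1 + 16  # message id + 16-byte random cookie
    lists = {}
    for field in KEXINIT_FIELDS:
        lists[field], offset = _read_name_list(payload, offset)
    return lists


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Encode a KEXINIT payload; used here only to construct sample input offline."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_FIELDS:
        raw = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def audit(lists, allowed=ALLOWED):
    """Return, per category, the offered algorithms that fall outside the profile."""
    offered = {
        "kex": lists["kex"],
        "hostkey": lists["hostkey"],
        "cipher": sorted(set(lists["cipher_c2s"]) | set(lists["cipher_s2c"])),
        "mac": sorted(set(lists["mac_c2s"]) | set(lists["mac_s2c"])),
    }
    return {cat: [a for a in algs if a not in allowed[cat]]
            for cat, algs in offered.items()}


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Connect, exchange version strings, and return the server's KEXINIT payload."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        while True:  # servers may send banner lines before "SSH-2.0-..." (RFC 4253, 4.2)
            line = f.readline()
            if not line:
                raise ConnectionError("server closed before version exchange")
            if line.startswith(b"SSH-"):
                break
        sock.sendall(b"SSH-2.0-kexinit_audit\r\n")
        # First binary packet is unencrypted: uint32 length, byte padding_len, payload, padding.
        (length,) = struct.unpack(">I", f.read(4))
        body = f.read(length)
        return body[1:length - body[0]]


# Constructed sample: each category mixes one allowed and one legacy algorithm.
SAMPLE_WEAK = build_kexinit({
    "kex": ["ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"],
    "hostkey": ["ecdsa-sha2-nistp256", "ssh-rsa"],
    "cipher_c2s": ["aes256-ctr", "aes128-cbc"], "cipher_s2c": ["aes256-ctr", "aes128-cbc"],
    "mac_c2s": ["hmac-sha2-256", "hmac-sha1"], "mac_s2c": ["hmac-sha2-256", "hmac-sha1"],
    "compression_c2s": ["none"], "compression_s2c": ["none"],
})

if __name__ == "__main__":
    import sys
    payload = fetch_server_kexinit(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_WEAK
    for cat, bad in audit(parse_kexinit(payload)).items():
        print(f"{cat:8s} {'OK' if not bad else 'WEAK: ' + ', '.join(bad)}")
```

A clean result is one where every category reports OK; anything listed under WEAK is still being offered by the management SSH daemon, which usually means the profile was not selected under SSH Management Profiles Settings or the service was not restarted after the commit.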
For 9.x.x:
To fix weak ciphers and keys on the mgmt interface for SSH access on PAN-OS 9.x.x, run the below command from the CLI:
Note: these commands are only applicable on PAN-OS 9.x.x; on PAN-OS 10.x.x this needs to be done through the GUI.