Commands to fix weak ciphers and keys on the mgmt interface for SSH access in PAN-OS 10.0
77568
Created On 04/28/22 13:46 PM - Last Modified 03/11/24 23:43 PM
Symptom
- On PAN-OS 10.0 and later, the CLI commands that were used on PAN-OS 9.x to restrict weak ciphers and keys for SSH access on the management interface are no longer accepted. The settings moved into an SSH Service Profile, which is configured in the GUI (the Resolution below also gives the equivalent CLI commands).
Environment
- Palo Alto Firewall or Panorama
- PAN-OS 10.0 and newer versions.
Cause
In PAN-OS 10.0 and later, the SSH ciphers, MACs, key exchange algorithms and host key for the management and HA interfaces are defined in an SSH Service Profile, created in the GUI under Device > Certificate Management > SSH Service Profile, and then assigned to the management interface.
Resolution
- Create an SSH service profile. Under GUI: Device >Certificate Management >SSH Service Profile
- Configure the allowed algorithms in the profile. Refer to How To Fix Weak Cipher. The values used in this article are:
2.1 Cipher: aes256-ctr / aes256-gcm
2.2 MAC : hmac-sha2-256 / hmac-sha2-512
2.3 KEX : ecdh-sha2-nistp256 / ecdh-sha2-nistp384 / ecdh-sha2-nistp521
2.4 Host-key : ECDSA 256
2.5 Session: Default
Alternatively, the same profile can be created from the CLI. Example profile name: "Fix-Cipher"
> configure
# delete deviceconfig system ssh
# set deviceconfig system ssh profiles mgmt-profiles server-profiles Fix-Cipher default-hostkey key-type ECDSA 256
# set deviceconfig system ssh profiles mgmt-profiles server-profiles Fix-Cipher ciphers [ aes256-ctr aes256-gcm ]
# set deviceconfig system ssh profiles mgmt-profiles server-profiles Fix-Cipher kex [ ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 ]
# set deviceconfig system ssh profiles mgmt-profiles server-profiles Fix-Cipher mac [ hmac-sha2-256 hmac-sha2-512 ]
CAUTION: Only one profile can be applied to the management interface at a time, but "delete deviceconfig system ssh" removes every SSH Service Profile on the device, not just the one being replaced. If more than one profile exists, skip that command or be prepared to re-create the others.
- Under Device> Setup > Management > SSH Management Profiles Settings, select the previously configured profile.
- CLI equivalent is : "# set deviceconfig system ssh mgmt server-profile Fix-Cipher"
- Commit your configuration in the WebUI or with CLI command "# commit".
- Restart the management SSH service from the CLI to apply the profile, using the commands "# exit" and "> set ssh service-restart mgmt". Refer to the Note below.
- Close all active SSH sessions and open a new connection to start using the new parameters.
Note: This restarts the management SSH service. Data-plane traffic is not affected, but it is recommended to run the command in a maintenance window.
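After the restart, the page's own check is to open a new SSH session; a stricter check is to read what the management interface actually offers. The following script is an added example, not part of this KB article and not PAN-OS code. It runs on an administrator's workstation, completes only the SSH version exchange with the firewall, reads the server's KEXINIT message (RFC 4253 section 7.1) and reports any key exchange, host key, cipher or MAC algorithm outside the set the "Fix-Cipher" profile should leave enabled. It assumes the GUI labels map to the OpenSSH wire names "aes256-gcm@openssh.com" and "ecdsa-sha2-nistp256"; the host name, the allowed sets and the embedded sample KEXINIT are constructed for the example.

```python
"""Check which SSH algorithms a management interface offers by reading the
server's KEXINIT (RFC 4253 section 7.1) and comparing it with an allowed set.
Added example for the KB article; it is not PAN-OS code and does not run on
the firewall. Run it from a workstation against the management IP address."""
import socket
import struct
import sys
from typing import Dict, List, Tuple

SSH_MSG_KEXINIT = 20

# Order of the name-lists inside KEXINIT, as laid out in RFC 4253 section 7.1.
FIELDS = ["kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

# What the Fix-Cipher profile should leave the server offering. Assumption:
# the GUI label "aes256-gcm" is the OpenSSH wire name "aes256-gcm@openssh.com"
# and "ECDSA 256" is "ecdsa-sha2-nistp256".
ALLOWED: Dict[str, set] = {
    "kex": {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
    "hostkey": {"ecdsa-sha2-nistp256"},
    "cipher": {"aes256-ctr", "aes256-gcm@openssh.com"},
    "mac": {"hmac-sha2-256", "hmac-sha2-512"},
}


def _name_list(buf: bytes, off: int) -> Tuple[List[str], int]:
    """Decode one SSH name-list: uint32 length + comma-separated ASCII names."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n].decode("ascii")
    return [s for s in raw.split(",") if s], off + n


def build_kexinit(lists: Dict[str, List[str]], cookie: bytes = b"\x00" * 16) -> bytes:
    """Serialize a KEXINIT payload; used here to construct sample server output."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for f in FIELDS:
        raw = ",".join(lists.get(f, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    return out + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved


def parse_kexinit(payload: bytes) -> Dict[str, List[str]]:
    """Split a KEXINIT payload into its ten name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("payload is not SSH_MSG_KEXINIT")
    off = 1 + 16  # message type byte + 16-byte random cookie
    out: Dict[str, List[str]] = {}
    for f in FIELDS:
        out[f], off = _name_list(payload, off)
    return out


def weak_algorithms(kexinit: Dict[str, List[str]],
                    allowed: Dict[str, set] = ALLOWED) -> Dict[str, List[str]]:
    """Per category, the offered algorithms that are not in the allowed set.
    Empty lists everywhere mean the profile took effect."""
    offered = {"kex": kexinit["kex"], "hostkey": kexinit["hostkey"],
               "cipher": kexinit["cipher_s2c"], "mac": kexinit["mac_s2c"]}
    return {cat: [a for a in algs if a not in allowed[cat]]
            for cat, algs in offered.items()}


def _read_exact(f, n: int) -> bytes:
    data = f.read(n)
    if len(data) != n:
        raise ConnectionError("short read from SSH server")
    return data


def fetch_server_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Do the version exchange and return the payload of the server's first
    binary packet, which is its KEXINIT. Nothing further is sent, so no key
    exchange or authentication happens and no credentials are needed."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        while True:  # a server may send banner lines before its version string
            line = f.readline()
            if not line or line.startswith(b"SSH-"):
                break
        s.sendall(b"SSH-2.0-kexcheck\r\n")
        packet_len, pad_len = struct.unpack(">IB", _read_exact(f, 5))
        payload = _read_exact(f, packet_len - pad_len - 1)
        _read_exact(f, pad_len)  # discard the random padding
        return payload


# Constructed sample: a server still offering one legacy algorithm per category.
SAMPLE_SERVER_KEXINIT = build_kexinit({
    "kex": ["ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"],
    "hostkey": ["ecdsa-sha2-nistp256"],
    "cipher_c2s": ["aes256-ctr", "aes128-cbc"],
    "cipher_s2c": ["aes256-ctr", "aes128-cbc"],
    "mac_c2s": ["hmac-sha2-256", "hmac-sha1"],
    "mac_s2c": ["hmac-sha2-256", "hmac-sha1"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
})

if __name__ == "__main__":
    # Usage: python kexcheck.py <management-ip>; without an argument the sample is used.
    payload = (fetch_server_kexinit(sys.argv[1]) if len(sys.argv) > 1
               else SAMPLE_SERVER_KEXINIT)
    for cat, bad in weak_algorithms(parse_kexinit(payload)).items():
        print(f"{cat:8s} {'OK' if not bad else 'still offered: ' + ', '.join(bad)}")
```

Run it against the management IP before and after the service restart: before, the legacy algorithms appear under "still offered"; after, every category should print OK. It only inspects the server-to-client cipher and MAC lists, which on a PAN-OS profile are the same as the client-to-server lists.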
For 9.x.x:
To fix weak ciphers and keys on the mgmt interface for SSH access on PAN-OS 9.x.x, run the below command from the CLI:
Note: The command above applies only to PAN-OS 9.x.x. On PAN-OS 10.x.x it is not accepted; configure an SSH Service Profile instead, in the GUI or with the CLI commands given in the Resolution above.