Commands to fix weak ciphers and keys on the mgmt interface for SSH access in PAN-OS 10.0


77568
Created On 04/28/22 13:46 PM - Last Modified 03/11/24 23:43 PM


Symptom


  • On PAN-OS 10.0 and later, weak ciphers and keys on the management interface for SSH access can NOT be fixed by applying the command through the CLI; the fix is only applicable through the GUI.


Environment


  • Palo Alto Firewall or Panorama
  • PAN-OS 10.0 and newer versions.


Cause


In PAN-OS 10 and above, an SSH Service Profile needs to be created in the GUI under Device > Certificate Management > SSH Service Profile to customize the management and HA SSH configuration.
 


Resolution


  1. Create an SSH Service Profile in the GUI under Device > Certificate Management > SSH Service Profile.
  2. Configure the appropriate ciphers (refer to How To Fix Weak Cipher).
        Steps to apply the configuration in the firewall GUI:
         2.1 Cipher: aes256-ctr / aes256-gcm
         2.2 MAC: hmac-sha2-256 / hmac-sha2-512
         2.3 KEX: ecdh-sha2-nistp256 / ecdh-sha2-nistp384 / ecdh-sha2-nistp521
         2.4 Host-key: ECDSA 256
         2.5 Session: Default


Alternatively, the same steps can be applied via the CLI. Example profile name: "Fix-Cipher"

> configure
# delete deviceconfig system ssh
# set deviceconfig system ssh profiles mgmt-profiles server-profiles Fix-Cipher default-hostkey key-type ECDSA 256
# set deviceconfig system ssh profiles mgmt-profiles server-profiles Fix-Cipher ciphers [ aes256-ctr aes256-gcm ]
# set deviceconfig system ssh profiles mgmt-profiles server-profiles Fix-Cipher kex [ ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 ]
# set deviceconfig system ssh profiles mgmt-profiles server-profiles Fix-Cipher mac [ hmac-sha2-256 hmac-sha2-512 ] 

CAUTION: Only one profile can be applied globally, but if more than one SSH Service Profile has been created, the command "delete deviceconfig system ssh" will remove them all.
 

  3. Under Device > Setup > Management > SSH Management Profiles Settings, select the previously configured profile.
    • CLI equivalent: "# set deviceconfig system ssh mgmt server-profile Fix-Cipher"
  4. Commit your configuration in the WebUI or with the CLI command "# commit".
  5. Restart the management SSH service from the CLI to apply the profile, using the commands "# exit" and "> set ssh service-restart mgmt". Refer to the Note below.
  6. Close all active SSH sessions and open a new connection to start using the new parameters.


Note: The management services are restarted. Although data-plane services are not affected, it is recommended to run the command after hours.
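After the service restart, the profile should be confirmed from outside the box rather than assumed from the configuration. The following script is an added example (not Palo Alto Networks' code or tooling): it reads the SSH_MSG_KEXINIT that any SSH-2 server sends before authentication, which lists every algorithm the server is willing to negotiate, and reports anything outside the cipher, MAC, KEX and host-key sets from the profile above. Assumptions: the allowed sets are taken from the article (the profile's "aes256-gcm" is matched against both that name and the OpenSSH wire name "aes256-gcm@openssh.com", and "ECDSA 256" against "ecdsa-sha2-nistp256"); the constructed SAMPLE_SERVER message and the function and variable names are the example's own.

```python
"""Audit the algorithms a management SSH server actually offers.

Added example, not Palo Alto Networks' code: decodes the server's
SSH_MSG_KEXINIT (RFC 4253 section 7.1) and compares the offered
algorithm name-lists with the SSH Service Profile from the article.
"""
import socket
import struct

# Allowed sets from the article's profile. The wire name for AES-GCM on
# OpenSSH-compatible servers is "aes256-gcm@openssh.com"; the bare name is
# kept as well in case the platform advertises it that way (assumption).
ALLOWED = {
    "kex": {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
    "hostkey": {"ecdsa-sha2-nistp256"},  # "ECDSA 256" in the profile
    "cipher": {"aes256-ctr", "aes256-gcm", "aes256-gcm@openssh.com"},
    "mac": {"hmac-sha2-256", "hmac-sha2-512"},
}

SSH_MSG_KEXINIT = 20
# The ten name-lists of KEXINIT, in wire order.
FIELDS = ["kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]


def _read_name_list(buf, off):
    """Decode one RFC 4251 name-list: uint32 length + comma-separated names."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n].decode("ascii")
    return [s for s in raw.split(",") if s], off + n


def parse_kexinit(payload):
    """Return the ten name-lists of a KEXINIT payload as a dict of lists."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # message id followed by the 16-byte random cookie
    lists = {}
    for name in FIELDS:
        lists[name], off = _read_name_list(payload, off)
    return lists


def build_kexinit(lists):
    """Encode a KEXINIT payload; used here only to construct sample messages."""
    out = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for name in FIELDS:
        raw = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    # first_kex_packet_follows = FALSE, reserved uint32 = 0
    return out + b"\x00" + struct.pack(">I", 0)


def audit(lists):
    """Return {category: sorted names} for anything offered outside ALLOWED."""
    findings = {}
    for cat, field in [("kex", "kex"), ("hostkey", "hostkey"),
                       ("cipher", "cipher_s2c"), ("mac", "mac_s2c")]:
        bad = sorted(set(lists[field]) - ALLOWED[cat])
        if bad:
            findings[cat] = bad
    return findings


def fetch_kexinit(host, port=22, timeout=5.0):
    """Exchange identification strings and return the server's KEXINIT payload."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-kexaudit_0.1\r\n")
        f = s.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):  # skip pre-banner lines
            line = f.readline()
        # Unencrypted binary packet: uint32 packet_length, byte padding_length,
        # payload, padding. No MAC yet because no keys have been negotiated.
        (length,) = struct.unpack(">I", f.read(4))
        pad = f.read(1)[0]
        body = f.read(length - 1)
        return body[:length - 1 - pad]


# Constructed sample: a server still offering a CBC cipher, a SHA-1 MAC,
# a SHA-1 group-14 KEX and an RSA host key alongside the profile's values.
SAMPLE_SERVER = build_kexinit({
    "kex": ["ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"],
    "hostkey": ["ecdsa-sha2-nistp256", "ssh-rsa"],
    "cipher_c2s": ["aes256-ctr", "aes128-cbc"],
    "cipher_s2c": ["aes256-ctr", "aes128-cbc"],
    "mac_c2s": ["hmac-sha2-256", "hmac-sha1"],
    "mac_s2c": ["hmac-sha2-256", "hmac-sha1"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
})

if __name__ == "__main__":
    import sys
    # With a host argument the live server is queried; without one the
    # constructed sample is audited instead.
    payload = fetch_kexinit(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SERVER
    for cat, names in audit(parse_kexinit(payload)).items():
        print(f"weak {cat} offered: {', '.join(names)}")
```

Run it as `python3 kexaudit.py <management-ip>` from a host that is allowed to reach the management interface; an empty report means the server offers nothing outside the profile. Only the server-to-client cipher and MAC lists are checked because PAN-OS configures both directions from the same profile values; the client-to-server lists are parsed as well and can be compared the same way if the two ever differ.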

 

For 9.x.x:

To fix weak ciphers and keys on the management interface for SSH access on PAN-OS 9.x.x, run the command below from the CLI:

Note: These commands are only applicable on PAN-OS 9.x.x; on PAN-OS 10.x.x the change needs to be made through the GUI.

(The 9.x.x CLI command is shown in a screenshot that is not reproduced in this text.)


Additional Information




https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004OOQCA2&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail