How to disable SSL ciphers for SSL/TLS Service Profile from Panorama Template using CLI
Created On 06/29/22 23:43 PM - Last Modified 08/22/24 03:12 AM
Objective
- An SSL/TLS Service Profile is often configured in a Panorama template rather than locally on the firewall.
- The individual cipher options (encryption, authentication and key-exchange algorithms) of an SSL/TLS Service Profile can only be modified from the CLI.
- A profile pushed from a Panorama template cannot be edited locally on the firewall, so the cipher changes must be made in the Panorama CLI and then pushed to the firewall.
Environment
- Panorama
- All Palo Alto Networks Firewall
- PAN-OS 9.0.x and later
Procedure
NOTE: In the examples below
- Santa-Clara-PVE = template name
- management = SSL/TLS Service Profile name
- Enter configuration mode in the Panorama CLI
> configure
- Type the following command and press the Tab key at the end of the line to list the available protocol-settings options (cipher, authentication and key-exchange algorithms, and the protocol version range)
# set template Santa-Clara-PVE config shared ssl-tls-service-profile management protocol-settings
+ auth-algo-sha1 Allow authentication SHA1
+ auth-algo-sha256 Allow authentication SHA256
+ auth-algo-sha384 Allow authentication SHA384
+ enc-algo-3des Allow algorithm 3DES
+ enc-algo-aes-128-cbc Allow algorithm AES-128-CBC
+ enc-algo-aes-128-gcm Allow algorithm AES-128-GCM
+ enc-algo-aes-256-cbc Allow algorithm AES-256-CBC
+ enc-algo-aes-256-gcm Allow algorithm AES-256-GCM
+ enc-algo-rc4 Allow algorithm RC4
+ keyxchg-algo-dhe Allow algorithm DHE
+ keyxchg-algo-ecdhe Allow algorithm ECDHE
+ keyxchg-algo-rsa Allow algorithm RSA
+ max-version max-version
+ min-version min-version
<Enter> Finish input
- Append the option to disable and set it to "no". ECDHE is used here only to show the syntax; in practice the options worth disabling are the weak ones (RC4, 3DES, SHA1 and static RSA key exchange), while ECDHE provides forward secrecy and should normally stay enabled
# set template Santa-Clara-PVE config shared ssl-tls-service-profile management protocol-settings keyxchg-algo-ecdhe no
- Commit changes
# commit
- Verify the change from the Panorama CLI
# show template Santa-Clara-PVE config shared ssl-tls-service-profile management protocol-settings
protocol-settings {
min-version tls1-0;
max-version max;
keyxchg-algo-ecdhe no;
}
[edit]
#
- Push the template to the firewall from the Panorama GUI
- Verify from the firewall's CLI in configuration mode
> configure
# show template shared ssl-tls-service-profile <name of the SSL/TLS profile> protocol-settings
Example:
# show template shared ssl-tls-service-profile management protocol-settings
protocol-settings {
min-version tls1-0;
max-version max;
keyxchg-algo-ecdhe no;
}
[edit] #
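The verification output above still shows min-version tls1-0 and leaves RC4, 3DES, SHA1 and static RSA key exchange enabled, since only ECDHE was turned off. The following script is an added example and is not part of the article or Palo Alto Networks code: it parses the protocol-settings block printed by the show command, reports the settings a practitioner would normally consider weak, and emits the Panorama set commands from this procedure that fix them. It assumes that an option absent from the show output is allowed (the default) and that TLS 1.2 is the minimum acceptable version; both are assumptions, not facts stated by the article.

```python
"""Audit a PAN-OS ssl-tls-service-profile protocol-settings block and
emit the Panorama CLI commands that disable the weak options.

Added example, not Palo Alto Networks code.  Option names are the ones
the article's Tab-completion lists.  Assumptions (not from the article):
an option missing from the 'show' output is allowed (the default), and
TLS 1.2 is the lowest acceptable min-version.
"""

# Options from the Tab-completion list that should normally be set to "no".
WEAK_OPTIONS = {
    "enc-algo-rc4": "RC4 is broken and prohibited for TLS by RFC 7465",
    "enc-algo-3des": "3DES uses a 64-bit block (Sweet32 birthday attacks)",
    "auth-algo-sha1": "SHA-1 is deprecated as a MAC/PRF hash",
    "keyxchg-algo-rsa": "static RSA key exchange has no forward secrecy",
}
TLS_ORDER = ["tls1-0", "tls1-1", "tls1-2", "tls1-3"]
MIN_ACCEPTABLE = "tls1-2"  # assumption: hardening target


def parse_protocol_settings(text):
    """Turn the 'protocol-settings { key value; ... }' block into a dict."""
    body = text[text.index("{") + 1:text.rindex("}")]
    settings = {}
    for line in body.splitlines():
        line = line.strip().rstrip(";")
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def audit(settings):
    """Return human-readable findings for weak or missing settings."""
    findings = []
    # Assumption: when min-version is not printed, the default is tls1-0.
    min_v = settings.get("min-version", "tls1-0")
    if TLS_ORDER.index(min_v) < TLS_ORDER.index(MIN_ACCEPTABLE):
        findings.append(f"min-version {min_v} is below {MIN_ACCEPTABLE}")
    for opt, why in WEAK_OPTIONS.items():
        # Assumption: an option absent from the output is allowed.
        if settings.get(opt, "yes") != "no":
            findings.append(f"{opt} still allowed: {why}")
    if settings.get("keyxchg-algo-ecdhe") == "no" and settings.get("keyxchg-algo-dhe") == "no":
        findings.append("both ECDHE and DHE disabled: no forward-secret key exchange left")
    return findings


def hardening_commands(template, profile, settings):
    """Panorama configure-mode commands (syntax from the article) that fix the findings."""
    prefix = (f"set template {template} config shared "
              f"ssl-tls-service-profile {profile} protocol-settings")
    cmds = []
    min_v = settings.get("min-version", "tls1-0")
    if TLS_ORDER.index(min_v) < TLS_ORDER.index(MIN_ACCEPTABLE):
        cmds.append(f"{prefix} min-version {MIN_ACCEPTABLE}")
    for opt in WEAK_OPTIONS:
        if settings.get(opt, "yes") != "no":
            cmds.append(f"{prefix} {opt} no")
    return cmds


# Constructed sample: the show output from the article's verification step.
SAMPLE_SHOW_OUTPUT = """protocol-settings {
    min-version tls1-0;
    max-version max;
    keyxchg-algo-ecdhe no;
}"""

if __name__ == "__main__":
    parsed = parse_protocol_settings(SAMPLE_SHOW_OUTPUT)
    for finding in audit(parsed):
        print("FINDING:", finding)
    for cmd in hardening_commands("Santa-Clara-PVE", "management", parsed):
        print(cmd)
```

Paste the show output into SAMPLE_SHOW_OUTPUT (or read it from a file) and run the script; the printed set commands are entered in Panorama configure mode exactly as in the procedure above, followed by commit and a push to the firewall.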