How to disable SSL ciphers in an SSL/TLS Service Profile from a Panorama template using the CLI
Created On 06/29/22 23:43 PM - Last Modified 01/07/25 12:30 PM
Objective
- In some cases the SSL/TLS profile is configured in Panorama but not locally on the firewall
- The ciphers can only be modified using the CLI
- Because the ciphers in the SSL/TLS profile cannot be modified on the local firewall when a Panorama template is pushed, the change must be made from the Panorama CLI and then pushed to the firewall
Environment
- Panorama
- All Palo Alto Networks firewalls
- PAN-OS 9.0.x and later
Procedure
Note
- Santa-Clara-PVE = template name
- management = ssl-tls-service profile name
- Enter configuration mode in the Panorama CLI
> configure
- Type the following command and press Tab at the end to view the SSL cipher options
# set template Santa-Clara-PVE config shared ssl-tls-service-profile management protocol-settings
+ auth-algo-sha1 Allow authentication SHA1
+ auth-algo-sha256 Allow authentication SHA256
+ auth-algo-sha384 Allow authentication SHA384
+ enc-algo-3des Allow algorithm 3DES
+ enc-algo-aes-128-cbc Allow algorithm AES-128-CBC
+ enc-algo-aes-128-gcm Allow algorithm AES-128-GCM
+ enc-algo-aes-256-cbc Allow algorithm AES-256-CBC
+ enc-algo-aes-256-gcm Allow algorithm AES-256-GCM
+ enc-algo-rc4 Allow algorithm RC4
+ keyxchg-algo-dhe Allow algorithm DHE
+ keyxchg-algo-ecdhe Allow algorithm ECDHE
+ keyxchg-algo-rsa Allow algorithm RSA
+ max-version max-version
+ min-version min-version
<Enter> Finish input
- Select the SSL cipher and set it to "no"
# set template Santa-Clara-PVE config shared ssl-tls-service-profile management protocol-settings keyxchg-algo-ecdhe no
- Commit the changes
# commit
- Verify from Panorama
# show template Santa-Clara-PVE config shared ssl-tls-service-profile management protocol-settings
protocol-settings {
min-version tls1-0;
max-version max;
keyxchg-algo-ecdhe no;
}
[edit]
#
- Push the configuration using the GUI
- Verify from the firewall CLI in configuration mode
> configure
# show template shared ssl-tls-service-profile <name of the SSL-TLS profile> protocol-setting
Example:
# show template shared ssl-tls-service-profile management protocol-setting
protocol-settings {
min-version tls1-0;
max-version max;
keyxchg-algo-ecdhe no;
}
[edit] #
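As an added example (not part of this article or of Palo Alto Networks' tooling), the following Python script parses the protocol-settings block exactly as the show commands above print it, reports the weak choices a reviewer would look for, and builds the matching set template commands in the syntax used in this procedure. The weak-option list, the treatment of an absent option as "enabled by default", and the tls1-2 target value are my assumptions.

```python
"""Audit the 'protocol-settings' block that `show ... protocol-settings` prints
for a PAN-OS SSL/TLS service profile and emit the `set template` fixes.
Assumption (not on the page): an option absent from the output is at the
PAN-OS default, which this script treats as enabled ("yes")."""
import re

# Audit policy (an assumption; adjust to your own baseline).
WEAK_OPTIONS = ("auth-algo-sha1", "enc-algo-3des", "enc-algo-rc4", "keyxchg-algo-rsa")
LEGACY_MIN_VERSIONS = ("tls1-0", "tls1-1")

def parse_protocol_settings(text):
    """Return {option: value} from the first 'protocol-settings { ... }' block."""
    match = re.search(r"protocol-settings\s*\{(.*?)\}", text, re.S)
    if match is None:
        raise ValueError("no protocol-settings block found")
    settings = {}
    for line in match.group(1).splitlines():
        line = line.strip().rstrip(";")
        if line:
            option, _, value = line.partition(" ")
            settings[option] = value.strip()
    return settings

def audit(text):
    """Return a list of findings; an empty list means nothing weak was found."""
    settings = parse_protocol_settings(text)
    findings = []
    if settings.get("min-version") in LEGACY_MIN_VERSIONS:
        findings.append("min-version %s allows legacy TLS" % settings["min-version"])
    for option in WEAK_OPTIONS:
        if settings.get(option, "yes") != "no":  # absent -> default -> assumed enabled
            findings.append("%s enabled" % option)
    return findings

def remediation_commands(template, profile, text):
    """Panorama set commands (the page's syntax) that disable each weak option."""
    prefix = "set template %s config shared ssl-tls-service-profile %s protocol-settings" % (template, profile)
    settings = parse_protocol_settings(text)
    cmds = [prefix + " %s no" % o for o in WEAK_OPTIONS if settings.get(o, "yes") != "no"]
    if settings.get("min-version") in LEGACY_MIN_VERSIONS:
        cmds.append(prefix + " min-version tls1-2")  # assumed target value
    return cmds

# Constructed sample: the `show template ...` output from this page.
SAMPLE = """protocol-settings {
 min-version tls1-0;
 max-version max;
 keyxchg-algo-ecdhe no;
}"""
```

Paste the output of the firewall-side show command into `audit()` after the push to confirm the template reached the device unchanged.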