In a HA pair, secondary Firewall's ssh connectivity(management port ) is lost after disable weak ciphers on Primary Firewall

Created On 09/25/20 05:22 AM - Last Modified 03/23/21 18:45 PM


Question
Why is CLI (SSH) access to the secondary firewall lost after the weak TLS/SSH ciphers are removed on the primary, when the two firewalls are in an HA pair?


Environment
  • All PAN-OS
  • Palo Alto Networks firewall or Panorama in a high availability (HA) pair


Answer
  • Previous steps:
    1. The following steps remediate the Sweet32-vulnerable configuration on the PAN-OS device.
    2. Remove the weak ciphers, such as SHA1, 3DES, and RC4.
    3. Update the SSL/TLS service profile by selecting secure cipher algorithms such as SHA256 and AES-256-GCM.
    4. Set the key exchange algorithm to ECDHE, and set the SSH ciphers for the management port to aes256-ctr and other strong ciphers.
    5. The full detail can be found here.
    6. The last step is always to restart the SSH service (set ssh service-restart mgmt) so the newly configured settings take effect.
  • Side effect:
    1. Sometimes, as a side effect, SSH access to the firewall fails. This can be caused by an old SSH client that does not support the newly configured algorithms, so we recommend keeping SSH client software up to date, especially PuTTY. You can always use Tera Term, SecureCRT, or another SSH client.
    2. The bigger issue occurs in an HA pair, where SSH access to the secondary firewall fails. Although configuration sync pushes the SSH configuration from the primary to the secondary, the SSH service is not restarted on the secondary. Hence the new SSH configuration is not applied on the management port, and the firewall appears to be hung.
  • Solution:
    1. On the secondary firewall, turn off SSH from the WebUI.
    2. Log in through the console, first delete the existing SSH configuration, and then make the cipher changes again.
    3. Restart the service: set ssh service-restart mgmt
    4. Then turn SSH back on from the WebUI. Alternatively, make the SSH configuration changes on both firewalls simultaneously and restart the SSH service on the management port of both at the same time.
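Because configuration sync does not restart the secondary's SSH service, the only reliable confirmation that the change took effect is what each peer's management port actually advertises. The script below, an added example and not Palo Alto Networks code, parses the SSH KEXINIT message (RFC 4253 section 7.1) that a server sends in the clear before key exchange and flags the algorithms this article treats as weak (3DES, RC4, SHA-1 MACs; MD5 MACs are added as an assumption). The two sample packets are constructed to mimic a peer still running the old configuration and a peer whose SSH service was restarted; `fetch_kexinit` shows how the same check would be run against a live management port.

```python
"""Audit which algorithms an SSH server offers, by parsing its KEXINIT message.

Added example (not Palo Alto Networks code). Use it against the management
port of BOTH HA peers after the cipher change and service restart.
"""
import socket
import struct

SSH_MSG_KEXINIT = 20

# Algorithms the article treats as weak (Sweet32 / legacy): 3DES, RC4, SHA-1 MACs.
# "hmac-md5" is an assumption added here; the article does not list it.
WEAK_SUBSTRINGS = ("3des", "arcfour", "rc4", "hmac-sha1", "hmac-md5")

# Order of the ten name-lists in a KEXINIT payload (RFC 4253 section 7.1).
KEXINIT_FIELDS = (
    "kex", "host_key", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
    "compression_c2s", "compression_s2c", "lang_c2s", "lang_s2c",
)


def _read_name_list(buf, off):
    """Read one SSH name-list (uint32 length + comma-separated ASCII names)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n].decode("ascii")
    return [s for s in raw.split(",") if s], off + n


def parse_kexinit(packet):
    """Parse a raw SSH binary packet carrying KEXINIT into a dict of name-lists."""
    (packet_len,) = struct.unpack_from(">I", packet, 0)
    padding_len = packet[4]
    payload = packet[5:4 + packet_len - padding_len]
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message: type %d" % payload[0])
    off = 1 + 16  # message type byte + 16-byte cookie
    lists = {}
    for name in KEXINIT_FIELDS:
        lists[name], off = _read_name_list(payload, off)
    return lists


def weak_algorithms(kexinit):
    """Return sorted (field, algorithm) pairs for offered ciphers/MACs that are weak."""
    hits = []
    for field in ("cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c"):
        for alg in kexinit[field]:
            if any(w in alg.lower() for w in WEAK_SUBSTRINGS):
                hits.append((field, alg))
    return sorted(hits)


def build_kexinit(lists):
    """Build a KEXINIT packet from name-lists; used here to construct sample input."""
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # zero cookie is fine for a sample
    for name in KEXINIT_FIELDS:
        s = ",".join(lists.get(name, [])).encode("ascii")
        payload += struct.pack(">I", len(s)) + s
    payload += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
    # Padding: at least 4 bytes, total packet length a multiple of 8.
    pad = 8 - ((5 + len(payload)) % 8)
    if pad < 4:
        pad += 8
    body = bytes([pad]) + payload + b"\x00" * pad
    return struct.pack(">I", len(body)) + body


def fetch_kexinit(host, port=22, timeout=5.0):
    """Connect to a live server and return its raw (unencrypted) KEXINIT packet."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-kexaudit\r\n")
        f = s.makefile("rb")
        while True:  # skip any banner lines until the server version string
            line = f.readline()
            if not line or line.startswith(b"SSH-"):
                break
        hdr = f.read(4)
        (packet_len,) = struct.unpack(">I", hdr)
        return hdr + f.read(packet_len)


# Constructed sample: a peer whose SSH service still runs the pre-change config.
STALE_PEER = build_kexinit({
    "kex": ["ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"],
    "host_key": ["ssh-rsa"],
    "cipher_c2s": ["aes256-ctr", "3des-cbc", "arcfour"],
    "cipher_s2c": ["aes256-ctr", "3des-cbc", "arcfour"],
    "mac_c2s": ["hmac-sha2-256", "hmac-sha1"],
    "mac_s2c": ["hmac-sha2-256", "hmac-sha1"],
    "compression_c2s": ["none"], "compression_s2c": ["none"],
})

# Constructed sample: a peer whose SSH service was restarted after the change.
RESTARTED_PEER = build_kexinit({
    "kex": ["ecdh-sha2-nistp256"],
    "host_key": ["ssh-rsa"],
    "cipher_c2s": ["aes256-ctr"], "cipher_s2c": ["aes256-ctr"],
    "mac_c2s": ["hmac-sha2-256"], "mac_s2c": ["hmac-sha2-256"],
    "compression_c2s": ["none"], "compression_s2c": ["none"],
})

if __name__ == "__main__":
    for label, pkt in (("stale peer", STALE_PEER), ("restarted peer", RESTARTED_PEER)):
        print(label, weak_algorithms(parse_kexinit(pkt)) or "no weak algorithms offered")
```

Running it against real devices means replacing the constructed packets with `fetch_kexinit("<mgmt-ip-of-peer>")` for each HA member; a non-empty result on one peer while the other is clean is exactly the "config synced but service not restarted" state this article describes.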


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAsiCAG&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail