禁用用于 Web 访问的弱密码 GUI 不起作用
51721
Created On 10/21/20 14:32 PM - Last Modified 03/15/21 18:03 PM
Symptom
禁用弱密码 SSL / TLS 服务配置文件不会禁用用于 Web GUI 访问的密码。
这可以通过使用 nmap 工具使用命令来列举 ssl 密码来验证:
nmap --script ssl-enum-ciphers -p 443 <Firewall IP Address>
示例:
1. 在尝试禁用弱密码之前:
admin@FW1# show shared ssl-tls-service-profile Cert_Profile protocol-settings
set shared ssl-tls-service-profile Cert_Profile protocol-settings min-version tls1-2
set shared ssl-tls-service-profile Cert_Profile protocol-settings max-version max
[edit]
|
nmap --script ssl-enum-ciphers -p 443 <IP of the FW>
Starting Nmap 7.60 ( https://nmap.org ) at 2019-03-29 12:05 CET
Nmap scan report for x.x.x.x
Host is up (0.011s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A
Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds
|
admin@FW1# configure
admin@FW1# show shared ssl-tls-service-profile Cert_Profile protocol-settings
set shared ssl-tls-service-profile Cert_Profile protocol-settings min-version tls1-2
set shared ssl-tls-service-profile Cert_Profile protocol-settings max-version max
set shared ssl-tls-service-profile Cert_Profile protocol-settings auth-algo-sha1 no
set shared ssl-tls-service-profile Cert_Profile protocol-settings auth-algo-sha256 no
set shared ssl-tls-service-profile Cert_Profile protocol-settings enc-algo-3des no
set shared ssl-tls-service-profile Cert_Profile protocol-settings enc-algo-aes-128-cbc no
set shared ssl-tls-service-profile Cert_Profile protocol-settings enc-algo-aes-128-gcm no
set shared ssl-tls-service-profile Cert_Profile protocol-settings enc-algo-rc4 no
set shared ssl-tls-service-profile Cert_Profile protocol-settings keyxchg-algo-dhe no
set shared ssl-tls-service-profile Cert_Profile protocol-settings keyxchg-algo-rsa no
admin@FW1# commit
[edit]
|
3. Nmap 测试结果显示提交后密码没有更改:
nmap --script ssl-enum-ciphers -p 443 <IP of the FW>
Starting Nmap 7.60 ( https://nmap.org ) at 2019-03-29 12:12 CET
Nmap scan report for x.x.x.x
Host is up (0.00034s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A
Nmap done: 1 IP address (1 host up) scanned in 0.46 seconds
|
Environment
- 任何帕洛阿尔托 Firewall 。
- 任何 Panorama .
- PAN-OS 版本低于 9.0.11 (9.0.x)。
- PAN-OS 版本低于9.1.5(9.1.x)。
- PAN-OS 版本低于 10.0.1 (10.0.x)。
Cause
这些命令仅适用于 GlobalProtect SSL 正在使用/配置文件的接口(门户/网关 TLS )。
Resolution
升级到 PAN-OS 9.0.11版本(或9.1.5/10.0.1)及以上。
从 PAN-OS 版本 10.0.1、9.1.5 和 9.0.11 开始,这些命令也将应用于管理界面。
此更改已记录在 以下发布说明 中 PAN-115541 。
Additional Information
如何修复访问管理接口上的弱密码和密钥 SSH