How to configure and apply SSH Server Profile to the Management Interface of Dedicated Log Collector
Created On 03/18/24 15:52 PM - Last Modified 12/18/25 15:27 PM
Objective
- The mitigation step for CVE-2023-48795 requires an SSH Server profile with at least one cipher and at least one MAC algorithm.
- For Dedicated Log Collectors managed via Panorama, there is no menu in the GUI to configure an SSH Server profile and apply it to the management interface of Dedicated Log Collectors.
- This article provides the CLI steps to do so.
Environment
- PAN-OS 10.0 and above.
- Management Panorama with a Collector Group.
- Dedicated Log Collector(s) in the Collector Group.
Procedure
These configuration steps must be performed on the Management Panorama of the Collector Group.
If the configuration is done locally on the Dedicated Log Collector(s), the next Collector Group push will overwrite it.
- Log in to Panorama and create an SSH Server profile for the Collector Group.
> configure
# set log-collector-group <collector group name> general-setting management ssh profiles mgmt-profiles server-profiles <SSH Server Profile name>
- Apply the options, such as ciphers and MAC algorithms, to the SSH Server Profile created above. Pressing Tab lists the available options. An example is given below:
# set log-collector-group <collector group name> general-setting management ssh profiles mgmt-profiles server-profiles <SSH Server Profile name> ciphers [ aes256-cbc aes256-ctr aes256-gcm ] mac [ hmac-sha2-256 hmac-sha2-512 ]
- A space is required between the square brackets [ ] and the values, as well as between the values.
- For example, [hmac-sha2-256 hmac-sha2-512] returns an Invalid syntax error.
- Apply the SSH Server Profile to the management interface and exit the configuration.
# set log-collector-group <insert collector group name> general-setting management ssh mgmt server-profile <insert SSH Server Profile name>
# exit
- To verify the configuration:
> configure
# show log-collector-group <insert collector group name> general-setting management ssh
# exit
- Commit the configuration to the Management Panorama in the GUI using Commit > Commit to Panorama.
- Push the configuration to the Collector Group in the GUI using Commit > Push to Devices.
- Select the Collector Group as the push scope (see the screenshot below).
- To apply the change, log in to each Log Collector of the Collector Group and restart the SSH service on the Management interface with the CLI command:
> set ssh service-restart mgmt
Note: Refer to the Additional Information section for delete commands.
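Added example, not part of this article and not a Palo Alto Networks tool: after the SSH service restart, a client-side check that reads the Collector's SSH_MSG_KEXINIT, compares the advertised ciphers and MACs with the pushed profile, and flags the algorithm combinations CVE-2023-48795 concerns. EXPECTED_CIPHERS and EXPECTED_MACS are the article's example values written as CLI option names (adjust them if the device advertises different wire names), and build_kexinit only constructs a sample packet for offline use.

```python
import socket
import struct
# Algorithm name-lists of this KB's example profile (constructed expectation).
EXPECTED_CIPHERS = {"aes256-cbc", "aes256-ctr", "aes256-gcm"}
EXPECTED_MACS = {"hmac-sha2-256", "hmac-sha2-512"}
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def parse_kexinit(payload):
    """Split an SSH_MSG_KEXINIT payload (RFC 4253 s7.1) into its ten name-lists."""
    if not payload or payload[0] != 20:
        raise ValueError("payload is not SSH_MSG_KEXINIT")
    pos, out = 17, {}                           # skip message id (1) + cookie (16)
    for name in FIELDS:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + n].decode("ascii")
        out[name] = raw.split(",") if raw else []
        pos += 4 + n
    return out

def build_kexinit(ciphers, macs):
    """Construct a minimal KEXINIT payload (sample input for offline use only)."""
    def nl(items):
        body = ",".join(items).encode("ascii")
        return struct.pack(">I", len(body)) + body
    lists = [["diffie-hellman-group14-sha256"], ["rsa-sha2-256"],
             ciphers, ciphers, macs, macs, ["none"], ["none"], [], []]
    return bytes([20]) + bytes(16) + b"".join(map(nl, lists)) + bytes(5)

def audit(kex, exp_ciphers=EXPECTED_CIPHERS, exp_macs=EXPECTED_MACS):
    """Compare advertised server->client algorithms with the pushed profile; [] means it is in effect."""
    ciphers, macs = set(kex["enc_s2c"]), set(kex["mac_s2c"])
    findings = [f"unexpected cipher {c}" for c in ciphers - exp_ciphers]
    findings += [f"missing cipher {c}" for c in exp_ciphers - ciphers]
    findings += [f"unexpected MAC {m}" for m in macs - exp_macs]
    findings += [f"missing MAC {m}" for m in exp_macs - macs]
    # CVE-2023-48795 concerns chacha20-poly1305 and CBC ciphers paired with EtM MACs.
    cbc_etm = any(c.endswith("-cbc") for c in ciphers) and any(m.endswith("-etm@openssh.com") for m in macs)
    if "chacha20-poly1305@openssh.com" in ciphers or cbc_etm:
        findings.append("CVE-2023-48795-affected algorithm selection is still offered")
    return sorted(findings)

def fetch_kexinit(host, port=22, timeout=5.0):
    """Live check: send our version string, skip any banner lines, read the server's KEXINIT."""
    with socket.create_connection((host, port), timeout) as sock:
        sock.sendall(b"SSH-2.0-profilecheck\r\n")
        f = sock.makefile("rb")
        while (line := f.readline()) and not line.startswith(b"SSH-"):
            pass
        packet_len, pad_len = struct.unpack(">IB", f.read(5))   # binary packet, no MAC yet
        payload = f.read(packet_len - 1)[:packet_len - 1 - pad_len]
        return parse_kexinit(payload)
```

Run `audit(fetch_kexinit("<log collector mgmt IP>"))` against each Collector after the restart; a non-empty list usually means the Collector Group push has not reached that device yet.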
Additional Information
- Commands to fix weak ciphers and keys on the mgmt interface for SSH access in PAN-OS 10.0
- Configure an SSH Service Profile
- The cipher and MAC options in step 2 can also be set with separate commands. Example below:
# set log-collector-group <collector group name> general-setting management ssh profiles mgmt-profiles server-profiles <SSH Server Profile name> ciphers [ aes256-cbc ]
# set log-collector-group <collector group name> general-setting management ssh profiles mgmt-profiles server-profiles <SSH Server Profile name> mac [ hmac-sha2-256 hmac-sha2-512 ]
- To delete a value from one of the options, the command is structured as below:
# delete log-collector-group <collector group name> general-setting management ssh profiles mgmt-profiles server-profiles <SSH Server Profile name> mac hmac-sha2-512
# delete log-collector-group <collector group name> general-setting management ssh profiles mgmt-profiles server-profiles <SSH Server Profile name> ciphers aes256-cbc
Note: Only one value can be deleted per delete command.