How to check which ciphers are enabled in PAN-OS
Created On 11/02/22 18:40 PM - Last Modified 02/02/24 18:42 PM
Objective
- Identify which ciphers are enabled in PAN-OS, either before disabling weak ciphers or after enabling strong ciphers.
- This information can be used to mitigate vulnerabilities. Example: TLS/SSL birthday attacks on 64-bit block ciphers (SWEET32).
Environment
- Palo Alto Networks Firewall
- Supported PAN-OS
- Cipher Support
Procedure
Log in to a Linux machine and run the following nmap command:
user1@ubuntu-182-32:~$ nmap --script ssh2-enum-algos -sV -p 22 10.193.92.68
Replace the IP address with the one configured on the firewall management interface, or on any data plane interface that has a management interface profile configured. The output lists all the key exchange, host key, encryption, MAC, and compression algorithms the SSH service offers:
user1@ubuntu-182-32:~$ nmap --script ssh2-enum-algos -sV -p 22 10.193.92.68
Starting Nmap 7.01 ( https://nmap.org ) at 2022-10-20 05:09 PDT
Nmap scan report for 10.193.92.68
Host is up (0.00056s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 12.1 (protocol 2.0)
| ssh2-enum-algos:
| kex_algorithms: (7)
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| diffie-hellman-group-exchange-sha256
| diffie-hellman-group14-sha1
| diffie-hellman-group-exchange-sha1
| diffie-hellman-group1-sha1
| server_host_key_algorithms: (1)
| ssh-rsa
| encryption_algorithms: (15)
| aes128-ctr
| aes192-ctr
| aes256-ctr
| arcfour256
| arcfour128
| aes128-gcm@openssh.com
| aes256-gcm@openssh.com
| aes128-cbc
| 3des-cbc
| blowfish-cbc
| cast128-cbc
| aes192-cbc
| aes256-cbc
| arcfour
| rijndael-cbc@lysator.liu.se
| mac_algorithms: (19)
| hmac-md5-etm@openssh.com
| hmac-sha1-etm@openssh.com
| umac-64-etm@openssh.com
| umac-128-etm@openssh.com
| hmac-sha2-256-etm@openssh.com
| hmac-sha2-512-etm@openssh.com
| hmac-ripemd160-etm@openssh.com
| hmac-sha1-96-etm@openssh.com
| hmac-md5-96-etm@openssh.com
| hmac-md5
| hmac-sha1
| umac-64@openssh.com
| umac-128@openssh.com
| hmac-sha2-256
| hmac-sha2-512
| hmac-ripemd160
| hmac-ripemd160@openssh.com
| hmac-sha1-96
| hmac-md5-96
| compression_algorithms: (2)
| none
|_ zlib@openssh.com
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.39 seconds
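To make the before/after comparison described in the Objective repeatable, the following Python script is an added example (it is not part of this article and not Palo Alto Networks code). It parses ssh2-enum-algos output, flags algorithms commonly regarded as weak, including the 64-bit block ciphers behind SWEET32, and reports which algorithms disappeared between two scans. The nmap output embedded in it is a constructed, abridged sample in nmap's format; the host address 192.0.2.10 and the weak-algorithm rules are the example's own assumptions, not a PAN-OS policy.

```python
import re
from typing import Dict, List, Tuple

# Constructed, abridged sample in the format of `nmap --script ssh2-enum-algos`
# output (section names and the "(N)" counts follow nmap's real layout; the host,
# version string and algorithm lists are shortened for the example).
SAMPLE_OUTPUT = """\
Nmap scan report for 192.0.2.10
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (3)
|       ecdh-sha2-nistp256
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (1)
|       ssh-rsa
|   encryption_algorithms: (5)
|       aes128-ctr
|       aes256-gcm@openssh.com
|       arcfour256
|       3des-cbc
|       blowfish-cbc
|   mac_algorithms: (4)
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-256
|       hmac-md5
|       hmac-sha1-96
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
Nmap done: 1 IP address (1 host up) scanned in 1.23 seconds
"""

SECTION_RE = re.compile(r"^(\w+_algorithms):\s*\((\d+)\)$")


def parse_ssh2_enum_algos(text: str) -> Dict[str, List[str]]:
    """Return {section: [algorithm, ...]} from ssh2-enum-algos output.

    Only lines of the NSE block (prefixed "|" or "|_") are read. A ValueError is
    raised if a section's item count disagrees with the "(N)" count nmap prints
    in the section header, which catches truncated or mangled output.
    """
    sections: Dict[str, List[str]] = {}
    declared: Dict[str, int] = {}
    current = None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue                      # host/port/summary lines, not script output
        line = raw.lstrip("|_").strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            declared[current] = int(header.group(2))
            sections[current] = []
        elif current and line and not line.endswith(":"):
            sections[current].append(line)
    for name, count in declared.items():
        if len(sections[name]) != count:
            raise ValueError(f"{name}: header declares {count} entries, parsed {len(sections[name])}")
    return sections


# (section, regex, reason): assumed weak-algorithm rules for this example.
# Rules are checked in order and the first match wins, so specific rules
# (e.g. SWEET32 ciphers) come before general ones (any CBC cipher).
WEAK_RULES: List[Tuple[str, str, str]] = [
    ("encryption_algorithms", r"^(3des|blowfish|cast128)-cbc$", "64-bit block cipher (SWEET32 birthday attack)"),
    ("encryption_algorithms", r"^arcfour", "RC4 stream cipher, deprecated for SSH"),
    ("encryption_algorithms", r"-cbc", "CBC mode; prefer CTR or GCM"),
    ("kex_algorithms", r"group1-sha1$", "1024-bit DH group with SHA-1"),
    ("kex_algorithms", r"-sha1$", "SHA-1 based key exchange"),
    ("server_host_key_algorithms", r"^ssh-rsa$", "RSA host-key signatures over SHA-1 (off by default since OpenSSH 8.8)"),
    ("mac_algorithms", r"md5", "MD5-based MAC"),
    ("mac_algorithms", r"-(64|96)(-|@|$)", "truncated MAC tag (64 or 96 bits)"),
]


def find_weak_algorithms(sections: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return (section, algorithm, reason) for every offered algorithm that matches a rule."""
    findings = []
    for section, names in sections.items():
        for name in names:
            for rule_section, pattern, reason in WEAK_RULES:
                if rule_section == section and re.search(pattern, name):
                    findings.append((section, name, reason))
                    break
    return findings


def removed_algorithms(before: Dict[str, List[str]], after: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Per section, algorithms offered in `before` but absent from `after`: after
    hardening, this list should match the weak-algorithm findings of the first scan."""
    return {s: sorted(set(before[s]) - set(after.get(s, []))) for s in before}


if __name__ == "__main__":
    algos = parse_ssh2_enum_algos(SAMPLE_OUTPUT)
    for section, name, reason in find_weak_algorithms(algos):
        print(f"{section:28} {name:32} {reason}")
```

To use it on real scans, save each nmap run with `-oN before.txt` / `-oN after.txt`, feed the file contents to `parse_ssh2_enum_algos`, and pass the two results to `removed_algorithms`. Note that ssh2-enum-algos covers only the SSH service on port 22; the TLS cipher suites of the management web interface are enumerated by nmap's separate ssl-enum-ciphers script, whose output format differs and is not handled by this parser.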