How to check which ciphers are enabled in PAN-OS

Created On 11/02/22 18:40 PM - Last Modified 02/02/24 18:42 PM


Objective


  • Identify which ciphers are enabled in PAN-OS, either before disabling weak ciphers or after enabling strong ciphers.
  • The information can be used to mitigate vulnerabilities, for example TLS/SSL birthday attacks on 64-bit block ciphers (SWEET32).


Environment


  • Palo Alto Networks Firewall
  • Supported PAN-OS
  • Cipher Support


Procedure


Log in to a Linux machine and run the nmap command:
user1@ubuntu-182-32:~$ nmap --script ssh2-enum-algos -sV -p 22 10.193.92.68
Replace the IP address with the one configured on the firewall management interface, or on any data plane interface that has a management interface profile configured. The output lists every algorithm the SSH server offers:
user1@ubuntu-182-32:~$ nmap --script ssh2-enum-algos -sV -p 22 10.193.92.68

Starting Nmap 7.01 ( https://nmap.org ) at 2022-10-20 05:09 PDT
Nmap scan report for 10.193.92.68
Host is up (0.00056s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 12.1 (protocol 2.0)
| ssh2-enum-algos:
|   kex_algorithms: (7)
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group14-sha1
|       diffie-hellman-group-exchange-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (1)
|       ssh-rsa
|   encryption_algorithms: (15)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       arcfour256
|       arcfour128
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|       aes128-cbc
|       3des-cbc
|       blowfish-cbc
|       cast128-cbc
|       aes192-cbc
|       aes256-cbc
|       arcfour
|       rijndael-cbc@lysator.liu.se
|   mac_algorithms: (19)
|       hmac-md5-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-ripemd160-etm@openssh.com
|       hmac-sha1-96-etm@openssh.com
|       hmac-md5-96-etm@openssh.com
|       hmac-md5
|       hmac-sha1
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-ripemd160
|       hmac-ripemd160@openssh.com
|       hmac-sha1-96
|       hmac-md5-96
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.39 seconds
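The scan output above has to be read by hand to spot the algorithms worth disabling. The script below is an added example, not Palo Alto Networks code: it parses the ssh2-enum-algos output format shown above (a "|   <section>_algorithms: (N)" header followed by one indented name per line) and flags the weak entries, including the 64-bit block ciphers that SWEET32 targets. The weak-algorithm classifications are the example's own, chosen to cover the names in the scan above; the sample input is a constructed, abbreviated copy of that scan so the script runs offline, and with a host argument it runs the same nmap command as the article.

```python
"""Parse nmap ssh2-enum-algos output and flag weak SSH algorithms.

Added example for this article; it is not Palo Alto Networks code.  It assumes
the output format shown above and runs offline against a constructed sample.
"""
import re
import subprocess
import sys

# Constructed sample: an abbreviated version of the scan output shown above.
SAMPLE_OUTPUT = """\
| ssh2-enum-algos:
|   kex_algorithms: (4)
|       ecdh-sha2-nistp256
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group14-sha1
|       diffie-hellman-group1-sha1
|   server_host_key_algorithms: (1)
|       ssh-rsa
|   encryption_algorithms: (7)
|       aes128-ctr
|       aes256-gcm@openssh.com
|       arcfour256
|       3des-cbc
|       blowfish-cbc
|       cast128-cbc
|       aes256-cbc
|   mac_algorithms: (4)
|       hmac-md5-etm@openssh.com
|       hmac-sha2-256
|       hmac-sha1-96
|       hmac-md5
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
"""

SECTION_RE = re.compile(r"^\|\s+(\w+_algorithms):\s*\(\d+\)")
ALGO_RE = re.compile(r"^\|_?\s+(\S+)$")

# Weak-algorithm rules: (section, predicate, reason).  The first matching rule wins.
# These classifications are the example's own, written to cover the scan above.
WEAK_RULES = [
    ("encryption_algorithms", lambda n: n in ("3des-cbc", "blowfish-cbc", "cast128-cbc"),
     "64-bit block cipher (SWEET32)"),
    ("encryption_algorithms", lambda n: n.startswith("arcfour"), "RC4 stream cipher"),
    ("kex_algorithms", lambda n: n == "diffie-hellman-group1-sha1", "1024-bit DH group with SHA-1"),
    ("kex_algorithms", lambda n: n.endswith("sha1"), "SHA-1 based key exchange"),
    ("server_host_key_algorithms", lambda n: n == "ssh-rsa", "RSA signatures over SHA-1"),
    ("mac_algorithms", lambda n: "md5" in n, "MD5-based MAC"),
    ("mac_algorithms", lambda n: "-96" in n, "truncated 96-bit MAC tag"),
]


def parse_ssh2_enum_algos(text):
    """Return {section: [algorithm names]} from the script's text output."""
    algos = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            algos[current] = []
            continue
        m = ALGO_RE.match(line)
        if m and current is not None:
            algos[current].append(m.group(1))
    return algos


def audit(algos):
    """Return a list of (section, name, reason) for every weak algorithm offered."""
    findings = []
    for section, names in algos.items():
        for name in names:
            for rule_section, matches, reason in WEAK_RULES:
                if rule_section == section and matches(name):
                    findings.append((section, name, reason))
                    break
    return findings


def scan(host, port=22):
    """Run the nmap command from the article against host and return its output."""
    cmd = ["nmap", "--script", "ssh2-enum-algos", "-sV", "-p", str(port), host]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # With a host argument, scan it live; with none, audit the constructed sample.
    output = scan(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_OUTPUT
    for section, name, reason in audit(parse_ssh2_enum_algos(output)):
        print(f"{section:28s} {name:35s} {reason}")
```

Run it after changing the cipher configuration and compare the findings before and after: an empty report means none of the flagged algorithms are still offered. Anything still listed is what the firewall will negotiate if a client asks for it, regardless of what the client's own defaults are.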


Additional Information





https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kF2eCAE&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail