How to enable recommended SSH ciphers, kex and mac on Firewalls in High-Availability
Created On 07/28/22 09:42 AM - Last Modified 11/12/25 23:58 PM
Objective
- To enable the recommended SSH ciphers, kex and mac algorithms in order to remediate weak SSH settings.
- Steps to be followed on an Active-Passive HA pair to enable strong SSH settings.
Environment
- Palo Alto Firewalls with SSH access
Procedure
- Open SSH sessions to both the Active and the Passive FW and make sure they do not time out while you carry out the procedure. Also make sure that the running-config is In-Sync between the Active and Passive FWs.
- Check whether any SSH settings already exist on the Active and Passive FWs:
> set cli config-output-format set
> configure
# show deviceconfig system ssh
- If an SSH configuration exists, delete the existing ciphers, kex and mac algorithms with the following commands. Do this only on the Active FW; the change syncs to the Passive FW:
# delete deviceconfig system ssh ciphers mgmt
# delete deviceconfig system ssh kex mgmt
# delete deviceconfig system ssh mac mgmt
# show deviceconfig system ssh
- Configure the recommended ciphers, kex and mac on the Active FW. The recommended values are taken from the following document:
# set deviceconfig system ssh ciphers mgmt aes256-ctr
# set deviceconfig system ssh ciphers mgmt aes256-gcm
# set deviceconfig system ssh kex mgmt ecdh-sha2-nistp256
# set deviceconfig system ssh kex mgmt ecdh-sha2-nistp384
# set deviceconfig system ssh kex mgmt ecdh-sha2-nistp521
# set deviceconfig system ssh mac mgmt hmac-sha2-256
# set deviceconfig system ssh mac mgmt hmac-sha2-512
- Commit on the Active FW and wait for the commit to finish:
# commit
- Check that the HA-Sync job finishes on the Passive FW, then confirm that it has the new SSH configuration:
Passive> show jobs all
Passive> configure
Passive# show deviceconfig system ssh
- Once both FWs have the new SSH config committed and the HA-Sync job has completed on the Passive, restart the SSH service on both the Active and the Passive FW. Make sure that both existing SSH sessions have not timed out before proceeding:
Active> set ssh service-restart mgmt
Passive> set ssh service-restart mgmt
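After the service restart, the server's new proposal can be checked from a client with `ssh -vv <mgmt-ip>`. The script below is an added example, not part of this article or of PAN-OS: it parses the server-side KEXINIT proposal out of OpenSSH's `-vv` debug output and reports anything offered outside the recommended ciphers, kex and mac listed above, or anything recommended that is absent. The debug output is a constructed sample, and the `debug2:` label format is assumed to be OpenSSH's.

```python
import re

# Recommended sets from the procedure above (PAN-OS "ssh ... mgmt" settings).
RECOMMENDED = {
    "kex": {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
    "cipher": {"aes256-ctr", "aes256-gcm"},
    "mac": {"hmac-sha2-256", "hmac-sha2-512"},
}
# OpenSSH "ssh -vv" labels inside the server's KEXINIT proposal, mapped to our categories.
LABELS = {"KEX algorithms": "kex", "ciphers ctos": "cipher", "ciphers stoc": "cipher",
          "MACs ctos": "mac", "MACs stoc": "mac"}

# Constructed sample of "ssh -vv" output from a firewall BEFORE the remediation.
SAMPLE_BEFORE = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512
debug2: ciphers ctos: aes256-ctr,aes256-gcm@openssh.com,aes128-cbc
debug2: ciphers stoc: aes256-ctr,aes256-gcm@openssh.com,aes128-cbc
debug2: MACs ctos: hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none
"""

def parse_server_proposal(debug_output: str) -> dict[str, set[str]]:
    """Collect the server's advertised kex/cipher/mac names; OpenSSH wire names such as
    aes256-gcm@openssh.com are normalised to the PAN-OS spelling (aes256-gcm)."""
    found: dict[str, set[str]] = {cat: set() for cat in RECOMMENDED}
    in_server = False
    for line in debug_output.splitlines():
        if "KEXINIT proposal" in line:          # section header: client side or server side
            in_server = "peer server" in line
            continue
        m = re.match(r"debug2: ([A-Za-z ]+): (.+)$", line.strip())
        if in_server and m and m.group(1) in LABELS:
            for name in m.group(2).split(","):
                found[LABELS[m.group(1)]].add(name.strip().removesuffix("@openssh.com"))
    return found

def audit(found: dict[str, set[str]]) -> dict[str, dict[str, set[str]]]:
    """Per category: 'extra' = offered but not recommended, 'missing' = recommended but absent."""
    return {cat: {"extra": found[cat] - RECOMMENDED[cat],
                  "missing": RECOMMENDED[cat] - found[cat]} for cat in RECOMMENDED}

if __name__ == "__main__":
    for cat, result in audit(parse_server_proposal(SAMPLE_BEFORE)).items():
        print(f"{cat:7s} extra={sorted(result['extra'])} missing={sorted(result['missing'])}")
```

Run it as `ssh -vv <mgmt-ip> 2>&1 | python3 -c '...'` against the real output once both FWs have been restarted; an empty `extra` and `missing` in every category means the firewall now offers exactly the recommended set.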