How to apply the SSL/TLS profile to a management interface

Created On 06/26/24 14:45 PM - Last Modified 07/09/25 19:50 PM


Objective


  • To apply an SSL/TLS profile to the management interface.
  • Once the SSL/TLS settings are changed (for example, by disabling weak ciphers), the profile needs to be applied to the management interface.


Environment


  • Palo Alto Firewalls or Panorama
  • PAN-OS 9.1 and above
  • SSL-TLS profile


Procedure


From CLI:

  1. Create an SSL/TLS profile with the new ciphers. In the example below, the profile 'fw-mgt-strong-ssl-profile' is created with weak ciphers removed. The certificate "fw-mgt-rsa-cert" has already been created.
     admin@FW> configure
     admin@FW# set shared ssl-tls-service-profile fw-mgt-strong-ssl-profile protocol-settings min-version tls1-2
     admin@FW# set shared ssl-tls-service-profile fw-mgt-strong-ssl-profile protocol-settings max-version max
     admin@FW# set shared ssl-tls-service-profile fw-mgt-strong-ssl-profile protocol-settings enc-algo-aes-256-cbc no
     admin@FW# set shared ssl-tls-service-profile fw-mgt-strong-ssl-profile protocol-settings enc-algo-aes-128-cbc no
     admin@FW# set shared ssl-tls-service-profile fw-mgt-strong-ssl-profile certificate fw-mgt-rsa-cert
  2. Apply the above ssl-tls-service-profile to the management interface using the following system command.
     admin@FW# set deviceconfig system ssl-tls-service-profile fw-mgt-strong-ssl-profile
  3. Commit the configuration changes.
     admin@FW# commit force
     admin@FW> exit
  4. To view the configuration, use the following command in config mode.
     admin@FW# show shared ssl-tls-service-profile fw-mgt-strong-ssl-profile

To update the SSL/TLS profile on the management interface using the GUI:

  1. Go to GUI: Device > Setup > Management > General Settings.
  2. Edit and update the "SSL/TLS Service Profile".
  3. Commit the changes.

NOTE:

After the commit, the new SSL/TLS profile is applied to the web GUI. You may lose web GUI connectivity and need to log in again so that the session matches the new SSL/TLS profile settings.

There will be no connectivity issue with existing SSH sessions.
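
To confirm that the committed configuration matches the procedure, the following added example (not part of the original article) audits configuration lines in set-command format, as the commands in step 1 are written. The function name audit_mgmt_tls, the constructed sample input, and the treatment of a cipher key that is not explicitly set to "no" as still enabled are assumptions.

```python
import re

# Constructed sample: set-format lines mirroring the commands in the procedure.
SAMPLE_CONFIG = """\
set shared ssl-tls-service-profile fw-mgt-strong-ssl-profile protocol-settings min-version tls1-2
set shared ssl-tls-service-profile fw-mgt-strong-ssl-profile protocol-settings max-version max
set shared ssl-tls-service-profile fw-mgt-strong-ssl-profile protocol-settings enc-algo-aes-256-cbc no
set shared ssl-tls-service-profile fw-mgt-strong-ssl-profile protocol-settings enc-algo-aes-128-cbc no
set shared ssl-tls-service-profile fw-mgt-strong-ssl-profile certificate fw-mgt-rsa-cert
set deviceconfig system ssl-tls-service-profile fw-mgt-strong-ssl-profile
"""

PROFILE_RE = re.compile(r"^set shared ssl-tls-service-profile (\S+) (?:protocol-settings )?(\S+) (\S+)$")
MGMT_RE = re.compile(r"^set deviceconfig system ssl-tls-service-profile (\S+)$")
WEAK_VERSIONS = {"tls1-0", "tls1-1"}
CBC_KEYS = ("enc-algo-aes-128-cbc", "enc-algo-aes-256-cbc")  # the two keys the article disables


def audit_mgmt_tls(config_text):
    """Return a list of findings for the profile bound to the management interface."""
    profiles, bound = {}, None
    for raw in config_text.splitlines():
        line = re.sub(r"^\S+@\S+[#>]\s*", "", raw.strip())  # drop a pasted CLI prompt
        if m := MGMT_RE.match(line):
            bound = m.group(1)
        elif m := PROFILE_RE.match(line):
            profiles.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    if bound is None:
        return ["no ssl-tls-service-profile is applied under deviceconfig system"]
    if bound not in profiles:
        return [f"management references undefined profile {bound!r}"]
    settings, findings = profiles[bound], []
    min_version = settings.get("min-version")
    if min_version is None or min_version in WEAK_VERSIONS:
        findings.append(f"{bound}: min-version is {min_version or 'unset'}, expected tls1-2 or later")
    for key in CBC_KEYS:
        # Assumption: a cipher key that is not explicitly 'no' is treated as still enabled.
        if settings.get(key) != "no":
            findings.append(f"{bound}: {key} is not disabled")
    if "certificate" not in settings:
        findings.append(f"{bound}: no certificate configured")
    return findings
```

An empty list means the profile applied to the management interface has a minimum version of TLS 1.2 or later, both CBC ciphers disabled, and a certificate set.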



Additional Information


 

  • To secure SSH access to the management interface of the Firewall/Panorama, see the following knowledge base article:

          Commands to fix weak ciphers and keys on the mgmt interface for SSH access in PAN-OS 10.0


