paloaltonetworks:configuration:certificates: created 2020/05/18 14:08 by bstafford; current revision 2022/11/23 12:49 (external edit).
====== Certificates ======
You can test which TLS ciphers a server offers with the following:
<code>nmap --script ssl-enum-ciphers -p 443 1.2.3.4</code>
===== Free Certificates with Let's Encrypt =====
You can get free certificates for Palo Alto Networks devices using Let's Encrypt.

Details are [[networking:ssl_certificate_lets_encrypt|here]].
===== Certificate Chains =====
If you have a publicly signed certificate for GlobalProtect, make sure that the certificate file starts with the server's public certificate, followed by the intermediate certificate(s), and ends with the root certificate of the chain.
===== Secure SSL Ciphers =====
When using SSL/TLS Service Profiles for management interfaces, GlobalProtect Portals, etc., you can set the minimum TLS version. It is recommended to set TLS 1.2 or higher.

You can also restrict individual ciphers using the CLI. Replace ''shared'' with ''panorama'' if you are running this on Panorama rather than a firewall.

For firewall local config:
<code>set shared ssl-tls-service-profile SERVICE_PROFILE_NAME protocol-settings auth-algo-sha1 no enc-algo-3des no enc-algo-rc4 no enc-algo-aes-128-cbc no enc-algo-aes-128-gcm no enc-algo-aes-256-cbc no keyxchg-algo-rsa no</code>
For Panorama management:
<code>set panorama ssl-tls-service-profile SERVICE_PROFILE_NAME protocol-settings auth-algo-sha1 no enc-algo-3des no enc-algo-rc4 no enc-algo-aes-128-cbc no enc-algo-aes-128-gcm no enc-algo-aes-256-cbc no</code>
For Panorama templates:
<code>set template TEMPLATE_NAME config shared ssl-tls-service-profile SERVICE_PROFILE_NAME protocol-settings auth-algo-sha1 no enc-algo-3des no enc-algo-rc4 no enc-algo-aes-128-cbc no enc-algo-aes-128-gcm no enc-algo-aes-256-cbc no</code>
The full option list is:
  * ''auth-algo-sha1'' - Allow authentication SHA1
  * ''auth-algo-sha256'' - Allow authentication SHA256
  * ''auth-algo-sha384'' - Allow authentication SHA384

  * ''enc-algo-3des'' - Allow algorithm 3DES
  * ''enc-algo-aes-128-cbc'' - Allow algorithm AES-128-CBC
  * ''enc-algo-aes-128-gcm'' - Allow algorithm AES-128-GCM
  * ''enc-algo-aes-256-cbc'' - Allow algorithm AES-256-CBC
  * ''enc-algo-aes-256-gcm'' - Allow algorithm AES-256-GCM
  * ''enc-algo-rc4'' - Allow algorithm RC4

  * ''keyxchg-algo-dhe'' - Allow algorithm DHE
  * ''keyxchg-algo-ecdhe'' - Allow algorithm ECDHE
  * ''keyxchg-algo-rsa'' - Allow algorithm RSA

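The ''ssl-enum-ciphers'' scan at the top of the page is the natural way to confirm that the profile settings above actually took effect. The following is an added example, not code from the original page or from Palo Alto Networks: it parses ssl-enum-ciphers output (a constructed sample is embedded) and maps every cipher the server still offers back to the profile option that should have removed it. The option-to-suite-name mapping is my assumption about which IANA cipher-suite names each option governs.

```python
import re
# Profile options from the CLI command above, each mapped to the pattern it removes
# from the IANA cipher-suite names that ssl-enum-ciphers prints (assumed mapping).
WEAK_PATTERNS = {
    "auth-algo-sha1":       re.compile(r"_SHA$"),          # HMAC-SHA1 suites
    "enc-algo-3des":        re.compile(r"3DES"),
    "enc-algo-rc4":         re.compile(r"RC4"),
    "enc-algo-aes-128-cbc": re.compile(r"AES_128_CBC"),
    "enc-algo-aes-128-gcm": re.compile(r"AES_128_GCM"),
    "enc-algo-aes-256-cbc": re.compile(r"AES_256_CBC"),
    "keyxchg-algo-rsa":     re.compile(r"^TLS_RSA_WITH"),  # static RSA key exchange
}
PROTO_LINE = re.compile(r"^\|\s+(SSLv3|TLSv1\.[0-3]):")
CIPHER_LINE = re.compile(r"^\|\s+(TLS_\S+)\s+\(")

# Constructed sample of ssl-enum-ciphers output (not captured from a real device).
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
"""

def parse_ssl_enum_ciphers(output):
    """Return {protocol: [cipher names]} from ssl-enum-ciphers text."""
    result, proto = {}, None
    for line in output.splitlines():
        if m := PROTO_LINE.match(line):
            proto = m.group(1)
            result.setdefault(proto, [])
        elif (m := CIPHER_LINE.match(line)) and proto:
            result[proto].append(m.group(1))
    return result

def findings(output):
    """(protocol, cipher, option) triples the hardened profile should have removed."""
    out = []
    for proto, ciphers in parse_ssl_enum_ciphers(output).items():
        if proto in ("SSLv3", "TLSv1.0", "TLSv1.1"):   # below the recommended minimum
            out.append((proto, "*", "min-version below TLS 1.2"))
        out += [(proto, c, opt) for c in ciphers
                for opt, pat in WEAK_PATTERNS.items() if pat.search(c)]
    return out

def options_to_disable(output):
    # Profile options still needing 'no', derived from what the server offers.
    return sorted({opt for _, _, opt in findings(output) if opt in WEAK_PATTERNS})
```

Feed it the saved output of the nmap command and compare ''options_to_disable'' against the ''set ... no'' options you committed; anything returned is still being offered.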
===== Secure SSH Encryption on Management Interface =====
The following will help enhance the SSH security on a Palo Alto Networks firewall.

**Note**: PuTTY requires either CBC or CTR ciphers, so for PuTTY to work you need at least one CBC cipher or at least one CTR cipher enabled.

This applies to firewalls and Panorama management.
From [[https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PN5bCAG|here]].
<code>configure
delete deviceconfig system ssh
set deviceconfig system ssh ciphers mgmt aes256-ctr
set deviceconfig system ssh ciphers mgmt aes256-gcm
set deviceconfig system ssh default-hostkey mgmt key-type ECDSA 256
set deviceconfig system ssh regenerate-hostkeys mgmt key-type ECDSA key-length 256
set deviceconfig system ssh session-rekey mgmt interval 3600
set deviceconfig system ssh mac mgmt hmac-sha2-256
set deviceconfig system ssh mac mgmt hmac-sha2-512</code>

A longer list, which also allows the CBC and CTR variants:
<code>configure
set deviceconfig system ssh ciphers mgmt aes128-cbc
set deviceconfig system ssh ciphers mgmt aes192-cbc
set deviceconfig system ssh ciphers mgmt aes256-cbc

set deviceconfig system ssh ciphers mgmt aes128-ctr
set deviceconfig system ssh ciphers mgmt aes192-ctr
set deviceconfig system ssh ciphers mgmt aes256-ctr

set deviceconfig system ssh ciphers mgmt aes128-gcm
set deviceconfig system ssh ciphers mgmt aes256-gcm</code>

  * aes128-cbc   AES 128 bit cipher with Cipher Block Chaining
  * aes192-cbc   AES 192 bit cipher with Cipher Block Chaining
  * aes256-cbc   AES 256 bit cipher with Cipher Block Chaining
  * aes128-ctr   AES 128 bit cipher with Counter Mode
  * aes192-ctr   AES 192 bit cipher with Counter Mode
  * aes256-ctr   AES 256 bit cipher with Counter Mode
  * aes128-gcm   AES 128 bit cipher with GCM
  * aes256-gcm   AES 256 bit cipher with GCM

After setting the cipher suite, restart the management SSH service with the following command. Alternatively, type ''exit'' to leave configuration mode and run the same command without the leading ''run''.
<code>run set ssh service-restart mgmt</code>
===== Test SSH with Nmap =====
<code>nmap --script ssh2-enum-algos -sV -p 22 10.1.1.1</code>
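An added example, not from the original page or from the vendor's KB article, showing what the ''ssh2-enum-algos'' scan is reading: the server's SSH_MSG_KEXINIT message (RFC 4253). It builds and parses a KEXINIT packet and reports any advertised cipher or MAC that the first (shorter) SSH configuration above should no longer offer. The server name-lists are constructed, and the assumption that PAN-OS advertises ''aes256-gcm'' under the OpenSSH wire name ''aes256-gcm@openssh.com'' is mine.

```python
import os
import struct
SSH_MSG_KEXINIT = 20
# The ten name-lists of KEXINIT, in wire order (RFC 4253 section 7.1).
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
# Hardened set from the shorter config above; aes256-gcm assumed to use the OpenSSH wire name.
ALLOWED_CIPHERS = {"aes256-ctr", "aes256-gcm@openssh.com"}
ALLOWED_MACS = {"hmac-sha2-256", "hmac-sha2-512"}

# Constructed sample: a server that still offers a CBC cipher and HMAC-SHA1.
SAMPLE_LISTS = {
    "kex": ["ecdh-sha2-nistp256"], "hostkey": ["ecdsa-sha2-nistp256"],
    "enc_c2s": ["aes128-cbc", "aes256-ctr", "aes256-gcm@openssh.com"],
    "enc_s2c": ["aes128-cbc", "aes256-ctr", "aes256-gcm@openssh.com"],
    "mac_c2s": ["hmac-sha1", "hmac-sha2-256"], "mac_s2c": ["hmac-sha2-512"],
    "comp_c2s": ["none"], "comp_s2c": ["none"], "lang_c2s": [], "lang_s2c": [],
}
def _name_list(names):
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data

def build_kexinit(lists, cookie=b"\x00" * 16):
    """Wrap a KEXINIT payload in an unencrypted SSH binary packet (RFC 4253 section 6)."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    payload += b"".join(_name_list(lists[f]) for f in FIELDS)
    payload += b"\x00" + struct.pack(">I", 0)   # first_kex_packet_follows, reserved
    pad = 8 - (5 + len(payload)) % 8             # total length multiple of 8, pad >= 4
    pad += 8 if pad < 4 else 0
    body = bytes([pad]) + payload + os.urandom(pad)
    return struct.pack(">I", len(body)) + body

def parse_kexinit(packet):
    """Return the ten KEXINIT name-lists as {field: [names]}."""
    (length,) = struct.unpack(">I", packet[:4])
    payload = packet[5:4 + length - packet[4]]   # strip length, pad length, padding
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos, lists = 17, {}                          # skip message byte and 16-byte cookie
    for f in FIELDS:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + n].decode("ascii")
        lists[f] = raw.split(",") if raw else []
        pos += 4 + n
    return lists

def disallowed(lists):
    # Advertised ciphers/MACs that the hardened configuration should no longer offer.
    allowed = {"enc_c2s": ALLOWED_CIPHERS, "enc_s2c": ALLOWED_CIPHERS,
               "mac_c2s": ALLOWED_MACS, "mac_s2c": ALLOWED_MACS}
    return {f: [a for a in lists[f] if a not in ok] for f, ok in allowed.items()}
```

Against a live device you would read the KEXINIT that follows the version-string exchange and pass it to ''parse_kexinit''; an empty result from ''disallowed'' means the restart took effect.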
===== Self-Signed Elliptic Curve Certificates =====
Be careful when using Elliptic Curve (EC) certificates for the management interface of a PAN-OS device (tested up to PAN-OS 9.0).
  * If you generate and use a self-signed EC certificate for the management interface, your browser will probably refuse to connect.