Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
paloaltonetworks:configuration:certificates [2020/05/19 05:48] – [Secure SSH Encryption on Management Interface] bstaffordpaloaltonetworks:configuration:certificates [2022/11/23 12:49] (current) – external edit 127.0.0.1
Line 1: Line 1:
 ====== Certificates ====== ====== Certificates ======
 +You can test ciphers being used with the following
 +<code>nmap --script ssl-enum-ciphers -p 443 1.2.3.4</code>
 +===== Free Certificates with Lets Encrypt =====
 +You can get free certificates for Palo Alto Networks devices using Lets Encrypt.
 +
 +Details are [[networking:ssl_certificate_lets_encrypt|here]].
 +===== Certificate Chains =====
 +If you have a publicly signed certificate for GlobalProtect, make sure that the certificate file starts with server public certificate and then has the intermediate and lastly has the root certificate of the chain.
 ===== Secure SSL Ciphers ===== ===== Secure SSL Ciphers =====
-When using SSL Certificate Profiles for managment interfaces, GlobalProtect Portals, etc, you can set the minimum TLS version. It is recommended to set TLS 1.2+.+When using SSL Certificate Profiles for management interfaces, GlobalProtect Portals, etc, you can set the minimum TLS version. It is recommended to set TLS 1.2+.
  
-You can also restrict certain ciphers uing the CLI. Replace ''shared'' with ''panorama'' if you are running this on Panorama rather than a firewall.+You can also restrict certain ciphers using the CLI. Replace ''shared'' with ''panorama'' if you are running this on Panorama rather than a firewall.
  
 For Firewall local config: For Firewall local config:
-<code>set shared ssl-tls-service-profile SERVICE_PROFILE_NAME protocol-settings auth-algo-sha1 no enc-algo-3des no enc-algo-rc4 no enc-algo-aes-128-cbc no enc-algo-aes-128-gcm no enc-algo-aes-256-cbc no</code> +<code>set shared ssl-tls-service-profile SERVICE_PROFILE_NAME protocol-settings auth-algo-sha1 no enc-algo-3des no enc-algo-rc4 no enc-algo-aes-128-cbc no enc-algo-aes-128-gcm no enc-algo-aes-256-cbc no keyxchg-algo-rsa no</code> 
-For Panorama managment:+For Panorama management:
 <code>set panorama ssl-tls-service-profile SERVICE_PROFILE_NAME protocol-settings auth-algo-sha1 no enc-algo-3des no enc-algo-rc4 no enc-algo-aes-128-cbc no enc-algo-aes-128-gcm no enc-algo-aes-256-cbc no</code> <code>set panorama ssl-tls-service-profile SERVICE_PROFILE_NAME protocol-settings auth-algo-sha1 no enc-algo-3des no enc-algo-rc4 no enc-algo-aes-128-cbc no enc-algo-aes-128-gcm no enc-algo-aes-256-cbc no</code>
 For Panorama templates: For Panorama templates:
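Review bot: The `keyxchg-algo-rsa no` added to the firewall command (`set shared ssl-tls-service-profile ...`) is missing from the Panorama command on the next line, so the two profiles would end up with different key-exchange settings; add `keyxchg-algo-rsa no` to the `set panorama ...` line as well if the intent is the same policy on both. The text should also make clear that these commands only switch off the listed algorithms (SHA-1 auth, 3DES, RC4, AES-128-CBC, AES-128-GCM, AES-256-CBC and RSA key exchange) and leave everything else the profile offers enabled, so the `nmap --script ssl-enum-ciphers` check at the top of the page is how to confirm what the device actually negotiates after the change.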
Line 32: Line 40:
 **Note**: PuTTY requires either the CBC or CRT ciphers. So, for PuTTY to work, you need at least once CBT or at least one CRT cipher **Note**: PuTTY requires either the CBC or CRT ciphers. So, for PuTTY to work, you need at least once CBT or at least one CRT cipher
 This is for firewalls and Panorama management. This is for firewalls and Panorama management.
 +From [[https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PN5bCAG|here]].
 <code>configure <code>configure
-set deviceconfig system ssh ciphers mgmt aes256-cbc +delete deviceconfig system ssh 
-set deviceconfig system ssh ciphers mgmt aes256-gcm</code>+set deviceconfig system ssh ciphers mgmt aes256-ctr 
 +set deviceconfig system ssh ciphers mgmt aes256-gcm 
 +set deviceconfig system ssh default-hostkey mgmt key-type ECDSA 256 
 +set deviceconfig system ssh regenerate-hostkeys mgmt key-type ECDSA key-length 256 
 +set deviceconfig system ssh session-rekey mgmt interval 3600 
 +set deviceconfig system ssh mac mgmt hmac-sha2-256 
 +set deviceconfig system ssh mac mgmt hmac-sha2-512</code>
  
 Longer list Longer list
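Review bot: `delete deviceconfig system ssh` removes the whole SSH subtree, not just the two old `ciphers mgmt` lines it replaces, so any other settings previously configured under it are lost; suggest reviewing it first with `show deviceconfig system ssh` in configure mode, or narrowing the delete to `deviceconfig system ssh ciphers mgmt`. The `regenerate-hostkeys` line changes the device host key, so every SSH client that has connected before will get a host-key-changed warning; the text should tell the reader to read the new fingerprint from the console and verify it instead of accepting the new key unseen. The unchanged **Note** line still says "CRT" and "at least once CBT" where it means CTR and CBC; worth fixing in a follow-up, since the new cipher list (`aes256-ctr`, `aes256-gcm`) only makes sense to the reader once the PuTTY requirement is stated correctly.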
Line 60: Line 75:
 After setting the cipher suite, you will need to run the following command. Or, you can type ''exit'' and then run the above command without the 'run' at the start. After setting the cipher suite, you will need to run the following command. Or, you can type ''exit'' and then run the above command without the 'run' at the start.
 <code>run set ssh service-restart mgmt</code> <code>run set ssh service-restart mgmt</code>
 +===== Test SSH NMAP =====
 +<code>nmap --script ssh2-enum-algos -sV -p 22 10.1.1.1</code>
 +
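Review bot: `run set ssh service-restart mgmt` restarts the management SSH daemon, so the session issuing it (and any other SSH session) drops; the text should say to keep console or web UI access available and reconnect afterward. The new "Test SSH NMAP" section should be tied to the cipher, MAC and key-exchange lists above as the verification step: after the restart, the `ssh2-enum-algos` output should list only `aes256-ctr` and `aes256-gcm` as encryption algorithms and only `hmac-sha2-256` and `hmac-sha2-512` as MACs, and anything extra means the configuration was not committed or did not apply.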
  
  
paloaltonetworks/configuration/certificates.1589867299.txt.gz · Last modified: (external edit)