paloaltonetworks:configuration:certificates

Differences

paloaltonetworks:configuration:certificates [2020/09/25 09:40] – [Secure SSL Ciphers] bstafford
paloaltonetworks:configuration:certificates [2022/11/23 12:49] (current) – external edit 127.0.0.1
Line 1: Line 1:
 ====== Certificates ====== ====== Certificates ======
-You can test ciphers being used with the foloowing+You can test ciphers being used with the following
 <code>nmap --script ssl-enum-ciphers -p 443 1.2.3.4</code> <code>nmap --script ssl-enum-ciphers -p 443 1.2.3.4</code>
 +===== Free Certificates with Lets Encrypt =====
 +You can get free certificates for Palo Alto Networks devices using Lets Encrypt.
 +
 +Details are [[networking:ssl_certificate_lets_encrypt|here]].
 ===== Certificate Chains ===== ===== Certificate Chains =====
 If you have a publicly signed certificate for GlobalProtect, make sure that the certificate file starts with server public certificate and then has the intermediate and lastly has the root certificate of the chain. If you have a publicly signed certificate for GlobalProtect, make sure that the certificate file starts with server public certificate and then has the intermediate and lastly has the root certificate of the chain.
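Review bot: the new heading and its first sentence spell the CA's name "Lets Encrypt"; the proper noun is "Let's Encrypt", so the heading should read "Free Certificates with Let's Encrypt" and the sentence "...using Let's Encrypt." The "foloowing" to "following" fix is correct. The unchanged certificate-chain sentence is also missing an article and would read better as "starts with the server public certificate, then the intermediate, and lastly the root certificate of the chain"; the order it gives (leaf, intermediate, root) is the one GlobalProtect expects.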
Line 36: Line 40:
 **Note**: PuTTY requires either the CBC or CRT ciphers. So, for PuTTY to work, you need at least once CBT or at least one CRT cipher **Note**: PuTTY requires either the CBC or CRT ciphers. So, for PuTTY to work, you need at least once CBT or at least one CRT cipher
 This is for firewalls and Panorama management. This is for firewalls and Panorama management.
 +From [[https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PN5bCAG|here]].
 <code>configure <code>configure
-set deviceconfig system ssh ciphers mgmt aes256-cbc +delete deviceconfig system ssh 
-set deviceconfig system ssh ciphers mgmt aes256-gcm</code>+set deviceconfig system ssh ciphers mgmt aes256-ctr 
 +set deviceconfig system ssh ciphers mgmt aes256-gcm 
 +set deviceconfig system ssh default-hostkey mgmt key-type ECDSA 256 
 +set deviceconfig system ssh regenerate-hostkeys mgmt key-type ECDSA key-length 256 
 +set deviceconfig system ssh session-rekey mgmt interval 3600 
 +set deviceconfig system ssh mac mgmt hmac-sha2-256 
 +set deviceconfig system ssh mac mgmt hmac-sha2-512</code>
  
 Longer list Longer list
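Review bot: `delete deviceconfig system ssh` at the top of the new block removes everything configured under that node, not only the cipher list, before the new values are set; that is fine for a fresh hardening pass but silently discards any existing ssh settings, so the text should say that is intended. Two caveats the block should carry: `regenerate-hostkeys` replaces the management host key, so every SSH client that has the old key cached will get a host-key-changed warning and the new ECDSA fingerprint needs to be verified out of band; and the block sets ciphers and MACs but no key-exchange algorithms, so the kex list is left at its default. Separately, the unchanged PuTTY note above the block keeps its typos: "CRT" should be "CTR", "CBT" should be "CBC", and "at least once CBT" should be "at least one CBC". With aes256-cbc dropped and aes256-ctr added, PuTTY still connects over CTR, which matches the note once it is corrected.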
Line 64: Line 75:
 After setting the cipher suite, you will need to run the following command. Or, you can type ''exit'' and then run the above command without the 'run' at the start. After setting the cipher suite, you will need to run the following command. Or, you can type ''exit'' and then run the above command without the 'run' at the start.
 <code>run set ssh service-restart mgmt</code> <code>run set ssh service-restart mgmt</code>
 +===== Test SSH NMAP =====
 +<code>nmap --script ssh2-enum-algos -sV -p 22 10.1.1.1</code>
 +
  
  
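Review bot: nothing in this hunk or the previous one shows a `commit` between the configure-mode `set` lines and `run set ssh service-restart mgmt`; on PAN-OS those `set` lines only change the candidate configuration until committed, so without a `commit` the restart brings the service back with the old cipher settings. It is also worth stating that the restart drops existing SSH sessions to the management interface, including the one issuing the command, so have console or web UI access available. The new "Test SSH NMAP" heading would read more naturally as "Test SSH with Nmap", and the `ssh2-enum-algos` scan has to be run from a host that is allowed to reach port 22 on the management interface, otherwise it reports nothing useful.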
paloaltonetworks/configuration/certificates.1601026825.txt.gz · Last modified: (external edit)