Certificates
Secure SSL Ciphers
When you attach an SSL/TLS Service Profile to a management interface, a GlobalProtect portal or gateway, and so on, you can set the minimum TLS version in that profile. Set it to TLS 1.2 or higher.
You can also disable individual ciphers and hash algorithms from the CLI. Replace shared with panorama if you run the command on Panorama itself rather than on a firewall.
For Firewall local config:
set shared ssl-tls-service-profile SERVICE_PROFILE_NAME protocol-settings auth-algo-sha1 no enc-algo-3des no enc-algo-rc4 no enc-algo-aes-128-cbc no enc-algo-aes-128-gcm no enc-algo-aes-256-cbc no
For Panorama management:
set panorama ssl-tls-service-profile SERVICE_PROFILE_NAME protocol-settings auth-algo-sha1 no enc-algo-3des no enc-algo-rc4 no enc-algo-aes-128-cbc no enc-algo-aes-128-gcm no enc-algo-aes-256-cbc no
For Panorama templates:
set template TEMPLATE_NAME config shared ssl-tls-service-profile SERVICE_PROFILE_NAME protocol-settings auth-algo-sha1 no enc-algo-3des no enc-algo-rc4 no enc-algo-aes-128-cbc no enc-algo-aes-128-gcm no enc-algo-aes-256-cbc no
The full option list is below. Each option is enabled unless it is set to no, so the commands above leave AES-256-GCM for encryption, SHA-256/SHA-384 for authentication and all three key-exchange methods:
- auth-algo-sha1 Allow authentication SHA1
- auth-algo-sha256 Allow authentication SHA256
- auth-algo-sha384 Allow authentication SHA384
- enc-algo-3des Allow algorithm 3DES
- enc-algo-aes-128-cbc Allow algorithm AES-128-CBC
- enc-algo-aes-128-gcm Allow algorithm AES-128-GCM
- enc-algo-aes-256-cbc Allow algorithm AES-256-CBC
- enc-algo-aes-256-gcm Allow algorithm AES-256-GCM
- enc-algo-rc4 Allow algorithm RC4
- keyxchg-algo-dhe Allow algorithm DHE
- keyxchg-algo-ecdhe Allow algorithm ECDHE
- keyxchg-algo-rsa Allow algorithm RSA
Secure SSH Encryption on Management Interface
The following restricts the SSH ciphers accepted on the management interface of a Palo Alto Networks firewall. It applies to both firewalls and Panorama.
Note: PuTTY requires at least one CBC or one CTR cipher. If you remove all CBC and CTR ciphers, PuTTY will not be able to connect, so keep at least one of them if you rely on it. Check which ciphers your other SSH clients support before committing a shorter list.
configure
set deviceconfig system ssh ciphers mgmt aes256-cbc
set deviceconfig system ssh ciphers mgmt aes256-gcm
Longer list (each cipher is added with its own set command):
configure
set deviceconfig system ssh ciphers mgmt aes128-cbc
set deviceconfig system ssh ciphers mgmt aes192-cbc
set deviceconfig system ssh ciphers mgmt aes256-cbc
set deviceconfig system ssh ciphers mgmt aes128-ctr
set deviceconfig system ssh ciphers mgmt aes192-ctr
set deviceconfig system ssh ciphers mgmt aes256-ctr
set deviceconfig system ssh ciphers mgmt aes128-gcm
set deviceconfig system ssh ciphers mgmt aes256-gcm
- aes128-cbc AES 128 bit cipher with Cipher Block Chaining
- aes192-cbc AES 192 bit cipher with Cipher Block Chaining
- aes256-cbc AES 256 bit cipher with Cipher Block Chaining
- aes128-ctr AES 128 bit cipher with Counter Mode
- aes192-ctr AES 192 bit cipher with Counter Mode
- aes256-ctr AES 256 bit cipher with Counter Mode
- aes128-gcm AES 128 bit cipher with GCM
- aes256-gcm AES 256 bit cipher with GCM
The new cipher list only takes effect after you commit the change and restart the management SSH service. From configuration mode, run the command below; alternatively, type exit to return to operational mode and run it without the leading run. Expect existing SSH sessions, including your own, to be dropped by the restart.
run set ssh service-restart mgmt
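An added example, not part of the original page, that checks the two settings covered above after the commit: a shell function that audits a set-format configuration export for SSL/TLS service profiles that still allow the weak options and for management SSH ciphers that still use CBC. It reads the output of `set cli config-output-format set` followed by `show`, and assumes that each profile option is rendered on its own line and that a multi-member cipher list is rendered as `[ a b c ]`; the sample configuration is constructed for this example and its profile and template names are made up.

```shell
#!/bin/sh
# audit_panos_config: read PAN-OS set-format configuration on stdin and print one
# finding per line for TLS service profiles and management SSH ciphers that are
# weaker than the settings above. No output means nothing to fix.
audit_panos_config() {
  awk '
    # TLS service profile option lines: firewall/Panorama form and template form.
    /^set (template [^ ]+ config )?(shared|panorama) ssl-tls-service-profile [^ ]+ protocol-settings [^ ]+ [^ ]+$/ {
      name = $0
      sub(/.*ssl-tls-service-profile /, "", name); sub(/ .*/, "", name)
      profiles[name] = 1
      setting[name, $(NF-1)] = $NF
      next
    }
    # Management SSH cipher list; assumed to be rendered as "[ a b c ]" for
    # several members and as a bare word for a single one.
    /^set deviceconfig system ssh ciphers mgmt / {
      sub(/^set deviceconfig system ssh ciphers mgmt /, "")
      gsub(/\[/, ""); gsub(/\]/, "")
      n = split($0, c, " ")
      for (i = 1; i <= n; i++) ciphers[++nc] = c[i]
      next
    }
    END {
      # The options the commands above turn off; anything not explicitly "no" is reported.
      nweak = split("auth-algo-sha1 enc-algo-3des enc-algo-rc4 enc-algo-aes-128-cbc enc-algo-aes-256-cbc", weak, " ")
      for (name in profiles) {
        v = setting[name, "min-version"]
        if (v == "") print name ": min-version not explicitly set"
        else if (v != "tls1-2" && v != "tls1-3") print name ": min-version " v " below tls1-2"
        for (i = 1; i <= nweak; i++) {
          v = setting[name, weak[i]]
          if (v == "yes") print name ": " weak[i] " enabled"
          else if (v != "no") print name ": " weak[i] " not explicitly disabled"
        }
      }
      legacy = 0
      for (i = 1; i <= nc; i++) {
        if (ciphers[i] ~ /-cbc$/) print "ssh: " ciphers[i] " uses CBC mode"
        if (ciphers[i] ~ /-(cbc|ctr)$/) legacy = 1
      }
      if (nc > 0 && !legacy) print "ssh: no CBC or CTR cipher; PuTTY may not connect (see note above)"
    }' | sort
}

# Constructed sample of set-format output; profile and template names are made up.
SAMPLE_CONFIG='set shared ssl-tls-service-profile MGMT-TLS certificate mgmt-cert
set shared ssl-tls-service-profile MGMT-TLS protocol-settings min-version tls1-0
set shared ssl-tls-service-profile MGMT-TLS protocol-settings auth-algo-sha1 yes
set shared ssl-tls-service-profile MGMT-TLS protocol-settings enc-algo-3des yes
set shared ssl-tls-service-profile MGMT-TLS protocol-settings enc-algo-rc4 no
set shared ssl-tls-service-profile GP-TLS certificate gp-cert
set shared ssl-tls-service-profile GP-TLS protocol-settings min-version tls1-2
set shared ssl-tls-service-profile GP-TLS protocol-settings auth-algo-sha1 no
set shared ssl-tls-service-profile GP-TLS protocol-settings enc-algo-3des no
set shared ssl-tls-service-profile GP-TLS protocol-settings enc-algo-rc4 no
set shared ssl-tls-service-profile GP-TLS protocol-settings enc-algo-aes-128-cbc no
set shared ssl-tls-service-profile GP-TLS protocol-settings enc-algo-aes-256-cbc no
set template BRANCH-TPL config shared ssl-tls-service-profile BRANCH-TLS protocol-settings min-version tls1-2
set template BRANCH-TPL config shared ssl-tls-service-profile BRANCH-TLS protocol-settings auth-algo-sha1 no
set template BRANCH-TPL config shared ssl-tls-service-profile BRANCH-TLS protocol-settings enc-algo-3des no
set template BRANCH-TPL config shared ssl-tls-service-profile BRANCH-TLS protocol-settings enc-algo-aes-128-cbc no
set template BRANCH-TPL config shared ssl-tls-service-profile BRANCH-TLS protocol-settings enc-algo-aes-256-cbc no
set deviceconfig system ssh ciphers mgmt [ aes128-cbc aes256-ctr aes256-gcm ]'

# Seven findings for the sample: MGMT-TLS is reported five times, BRANCH-TLS once
# for the RC4 option it never disabled, and the SSH list once for aes128-cbc.
printf '%s\n' "$SAMPLE_CONFIG" | audit_panos_config
```

Run it against a real export with `ssh admin@firewall 'set cli config-output-format set' ...` or simply paste the `show` output into a file and pipe that file in. Options that were never set are reported as "not explicitly disabled" rather than assumed safe, so a clean run means every weak option is pinned to no in the configuration itself.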
Self-Signed Elliptic Curve Certificates
Be careful with Elliptic Curve (EC) certificates on the management interface of a PAN-OS device (tested up to PAN-OS 9.0).
- If you generate a self-signed EC certificate and use it for the management interface, your browser will probably refuse to connect.
- The management certificate has to be signed by a certificate authority (RSA or EC) that your browser trusts. One option is to generate a CA certificate on the firewall, import it into your clients' trust store, and use that CA certificate to sign a new certificate for the management interface.
If you enforce certificate validation for LDAPS, make sure that the server name in the LDAP server profile matches the Common Name (or a Subject Alternative Name) on the LDAP server's certificate. LDAP profiles are often configured with IP addresses, but you may have to use the FQDN of the LDAP server instead, since that is what the certificate will usually carry. The root CA of the trust chain also appears to have to be present on the firewall, though not necessarily marked as a trusted root CA.
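An added example, not part of the original page and not the firewall's own certificate generator: the CA-signed EC certificate flow from the two sections above done with openssl on a workstation, followed by the checks that a browser (chain trust, name or IP in the SAN) and an LDAPS-validating client (FQDN versus IP) perform. The CA name, hostnames and addresses are made up, and it needs openssl 1.1.1 or newer.

```shell
#!/bin/sh
# Private EC CA plus CA-signed EC server certificates, checked the way a browser
# (chain trust, name or IP in the SAN) and an LDAPS client (FQDN versus IP) do.
# Names and addresses below are made up; needs openssl 1.1.1 or newer.
set -e

WORK=$(mktemp -d)
CA_CN="Lab Root CA"             # made-up CA name
MGMT_FQDN="fw01.lab.example"    # made-up management-interface name
MGMT_IP="192.0.2.10"            # made-up address (documentation range)
LDAP_FQDN="ldap01.lab.example"  # made-up directory-server name
LDAP_IP="192.0.2.20"

gen_ec_key() {  # P-256 private key in PKCS#8 PEM
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null
}

make_ec_ca() {
  gen_ec_key "$WORK/ca.key"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$WORK/ca.ext"
  openssl req -new -key "$WORK/ca.key" -subj "/CN=$CA_CN" -out "$WORK/ca.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -sha256 -days 3650 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_cert <label> <CN> <subjectAltName value>: a leaf signed by the CA.
# Browsers match the name against the SAN and ignore the CN; OpenSSL falls back
# to the CN only when the certificate carries no DNS SAN at all.
issue_cert() {
  gen_ec_key "$WORK/$1.key"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n' "$3" > "$WORK/$1.ext"
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -sha256 -days 825 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Chain check against our CA only, plus the name or address a client would
# present. Exit status 0 means such a client would accept the certificate.
verify_hostname() {
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$WORK/$1.crt" >/dev/null 2>&1
}
verify_ip() {
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/ca.crt" -verify_ip "$2" "$WORK/$1.crt" >/dev/null 2>&1
}
# The same leaf with no CA in the trust store: what a browser sees when the
# firewall presents a self-signed certificate.
verify_untrusted() {
  openssl verify -no-CAfile -no-CApath "$WORK/$1.crt" >/dev/null 2>&1
}

make_ec_ca
issue_cert mgmt "$MGMT_FQDN" "DNS:$MGMT_FQDN,IP:$MGMT_IP"
issue_cert ldap "$LDAP_FQDN" "DNS:$LDAP_FQDN"   # directory servers rarely carry an IP SAN

report() { if "$@"; then echo "$*: accepted"; else echo "$*: rejected"; fi; }
report verify_untrusted mgmt                   # rejected: issuer is not trusted
report verify_hostname mgmt "$MGMT_FQDN"       # accepted
report verify_ip mgmt "$MGMT_IP"               # accepted: the IP is in the SAN
report verify_hostname ldap "$LDAP_FQDN"       # accepted
report verify_ip ldap "$LDAP_IP"               # rejected: profile by IP, certificate by FQDN
echo "Key material left in $WORK"
```

To use the result, import ca.crt into the trust store of the clients that reach the management interface and mgmt.crt with mgmt.key into the firewall's SSL/TLS Service Profile. The last check is the LDAPS situation from the paragraph above: a server certificate issued for the FQDN only is rejected when the profile addresses the server by IP, and the fix is to put the FQDN into the LDAP profile rather than to weaken validation.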
