A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances.
Which profile should be configured in order to achieve this?
To manage the specific set of ciphers for remote management of Palo Alto Networks appliances, you should configure an SSH Service profile. This profile allows you to add and restrict the ciphers, message authentication codes, and key exchange algorithms that the profile will support, thereby enhancing security. Options such as the SSL/TLS Service profile focus more on defining protocol versions rather than specific ciphers, which aligns better with broader SSL/TLS applications rather than the specific requirement of cipher management.
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/configure-an-ssh-service-profile
For GUI (typical option)... SSL/TLS Service Profile; ciphers can be set on CLI... B is correct. For CLI... SSH Service Profile... C is correct. Confusing question.
SSL/TLS profile is only the TLS versions, not ciphers. Decryption Profile is for SSL Inbound and Forward Proxy applications, not mgmt of the PANW Firewall. There are also KB articles to strengthen SSH, but I couldn't find any for HTTPS, on the mgmt interface: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004OOQCA2&lang=en_US So it seems C is the winner.
Looking at both options on a FW, only the SSH Service Profile has an option for ciphers.
Go to Device >> Certificate Management >> SSH Service Profile >> Add the ciphers, message authentication codes, or key exchange algorithms the profile will support. So it's C
I'm taking B; you can restrict ciphers from CLI...
B. You can use a profile to restrict the cipher suites that are available for securing communication with the clients requesting the services. This improves network security by enabling the firewall or Panorama to avoid SSL/TLS versions that have known weaknesses.
They are correct. It should be C.
I think it is B; I don't know anyone that is going to manage the FWs via SSH (which is option C).
Changing this to C after further review. You cannot specify ciphers on an SSL/TLS profile, only versions of TLS, so to meet the question requirements it will need to be managed via SSH.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/configure-an-ssh-service-profile Step 4. (Optional) Add the ciphers, message authentication codes, or key exchange algorithms the profile will support.
"use SSL/TLS service profiles...defining the protocol versions, you can use a profile to RESTRICT THE CIPHER SUITES that are available for securing communication with the clients requesting the services. This improves network security by enabling the firewall or Panorama to avoid SSL/TLS versions that have known weaknesses."
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/configure-an-ssltls-service-profile
Further on this, in Best Practices for Securing Administrative Access there are mentions of both SSH and HTTPS, but this text seems possibly relevant to this question (in support of C): "...in the SSL/TLS profile, set the Min version to TLSv1.2 so you use the strongest protocol and set the Max version to Max so that you continue to use the strongest protocol as stronger versions become available." https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/getting-started/best-practices-for-securing-administrative-access#id1817C0G205Q
Correction: I meant in support of B, not C. There is no similar recommendation in the best practices doc for SSH ciphers. I'll stick with B on this.
I agree with C; for TLS/SSL you need to configure certs etc. rather than encryption protocols.
Certs provide authentication, and then encryption protocols are used to provide confidentiality and integrity, using ciphers. https://www.ibm.com/docs/en/ibm-mq/9.1?topic=tls-how-provides-identification-authentication-confidentiality-integrity
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmqeCAC
Could be either B or C, as both are for remotely managing. Maybe B is better, as day-to-day will usually be via HTTPS?

HTTPS (B): "Palo Alto Networks firewalls and Panorama use SSL/TLS service profiles to specify a certificate and the allowed protocol versions for SSL/TLS services. The firewall and Panorama use SSL/TLS for Captive Portal, GlobalProtect portals and gateways, inbound traffic on the management (MGT) interface, the URL Admin Override feature, and the User-ID™ syslog listening service. By defining the protocol versions, you can use a profile to restrict the cipher suites that are available for securing communication with the clients requesting the services."

SSH (C): "By default, SSH supports all ciphers, key exchange algorithms, and message authentication codes, which leaves your connection vulnerable to attack. With an SSH service profile, you can restrict the algorithms your SSH server supports." https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/configure-an-ssh-service-profile
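An added verification script, not from this thread and not Palo Alto Networks code, for confirming that an SSH Service profile actually took effect on the MGT interface: it reads the server's SSH_MSG_KEXINIT (RFC 4253 section 7.1), splits out the advertised key exchange, cipher and MAC name-lists, and reports anything outside an operator-supplied allow-list. The host, port, and allow-list are assumptions; the sample KEXINIT used offline is constructed here via `build_kexinit`.

```python
import socket
import struct

SSH_MSG_KEXINIT = 20  # RFC 4253 section 7.1
NAME_LISTS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_kexinit(payload: bytes) -> dict:
    """Split a KEXINIT payload into its ten comma-separated name-lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, fields = 17, {}  # skip the 1-byte message id and 16-byte cookie
    for name in NAME_LISTS:
        length = int.from_bytes(payload[pos:pos + 4], "big")
        raw = payload[pos + 4:pos + 4 + length].decode("ascii")
        fields[name] = raw.split(",") if raw else []
        pos += 4 + length
    return fields

def build_kexinit(lists: dict) -> bytes:
    """Encode name-lists as a KEXINIT payload (used only to construct offline sample input)."""
    out = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # message id + zero cookie
    for name in NAME_LISTS:
        s = ",".join(lists.get(name, [])).encode("ascii")
        out += len(s).to_bytes(4, "big") + s
    return out + b"\x00" + b"\x00" * 4  # first_kex_packet_follows = 0, reserved uint32

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection during key exchange")
        buf += chunk
    return buf

def fetch_server_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Connect to an SSH server (assumed host/port), exchange id strings, return its KEXINIT payload."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        line = b""
        while not line.endswith(b"\n"):  # server identification string, e.g. SSH-2.0-...
            line += _recv_exact(s, 1)
        s.sendall(b"SSH-2.0-cipher_audit\r\n")
        packet_len, pad_len = struct.unpack(">IB", _recv_exact(s, 5))  # length + padding_length
        body = _recv_exact(s, packet_len - 1)  # payload + padding; no MAC before key exchange
        return body[:packet_len - 1 - pad_len]

def audit(fields: dict, allowed: dict) -> dict:
    """Per name-list in `allowed`, return the algorithms the server offers that policy does not permit."""
    return {k: [a for a in fields[k] if a not in allowed[k]] for k in allowed}
```

Run `audit(parse_kexinit(fetch_server_kexinit("MGT_IP_PLACEHOLDER")), policy)` against the appliance before and after applying the profile; an empty list for every key means only the profile's algorithms are advertised.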