Focus

Configure an SSH Service Profile

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
AIOps
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

Configure an SSL/TLS Service Profile

Replace the Certificate for Inbound Management Traffic

Configure an SSH Service Profile

Create a profile to disable weak SSH ciphers and algorithms and define rekey thresholds, hardening SSH connections to your management and HA appliances.

SSH service profiles enable you to customize SSH parameters to enhance the security and integrity of SSH connections to your Palo Alto Networks management and high availability (HA) appliances. By default, SSH supports all ciphers, key exchange algorithms, and message authentication codes, which leaves your connection vulnerable to attack. With an SSH service profile, you can restrict the algorithms your SSH server supports. You can also generate a new host key and specify data volume, time, and packet-based thresholds for SSH session key regeneration and exchange.

Depending on the SSH server instance, configure either a management or HA SSH service profile. You can configure profiles from the firewall or Panorama™ web interface (if applying settings across multiple firewalls or appliances) or the CLI.

You can configure a maximum of four management and four HA server profiles.

To use the same SSH connection settings for each Dedicated Log Collector (M-series or Panorama virtual appliance in Log Collector mode) in a Collector Group, configure an SSH service profile from the Panorama management server, Commit the changes to Panorama, and then Push the configuration to the Log Collectors. You can also perform these steps from the CLI using set log-collector-group <name> general-setting management ssh commands.

Create an SSH Management Profile
Create an SSH HA Profile

Create an SSH Management Profile

You must create an SSH management profile to customize SSH settings for management connections.

You can configure or update an existing management profile from your CLI.

Create a Management - Server Profile.
1. Select DeviceCertification ManagementSSH Service Profile.
2. Add a Management - Server Profile.
3. Enter a Name to identify the profile.
4. (Optional) Add the ciphers, message authentication codes, or key exchange algorithms the profile will support.
5. (Optional) Select a Hostkey and key length.
6. (Optional) Enter values for the SSH session rekey parameters: Data, Interval, and Packets.
7. Click OK and Commit.
Select a management profile to apply.
1. Select DeviceSetupManagement. Under SSH Management Profiles Settings, select an existing profile.
2. Click OK and Commit the changes.
Restart management SSH service from the CLI to apply the profile.
You must restart the connection each time you apply a new profile or make changes to a profile in use; this reboots the appliance. The new configurations will not affect active sessions. The profile will apply to subsequent connections (or sessions).
1. admin@PA-3260> set ssh service-restart mgmt

Create an SSH HA Profile

To secure SSH communications between appliances in an HA pair, you should create an SSH HA profile. Before you can create a profile, you must establish an HA connection between the appliances. If an HA connection has not been established, you must enable encryption on the control link connection, export the HA key to a network location, and import the HA key on the peer. (See Configure Active/Passive HA or Configure Active/Active HA.)

You can configure or update an existing HA profile from your CLI.

Create an HA Profile.
1. Select DeviceCertification ManagementSSH Service Profile.
2. Add an HA Profile.
3. Enter a Name to identify the profile.
4. (Optional) Add the ciphers, message authentication codes, or key exchange algorithms the profile will support.
5. (Optional) Select a Hostkey and key length.
6. (Optional) Enter values for the SSH session rekey parameters: Data, Interval, and Packets.
7. Click OK and Commit.
Select an HA Profile to apply.
1. Select DeviceHigh AvailabilityGeneral. Under SSH HA Profile Setting, select an existing profile.
2. Click OK and Commit the changes.
Restart HA1 SSH service from the CLI to apply the profile.
You must restart the connection each time you apply a new profile or make changes to a profile in use; this reboots the appliance. The new configuration will not affect active sessions. The profile will apply to subsequent connections (or sessions).
1. admin@PA-3260> set ssh service-restart ha
  You can use the following commands if connection between the HA pair has been established and you’d like to minimize the downtime that accompanies an SSH service restart. If no HA connection has been established, you must restart SSH service.
  (HA1 Backup is configured) admin@PA-3260> request high-availability session-reestablish
  (No HA1 Backup is configured or HA1 Backup link is down) admin@PA-3260> request high-availability session-reestablish force
  You can force the firewall to reestablish HA1 sessions if there is no HA1 backup, which causes a brief split-brain condition between the HA peers. (Using the force option when an HA1 backup is configured has no effect.)