Create a profile to disable weak SSH ciphers and algorithms and define rekey thresholds, hardening SSH connections to your management and HA appliances.

SSH service profiles enable you to customize SSH parameters to enhance the security and integrity of SSH connections to your Palo Alto Networks management and high availability (HA) appliances. By default, SSH supports all ciphers, key exchange algorithms, and message authentication codes, which leaves your connection vulnerable to attack. With an SSH service profile, you can restrict the algorithms your SSH server supports. You can also generate a new host key and specify data volume, time, and packet-based thresholds for SSH session key regeneration and exchange.

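One way to check that a profile has actually narrowed what the SSH server advertises is to inspect the algorithm name-lists in the server's SSH_MSG_KEXINIT message (RFC 4253). The following is an added example, not Palo Alto Networks code: the deny-list, the function names, and the two sample payloads are assumptions constructed for illustration.

```python
# Assumption: example deny-list, not from the PAN-OS documentation; use your policy.
WEAK = {
    "kex": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"},
    "cipher": {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc", "arcfour"},
    "mac": {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96"},
}
# RFC 4253, section 7.1: order of the ten name-lists in SSH_MSG_KEXINIT.
FIELDS = ["kex", "host_key", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_kexinit(payload: bytes) -> dict:
    """Parse an SSH_MSG_KEXINIT payload (binary packet framing already removed)."""
    if len(payload) < 17 or payload[0] != 20:      # 20 = SSH_MSG_KEXINIT
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, out = 17, {}                              # skip type byte + 16-byte cookie
    for name in FIELDS:
        hdr = payload[pos:pos + 4]
        n = int.from_bytes(hdr, "big")
        raw = payload[pos + 4:pos + 4 + n]
        if len(hdr) != 4 or len(raw) != n:
            raise ValueError("truncated KEXINIT name-list")
        out[name] = raw.decode("ascii").split(",") if raw else []
        pos += 4 + n
    return out

def weak_offers(lists: dict) -> dict:
    """Return {field: [algorithms on the deny-list]} for every offending field."""
    findings = {}
    for field, algos in lists.items():
        kind = field.split("_")[0]                 # "cipher_s2c" -> "cipher"
        bad = [a for a in algos if a in WEAK.get(kind, ())]
        if bad:
            findings[field] = bad
    return findings

def build_kexinit(lists: dict) -> bytes:
    """Encode name-lists as a KEXINIT payload; used only for the samples below."""
    names = [",".join(lists.get(f, [])).encode("ascii") for f in FIELDS]
    body = b"".join(len(s).to_bytes(4, "big") + s for s in names)
    return bytes([20]) + bytes(16) + body + b"\x00" + (0).to_bytes(4, "big")

# Constructed samples (not captured from a real appliance): before and after hardening.
SAMPLE_PERMISSIVE = build_kexinit({
    "kex": ["curve25519-sha256", "diffie-hellman-group1-sha1"],
    "cipher_s2c": ["aes256-gcm@openssh.com", "3des-cbc"],
    "mac_s2c": ["hmac-sha2-256", "hmac-md5"]})
SAMPLE_HARDENED = build_kexinit({"kex": ["curve25519-sha256"],
    "cipher_s2c": ["aes256-gcm@openssh.com"], "mac_s2c": ["hmac-sha2-256"]})
```

An empty result from `weak_offers(parse_kexinit(...))` means the server offers nothing on the deny-list; any non-empty field names the algorithms the profile still needs to remove.
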
Depending on the SSH server instance, configure either a management or HA SSH service profile. You can configure profiles from the firewall or Panorama™ web interface (if applying settings across multiple firewalls or appliances) or the CLI.

You can configure a maximum of four management and four HA server profiles.

To use the same SSH connection settings for each Dedicated Log Collector (M-series or Panorama virtual appliance in Log Collector mode) in a Collector Group, configure an SSH service profile from the Panorama management server, commit the changes to Panorama, and then push the configuration to the Log Collectors. You can also perform these steps from the CLI using the set log-collector-group <name> general-setting management ssh commands.