Hello, good evening. Thank you very much in advance for your help and support as always. Checking this link: https://live.paloaltonetworks.com/t5/general-topics/how-to-remove-ssh-weak-algorithms/td-p/285933#:~:text=Next%20Topic-,1%20ACCEPTED%20SOLUTION, -Reaper
Fair, but fair (murphy) I need to apply these settings at the SSH and SSL/TLS level in some PCI firewalls, which have a lot of IPSEC vpn tunnels, site to site (a lot I'm talking about more than 50 tunnels with a mix of suite of algorithms). Reviewing what a colleague/colleague comments, when applying the settings, he had problems with his vpn-site-to-site tunnels: This is in the Live Community Link: https://live.paloaltonetworks.com/t5/general-topics/how-to-remove-ssh-weak-algorithms/td-p/285933:
... Exit from config mode by typing 'exit' > set ssh service-restart mgmt I ran these commands and it appeared to work, however shortly afterwards our VPN site to site tunnel dropped out. I connected to our PA-820 again, ran: delete deviceconfig system ssh commit set ssh service-restart mgmt. and after a few minutes the tunnel came back up. Would running those commands have disabled a cipher suite used by this tunnel?"""""
I have the same case... where an asset vulnerability management tool detected these ssh encryption issues: SSH Weak Algorithms Supported: Has detected that the remote SSH server is configured to use the Arcfour stream. RFC 4253 advises against using Arcfour due to an issue with weak keys. I assure you that in the total number of ipsec tunnels of these firewalls, a mix, there will be everything, 3DES, SHA1, MD5... a little of everything, the issue is how do I make sure that the SSH and SSL/TLS configuration, when making the adjustments, remove the weak algorithms, especially in ssh, do not impact the ipsec tunnels, as happened to the colleague, who published in the live community, who had to choose to cancel/delete the adjustments made and go back to restart the ssh service and then the ipsec tunnels are working again.
Just these firewalls that I have to intervene are critical but very critical, effectively because of the multiple ipsec tunnels.
I look forward to your comments, support and/or suggestions.
Thank you Best regards
Some of the cipher suites are shared and will also become unavailable for IPsec once you disable weak ciphers. The best (not easiest) way forward is upgrading the suites used by your VPN tunnels so they also use better encryption