Configure SSH - Basic Settings


    Firewall Analyzer uses SSH to communicate with your firewalls and other security devices. To configure it, select Settings > General Settings > SSH Settings. The SSH Settings page has two tabs:

    1. SSH Security Settings
    2. SCP/SFTP Server

    SSH Security Settings

    Several older SSH algorithms have known weaknesses: CBC-mode ciphers, arcfour (RC4), 3DES, key exchanges based on SHA-1 or 1024-bit groups, and MACs based on MD5, SHA-1 or truncated tags. Use the following settings to control which algorithms Firewall Analyzer accepts when it connects to devices:

    Blocked Ciphers

    • Select All
    • aes256-gcm@openssh.com
    • aes128-gcm@openssh.com
    • chacha20-poly1305@openssh.com
    • aes256-ctr
    • aes192-ctr
    • aes128-ctr
    • arcfour256
    • aes256-cbc
    • 3des-cbc
    • 3des-ctr
    • aes192-cbc
    • aes128-cbc
    • blowfish-cbc
    • arcfour128
    • arcfour

    All selected ciphers are blocked when Firewall Analyzer connects over SSH. Do not block every cipher: at least one cipher that the target device also supports must remain, or the connection cannot be negotiated. Blocking only the legacy entries (the cbc, arcfour and 3des ciphers) is the usual choice.

    Allowed Key Exchanges

    • Select All
    • curve25519-sha256
    • rsa2048-sha256
    • curve25519-sha256@libssh.org
    • rsa1024-sha1
    • diffie-hellman-group18-sha512
    • diffie-hellman-group17-sha512
    • diffie-hellman-group16-sha512
    • diffie-hellman-group15-sha512
    • diffie-hellman-group14-sha256
    • diffie-hellman-group14-sha1
    • diffie-hellman-group-exchange-sha256
    • ecdh-sha2-nistp521
    • ecdh-sha2-nistp384
    • diffie-hellman-group-exchange-sha1
    • diffie-hellman-group1-sha1
    • ecdh-sha2-nistp256

    Only the selected key exchange methods are allowed when Firewall Analyzer connects over SSH. A device that offers none of the selected methods will no longer be reachable, so check what your devices support before removing the older SHA-1 and 1024-bit entries.

    Blocked HMACs

    • Select All
    • hmac-sha2-512-etm@openssh.com
    • hmac-sha2-512-96
    • hmac-sha2-512
    • hmac-sha2-256-etm@openssh.com
    • hmac-sha2-256
    • hmac-sha2-256-96
    • hmac-sha1-etm@openssh.com
    • hmac-sha1
    • hmac-sha1-96
    • hmac-md5
    • hmac-md5-etm@openssh.com
    • hmac-md5-96

    All selected HMACs are blocked when Firewall Analyzer connects over SSH. As with ciphers, leave at least one MAC that the target devices support (for example one of the hmac-sha2 variants) unblocked.

    Note: A server restart is required for these settings to take effect.

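    After restarting, it is worth confirming what a device actually offers against the lists above, since the page cannot tell you which algorithms a given firewall supports. The following is an added example and not Firewall Analyzer code: it parses the server's KEXINIT proposal that an OpenSSH client prints with `ssh -vv` (the line format matched by the regex is an assumption about current OpenSSH output; compare it with your capture) and reports every offered algorithm that conflicts with a policy mirroring the three lists. The policy sets and the transcript are constructed for illustration; nothing here is a product default.

```python
"""Audit the algorithms an SSH peer offers against an allow/block policy
like the one on the SSH Settings page.

Added example, not Firewall Analyzer code. Works offline on a saved
`ssh -vv` transcript; SAMPLE_TRANSCRIPT below is constructed.
"""
import re

# Policy used by this example (an assumption, not a product default).
# ALLOWED_KEX is an allow-list, like the page's "Allowed Key Exchanges";
# the other two are block-lists, like "Blocked Ciphers" / "Blocked HMACs".
BLOCKED_CIPHERS = {
    "arcfour", "arcfour128", "arcfour256", "blowfish-cbc", "3des-cbc",
    "3des-ctr", "aes128-cbc", "aes192-cbc", "aes256-cbc",
}
ALLOWED_KEX = {
    "curve25519-sha256", "curve25519-sha256@libssh.org",
    "diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512",
    "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256",
    "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
}
BLOCKED_MACS = {
    "hmac-md5", "hmac-md5-96", "hmac-md5-etm@openssh.com", "hmac-sha1",
    "hmac-sha1-96", "hmac-sha1-etm@openssh.com", "hmac-sha2-256-96",
    "hmac-sha2-512-96",
}

# Constructed sample of the debug2 lines `ssh -vv` prints for the peer's
# KEXINIT (assumed format). A real capture of a device has the same shape.
SAMPLE_TRANSCRIPT = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes128-cbc,3des-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes128-cbc,3des-cbc
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-md5
debug2: MACs stoc: hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1,hmac-md5
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
"""

_PROPOSAL_LINE = re.compile(
    r"^debug2: (KEX algorithms|ciphers ctos|ciphers stoc|MACs ctos|MACs stoc): (.*)$"
)


def parse_server_proposal(transcript):
    """Return {'kex': [...], 'ciphers': [...], 'macs': [...]} taken from the
    peer server's KEXINIT section only; the client's own proposal, which
    OpenSSH prints first, is skipped so it cannot be mistaken for the device's."""
    result = {"kex": [], "ciphers": [], "macs": []}
    in_server = False
    for raw in transcript.splitlines():
        line = raw.strip()
        if "peer server KEXINIT proposal" in line:
            in_server = True
            continue
        if not in_server:
            continue
        m = _PROPOSAL_LINE.match(line)
        if not m:
            continue
        field, algs = m.group(1), [a for a in m.group(2).split(",") if a]
        if field.startswith("KEX"):
            key = "kex"
        elif field.startswith("ciphers"):
            key = "ciphers"
        else:
            key = "macs"
        # ctos and stoc lists are usually identical; merge without duplicates
        for alg in algs:
            if alg not in result[key]:
                result[key].append(alg)
    return result


def audit(transcript):
    """Return the offered algorithms that violate the policy, grouped by
    category. An empty dict means the peer is consistent with the policy."""
    offered = parse_server_proposal(transcript)
    findings = {}
    bad_ciphers = [c for c in offered["ciphers"] if c in BLOCKED_CIPHERS]
    bad_kex = [k for k in offered["kex"] if k not in ALLOWED_KEX]
    bad_macs = [m for m in offered["macs"] if m in BLOCKED_MACS]
    if bad_ciphers:
        findings["ciphers"] = bad_ciphers
    if bad_kex:
        findings["kex"] = bad_kex
    if bad_macs:
        findings["macs"] = bad_macs
    return findings


if __name__ == "__main__":
    for category, algs in audit(SAMPLE_TRANSCRIPT).items():
        print(f"{category}: offered by peer but against policy: {', '.join(algs)}")
```

    To audit a real device, capture the transcript with something like `ssh -vv -o BatchMode=yes user@device true 2>&1 > transcript.txt` (no login is needed; the proposal is printed before authentication) and pass the file contents to `audit()`. Anything the script reports in the `ciphers` or `macs` category can be blocked on this page without losing the device, provided at least one of its other offered algorithms stays permitted; anything in `kex` tells you which of the device's methods would have to stay in the allowed list.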

    SCP/SFTP Server

    Configure the SCP/SFTP server settings that Firewall Analyzer uses to transfer configuration files to and from devices securely.

    1. Enable SCP/SFTP Server
      Use the toggle switch to enable or disable the SCP/SFTP server. The current state of the server (for example, Not Running) is shown next to the switch.
    2. Bind to [Port : 22]
      Choose whether the server listens on all IP addresses or only on localhost. The server listens on port 22. Binding to all addresses exposes the service to every network the host is attached to, so restrict access to the devices that need it.
    3. Server
      The SCP or SFTP server address to which Firewall Analyzer is bound.
    4. SCP/SFTP User name
      The user name used to log in to the SCP or SFTP server.
    5. Password *
      Set the password for the SCP or SFTP server.
    6. Re-type Password *
      Re-enter the same password to confirm it.

    Click Save to save the SCP/SFTP configuration.


    Note: A server restart is required for these settings to take effect.