When you run an internal network vulnerability test with a vulnerability scanner, the results often report that the ProxySG appliance Management Console on port 8082 uses a weak cipher suite and is potentially vulnerable.
Perform the following tasks to resolve the issue.
Task 1: Determine the keyring that the Management Console uses:
In the Management Console, select Services > Management Services.
On the Management Services tab, select HTTPS Console and then click Edit.
On the dialog that appears, locate the keyring used and record its name.
Task 2: Remove ciphers with Medium or Low strength from the keyring:
In the Management Console, select Configuration > SSL > Device Profiles.
In the Profiles list, select the keyring that is assigned to the Management Console and click Edit.
On the dialog that appears, select Edit Ciphers.
Under Selected Ciphers, select ciphers that have Medium or Low strength and then click > > Remove.
Click OK > OK > Apply.
Task 3: Specify high-strength cipher suites for the HTTPS-Console keyring:
Log in to the command line interface (CLI).
Enter the following commands:
    >enable
    Enable Password: <password>
    #conf t
    Enter configuration commands, one per line. End with CTRL-Z.
    #(config)management-services
    #(config management-services)edit HTTPS-Console
    #(config HTTPS-Console)attribute cipher-suite des-cbc3-sha des-cbc3-md5 aes256-sha
    ok
After you apply these changes, any network vulnerability scanner will show strong cipher suites with 256-bit encryption for the Management Console.
Note: Make sure that you enable HTTP-Console before making this change. If your browser does not support the selected cipher suites, you will need the HTTP-Console to access the ProxySG's Web Console. After the change to the cipher suites has been tested, you can disable the HTTP-Console.
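To confirm the result of Task 3 without waiting for the next scan, the following added example (not part of the original article and not vendor code) offers the console one cipher suite per connection and records which ones it accepts. It assumes the CLI suite names are OpenSSL names in lower case; the host name and the two extra probe suites are hypothetical choices made for this example.

```python
import socket
import ssl

# Constructed from the Task 3 command on this page.
CLI_LINE = "attribute cipher-suite des-cbc3-sha des-cbc3-md5 aes256-sha"

def configured_suites(cli_line):
    """Return the suite names that follow 'attribute cipher-suite'."""
    words = cli_line.split()
    return words[words.index("cipher-suite") + 1:]

def probe_suite(host, port, suite, timeout=5.0):
    """Offer exactly one TLS 1.2-or-older suite and report the outcome."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # probe only: the console certificate is
    ctx.verify_mode = ssl.CERT_NONE  # often self-signed and no data is sent
    # set_ciphers() does not control TLS 1.3 suites, so cap the version.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        # Assumption: the CLI names are OpenSSL suite names in lower case.
        ctx.set_ciphers(suite.upper() + ":@SECLEVEL=0")
    except ssl.SSLError:
        return "client-unsupported"  # local OpenSSL build cannot offer it
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "accepted:" + tls.cipher()[0]
    except OSError:                  # handshake alert, reset or timeout
        return "rejected"
    finally:
        raw.close()

def audit(host, port, allowed, candidates):
    """Probe every candidate; list accepted suites that are not allowed."""
    results = {s: probe_suite(host, port, s) for s in candidates}
    extras = [s for s, r in results.items()
              if r.startswith("accepted") and s not in allowed]
    return results, extras

if __name__ == "__main__":
    allowed = configured_suites(CLI_LINE)
    # Hypothetical host name; rc4-sha and aes128-sha are extra probes
    # chosen for this example, not suites named on the page.
    results, extras = audit("proxysg.example.internal", 8082, allowed,
                            allowed + ["rc4-sha", "aes128-sha"])
    print(results, "unexpectedly accepted:", extras)
```

Of the three suites in the Task 3 command, only aes256-sha uses a 256-bit key; the des-cbc3 suites are Triple DES, which current scanners commonly report as weak. A "rejected" result can also mean the appliance and the local OpenSSL share no protocol version, so check that before reading it as a cipher refusal.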
Imported Document ID: 000021562