Global Device Security Settings
- The following command displays the security settings that are configured on the SLX devices. These settings are common across all devices registered on the EFA installation.

    efa inventory device secure settings show
    +--------------------------+---------------------------------------+
    | NAME                     | VALUE                                 |
    +--------------------------+---------------------------------------+
    | Min-tls-version          | 1.2                                   |
    +--------------------------+---------------------------------------+
    | Mac-algorithm            | hmac-sha2-512-etm@openssh.com         |
    |                          | hmac-sha2-256-etm@openssh.com         |
    |                          | hmac-sha2-512                         |
    |                          | hmac-sha2-256                         |
    +--------------------------+---------------------------------------+
    | Key-exchange-algorithm   | curve25519-sha256                     |
    |                          | curve25519-sha256@libssh.org          |
    |                          | diffie-hellman-group14-sha256         |
    |                          | diffie-hellman-group16-sha512         |
    |                          | diffie-hellman-group18-sha512         |
    |                          | diffie-hellman-group-exchange-sha256  |
    +--------------------------+---------------------------------------+
    | Cipher                   | non-cbc                               |
    +--------------------------+---------------------------------------+
    | Telnet                   | Disable                               |
    +--------------------------+---------------------------------------+
    | Max-password-age         | 365                                   |
    +--------------------------+---------------------------------------+
- The following command updates a security setting applicable for the SLX devices:

    efa inventory device secure settings update --min-tls-version 1.2
    efa inventory device secure settings update --mac-algorithm hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
    efa inventory device secure settings update --key-exchange-algorithm curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
    efa inventory device secure settings update --telnet enable --cipher non-cbc --max-password-age 365

  After updating any of the settings, you must manually apply those settings on the devices or fabric. These changes are not automatically updated on any device.
- The following command resets the security setting to the default value on the SLX devices:

    efa inventory device secure settings reset --telnet --cipher --max-password-age

    --min-tls-version                 Reset minimum TLS version to the default value
    --mac-algorithm                   Reset MAC Algorithms to the default values
    --key-exchange-algorithm          Reset Key-Exchange Algorithms to the default values
    --cipher                          Reset Ciphers to the default values
    --telnet                          Reset telnet to the default value of disabled
    --max-password-age                Reset the maximum number of days before password expiry to the default value
    --force-default-password-change   Reset force a change in the default password to the default value
- The following command enables or disables the security settings on the SLX devices. If you do not want to configure any security hardening settings on the device, disable the secure settings before device registration.

    $ efa inventory device secure settings disable
    Device secure settings have been disabled.
    --- Time Elapsed: 57.000421492s ---
Note
If you disable the security settings after device registration, no change is made on the device.
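
The table printed by the show command above can be checked mechanically against a hardening baseline. The following is an added example, not part of the EFA documentation or tooling: the function names parse_settings and audit are hypothetical, the baseline is assumed to be the values shown on this page, and the sample output (including its hmac-sha1 entry and enabled Telnet) is constructed.

```python
BASELINE = {  # desired state, copied from the "show" output on this page (assumed)
    "Min-tls-version": ["1.2"],
    "Mac-algorithm": ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
                      "hmac-sha2-512", "hmac-sha2-256"],
    "Cipher": ["non-cbc"],
    "Telnet": ["Disable"],
}

# Constructed sample output, not from a real device: Telnet enabled, MAC list changed.
SAMPLE = """\
+------------------+-------------------------------+
| NAME             | VALUE                         |
+------------------+-------------------------------+
| Min-tls-version  | 1.2                           |
+------------------+-------------------------------+
| Mac-algorithm    | hmac-sha2-512-etm@openssh.com |
|                  | hmac-sha1                     |
+------------------+-------------------------------+
| Cipher           | non-cbc                       |
+------------------+-------------------------------+
| Telnet           | Enable                        |
+------------------+-------------------------------+
"""

def parse_settings(table):
    """Parse the two-column table into {name: [values]}."""
    settings, current = {}, None
    for line in map(str.strip, table.splitlines()):
        cells = [c.strip() for c in line.strip("|").split("|")]
        if not line.startswith("|") or len(cells) != 2 or cells == ["NAME", "VALUE"]:
            continue  # border rows, the header row, anything that is not a data row
        name, value = cells
        if name:  # a blank NAME cell continues the previous setting's value list
            current = name
            settings[current] = []
        if current and value:
            settings[current].append(value)
    return settings

def audit(settings, baseline=BASELINE):
    """Return one finding per setting that differs from the baseline (order ignored)."""
    findings = []
    for name, expected in baseline.items():
        actual = settings.get(name, [])
        extra = sorted(set(actual) - set(expected))
        missing = sorted(set(expected) - set(actual))
        if extra or missing:
            findings.append(f"{name}: unexpected={extra} missing={missing}")
    return findings
```

This checks only the settings stored in EFA; because updated settings are not applied to devices automatically, a clean result here does not show that a device has received them.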