Global Device Security Settings

The following command displays the security settings that are configured on the SLX devices:

These settings are common across all devices registered on the EFA installation.

efa inventory device secure settings show
+--------------------------+---------------------------------------+
|        NAME              | VALUE                                 |
+--------------------------+---------------------------------------+
| Min-tls-version          | 1.2                                   |
+--------------------------+---------------------------------------+
| Mac-algorithm            | hmac-sha2-512-etm@openssh.com         |
|                          | hmac-sha2-256-etm@openssh.com         |
|                          | hmac-sha2-512                         |
|                          | hmac-sha2-256                         |
+--------------------------+---------------------------------------+
| Key-exchange-algorithm   | curve25519-sha256                     |
|                          | curve25519-sha256@libssh.org          |
|                          | diffie-hellman-group14-sha256         |
|                          | diffie-hellman-group16-sha512         |
|                          | diffie-hellman-group18-sha512         |
|                          | diffie-hellman-group-exchange-sha256  |
+--------------------------+---------------------------------------+
| Cipher                   | non-cbc                               |
+--------------------------+---------------------------------------+
| Telnet                   | Disable                               |
+--------------------------+---------------------------------------+
| Max-password-age         | 365                                   |
+--------------------------+---------------------------------------+

The following command updates a security setting applicable for the SLX devices:

efa inventory device secure settings update --min-tls-version 1.2

efa inventory device secure settings update --mac-algorithm hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256

efa inventory device secure settings update --key-exchange-algorithm curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256

efa inventory device secure settings update --telnet enable --cipher non-cbc --max-password-age 365

After updating any of the settings, you must manually apply those settings on the devices or fabric. These changes are not automatically updated on any device.

The following command resets the security setting to the default value on the SLX devices:

efa inventory device secure settings reset --telnet --cipher --max-password-age

      --min-tls-version                 Reset minimum TLS version to the default value
      --mac-algorithm                   Reset MAC Algorithms to the default values
      --key-exchange-algorithm          Reset Key-Exchange Algorithms to the default values
      --cipher                          Reset Ciphers to the default values
      --telnet                          Reset telnet to the default value of disabled
      --max-password-age                Reset the maximum number of days before password expiry to the default value
      --force-default-password-change   Reset force a change in the default password to the default value

The following command enables or disables the security settings on the SLX devices:

If you do not want to configure any security hardening settings on the device, disable the secure settings before device registration.

$ efa inventory device secure settings disable
Device secure settings have been disabled.
--- Time Elapsed: 57.000421492s ---

Note

If you disable the security settings after device registration, there will not be any change done on the device.