HA1 SSH Key Refresh

Refresh SSH host keys and set other SSH key options for an HA1 control link and re-establish HA1 sessions between HA peers so the new keys and settings take effect without restarting the HA peers.
When you configure Active/Passive HA or Active/Active HA, you can enable encryption for the HA1 (control link) connection between HA firewalls. HA peers use public and private Secure Shell (SSH) host keys to authenticate each other. When you enable encryption and generate a new pair of host keys or configure other HA1 encryption settings, you can now enable the new host keys and other settings without restarting the HA firewalls, so the firewalls do not go offline. The firewall re-establishes HA1 sessions with its peer and generates system logs (subtype is ha) for re-establishing the HA1 and HA1-backup sessions.
  • (Optional) Set the HA1 link to use a specific key type (known as the default host key type). The HA1 link uses only the default host key type to authenticate the HA peers (before an encrypted session is established between them). The choices are ECDSA 256, 384, or 521, or RSA 2048, 3072, or 4096. By default, the default host key type is RSA 2048.
  • Establish when automatic rekeying of the session keys occurs for the HA1 link by setting data volume, time, and/or packet count parameters. As soon as any one rekeying parameter reaches its configured value, SSH switches to new session encryption keys.
  • (Optional) Set the SSH server to use the specified encryption ciphers for the HA1 sessions. HA1 SSH allows all supported ciphers by default. When you set one or more ciphers, the SSH server advertises only those ciphers during connection negotiation, and if the client (the HA peer) tries to connect using a different cipher, the server terminates the connection.
  • (Optional) Delete a cipher from the set of ciphers you selected for the HA1 link.
  • (Optional) Set the session key exchange algorithm for HA1 SSH. By default the server advertises all the key exchange algorithms to the client.
  • (Optional) Set the message authentication code (MAC) for HA1 SSH. By default the server advertises all the MAC algorithms to the client.
  • Regenerate ECDSA or RSA host keys for HA1 SSH to replace the existing keys. Do this at the frequency you determine necessary for security purposes.
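The procedure above as an annotated PAN-OS CLI session (an added illustration, not text from the page): it pins the HA1 host key type, enables rekeying, narrows the ciphers, key exchange and MAC, regenerates the host key, and then re-establishes the HA1 sessions instead of restarting the peers. The command syntax, the algorithm names (aes256-gcm, aes128-cbc, ecdh-sha2-nistp256, hmac-sha2-256) and the rekey values are assumptions to verify against the CLI reference for your release; lines beginning with `#` are annotations, not CLI input.

```text
# Assumed PAN-OS CLI syntax; verify against the CLI reference for your release.
admin@fw(active)> configure

# 1. Pin the default host key type used to authenticate the peers (the page's default is RSA 2048).
admin@fw(active)# set deviceconfig system ssh default-hostkey ha key-type ECDSA key-length 256

# 2. Automatic session rekeying: whichever threshold is reached first triggers new session keys
#    (example values; units and ranges per the CLI reference).
admin@fw(active)# set deviceconfig system ssh session-rekey ha interval 60
admin@fw(active)# set deviceconfig system ssh session-rekey ha data 32
admin@fw(active)# set deviceconfig system ssh session-rekey ha packets 27

# 3. Restrict what the server advertises; a peer offering anything else is disconnected.
admin@fw(active)# set deviceconfig system ssh ciphers ha aes256-gcm
admin@fw(active)# set deviceconfig system ssh ciphers ha aes128-cbc
admin@fw(active)# set deviceconfig system ssh kex ha ecdh-sha2-nistp256
admin@fw(active)# set deviceconfig system ssh mac ha hmac-sha2-256

# 4. Drop the CBC cipher selected above, leaving only the AEAD cipher for HA1.
admin@fw(active)# delete deviceconfig system ssh ciphers ha aes128-cbc

# 5. Replace the existing HA1 host key pair with a fresh ECDSA 256 key.
admin@fw(active)# set deviceconfig system ssh regenerate-hostkeys ha key-type ECDSA key-length 256

# 6. Commit, then re-establish the HA1 and HA1-backup sessions so the peers use the new key
#    and settings without a restart.
admin@fw(active)# commit
admin@fw(active)# exit
admin@fw(active)> request high-availability session-reestablish

# 7. Confirm: system logs with subtype ha should report the re-established HA1 sessions.
admin@fw(active)> show log system subtype equal ha
```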