Thanks for replying @ttran ! The issue is, I read the snippet you quoted but don't fully understand what it is saying. Do you have any further insight on these points?

• "testing on a nonproduction system that has console access" - what does this mean? Console access to what, from what? If it means to the cluster from a Windows machine, what do they mean by a nonproduction system? If you've lost access, you've lost access, right? (Whether production or nonproduction). Does this imply that the only effect this change could have would be on SSH access to the cluster via Putty?
• Regarding OpenSSH 5.7, do you know if Putty uses this? That's what I use for SSH access.

The main question, again is: what is the scope of potential risk in making these changes? If it is ONLY the possibility of losing SSH access, I'll do it, because I at least have console access and can reverse the changes. If it's a greater risk, such as affecting CIFS authentication, I may need to think it through a bit more.

Also, I'm not sure if the fact that they are disabling RC4 ciphers for our Kerberos tickets on domain controllers means that I even need to change anything. Any insight?

Thank you @cruxrealm ! That is very helpful. I'll make sure I update to the latest version of Putty and I should be good. I agree it makes sense to disable RC4 anyway, and sounds like that change is the least likely to potentially cause an issue. I'm thinking I will let them make their change, and then disable RC4. Thank you again for the help!

What I would recommend is testing on a non-production filer or one that if you lose access, it isn't a big deal. If you don't have that, you can download an ONTAP simulator or spin up a Cloud Volumes ONTAP instance briefly and see what happens.

If you're testing settings in the future for CIFS/NFS access, you can always set up a new SVM to test that won't impact production as well.

@paul_stejskal , thank you! Great idea about setting up a new CIFS Server. As for losing access, I actually am on premises for our main production cluster, so even if I lost access I could plug in my laptop and re-enable RC4. Once we knew that was working I could do the remaining remote office NetApp's. Having said that, I do have a very old test system I could try this out on first, and will definitely do that once I decide to make this change! Thank you again.

Thanks for the amazing explanation. I have a query : Is it necessary to enable FIPS 140-2 in order to disallow /disable weak ciphers like rc4 on NetApp, on ONTAP 9.x?  As per https://security.netapp.com/advisory/ntap-20150122-0001/ , In clustered Data ONTAP 8.2.2, the RC4 cipher will only be disabled by enabling FIPS 140-2 mode. 

No - ONTAP 9.x includes the "security" command to configure the default SSL and SSH parameters. The advisory guidance was specific to clustered Data ONTAP 8.2.x.

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-980%2Fsecurity__ssh__modify.html

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-980%2Fsecurity__ssl__modify.html

Thank you for sharing the links. However, in the same advisory, the below is also mentioned:

• clustered Data ONTAP 9.x:
  • Enable FIPS 140-2 compliance mode to disable RC4 cipher support in cluster-wide control plane interfaces:

    ::*> security config modify -is-fips-enabled true	

  • Default ciphers can also be disabled in the 9.x versions of ONTAP using the '-supported-ciphers' option with the 'security config' command:

    ::*> security config modify -supported-ciphers CURRENT_CIPHER_STRING:!RC4

Yes, the shared links correspond to the second option in the advisory. Either of those options can be used in the current Full Support versions of ONTAP (9.5+). The product documentation should be consulted for the proper command syntax since it may have changed over time/versions.

When that advisory was originally posted, cDOT 8.2 & 8.3 were still under Full Support status. The only mitigation for those releases was to enable FIPS 140-2 compliance mode.