Configure Authentication with Custom Certificates on the PAN-DB Private Cloud
Advanced URL Filtering

Use custom certificates to establish a unique chain of trust that ensures mutual authentication between your PAN-DB server and your firewalls.
Where can I use this?
  • NGFW (Managed by PAN-OS or Panorama)
What do I need?
  Note: Legacy URL filtering licenses are discontinued, but active legacy licenses are still supported.
By default, a PAN-DB server uses predefined certificates for mutual authentication to establish the SSL connections used for management access and interdevice communication. However, you can configure authentication using custom certificates instead. Custom certificates allow you to establish a unique chain of trust to ensure mutual authentication between your PAN-DB server and firewalls. In the case of a PAN-DB private cloud, the firewall acts as the client and the PAN-DB server acts as the server.
  1. Obtain key pairs and certificate authority (CA) certificates for the PAN-DB server and firewall.
  2. Import the CA certificate to validate the certificate on the firewall.
    1. Log in to the CLI on the PAN-DB server and enter configuration mode.
      admin@M-600> configure
    2. Use TFTP or SCP to import the CA certificate.
      admin@M-600# {tftp | scp} import certificate from <value> file <value> remote-port <1-65535> source-ip <ip/netmask> certificate-name <value> passphrase <value> format {pkcs12 | pem}
  3. Use TFTP or SCP to import the key pair that contains the server certificate and private key for the private cloud appliance.
    admin@M-600# {tftp | scp} import keypair from <value> file <value> remote-port <1-65535> source-ip <ip/netmask> certificate-name <value> passphrase <value> format {pkcs12 | pem}
  4. Configure a certificate profile that includes the root CA and intermediate CA. This certificate profile defines the device authentication between the PAN-DB server and the firewall.
    1. In the CLI of the PAN-DB server, enter configuration mode.
      admin@M-600> configure
    2. Name the certificate profile.
      admin@M-600# set shared certificate-profile <name>
    3. (Optional) Set the user domain.
      admin@M-600# set shared certificate-profile <name> domain <value>
    4. Configure the CA.
      Default-ocsp-url and ocsp-verify-cert are optional parameters.
      admin@M-600# set shared certificate-profile <name> CA <name>
      admin@M-600# set shared certificate-profile <name> CA <name> [default-ocsp-url <value>]
      admin@M-600# set shared certificate-profile <name> CA <name> [ocsp-verify-cert <value>]
  5. Configure an SSL/TLS service profile for the appliance. This profile defines the certificate and protocol range that PAN-DB and client devices use for SSL/TLS services.
    1. Identify the SSL/TLS service profile.
      admin@M-600# set shared ssl-tls-service-profile <name>
    2. Select the certificate.
      admin@M-600# set shared ssl-tls-service-profile <name> certificate <value>
    3. Define the SSL/TLS range.
      PAN-OS 8.0 and later releases support TLSv1.2 and later TLS versions only. You must set the max version to TLS 1.2 or max.
      admin@M-600# set shared ssl-tls-service-profile <name> protocol-settings min-version {tls1-0 | tls1-1 | tls1-2}
      admin@M-600# set shared ssl-tls-service-profile <name> protocol-settings max-version {tls1-0 | tls1-1 | tls1-2 | max}
  6. Configure secure server communication on PAN-DB.
    1. Set the SSL/TLS service profile. This profile applies to all SSL connections between PAN-DB and firewalls.
      admin@M-600# set deviceconfig setting management secure-conn-server ssl-tls-service-profile <ssltls-profile>
    2. Set the certificate profile.
      admin@M-600# set deviceconfig setting management secure-conn-server certificate-profile <certificate-profile>
    3. Set the disconnect wait time. This is the number of minutes that PAN-DB waits before breaking and reestablishing the connection with its firewall (range is 0 to 44,640).
      admin@M-600# set deviceconfig setting management secure-conn-server disconnect-wait-time <0-44640>
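Steps 4 through 6 carry several constraints that are easy to get wrong when the commands are typed by hand: the CA list must not be empty, min-version cannot be above max-version, max-version must be tls1-2 or max for PAN-OS 8.0+ firewalls, and disconnect-wait-time must fall within 0 to 44,640 minutes. The following Python helper is an added example, not part of the Palo Alto Networks documentation or product; it checks those constraints and renders the configure-mode commands shown in the steps above, ready to paste at the admin@M-600# prompt. The profile, CA and certificate names it uses are constructed placeholders.

```python
"""Validate and render the PAN-DB server-side settings from steps 4-6 (added example)."""
from dataclasses import dataclass
from typing import List

# TLS version keywords in the order the PAN-DB CLI ranks them (from the page).
TLS_ORDER = ["tls1-0", "tls1-1", "tls1-2", "max"]
MIN_VERSION_CHOICES = TLS_ORDER[:3]          # min-version does not accept "max"
WAIT_MIN, WAIT_MAX = 0, 44640                # disconnect-wait-time range, in minutes


@dataclass
class CertificateProfile:
    name: str
    ca_names: List[str]                      # root CA first, then intermediates
    domain: str = ""
    default_ocsp_url: str = ""               # optional, per the page
    ocsp_verify_cert: str = ""               # optional, per the page


@dataclass
class SslTlsProfile:
    name: str
    certificate: str                         # server key pair imported in step 3
    min_version: str = "tls1-2"
    max_version: str = "max"


@dataclass
class SecureConnServer:
    ssl_tls_profile: SslTlsProfile
    cert_profile: CertificateProfile
    disconnect_wait_time: int = 0


def validate(cfg: SecureConnServer) -> List[str]:
    """Return a list of problems found; an empty list means the settings are acceptable."""
    problems: List[str] = []
    sp = cfg.ssl_tls_profile
    if sp.min_version not in MIN_VERSION_CHOICES or sp.max_version not in TLS_ORDER:
        problems.append("unknown TLS version keyword in SSL/TLS service profile")
    else:
        lo, hi = TLS_ORDER.index(sp.min_version), TLS_ORDER.index(sp.max_version)
        if lo > hi:
            problems.append("min-version is above max-version")
        # PAN-OS 8.0+ firewalls negotiate TLS 1.2 or later only, so a lower max
        # version would leave the firewalls unable to connect.
        if hi < TLS_ORDER.index("tls1-2"):
            problems.append("max-version must be tls1-2 or max for PAN-OS 8.0+ firewalls")
        if lo < TLS_ORDER.index("tls1-2"):
            problems.append("warning: min-version below tls1-2 permits deprecated protocol versions")
    if not cfg.cert_profile.ca_names:
        problems.append("certificate profile has no CA; add the root and intermediate CA")
    if not WAIT_MIN <= cfg.disconnect_wait_time <= WAIT_MAX:
        problems.append(f"disconnect-wait-time must be {WAIT_MIN}-{WAIT_MAX} minutes")
    return problems


def render(cfg: SecureConnServer) -> List[str]:
    """Render the configure-mode commands from steps 4-6, in the order the page gives them."""
    cp, sp = cfg.cert_profile, cfg.ssl_tls_profile
    cmds = [f"set shared certificate-profile {cp.name}"]
    if cp.domain:
        cmds.append(f"set shared certificate-profile {cp.name} domain {cp.domain}")
    for ca in cp.ca_names:
        cmds.append(f"set shared certificate-profile {cp.name} CA {ca}")
        if cp.default_ocsp_url:
            cmds.append(f"set shared certificate-profile {cp.name} CA {ca} default-ocsp-url {cp.default_ocsp_url}")
        if cp.ocsp_verify_cert:
            cmds.append(f"set shared certificate-profile {cp.name} CA {ca} ocsp-verify-cert {cp.ocsp_verify_cert}")
    cmds += [
        f"set shared ssl-tls-service-profile {sp.name}",
        f"set shared ssl-tls-service-profile {sp.name} certificate {sp.certificate}",
        f"set shared ssl-tls-service-profile {sp.name} protocol-settings min-version {sp.min_version}",
        f"set shared ssl-tls-service-profile {sp.name} protocol-settings max-version {sp.max_version}",
    ]
    base = "set deviceconfig setting management secure-conn-server"
    cmds += [
        f"{base} ssl-tls-service-profile {sp.name}",
        f"{base} certificate-profile {cp.name}",
        f"{base} disconnect-wait-time {cfg.disconnect_wait_time}",
    ]
    return cmds


if __name__ == "__main__":
    # Constructed placeholder names; substitute the names used in your own import steps.
    cfg = SecureConnServer(
        SslTlsProfile("pandb-tls", "pandb-server-cert"),
        CertificateProfile("pandb-certs", ["corp-root-ca", "corp-issuing-ca"]),
        disconnect_wait_time=5,
    )
    for problem in validate(cfg):
        print("PROBLEM:", problem)
    if not validate(cfg):
        print("\n".join(render(cfg)))
```

Run validate() before render(): a non-empty result means the generated commands would commit but leave the firewalls unable to connect (wrong TLS range) or be rejected by the CLI (wait time out of range). The "warning:" entry is informational, since a min-version below tls1-2 does no harm with PAN-OS 8.0+ firewalls but leaves older protocol versions enabled on the server side.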
  7. Import the CA certificate to validate the certificate for the appliance.
    1. Log in to the firewall web interface.
  8. Configure a local or a SCEP certificate for the firewall.
    1. If you are configuring a local certificate, import the key pair for the firewall.
    2. If you are configuring a SCEP certificate, configure a SCEP profile.
  9. Configure the certificate profile for the firewall. You can configure this on each firewall individually or you can push the configuration from Panorama to the firewalls as part of a template.
    1. Select Device > Certificate Management > Certificate Profile for firewalls or Panorama > Certificate Management > Certificate Profile for Panorama.
  10. Deploy custom certificates on each firewall. You can either deploy certificates centrally from Panorama or configure them manually on each firewall.
    1. Log in to the firewall web interface.
    2. Select Device > Setup > Management for a firewall or Panorama > Setup > Management for Panorama and Edit the Secure Communication settings.
    3. Select the Certificate Type, Certificate, and Certificate Profile from the respective drop-downs.
    4. In the Customize Communication settings, select PAN-DB Communication.
    5. Click OK.
    6. Commit your changes.
      After committing your changes, the firewalls don't terminate their current sessions with the PAN-DB server until after the Disconnect Wait Time. The disconnect wait time begins counting down after you enforce the use of custom certificates in the next step.
  11. Enforce custom certificate authentication.
    1. Log in to the CLI on the PAN-DB server and enter configuration mode.
      admin@M-600> configure
    2. Enforce the use of custom certificates.
      admin@M-600# set deviceconfig setting management secure-conn-server disable-pre-defined-cert yes
    After committing this change, the disconnect wait time begins counting down (if you configured this setting on PAN-DB). When the wait time ends, PAN-DB and its firewall connect using only the configured certificates.
  12. You have two choices when adding new firewalls or Panorama to your PAN-DB private cloud deployment.
    • If you did not enable Custom Certificates Only, you can add a new firewall to the PAN-DB private cloud and then deploy the custom certificate.
    • If you enabled Custom Certificates Only on the PAN-DB private cloud, you must deploy the custom certificates on the firewalls before connecting them to the PAN-DB private cloud.