Configure Authentication with Custom Certificates on the PAN-DB Private Cloud

Obtain key pairs and certificate authority (CA) certificates for the PAN-DB server and firewall.
Import the CA certificate to validate the certificate on the firewall.
Log in to the CLI on the PAN-DB server and enter configuration mode.

admin@M-600> 
configure

Use TFTP or SCP to import the CA certificate.

admin@M-600# 
{tftp | scp} import certificate from 
<value> file 
<value> remote-port 
<1-65535> source-ip 
<ip/netmask> certificate-name 
<value> passphrase 
<value> format {pkcs12 | pem}
Use TFTP or SCP to import the key pair that contains the server certificate and private key for the PAN-DB M-600 appliance.
admin@M-600#
 {tftp | scp} import keypair from 
<value> file 
<value> remote-port 
<1-65535> source-ip 
<ip/netmask> certificate-name 
<value> passphrase 
<value> format {pkcs12 | pem}
Configure a certificate profile that includes the root CA and intermediate CA. This certificate profile defines the device authentication between the PAN-DB server and the firewall.
In the CLI of the PAN-DB server, enter configuration mode.

admin@M-600> 
configure

Name the certificate profile.

admin@M-600# 
set shared certificate-profile 
<name>

(

Optional

) Set the user domain.

admin@M-600# 
set shared certificate-profile 
<name> domain 
<value>

Configure the CA.

Default-ocsp-url

and

ocsp-verify-cert

are optional parameters.

admin@M-600#

set shared certificate-profile

<name>

CA

<name>

admin@M-600# 
set shared certificate-profile 
<name> CA 
<name> [default-ocsp-url 
<value>]

admin@M-600# 
set shared certificate-profile 
<name> CA 
<name> [ocsp-verify-cert 
<value>]
Configure an SSL/TLS profile for the PAN-DB M-600 appliance. This profile defines the certificate and protocol range that PAN-DB and client devices use for SSL/TLS services.
Identify the SSL/TLS profile.

admin@M-600# 
set shared ssl-tls-service-profile 
<name>

Select the certificate.

admin@M-600# 
set shared ssl-tls-service-profile 
<name> certificate 
<value>

Define the SSL/TLS range.

PAN-OS 8.0 and later releases support TLS 1.2 and later TLS versions only. You must set the max version to

TLS 1.2

or

max

.

admin@M-600# 
set shared ssl-tls-service-profile 
<name> protocol-settings min-version {tls1-0 | tls1-1 | tls1-2

admin@M-600# 
set shared ssl-tls-service-profile 
<name> protocol-settings max-version {tls1-0 | tls1-1 | tls1-2 | max
Configure secure server communication on PAN-DB.
Set the SSL/TLS profile. This SSL/TLS service profile applies to all SSL connections between PAN-DB and firewalls.

admin@M-600# 
set deviceconfig setting management secure-conn-server ssl-tls-service-profile 
<ssltls-profile>

Set the certificate profile.

admin@M-600# 
set deviceconfig setting management secure-conn-server certificate-profile 
<certificate-profile>

Set the disconnect wait time in number of minutes that PAN-DB should wait before breaking and reestablishing the connection with its firewall (range is 0 to 44,640).

admin@M-600# 
set deviceconfig setting management secure-conn-server disconnect-wait-time 
<0-44640
Import the CA certificate to validate the certificate for the PAN-DB M-600 appliance.
Log in to the firewall web interface.
Import the CA certificate.
Configure a local or a SCEP certificate for the firewall.
If you are a local certificate, then import the key pair for the firewall.
If you are a SCEP certificate for the firewall, configure a SCEP profile.
Configure the certificate profile for the firewall. You can configure this on each firewall individually or you can push the configuration from Panorama to the firewalls as part of a template.
Select
Device
Certificate Management
Certificate Profile
for firewalls or
Panorama
Certificate Management
Certificate Profile
for Panorama.
Configure a Certificate Profile.
Deploy custom certificates on each firewall. You can either deploy certificates centrally from Panorama or configure them manually on each firewall.
Log in to the firewall web interface.
Select
Device
Setup
Management
for a firewall or
Panorama
Setup
Management
for Panorama and
Edit
the Secure Communication
Select the
Certificate Type
,
Certificate
, and
Certificate Profile
from the respective drop-downs.
In the Customize Communication settings, select
PAN-DB Communication
.
Click
OK
.
Commit
your changes.
After committing your changes, the firewalls do not terminate their current sessions with the PAN-DB server until after the
Disconnect Wait Time
. The disconnect wait time begins counting down after you enforce the use of custom certificates in the next step.
After deploying custom certificates on all firewalls, enforce custom certificate authentication.
Log in to the CLI on the PAN-DB server and enter configuration mode.

admin@M-600> 
configure

Enforce the use of custom certificates.

admin@M-600# 
set deviceconfig setting management secure-conn-server disable-pre-defined-cert yes
After committing this change, the disconnect wait time begins counting down (if you configured setting on PAN-DB). When the wait time ends, PAN-DB and its firewall connect using only the configured certificates.
You have two choices when adding new firewalls or Panorama to your PAN-DB private cloud deployment.
If you did not enable
Custom Certificates Only
then you can add a new firewall to the PAN-DB private cloud and then deploy the custom certificate as described above.
If you enabled
Custom Certificates Only
on the PAN-DB private cloud, then you can must deploy the custom certificates on the firewalls before connecting them to the PAN-DB private cloud.