Focus

Next-Generation Firewall

Configure an SSL/TLS Service Profile (Strata Cloud Manager)

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Networking
Quick Start
Reference
Incidents & Alerts
Release Notes
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
Help
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1

Configure an SSL/TLS Service Profile (Strata Cloud Manager)

Configure an SSL/TLS service profile on Strata Cloud Manager.

Log in to Strata Cloud Manager.
For each desired service, generate or import a certificate.
1. Select ManageConfigurationNGFW and Prisma AccessObjectsCertificate ManagementConfigurationNGFW and Prisma AccessObjectsCertificate Management.
2. In the Custom Certificates pane, Generate or Import a certificate.
3. Save the certificate.
Configure an SSL/TLS service profile.
1. Select ManageConfigurationNGFW and Prisma AccessObjectsCertificate ManagementConfigurationNGFW and Prisma AccessObjectsCertificate Management.
2. In the SSL/TLS Service Profiles pane, click Add Profile.
3. Enter a Name for the profile.
4. Select or Import a Certificate.
  
  PQC certificates are not available for selection or import.
5. For Protocol Settings, define the range of TLS versions that the service can use.
  TLSv1.3 support is limited to administrative access to management interfaces and GlobalProtect portals and gateways. You can only attach SSL/TLS service profiles that allow TLSv1.3 to the settings for these services.
  
  Administrative Access and GlobalProtect Portals and Gateways:
  
  Set the Min Version and Max Version to TLSv1.3.
  
  For the Min Version, select the earliest allowed TLS version: TLSv1.0, TLSv1.1, TLSv1.2, or TLSv1.3.
  For the Max Version, select the latest allowed TLS version: TLSv1.0, TLSv1.1, TLSv1.2, or TLSv1.3.
  
  All Other Services:
  
  Set the Min Version and Max Version to TLSv1.2.
  
  For the Min Version, select the earliest allowed TLS version: TLSv1.0, TLSv1.1, or TLSv1.2.
  For the Max Version, select the latest allowed TLS version: TLSv1.0, TLSv1.1, or TLSv1.2.
(Optional) Select any Key Exchange Algorithms, Encryption Algorithms, or Authentication Algorithms.
(PAN-OS 12.1 only) For Key Exchange Algorithms, select the Classical or Post-quantum Cryptography (PQC) tab.

The RSA, DHE, and ECDHE classical key exchange algorithms are enabled by default.

(TLSv1.3 only) To specify PQC key exchange algorithms, click Add, and then configure the following settings:
1. For Algorithm, select ML-KEM.
2. For each algorithm, select at least one Security Level: Level 1, Level 3, Level 5.
  These levels are based on NIST standards of security strength. The higher the security level, the greater the security provided.
3. For each algorithm, define the PQC Supported Groups by selecting one or more curve groups.
  
  The curve groups available for selection differ based on the selected Algorithm and Security Level.
4. Save the PQC key exchange algorithm.
Save the profile.
To commit your changes, click Push ConfigPush.

Next-Generation Firewall Docs

Configure an SSL/TLS Service Profile (Strata Cloud Manager)

Next-Generation Firewall Docs

Configure an SSL/TLS Service Profile (Strata Cloud Manager)

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

3rd Party Integrations

Best Practices

Experts Corner