Next-Generation Firewall
Device > Certificate Management > SSL/TLS Service Profile
SSL/TLS service profiles specify a server certificate and a protocol version or range of
versions for firewall or Panorama services that use SSL/TLS (such as administrative
access to the web interface). By defining the protocol versions, the profiles enable you
to restrict the cipher suites that are available for securing communication with the
client systems requesting the services.
In the client systems that request firewall or Panorama services,
the certificate trust list (CTL) must include the certificate authority (CA)
certificate that issued the certificate specified in the SSL/TLS service profile.
Otherwise, users will see a certificate error when requesting the services. Most
third-party CA certificates are present by default in client browsers. If an
enterprise or firewall-generated CA certificate is the issuer, you must deploy that
CA certificate to the CTL in client browsers.
To add a profile, click Add, and then complete the fields in the
following table.
| SSL/TLS Service Profile Settings | Description |
|---|---|
| Name | Enter a name to identify the profile (up to 31 characters). The name is case-sensitive. It must be unique and use only letters, numbers, spaces, hyphens, and underscores. |
| Shared | If the firewall has more than one virtual system (vsys), selecting this option makes the profile available on all virtual systems. By default, this option is cleared and the profile is available only for the vsys selected in the Device tab, Location drop-down. |
| Certificate | Select, import, or generate a server certificate to associate with the profile (see Manage Firewall and Panorama Certificates). Do not use certificate authority (CA) certificates for SSL/TLS services; use only signed certificates. Post-quantum cryptography (PQC) certificates are not available for selection; they are for experimental use only. |
| Protocol Settings | Select the minimum (Min Version) and maximum (Max Version) TLS version that services can use: TLSv1.0, TLSv1.1, TLSv1.2, or TLSv1.3. To provide the strongest security for your network, use the strongest version of the protocol you can; if you can, set both Min Version and Max Version to TLSv1.3. On firewalls in FIPS/CC mode running PAN-OS 8.0 or a later release, TLSv1.1 is the earliest supported TLS version; do not select TLSv1.0. Client certificates that are used when requesting firewall services that rely on TLSv1.2 cannot have SHA512 as a digest algorithm; the client certificates must use a lower digest algorithm (such as SHA384) or you must limit the Max Version to TLSv1.1 for the services. |
| Key Exchange Algorithms | Classical: deselect or select classical key exchange algorithms. RSA, DHE, and ECDHE are enabled by default. Post-quantum cryptography (PQC): add, modify, or delete quantum-resistant key exchange algorithms. PQC support is limited to TLSv1.3 connections; you can only configure PQC algorithms if TLSv1.3 is supported in the Protocol Settings. |
| Encryption Algorithms | Deselect or select encryption algorithms. For a list of supported encryption algorithms, see Supported Cipher Suites. All encryption algorithms supported for the specified range of TLS protocol versions are selected by default. |
| Authentication Algorithms | Deselect or select authentication algorithms: SHA1, SHA256, or SHA384. For a list of supported authentication algorithms, see Supported Cipher Suites. |
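The constraints in the table above (name format, version ordering, the FIPS/CC minimum, PQC requiring TLSv1.3, no CA certificate, the TLSv1.2 client-certificate digest rule) can be checked before a profile is pushed. The Python checker below is an added example, not code from the PAN-OS documentation or product; the profile dictionary keys and the two sample profiles are this example's own assumptions.

```python
import re
from typing import Dict, List

TLS_VERSIONS = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Name rule from the table: up to 31 chars; letters, numbers, spaces, hyphens, underscores.
NAME_RE = re.compile(r"^[A-Za-z0-9 _-]{1,31}$")

def validate_profile(profile: Dict, fips_cc: bool = False) -> List[str]:
    """Return findings for a profile given as a plain dict; the keys
    (name, min_version, max_version, pqc_enabled, certificate_is_ca,
    client_cert_digest) are this example's convention, not a PAN-OS schema."""
    findings = []
    if not NAME_RE.match(profile.get("name", "")):
        findings.append("name: 1-31 chars of letters, numbers, spaces, hyphens, underscores only")
    lo, hi = profile.get("min_version"), profile.get("max_version")
    if lo not in TLS_VERSIONS or hi not in TLS_VERSIONS:
        findings.append("protocol: Min/Max Version must be one of " + ", ".join(TLS_VERSIONS))
        return findings  # the remaining checks need a valid version range
    lo_i, hi_i = TLS_VERSIONS.index(lo), TLS_VERSIONS.index(hi)
    if lo_i > hi_i:
        findings.append("protocol: Min Version is newer than Max Version")
    if fips_cc and lo == "TLSv1.0":
        findings.append("protocol: TLSv1.0 is not supported in FIPS/CC mode; use TLSv1.1 or later")
    if hi != "TLSv1.3":
        findings.append("protocol: Max Version below TLSv1.3; use TLSv1.3 where clients allow it")
    if profile.get("pqc_enabled") and hi != "TLSv1.3":
        findings.append("key exchange: PQC algorithms need TLSv1.3 within the protocol range")
    if profile.get("certificate_is_ca"):
        findings.append("certificate: a CA certificate is selected; use a signed server certificate")
    # TLSv1.2 client certificates cannot use a SHA512 digest (Protocol Settings row).
    if profile.get("client_cert_digest") == "SHA512" and lo_i <= 2 <= hi_i:
        findings.append("client certificate: SHA512 digest is not usable with TLSv1.2; use SHA384 or cap Max Version at TLSv1.1")
    return findings

# Constructed sample profiles: a weak one and its hardened counterpart.
WEAK_PROFILE = {
    "name": "mgmt legacy!", "min_version": "TLSv1.0", "max_version": "TLSv1.2",
    "pqc_enabled": True, "certificate_is_ca": True, "client_cert_digest": "SHA512",
}
HARDENED_PROFILE = {
    "name": "mgmt-tls13", "min_version": "TLSv1.3", "max_version": "TLSv1.3",
    "pqc_enabled": True, "certificate_is_ca": False, "client_cert_digest": "SHA384",
}

if __name__ == "__main__":
    for label, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, validate_profile(prof, fips_cc=True) or ["OK"])
```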