Replace the Certificate for Inbound Management Traffic
When you first boot up the firewall or Panorama, it automatically generates a default certificate that enables HTTPS access to the web interface and XML API over the management (MGT) interface and (on the firewall only) over any other interface that supports HTTPS management traffic (for details, see Use Interface Management Profiles to Restrict Access). To improve the security of inbound management traffic, replace the default certificate with a new certificate issued specifically for your organization.

You cannot view, modify, or delete the default certificate.

To secure management traffic, you must also Configure Administrative Accounts and Authentication.
- Obtain the certificate that will authenticate the firewall or Panorama to the client systems of administrators.
  - You can simplify your Certificate Deployment by using a certificate that the client systems already trust. Therefore, we recommend that you Import a Certificate and Private Key from your enterprise certificate authority (CA) or Obtain a Certificate from an External CA; the trusted root certificate store of the client systems is likely to already have the associated root CA certificate that ensures trust.
  - If you Generate a Certificate on the firewall or Panorama, administrators will see a certificate error because the root CA certificate is not in the trusted root certificate store of client systems. To prevent this, deploy the self-signed root CA certificate to all client systems.
  - Regardless of how you obtain the certificate, we recommend a Digest algorithm of sha256 or higher for enhanced security.
- Configure an SSL/TLS Service Profile.
  - Select the Certificate you just obtained.
  - For enhanced security, we recommend that you set the Min Version (earliest allowed TLS version) to TLSv1.2 for inbound management traffic. We also recommend that you use a different SSL/TLS Service Profile for each firewall or Panorama service instead of reusing this profile for all services.
- Apply the SSL/TLS Service Profile to inbound management traffic.
  - Select Device > Setup > Management and edit the General Settings.
  - Select the SSL/TLS Service Profile you just configured.
  - Click OK and Commit.
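After the commit, verify from an administrator's client that the MGT interface really presents a certificate signed with sha256 or stronger and refuses TLS 1.0/1.1 handshakes. The Python 3 script below is an added example, not part of this documentation or of PAN-OS; it uses only the standard library, and the host name and port you pass in are placeholders for your own firewall or Panorama.

```python
import socket
import ssl

# Signature-algorithm OIDs (RFC 3279, 4055, 5758) and the digest each uses.
SIG_OID_DIGEST = {
    "1.2.840.113549.1.1.5": "sha1", "1.2.840.10045.4.1": "sha1",
    "1.2.840.113549.1.1.11": "sha256", "1.2.840.10045.4.3.2": "sha256",
    "1.2.840.113549.1.1.12": "sha384", "1.2.840.10045.4.3.3": "sha384",
    "1.2.840.113549.1.1.13": "sha512", "1.2.840.10045.4.3.4": "sha512",
}
STRONG_DIGESTS = {"sha256", "sha384", "sha512"}  # "sha256 or higher"

def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def signature_digest(der):
    """Digest named by the outer signatureAlgorithm of a DER X.509 certificate."""
    _, start, _ = _tlv(der, 0)            # Certificate ::= SEQUENCE
    _, _, tbs_end = _tlv(der, start)      # skip tbsCertificate
    _, alg_start, _ = _tlv(der, tbs_end)  # AlgorithmIdentifier ::= SEQUENCE
    tag, o_start, o_end = _tlv(der, alg_start)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    body = der[o_start:o_end]
    arcs, val = [body[0] // 40, body[0] % 40], 0  # first byte packs arcs 1 and 2
    for b in body[1:]:                    # base-128 arcs, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return SIG_OID_DIGEST.get(".".join(map(str, arcs)), "unknown")

def mgmt_cert_digest(host, port=443):
    """Fetch the leaf certificate the MGT interface presents and name its digest."""
    return signature_digest(ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port))))

def legacy_tls_refused(host, port=443, version=ssl.TLSVersion.TLSv1_1):
    """True if a handshake capped at `version` fails, i.e. Min Version TLSv1.2 holds."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # version probe only
    ctx.minimum_version = ctx.maximum_version = version
    try:
        with ctx.wrap_socket(socket.create_connection((host, port), timeout=5), server_hostname=host):
            return False
    except ssl.SSLError:
        return True
```

Run mgmt_cert_digest and legacy_tls_refused against the management address of the firewall or Panorama once the commit has completed. A client whose own OpenSSL build already disables TLS 1.0/1.1 also raises SSLError, so read the error text before treating True as proof that the profile enforces the minimum version.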