PAN-OS & Panorama

For each desired service, generate or import a certificate on the firewall (see Obtain Certificates).
Use only signed certificates, not CA certificates, in SSL/TLS service profiles.
Select
Device
Certificate Management
SSL/TLS Service Profile
.
If the firewall has more than one virtual system (vsys), select the
Location
(vsys or
Shared
) where the profile is available.
Click
Add
and enter a
Name
to identify the profile.
Select the
Certificate
you obtained in step one.
Under
Protocol Settings
, define the range of TLS versions that the service can use.
TLSv1.3 support is limited to administrative access to management interfaces and GlobalProtect portals and gateways. You can only attach SSL/TLS service profiles that allow TLSv1.3 to the settings for these services.
Administrative Access and GlobalProtect Portals and Gateways:
Set the
Min Version
and
Max Version
to
TLSv1.3
.
For the
Min Version
, select the earliest allowed TLS version:
TLSv1.0
,
TLSv1.1
,
TLSv1.2
, or
TLSv1.3
.
For the
Max Version
, select the latest allowed TLS version:
TLSv1.0
,
TLSv1.1
,
TLSv1.2
, or
TLSv1.3
.
All Other Services:
Set the
Min Version
and
Max Version
to
TLSv1.2
.
For the
Min Version
, select the earliest allowed TLS version:
TLSv1.0
,
TLSv1.1
, or
TLSv1.2
.
For the
Max Version
, select the latest allowed TLS version:
TLSv1.0
,
TLSv1.1
, or
TLSv1.2
.
(
Optional
) Deselect any
Key Exchange Algorithms
,
Encryption Algorithms
, or
Authentication Algorithms
.
Click
OK
and
Commit
your changes.