Replace the Certificate for Inbound Management Traffic

When you first boot up the firewall or Panorama, it automatically generates a default certificate that enables HTTPS access to the web interface and XML API over the management (MGT) interface and (on the firewall only) over any other interface that supports HTTPS management traffic (for details, see Use Interface Management Profiles to Restrict Access). To improve the security of inbound management traffic, replace the default certificate with a new certificate issued specifically for your organization.
You cannot view, modify, or delete the default certificate.
To secure management traffic, you must also Configure Administrative Accounts and Authentication.
  1. Obtain the certificate that will authenticate the firewall or Panorama to the client systems of administrators.
    You can simplify your Certificate Deployment by using a certificate that the client systems already trust. We therefore recommend that you Import a Certificate and Private Key from your enterprise certificate authority (CA) or Obtain a Certificate from an External CA: the trusted root certificate store of the client systems is likely to already contain the associated root CA certificate, so the chain validates without further work on each client.
    If you Generate a Certificate on the firewall or Panorama, administrators will see a certificate error because the self-signed root CA certificate is not in the trusted root certificate store of their client systems. To prevent this, deploy that root CA certificate to all client systems.
    Whichever way you obtain the certificate, make sure it is issued for the hostname (or IP address) that administrators actually use to reach the management interface; current browsers validate the Subject Alternative Name, not only the Common Name. We also recommend a Digest algorithm of sha256 or higher for enhanced security; current browsers reject certificates signed with SHA-1.
  2. Configure an SSL/TLS Service Profile and select the Certificate you just obtained.
    For enhanced security, we recommend that you set the Min Version (earliest allowed TLS version) to TLSv1.2 for inbound management traffic; TLSv1.0 and TLSv1.1 are deprecated and should not be offered to administrators' browsers. We also recommend that you use a separate SSL/TLS Service Profile for each firewall or Panorama service instead of reusing this profile for all services, so that each service can carry its own certificate and minimum TLS version and a change to one service does not affect the others.
  3. Apply the SSL/TLS Service Profile to inbound management traffic.
    1. Select Device > Setup > Management and edit the General Settings.
    2. Select the SSL/TLS Service Profile you just configured.
    3. Click OK and Commit.
    After the commit, reconnect to the web interface and confirm that the browser shows the certificate you imported, issued by your CA, with no trust warning; if the default certificate is still presented, the profile was not applied to management traffic.
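The two ends of this procedure, as an added example that is not part of the PAN-OS documentation: a POSIX shell script that builds the SHA-256 CSR with a Subject Alternative Name for step 1, and, after the Commit in step 3, probes the management interface to confirm it serves the CA-issued certificate and refuses TLS 1.0 and 1.1. The hostname fw-mgmt.example.com, the organisation name "Example Org" and the function names are assumptions; the script only needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the PAN-OS documentation. Hypothetical values:
# fw-mgmt.example.com is the management FQDN, "Example Org" the organisation.
# Requires the openssl command-line tool.
set -eu

# Step 1: create a private key and a SHA-256-signed CSR for the MGT interface,
# with the management FQDN in the Subject Alternative Name. Submit mgmt.csr to
# your enterprise CA; the private key stays on this host until you import it
# together with the signed certificate (Import a Certificate and Private Key).
# Prints the CSR's signature algorithm so the digest can be checked.
make_mgmt_csr() {
    fqdn="$1"
    outdir="$2"
    mkdir -p "$outdir"
    cat > "$outdir/csr.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = ext
prompt             = no
[ dn ]
CN = $fqdn
O  = Example Org
[ ext ]
subjectAltName   = DNS:$fqdn
extendedKeyUsage = serverAuth
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$outdir/csr.cnf" \
        -keyout "$outdir/mgmt.key" -out "$outdir/mgmt.csr" >/dev/null 2>&1
    chmod 600 "$outdir/mgmt.key"
    openssl req -in "$outdir/mgmt.csr" -noout -text \
        | grep 'Signature Algorithm' | head -n 1 | awk '{print $NF}'
}

# Prints the SAN entry of a CSR, e.g. "DNS:fw-mgmt.example.com", so you can
# confirm the request names the host administrators will actually connect to.
csr_san() {
    openssl req -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}

# Step 3 check, after Commit: the MGT interface must present the CA-issued
# certificate and refuse TLS 1.0 and 1.1 once Min Version is TLSv1.2.
# Expected: "-tls1: rejected", "-tls1_1: rejected", "-tls1_2: accepted".
check_mgmt_tls() {
    host="$1"
    for v in -tls1 -tls1_1 -tls1_2; do
        if echo | openssl s_client -connect "$host:443" -servername "$host" "$v" \
                >/dev/null 2>&1; then
            echo "$v: accepted"
        else
            echo "$v: rejected"
        fi
    done
    # Subject and issuer of the leaf certificate actually served: the issuer
    # should be your CA, not the device's default self-signed certificate.
    echo | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -subject -issuer
}

# Usage: sh mgmt-cert.sh csr   fw-mgmt.example.com ./out
#        sh mgmt-cert.sh check fw-mgmt.example.com
case "${1:-}" in
    csr)   make_mgmt_csr "$2" "$3" ;;
    check) check_mgmt_tls "$2" ;;
esac
```

Run the csr mode before step 1 and hand out/mgmt.csr to the CA; run the check mode after the commit in step 3. If -tls1 or -tls1_1 is reported as accepted, the profile either was not applied to management traffic or has a Min Version below TLSv1.2. Note that an OpenSSL client built without TLS 1.0/1.1 support reports those probes as rejected regardless of what the device offers, so confirm the client's own capabilities once against a host known to still accept them before trusting that half of the result.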