Configure an SSL/TLS Service Profile (PAN-OS & Panorama)
PAN-OS: Specify the certificate, TLS protocol versions, and ciphers that you want connections to the various Palo Alto Networks services to support.
  1. For each desired service, generate or import a certificate on the firewall (see Obtain Certificates).
    Use only signed certificates, not CA certificates, in SSL/TLS service profiles.
  2. Select Device > Certificate Management > SSL/TLS Service Profile.
  3. If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.
  4. Click Add and enter a Name to identify the profile.
  5. Select the Certificate you obtained in step one.
    PQC certificates are not available for selection.
  6. Under Protocol Settings, define the range of TLS versions that the service can use.
    TLSv1.3 support is limited to administrative access to management interfaces and GlobalProtect portals and gateways. You can only attach SSL/TLS service profiles that allow TLSv1.3 to the settings for these services.
    • Administrative Access and GlobalProtect Portals and Gateways:
      Set the Min Version and Max Version to TLSv1.3.
      • For the Min Version, select the earliest allowed TLS version: TLSv1.0, TLSv1.1, TLSv1.2, or TLSv1.3.
      • For the Max Version, select the latest allowed TLS version: TLSv1.0, TLSv1.1, TLSv1.2, or TLSv1.3.
    • All Other Services:
      Set the Min Version and Max Version to TLSv1.2.
      • For the Min Version, select the earliest allowed TLS version: TLSv1.0, TLSv1.1, or TLSv1.2.
      • For the Max Version, select the latest allowed TLS version: TLSv1.0, TLSv1.1, or TLSv1.2.
  7. (Optional) Select or deselect any Key Exchange Algorithms, Encryption Algorithms, or Authentication Algorithms.
    (PAN-OS 12.1 only) For Key Exchange Algorithms, select the Classical or Post-quantum Cryptography (PQC) tab.
    The RSA, DHE, and ECDHE classical key exchange algorithms are enabled by default.
    (TLSv1.3 only) To specify PQC key exchange algorithms, click Add, and then configure the following settings:
    1. For Algorithm, select ML-KEM.
    2. For each algorithm, select at least one Security Level: Level 1, Level 3, Level 5.
      These levels are based on NIST standards of security strength. The higher the security level, the greater the security provided.
    3. For each algorithm, define the PQC Supported Groups by selecting one or more curve groups.
      The curve groups available for selection differ based on the selected Algorithm and Security Level.
  8. Click OK and Commit your changes.
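The following Python script is an added example, not part of this documentation and not a PAN-OS API: it encodes the constraints of steps 1, 6 and 7 (signed certificate, Min/Max Version order, TLSv1.3 only for administrative access and GlobalProtect, PQC key exchange only with TLSv1.3, at least one Security Level and one Supported Group per ML-KEM entry) so a planned profile can be checked before it is entered in the GUI. The service labels and the data model are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Protocol versions in the order the Min/Max Version dropdowns list them.
TLS_ORDER = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Hypothetical labels for the only services whose profiles may allow TLSv1.3.
TLS13_SERVICES = {"admin-access", "globalprotect-portal", "globalprotect-gateway"}
PQC_LEVELS = {"Level 1", "Level 3", "Level 5"}


@dataclass
class PqcKeyExchange:
    algorithm: str              # the page lists ML-KEM
    security_levels: set[str]   # at least one of PQC_LEVELS
    supported_groups: set[str]  # one or more curve groups


@dataclass
class ServiceProfile:
    name: str
    service: str                # service the profile will be attached to
    certificate_is_ca: bool     # True if the chosen certificate is a CA certificate
    min_version: str
    max_version: str
    pqc_key_exchange: list[PqcKeyExchange] = field(default_factory=list)


def validate_profile(p: ServiceProfile) -> list[str]:
    """Return the list of problems; an empty list means the profile follows the page's rules."""
    problems = []
    if p.certificate_is_ca:
        problems.append("use a signed end-entity certificate, not a CA certificate")
    if p.min_version not in TLS_ORDER or p.max_version not in TLS_ORDER:
        return problems + ["Min/Max Version must be one of " + ", ".join(TLS_ORDER)]
    lo, hi = TLS_ORDER.index(p.min_version), TLS_ORDER.index(p.max_version)
    if lo > hi:
        problems.append("Min Version is later than Max Version")
    if hi == 3 and p.service not in TLS13_SERVICES:
        problems.append("TLSv1.3 is only for admin access and GlobalProtect; set Max Version to TLSv1.2")
    if lo < 2:
        problems.append("Min Version below TLSv1.2 admits deprecated versions (page recommends TLSv1.2)")
    if p.pqc_key_exchange and hi < 3:
        problems.append("PQC key exchange algorithms apply to TLSv1.3 only")
    for kx in p.pqc_key_exchange:
        if kx.algorithm != "ML-KEM":
            problems.append(f"unsupported PQC algorithm {kx.algorithm!r}")
        if not kx.security_levels or not kx.security_levels <= PQC_LEVELS:
            problems.append(f"{kx.algorithm}: select at least one of {sorted(PQC_LEVELS)}")
        if not kx.supported_groups:
            problems.append(f"{kx.algorithm}: select at least one PQC Supported Group")
    return problems
```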