Configure Certificate-Based Administrator Authentication to the Web Interface
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Configure Certificate-Based Administrator Authentication to the Web Interface
As a more secure alternative to password-based
authentication to the firewall web interface, you can configure
certificate-based authentication for administrator accounts that
are local to the firewall. Certificate-based authentication involves
the exchange and verification of a digital signature instead of
a password.
Configuring certificate-based
authentication for any administrator disables the username/password
logins for all administrators on the firewall; administrators thereafter
require the certificate to log in.
- Generate a certificate authority (CA) certificate on the firewall.You will use this CA certificate to sign the client certificate of each administrator.Alternatively, Import a Certificate and Private Key from your enterprise CA or a third-party CA.Configure a certificate profile for securing access to the web interface.
- Set the Username Field to Subject.
- In the CA Certificates section, Add the CA Certificate you just created or imported.
Configure the firewall to use the certificate profile for authenticating administrators.- Select DeviceSetupManagement and edit the Authentication Settings.Select the Certificate Profile you created for authenticating administrators and click OK.Configure the administrator accounts to use client certificate authentication.For each administrator who will access the firewall web interface, Configure a Firewall Administrator Account and select Use only client certificate authentication.Generate a client certificate for each administrator.Generate a Certificate. In the Signed By drop-down, select a self-signed root CA certificate.Export the client certificate.
- Export a Certificate and Private Key.Commit your changes. The firewall restarts and terminates your login session. Thereafter, administrators can access the web interface only from client systems that have the client certificate you generated.Import the client certificate into the client system of each administrator who will access the web interface.Refer to your web browser documentation.Verify that administrators can access the web interface.
- Open the firewall IP address in a browser on the computer that has the client certificate.When prompted, select the certificate you imported and click OK. The browser displays a certificate warning.Add the certificate to the browser exception list.Click Login. The web interface should appear without prompting you for a username or password.