Configure an SSL/TLS Service Profile
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
End-of-Life (EoL)
Configure an SSL/TLS Service Profile
Palo Alto Networks firewalls and Panorama
use SSL/TLS service profiles to specify a certificate and the allowed
protocol versions for SSL/TLS services. The firewall and Panorama
use SSL/TLS for Authentication Portal, GlobalProtect portals and
gateways, inbound traffic on the management (MGT) interface, the
URL Admin Override feature, and the User-ID™ syslog listening service.
By defining the protocol versions, you can use a profile to restrict
the cipher suites that are available for securing communication
with the clients requesting the services. This improves network
security by enabling the firewall or Panorama to avoid SSL/TLS versions
that have known weaknesses. If a service request involves a protocol
version that is outside the specified range, the firewall or Panorama
downgrades or upgrades the connection to a supported version.
In the client systems that request firewall
services, the certificate trust list (CTL) must include the certificate
authority (CA) certificate that issued the certificate specified
in the SSL/TLS service profile. Otherwise, users will see a certificate
error when requesting firewall services. Most third-party CA certificates
are present by default in client browsers. If an enterprise or firewall-generated
CA certificate is the issuer, you must deploy that CA certificate
to the CTL in client browsers.
- For each desired service, generate or import a certificate on the firewall (see Obtain Certificates).Use only signed certificates, not CA certificates, in SSL/TLS service profiles.Select DeviceCertificate ManagementSSL/TLS Service Profile.If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.Click Add and enter a Name to identify the profile.Select the Certificate you just obtained.Define the range of protocols that the service can use:
- For the Min Version, select the earliest allowed TLS version: TLSv1.0 (default), TLSv1.1, or TLSv1.2.
- For the Max Version, select the latest allowed TLS version: TLSv1.0, TLSv1.1, TLSv1.2, or Max (latest available version). The default is Max.
As a best practice, set the Min Version to TLSv1.2 and the Max Version to Max.On firewalls in FIPS/CC mode running PAN-OS 8.0 or a later release, TLSv1.1 is the earliest supported TLS version; do not select TLSv1.0.Client certificates that are used when requesting firewall services that rely on TLSv1.2 cannot have SHA512 as a digest algorithm. The client certificates must use a lower digest algorithm (such as SHA384) or you must limit the Max Version to TLSv1.1 for the firewall services.Click OK and Commit.