Configure an SSL/TLS Service Profile
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1
Configure an SSL/TLS Service Profile
Specify a certificate, TLS protocol versions, and ciphers that you want connections
to various Palo Alto Networks services support.
Where Can I Use This? | What Do I Need? |
|---|---|
| For cloud-managed NGFWs: |
Palo Alto Networks firewalls and Panorama appliances use SSL/TLS to secure
connections to the Authentication Portal, GlobalProtect portals and gateways, the
management interface, HTTPS websites that require password access (URL admin
override), and the User-ID™ syslog listening service. You can create an SSL/TLS
service profile to define the server certificate, SSL/TLS protocol versions, and
ciphers supported for connections to these services. Cipher suites are automatically
selected based on the protocol versions chosen. However, you can disable individual
ciphers as needed. If a service request involves a protocol version outside the
specified range, the firewall or Panorama appliance downgrades or upgrades the
connection to a supported version. To activate an SSL/TLS service profile, attach
the profile to the settings for a specific service.
In the client systems that request firewall services, the certificate trust list
(CTL) must include the certificate authority (CA) certificate that issued the
certificate specified in the SSL/TLS service profile. Otherwise, users will see
a certificate error when requesting firewall services. Most third-party CA
certificates are present by default in client browsers. If an enterprise or
firewall-generated CA certificate is the issuer, you must deploy that CA
certificate to the CTL in client browsers.
TLSv1.3 support is limited to administrative access to
management interfaces and GlobalProtect portals and gateways. You can only attach
SSL/TLS service profiles that allow TLSv1.3 to the settings for these
services.
Cloud Management
Configure an SSL/TLS service profile on Strata Cloud Manager.
You can configure an SSL/TLS service profile on Strata Cloud Manager.
- Log in to Strata Cloud Manager.
- For each desired service, generate or import a certificate.
- Select.ManageConfigurationNGFW andPrisma AccessObjectsCertificate ManagementCertificates
- In the Custom Certificates pane,GenerateorImporta certificate.
- Savethe certificate.
- Configure an SSL/TLS service profile.
- Select.ManageConfigurationNGFW andPrisma AccessObjectsCertificate ManagementCertificates
- In the SSL/TLS Service Profiles pane, clickAdd Profile.
- Enter aNamefor the profile.
- Select orImportaCertificate.
- ForProtocol Settings, define the range of TLS versions that the service can use.TLSv1.3 support is limited to administrative access to management interfaces and GlobalProtect portals and gateways. You can only attach SSL/TLS service profiles that allow TLSv1.3 to the settings for these services.Administrative Access and GlobalProtect Portals and Gateways:Set theMin VersionandMax VersiontoTLSv1.3.
- For theMin Version, select the earliest allowed TLS version:TLSv1.0,TLSv1.1,TLSv1.2, orTLSv1.3.
- For theMax Version, select the latest allowed TLS version:TLSv1.0,TLSv1.1,TLSv1.2, orTLSv1.3.
All Other Services:Set theMin VersionandMax VersiontoTLSv1.2.- For theMin Version, select the earliest allowed TLS version:TLSv1.0,TLSv1.1, orTLSv1.2.
- For theMax Version, select the latest allowed TLS version:TLSv1.0,TLSv1.1, orTLSv1.2.
- (Optional) Deselect anyKey Exchange Algorithms,Encryption Algorithms, orAuthentication Algorithms.
- Savethe profile.
- Push Config.
PAN-OS & Panorama
PAN-OS: Specify a certificate, TLS protocol versions, and ciphers that you want
connections to various Palo Alto Networks services support.
- For each desired service, generate or import a certificate on the firewall (see Obtain Certificates).Use only signed certificates, not CA certificates, in SSL/TLS service profiles.
- Select.DeviceCertificate ManagementSSL/TLS Service Profile
- If the firewall has more than one virtual system (vsys), select theLocation(vsys orShared) where the profile is available.
- ClickAddand enter aNameto identify the profile.
- Select theCertificateyou obtained in step one.
- UnderProtocol Settings, define the range of TLS versions that the service can use.TLSv1.3 support is limited to administrative access to management interfaces and GlobalProtect portals and gateways. You can only attach SSL/TLS service profiles that allow TLSv1.3 to the settings for these services.
- Administrative Access and GlobalProtect Portals and Gateways:Set theMin VersionandMax VersiontoTLSv1.3.
- For theMin Version, select the earliest allowed TLS version:TLSv1.0,TLSv1.1,TLSv1.2, orTLSv1.3.
- For theMax Version, select the latest allowed TLS version:TLSv1.0,TLSv1.1,TLSv1.2, orTLSv1.3.
- All Other Services:Set theMin VersionandMax VersiontoTLSv1.2.
- For theMin Version, select the earliest allowed TLS version:TLSv1.0,TLSv1.1, orTLSv1.2.
- For theMax Version, select the latest allowed TLS version:TLSv1.0,TLSv1.1, orTLSv1.2.
- (Optional) Deselect anyKey Exchange Algorithms,Encryption Algorithms, orAuthentication Algorithms.
- ClickOKandCommityour changes.