>
    Strata Copilot
    Configure an SSL/TLS Service Profile
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. Certificate Management
    4. Configure an SSL/TLS Service Profile
    Download PDF
    Next-Generation Firewall

    Configure an SSL/TLS Service Profile

    Table of Contents

    Configure an SSL/TLS Service Profile

    Specify the certificate, TLS protocol versions, and cipher suites used to secure connections to various Palo Alto Networks services.
    Where Can I Use This?What Do I Need?
    • NGFW (Cloud Managed)
    • NGFW (PAN-OS or Panorama Managed)
    For cloud-managed NGFWs:
    Palo Alto Networks firewalls and Panorama appliances use SSL/TLS to secure connections to the Authentication Portal, GlobalProtect portals and gateways, the management interface, HTTPS websites that require password access (URL Admin Override), and the User-ID™ syslog listening service. You can create an SSL/TLS service profile to define the server certificate, SSL/TLS protocol versions, and ciphers supported for connections to these services. Cipher suites are automatically selected based on the protocol versions chosen. However, you can disable individual ciphers as needed. If a service request involves a protocol version outside the specified range, the firewall or Panorama appliance downgrades or upgrades the connection to a supported version. To activate an SSL/TLS service profile, attach the profile to the settings for a specific service.
    In the client systems that request firewall services, the certificate trust list (CTL) must include the certificate authority (CA) certificate that issued the certificate specified in the SSL/TLS service profile. Otherwise, users will see a certificate error when requesting firewall services. Most third-party CA certificates are present by default in client browsers. If an enterprise or firewall-generated CA certificate is the issuer, you must deploy that CA certificate to the CTL in client browsers.
    TLSv1.3 support is limited to administrative access to management interfaces and GlobalProtect portals and gateways. You can only attach SSL/TLS service profiles that allow TLSv1.3 to the settings for these services.
    Post-quantum cryptography (PQC) certificates are not yet available for selection in SSL/TLS service profiles as they are for testing purposes only.

    Configure an SSL/TLS Service Profile (Strata Cloud Manager)

    Configure an SSL/TLS service profile on Strata Cloud Manager.
    1. Log in to Strata Cloud Manager.
    2. For each desired service, generate or import a certificate.
      1. Select ConfigurationNGFW and Prisma AccessObjectsCertificate Management.
      2. In the Custom Certificates pane, Generate or Import a certificate.
      3. Save the certificate.
    3. Configure an SSL/TLS service profile.
      1. Select ConfigurationNGFW and Prisma AccessObjectsCertificate Management.
      2. In the SSL/TLS Service Profiles pane, click Add Profile.
      3. Enter a Name for the profile.
      4. Select or Import a Certificate.
        PQC certificates are not available for selection or import.
      5. For Protocol Settings, define the range of TLS versions that the service can use.
        TLSv1.3 support is limited to administrative access to management interfaces and GlobalProtect portals and gateways. You can only attach SSL/TLS service profiles that allow TLSv1.3 to the settings for these services.
        Administrative Access and GlobalProtect Portals and Gateways:
        Set the Min Version and Max Version to TLSv1.3.
        • For the Min Version, select the earliest allowed TLS version: TLSv1.0, TLSv1.1, TLSv1.2, or TLSv1.3.
        • For the Max Version, select the latest allowed TLS version: TLSv1.0, TLSv1.1, TLSv1.2, or TLSv1.3.
        All Other Services:
        Set the Min Version and Max Version to TLSv1.2.
        • For the Min Version, select the earliest allowed TLS version: TLSv1.0, TLSv1.1, or TLSv1.2.
        • For the Max Version, select the latest allowed TLS version: TLSv1.0, TLSv1.1, or TLSv1.2.
    4. (Optional) Select or clear Key Exchange Algorithms, Encryption Algorithms, or Authentication Algorithms.
      Starting in PAN-OS 12.1.2, you can enable post-quantum key exchange algorithms for TLSv1.3 sessions. You must enable TLSv1.3 in the Protocol Settings.
      To configure Key Exchange Algorithms, select the algorithm type:
      • For classical algorithms (RSA, DHE, or ECDHE): Select the Classical tab, and then select or clear algorithms.
        By default, RSA, DHE, and ECDHE are enabled.
      • (TLSv1.3 only) For PQC algorithms:
        1. Select the Post Quantum Cryptography (PQC) tab, and then click Add.
        2. For Algorithm, select ML-KEM (Module-Lattice-based Key Encapsulation Mechanism).
        3. Select at least one Security Level:
          Each security level corresponds to one of three ML-KEM parameter sets specified in FIPS 203. Higher security levels offer greater protection but reduced performance.
          • Level 1—ML-KEM-512
          • Level 3—ML-KEM-768
          • Level 5—ML-KEM-1024
        4. Select one or more PQC Supported Groups.
          The available curve groups change based on Algorithm and Security Level. You can generate session keys using post-quantum or hybrid post-quantum key exchange. Hybrid key exchange pairs Elliptic Curve Cryptography (ECC) with ML-KEM to protect against both classical and quantum threats. The following curves are supported for hybrid key agreement: x25519, x448, p256, p384, and p512.
        5. Save the PQC algorithms.
    5. Save the profile.
    6. To commit your changes, click Push ConfigPush.

    Configure an SSL/TLS Service Profile (PAN-OS & Panorama)

    PAN-OS: Specify a certificate, TLS protocol versions, and ciphers that you want connections to various Palo Alto Networks services support.
    1. For each desired service, generate or import a certificate on the firewall (see Obtain Certificates).
      Use only signed certificates, not CA certificates, in SSL/TLS service profiles.
    2. Select DeviceCertificate ManagementSSL/TLS Service Profile, and then click Add.
    3. Enter a Name for the profile.
    4. If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.
    5. Select the Certificate you obtained in step one.
      PQC certificates are not available for selection.
    6. Under Protocol Settings, define the range of TLS versions the service can use.
      TLSv1.3 support is limited to administrative access to management interfaces and GlobalProtect portals and gateways. You can only attach SSL/TLS service profiles that allow TLSv1.3 to the settings for these services.
      • Administrative Access and GlobalProtect Portals and Gateways:
        Set the Min Version and Max Version to TLSv1.3.
        • For Min Version, select the earliest allowed TLS version: TLSv1.0, TLSv1.1, TLSv1.2, or TLSv1.3.
        • For Max Version, select the latest allowed TLS version: TLSv1.0, TLSv1.1, TLSv1.2, or TLSv1.3.
      • All Other Services:
        Set the Min Version and Max Version to TLSv1.2.
        • For the Min Version, select the earliest allowed TLS version: TLSv1.0, TLSv1.1, or TLSv1.2.
        • For the Max Version, select the latest allowed TLS version: TLSv1.0, TLSv1.1, or TLSv1.2.
    7. (Optional) Configure Key Exchange Algorithms, Encryption Algorithms, and Authentication Algorithms.
      Starting in PAN-OS 12.1.2, you can enable post-quantum key exchange algorithms for TLSv1.3 sessions. You must enable TLSv1.3 in the Protocol Settings.
      • To configure classical key exchange algorithms (RSA, DHE, and ECDHE):
        By default, RSA, DHE, and ECDHE are enabled.
        • (PAN-OS 11.2 and earlier) Enable or disable algorithms as needed.
        • (PAN-OS 12.1.2 and later) Select the Classical tab, and then enable or disable algorithms as needed.
      • (PAN-OS 12.1.2 and later) To specify PQC key exchange algorithms for TLSv1.3 sessions:
        1. Select the Post-quantum Cryptography (PQC) tab, and then click Add.
        2. For Algorithm, select ML-KEM (Module-Lattice-based Key Encapsulation Mechanism).
        3. For each algorithm, select at least one Security Level:
          Each security level corresponds to one of three ML-KEM parameter sets specified in FIPS 203. Higher security levels offer greater protection but reduced performance.
          • Level 1—ML-KEM-512
          • Level 3—ML-KEM-768
          • Level 5—ML-KEM-1024
        4. For each algorithm, select one or more PQC Supported Groups.
          The available curve groups change based on Algorithm and Security Level. You can generate session keys using post-quantum or hybrid post-quantum key exchange. Hybrid key exchange pairs Elliptic Curve Cryptography (ECC) with ML-KEM to protect against both classical and quantum threats. The following curves are supported for hybrid key agreement: x25519, x448, p256, p384, and p512.
    8. Click OK and Commit your changes.

    © 2026 Palo Alto Networks, Inc. All rights reserved.