Focus

Next-Generation Firewall

Replace the Certificate for Inbound Management Traffic

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Networking
Quick Start
Reference
Incidents & Alerts
Release Notes
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1 (EoL)
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
Help
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1

Configure an SSH Service Profile

Configure the Key Size for SSL Forward Proxy Server Certificates

Replace the Certificate for Inbound Management Traffic

Use a certificate issued specifically for your organization instead of the default certificate to improve inbound management traffic security.

When you first boot up the firewall or Panorama, it automatically generates a default certificate that enables HTTPS access to the web interface and XML API over the management (MGT) interface and (on the firewall only) over any other interface that supports HTTPS management traffic (for details, see Use Interface Management Profiles to Restrict Access). To improve the security of inbound management traffic, replace the default certificate with a new certificate issued specifically for your organization.

You cannot view, modify, or delete the default certificate.

To secure management traffic, you must also Configure Administrative Accounts and Authentication.

Obtain the certificate that will authenticate the firewall or Panorama to the client systems of administrators.
You can simplify your Certificate Deployment by using a certificate that the client systems already trust. Therefore, we recommend that you Import a Certificate and Private Key from your enterprise certificate authority (CA) or Obtain a Certificate from an External CA; the trusted root certificate store of the client systems is likely to already have the associated root CA certificate that ensures trust.

If you Generate a Certificate on the firewall or Panorama, administrators will see a certificate error because the root CA certificate is not in the trusted root certificate store of client systems. To prevent this, deploy the self-signed root CA certificate to all client systems.

Regardless of how you obtain the certificate, we recommend a Digest algorithm of sha256 or higher for enhanced security.
Configure an SSL/TLS Service Profile.
Select the Certificate you just obtained.

For enhanced security, we recommend that you set the Min Version (earliest allowed TLS version) to TLSv1.2 for inbound management traffic. We also recommend that you use a different SSL/TLS Service Profile for each firewall or Panorama service instead of reusing this profile for all services.
Apply the SSL/TLS Service Profile to inbound management traffic.
1. Select DeviceSetupManagement and edit the General Settings.
2. Select the SSL/TLS Service Profile you just configured.
3. Click OK and Commit.

Configure an SSH Service Profile

Configure the Key Size for SSL Forward Proxy Server Certificates

Next-Generation Firewall Docs

Replace the Certificate for Inbound Management Traffic

Next-Generation Firewall Docs

Replace the Certificate for Inbound Management Traffic

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

3rd Party Integrations

Best Practices

Experts Corner