Palo Alto Networks firewalls and Panorama
use SSL/TLS service profiles to specify a certificate and the allowed
protocol versions for SSL/TLS services. The firewall and Panorama
use SSL/TLS for Captive Portal, GlobalProtect portals and gateways, inbound
traffic on the management (MGT) interface, the URL Admin Override feature,
and the User-ID™ syslog listening service. By defining the protocol
versions, you can use a profile to restrict the cipher suites that
are available for securing communication with the clients requesting
the services. This improves network security by enabling the firewall
or Panorama to avoid SSL/TLS versions that have known weaknesses.
If a service request involves a protocol version that is outside the
specified range, the firewall or Panorama downgrades or upgrades
the connection to a supported version.
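As an added example (not from the Palo Alto Networks documentation or PAN-OS itself), this Python script models the negotiation described above: it parses the TLS versions a client offers in its ClientHello and reports which version a profile with a given earliest and latest allowed version would settle on, or None when no common version exists and the handshake fails. The ClientHello bytes are constructed inside the script rather than captured, and the 0x03xx version codes are the standard TLS wire values.

```python
import struct

# TLS version codes as they appear on the wire (RFC 5246 / RFC 8446)
TLS_VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def build_client_hello(legacy_version, supported_versions=()):
    """Constructed sample ClientHello record (not a real capture) for exercising the checker."""
    body = struct.pack(">H", legacy_version) + bytes(32)    # legacy_version + 32-byte random
    body += b"\x00"                                           # empty session_id
    body += b"\x00\x02\xc0\x2f"                               # one cipher suite
    body += b"\x01\x00"                                       # compression_methods: null only
    ext = b""
    if supported_versions:
        vers = b"".join(struct.pack(">H", v) for v in supported_versions)
        payload = bytes([len(vers)]) + vers
        ext = struct.pack(">HH", 43, len(payload)) + payload  # supported_versions extension (43)
    body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

def offered_versions(record):
    """Return the set of TLS versions a ClientHello offers (RFC 8446 section 4.2.1 rules)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    legacy = struct.unpack(">H", body[:2])[0]
    pos = 34 + 1 + body[34]                                  # skip random and session_id
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]     # skip cipher_suites
    pos += 1 + body[pos]                                     # skip compression_methods
    if pos + 2 <= len(body):
        ext_end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            if etype == 43:                                  # supported_versions takes precedence
                data = body[pos + 5:pos + 4 + elen]
                return {struct.unpack(">H", data[i:i + 2])[0] for i in range(0, len(data), 2)}
            pos += 4 + elen
    # Without the extension the client offers every version from TLSv1.0 up to legacy_version
    return {v for v in TLS_VERSIONS if v <= legacy}

def negotiate(profile_min, profile_max, record):
    """Highest version both the client and the profile range allow, or None if the handshake fails."""
    allowed = {v for v in TLS_VERSIONS if profile_min <= v <= profile_max}
    common = allowed & offered_versions(record)
    return TLS_VERSIONS[max(common)] if common else None
```

Run over real captures, the same check shows which clients would be cut off before you raise the earliest allowed version in a profile.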
On the client systems that request firewall services, the certificate
trust list (CTL) must include the certificate authority (CA) certificate
that issued the certificate specified in the SSL/TLS service profile.
Otherwise, users will see a certificate error when requesting firewall
services. Most third-party CA certificates are present by default
in client browsers. If an enterprise or firewall-generated CA certificate
is the issuer, you must deploy that CA certificate to the CTL in client browsers.
1. For each desired service, generate or import a certificate on the
   firewall (see Obtain Certificates). Use only signed certificates, not
   CA certificates, in SSL/TLS service profiles.

2. SSL/TLS Service Profile

3. If the firewall has more than one virtual system (vsys),
   where the profile is available.

4. and enter a
   identify the profile.

5. Define the range of protocols that the service can use:

   - the earliest allowed TLS version:
   - , select the latest allowed TLS version: (latest available version). The default

   Client certificates that are used when requesting firewall services that rely on TLSv1.2
   cannot have SHA384 (in releases before PAN-OS 7.1.8) or SHA512 as
   a digest algorithm. The client certificates must use a lower digest
   algorithm or you must limit the