1. Home
    2. PAN-OS
    3. PAN-OS 7.1 Web Interface Reference Guide
    4. Device
    5. Device > Certificate Management > SSL/TLS Service Profile
    Previous
    Next
    Device > Certificate Management > SSL/TLS Service Profile Panorama > Certificate Management > SSL/TLS Service Profile
    SSL/TLS service profiles specify a server certificate and a protocol version or range of versions for firewall services that use SSL/TLS. By defining the protocol versions, the profiles enable you to restrict the cipher suites that are available for securing communication with the client systems requesting the services.
    		 In the client systems that request firewall services, the certificate trust list (CTL) must include the certificate authority (CA) certificate that issued the certificate specified in the SSL/TLS service profile. Otherwise, users will see a certificate error when requesting firewall services. Most third-party CA certificates are present by default in client browsers. If an enterprise or firewall-generated CA certificate is the issuer, you must deploy that CA certificate to the CTL in client browsers.
    To add a profile, click Add, complete the fields in the following table, and then click OK. To clone a profile, select it, click Clone, and then click OK. To delete a profile, select it and click Delete.
    The following table describes SSL/TLS service profile settings.
    SSL/TLS Service Profile Setting Description
    Name Enter a name to identify the profile (up to 31 characters). The name is case-sensitive. It must be unique and use only letters, numbers, spaces, hyphens, and underscores.
    Shared If the firewall has more than one virtual system (vsys), you can select this option to make the profile available on all virtual systems. By default, this option is cleared and the profile is available only in the vsys selected in the Device tab, Location drop-down.
    Certificate Select, import, or generate a server certificate to associate with the profile. See Manage Firewall and Panorama Certificates. Do not use certificate authority (CA) certificates for SSL/TLS services; use only signed certificates.
    Min Version Select the earliest ( Min Version) and latest ( Max Version) version of TLS that services can use: TLSv1.0, TLSv1.1, TLSv1.2, or Max (the latest available version). Client certificates that are used when requesting firewall services that rely on TLSv1.2 cannot have SHA384 (in releases before PAN-OS 7.1.8) or SHA512 as a digest algorithm. The client certificates must use a lower digest algorithm or you must limit the Max Version to TLSv1.1 for the services.
    Max Version
    Previous
    Next

    Related Documentation

    Configure an SSL/TLS Service Profile

    Configure an SSL/TLS Service Profile Palo Alto Networks firewalls and Panorama use SSL/TLS service profiles to specify a certificate and the allowed protocol versions for ...

    Generate a Certificate

    Generate a Certificate Palo Alto Networks firewalls and Panorama use certificates to authenticate clients, servers, users, and devices in several applications, including SSL/TLS decryption, Captive ...

    Device > Certificate Management > Certificates

    Device > Certificate Management > Certificates Select Device > Certificate Management > Certificates > Device Certificates to manage (generate, import, renew, delete, and revoke) certificates, ...

    Replace the Certificate for Inbound Management Traffic

    Replace the Certificate for Inbound Management Traffic When you first boot up the firewall or Panorama, it automatically generates a default certificate that enables HTTPS ...

    Enable SSL Between GlobalProtect LSVPN Components

    Enable SSL Between GlobalProtect LSVPN Components All interaction between the GlobalProtect components occurs over an SSL/TLS connection. Therefore, you must generate and/or install the required ...

    Deploy Server Certificates to the GlobalProtect Components

    Deploy Server Certificates to the GlobalProtect Components The following workflow shows the best practice steps for deploying SSL/TLS certificates to the GlobalProtect components: Import a ...

    GlobalProtect Certificate Best Practices

    GlobalProtect Certificate Best Practices The following table summarizes the SSL/TLS certificates you will need, depending on which features you plan to use: GlobalProtect Certificate Requirements ...

    Device > Certificate Management

    Device > Certificate Management Device > Certificate Management > Certificates Device > Certificate Management > Certificate Profile Device > Certificate Management > OCSP Responder Device ...

    Enable Two-Factor Authentication Using Certificate and Auth...

    Enable Two-Factor Authentication Using Certificate and Authentication Profiles The following workflow describes how to configure GlobalProtect client authentication requiring the user to authenticate both to ...

    Deploy Machine Certificates for Authentication

    Deploy Machine Certificates for Authentication To confirm that the endpoint belongs to your organization, use your own public-key infrastructure (PKI) to issue and distribute machine ...

    © 2019 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo