Configure Certificate-Based Administrator Authentication to the Web Interface
As a more secure alternative to password-based authentication to the firewall web interface, you can configure certificate-based authentication for administrator accounts that are local to the firewall. Certificate-based authentication involves the exchange and verification of a digital signature instead of a password.
Configuring certificate-based authentication for any administrator disables the username/password logins for all administrators on the firewall; administrators thereafter require the certificate to log in.
- Generate a certificate authority (CA) certificate on the firewall.
- Configure a certificate profile for securing access to the web interface.
  - Set the Username Field to Subject.
  - In the CA Certificates section, Add the CA Certificate you just created or imported.
- Configure the firewall to use the certificate profile for authenticating administrators.
  - Select Device > Setup > Management and edit the Authentication Settings.
  - Select the Certificate Profile you created for authenticating administrators and click OK.
- Configure the administrator accounts to use client certificate authentication.
- Generate a client certificate for each administrator.
  - Generate a Certificate. In the Signed By drop-down, select a self-signed root CA certificate.
- Export the client certificate.
  - Export a Certificate and Private Key.
- Commit your changes. The firewall restarts and terminates your login session. Thereafter, administrators can access the web interface only from client systems that have the client certificate you generated.
- Import the client certificate into the client system of each administrator who will access the web interface. Refer to your web browser documentation.
- Verify that administrators can access the web interface.
  - Open the firewall IP address in a browser on the computer that has the client certificate.
  - When prompted, select the certificate you imported and click OK. The browser displays a certificate warning.
  - Add the certificate to the browser exception list.
  - Click Login. The web interface should appear without prompting you for a username or password.
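Because committing this configuration disables username/password logins for every administrator, it is worth checking each exported client certificate before the commit. The following is an added example, not part of the vendor procedure: it assumes the certificates were exported in PEM format, that `openssl` is available on the workstation, and that the common name in the Subject is what gets matched to the administrator account name; the function names, file names and the `admin-alice` account are constructed for illustration.

```shell
#!/usr/bin/env bash
# Offline pre-commit check for an exported administrator client certificate.
# Assumption: with Username Field = Subject, the Subject common name (CN)
# must equal the administrator account name.

# cert_cn FILE: print the Subject CN of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline \
        | awk -F' = ' '/commonName/ {print $2; exit}'
}

# check_admin_cert CA_PEM CLIENT_PEM ADMIN_NAME
# Returns 0 only if the certificate chains to the CA referenced by the
# certificate profile, is within its validity period, and CN == ADMIN_NAME.
check_admin_cert() {
    local ca="$1" cert="$2" admin="$3"
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: not issued by this CA, or outside validity period"; return 1; }
    [ "$(cert_cn "$cert")" = "$admin" ] \
        || { echo "FAIL: subject CN does not match account '$admin'"; return 2; }
    echo "ok"
}

# make_sample DIR: constructed sample input (throwaway CA and client
# certificate with unencrypted keys) so the check can be exercised without
# a firewall export. Do not reuse these files anywhere.
make_sample() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Example-Admin-CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=admin-alice" \
        -keyout "$d/alice.key" -out "$d/alice.csr" 2>/dev/null
    openssl x509 -req -in "$d/alice.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/alice.pem" 2>/dev/null
}

# Demo run on the constructed sample.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
check_admin_cert "$demo_dir/ca.pem" "$demo_dir/alice.pem" admin-alice
rm -rf "$demo_dir"
```

A non-zero return for any administrator means that account would be unable to log in after the commit.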