Deploy Custom Certificates
Complete the following procedure to obtain custom certificates and deploy them on your Panorama and its managed devices.
- Generate or obtain your server and client certificates. Based on the needs of your organization, choose one of the supported methods for generating or obtaining your custom certificates.
- Configure the server certificate profile and SSL/TLS service profile for Panorama or the server Log Collector.
- Configure Secure Server Communication on Panorama or the Log Collector.
  - Select the SSL/TLS service and certificate profiles for secure server communication.
  - Optionally, add another layer of security by authorizing clients.
    - You can configure an authorization list. The authorization list checks the client certificate Subject or Subject Alt Name. If neither the Subject nor the Subject Alt Name presented with the client certificate matches an identifier on the authorization list, authentication is denied.
    - You can also configure Panorama to authorize firewalls and Log Collectors based on their serial number.
  - Do not check Allow Custom Certificates Only until you have deployed custom certificates on your managed devices.
  - Set the Disconnect Wait Time in minutes. This is the amount of time Panorama waits before terminating its current connection with managed devices and reestablishing it using custom certificates for authentication. When you commit your configuration, the wait time countdown begins.
- Configure the client certificate profile on the firewall or Panorama (and push it to the applicable managed devices). Configure a certificate profile or profiles for the device or devices managed by Panorama. You can configure a unique certificate profile for each managed device or push the certificate profile to managed devices as part of a template. You can use a local certificate or obtain a certificate from a Simple Certificate Enrollment Protocol (SCEP) server.
- Deploy the client certificates on firewalls or
  - On the firewall or client Log Collector, configure the Secure Client Connection settings. Assign the certificate or SCEP profile and the certificate profile for the firewall to use for authentication. Additionally, the firewall can verify the server's identity by matching the server's IP address or FQDN with the common name in the server certificate.
  - Commit your changes. After you commit, the firewall begins using the custom certificate once the disconnect wait time has elapsed and the server has terminated its current connection to the client.
- Enforce the use of custom certificates.
  - Return to Panorama or the server Log Collector. When you select Allow Custom Certificates Only, all devices managed by Panorama must use custom certificates; otherwise, authentication between Panorama and the firewall or Log Collector fails.
  - To add more managed devices, deploy the certificates on the firewall or Log Collector before adding it to Panorama, or disable custom-certificate enforcement until the certificate is deployed.
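The generate-or-obtain step, the firewall's server-identity check and Panorama's authorization-list check above, as an added shell example (not Palo Alto Networks' own code): it builds a throwaway private CA and certificates with openssl and then applies the two checks. All names, addresses and list entries (Lab Root CA, panorama.example.net, 198.51.100.10, PA-FW-001) are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Palo Alto Networks tooling: a throwaway private CA, a Panorama
# server certificate and a firewall client certificate built with openssl, then the
# two checks the procedure relies on. All names (Lab Root CA, panorama.example.net,
# 198.51.100.10, PA-FW-001) are constructed placeholders.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
# Private root CA that the certificate profiles on both sides would trust.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Lab Root CA" \
  -keyout ca.key -out ca.crt 2>/dev/null

# issue NAME SAN: CA-signed certificate with Subject CN=NAME and the given SAN entries.
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf 'subjectAltName=%s\n' "$2" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial -days 30 \
    -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}
issue panorama.example.net "DNS:panorama.example.net,IP:198.51.100.10"  # server (Panorama)
issue PA-FW-001 "DNS:pa-fw-001.example.net"                            # client (firewall)

# Firewall-side check: the chain must lead to the trusted CA and the configured
# server FQDN (or IP) must match the server certificate.
server_identity_ok() {  # $1 = expected FQDN, $2 = server certificate
  openssl verify -CAfile ca.crt -verify_hostname "$1" "$2" >/dev/null 2>&1
}

# Identifiers a client certificate presents: Subject CN first, then each SAN value.
client_identifiers() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=CN=//'
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
    | tail -n 1 | tr -d ' ' | tr ',' '\n' | sed 's/^[A-Za-z]*://'
}

# Panorama-side authorization list: allow only if a presented identifier exactly
# matches an entry (one per line); otherwise authentication is denied.
authorize_client() {  # $1 = client certificate, $2 = authorization list file
  for id in $(client_identifiers "$1"); do
    grep -qxF "$id" "$2" && return 0
  done
  return 1
}

printf 'PA-FW-001\nPA-FW-002\n' > allowed.txt   # list that names this firewall
printf 'PA-FW-002\n' > denied.txt               # list that does not
server_identity_ok panorama.example.net panorama.example.net.crt && echo "server identity: OK"
server_identity_ok other.example.net panorama.example.net.crt || echo "server identity mismatch: rejected"
authorize_client PA-FW-001.crt allowed.txt && echo "client PA-FW-001: authorized"
authorize_client PA-FW-001.crt denied.txt || echo "client PA-FW-001: not on list, denied"
```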