Device > Certificate Management > Certificate Profile
- Device > Certificate Management > Certificate Profile
- Panorama > Certificate Management > Certificate Profiles
Certificate profiles define which certificate authority (CA)
certificates to use for verifying client certificates, how to verify
certificate revocation status, and how that status constrains access.
You select the profiles when configuring certificate authentication
for Captive Portal, GlobalProtect, site-to-site IPSec VPN, and web
interface access to firewalls and Panorama. You can configure a
separate certificate profile for each of these services.
Certificate Profile Settings | Description |
|---|---|
Name | (Required) Enter a name to identify
the profile (up to 63 characters on the firewall or up to 31 characters
on Panorama). The name is case-sensitive and must be unique. Use only
letters, numbers, spaces, hyphens, and underscores. |
Location | Select the scope in which the profile is
available. In the context of a firewall that has more than one virtual
system (vsys), select a vsys or select Shared (all
virtual systems). In any other context, you can’t select the Location;
its value is predefined as Shared (firewalls) or as Panorama.
After you save the profile, you can’t change its Location. |
Username Field | If GlobalProtect only uses certificates
for portal and gateway authentication, PAN-OS uses the certificate
field you select in the Username Field drop-down
as the username and matches it to the IP address for the User-ID
service:
|
Domain | Enter the NetBIOS domain so PAN-OS can map
users through User-ID. |
CA Certificates | (Required) Click Add and
select a CA Certificate to assign to the
profile. Optionally, if the firewall uses Online Certificate
Status Protocol (OCSP) to verify certificate revocation status,
configure the following fields to override the default behavior.
For most deployments, these fields do not apply.
|
Use CRL | Select this option to use a certificate
revocation list (CRL) to verify the revocation status of certificates. |
Use OCSP | Select this option to use OCSP to verify
the revocation status of certificates. If you select
both OCSP and CRL, the firewall first tries OCSP and only falls
back to the CRL method if the OCSP responder is unavailable. |
CRL Receive Timeout | Specify the interval (1 to 60 seconds) after
which the firewall stops waiting for a response from the CRL service. |
OCSP Receive Timeout | Specify the interval (1 to 60 seconds) after
which the firewall stops waiting for a response from the OCSP responder. |
Certificate Status Timeout | Specify the interval (1 to 60 seconds) after
which the firewall stops waiting for a response from any certificate
status service and applies any session blocking logic you define. |
Block session if certificate status is unknown | Select this option if you want the firewall
to block sessions when the OCSP or CRL service returns a certificate
revocation status of unknown. Otherwise, the firewall proceeds
with the sessions. |
Block sessions if certificate
status cannot be retrieved within timeout | Select this option if you want
the firewall to block sessions after it registers an OCSP or CRL
request timeout. Otherwise, the firewall proceeds with the sessions. |
Block sessions if the certificate was not
issued to the authenticating device | (GlobalProtect only) Select this
option if you want the firewall to block sessions when the serial
number attribute in the subject of a client certificate does not
match the host ID that the GlobalProtect agent reports
for the client endpoint. Otherwise, the firewall allows the sessions. This
option applies only to GlobalProtect certificate authentication authentication. |
Related Documentation
Configure a Certificate Profile
Configure a Certificate Profile Certificate profiles define user and device authentication for Captive Portal, GlobalProtect, site-to-site IPSec VPN, Mobile Security Manager, and web interface access ...
Decryption Settings: Certificate Revocation Checking
Decryption Settings: Certificate Revocation Checking Select Session , and in Decryption Settings, select Certificate Revocation Checking to set the parameters described in the following table. ...
Configure Revocation Status Verification of Certificates Us...
Configure Revocation Status Verification of Certificates Used for SSL/TLS Decryption The firewall decrypts inbound and outbound SSL/TLS traffic to apply security rules and rules, then ...
Set Up Verification for Certificate Revocation Status
Set Up Verification for Certificate Revocation Status To verify the revocation status of certificates, the firewall uses Online Certificate Status Protocol (OCSP) and/or certificate revocation ...
Device > Certificate Management > OCSP Responder
Device > Certificate Management > OCSP Responder Select Device Certificate Management OCSP Responder to define an Online Certificate Status Protocol (OCSP) responder (server) to verify ...
Online Certificate Status Protocol (OCSP)
Online Certificate Status Protocol (OCSP) When establishing an SSL/TLS session, clients can use Online Certificate Status Protocol (OCSP) to check the revocation status of the ...
Certificate Revocation
Certificate Revocation Palo Alto Networks firewalls and Panorama use digital certificates to ensure trust between parties in a secure communication session. Configuring a firewall or ...
SSL Forward Proxy Decryption Profile
The SSL Forward Proxy Decryption profile blocks risky outbound sessions, verifies certificates, and provides session failure checks. ...