Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SSL/TLS Service Profile
- Panorama > Certificate Management > SSL/TLS Service Profile
SSL/TLS service profiles specify a server certificate and a protocol version or range of versions for firewall or Panorama services that use SSL/TLS (such as administrative access to the web interface). By defining the protocol versions, the profiles enable you to restrict the cipher suites that are available for securing communication with the client systems requesting the services.
In the client systems that request firewall or Panorama services, the certificate trust list (CTL) must include the certificate authority (CA) certificate that issued the certificate specified in the SSL/TLS service profile. Otherwise, users will see a certificate error when requesting the services. Most third-party CA certificates are present by default in client browsers. If an enterprise or firewall-generated CA certificate is the issuer, you must deploy that CA certificate to the CTL in client browsers.
To add a profile, click Add, complete the fields in the following table.
SSL/TLS Service Profile Settings
Enter a name to identify the profile (up to 31 characters). The name is case-sensitive. It must be unique and use only letters, numbers, spaces, hyphens, and underscores.
If the firewall has more than one virtual system (vsys), selecting this option makes the profile available on all virtual systems. By default, this option is cleared and the profile is available only for the vsys selected in the Device tab, Location drop-down.
Select, import, or generate a server certificate to associate with the profile (see Manage Firewall and Panorama Certificates).
Do not use certificate authority (CA) certificates for SSL/TLS services; use only signed certificates.
Select the earliest (Min Version) and latest (Max Version) version of TLS that services can use: TLSv1.0, TLSv1.1, TLSv1.2, or Max (the latest available version).
On firewalls in FIPS/CC mode running PAN-OS 8.0 or a later release, TLSv1.1 is the earliest supported TLS version; do not select TLSv1.0.
Client certificates that are used when requesting firewall services that rely on TLSv1.2 cannot have SHA512 as a digest algorithm. The client certificates must use a lower digest algorithm (such as SHA384) or you must limit the Max Version to TLSv1.1 for the services.
Configure an SSL/TLS Service Profile
Configure an SSL/TLS Service Profile Palo Alto Networks firewalls and Panorama use SSL/TLS service profiles to specify a certificate and the allowed protocol versions for ...
Generate a Certificate
Generate a Certificate Palo Alto Networks firewalls and Panorama use certificates to authenticate clients, servers, users, and devices in several applications, including SSL/TLS decryption, Captive ...
Replace the Certificate for Inbound Management Traffic
Replace the Certificate for Inbound Management Traffic When you first boot up the firewall or Panorama, it automatically generates a default certificate that enables HTTPS ...
Manage Firewall and Panorama Certificates
Manage Firewall and Panorama Certificates Device > Certificate Management > Certificates > Device Certificates Panorama > Certificate Management > Certificates Select Device Certificate Management Certificates ...
Deploy Server Certificates to the GlobalProtect Components
Deploy Server Certificates to the GlobalProtect Components The following table shows the best practice steps for deploying SSL/TLS certificates to the GlobalProtect components: Import a ...
Set Up Authentication Using Custom Certificates Between HA Peers
Set Up Authentication Using Custom Certificates Between HA Peers You can Set Up Authentication Using Custom Certificates for securing the HA connection between Panorama HA ...
How Are SSL/TLS Connections Mutually Authenticated?
How Are SSL/TLS Connections Mutually Authenticated? In a regular SSL connection, only the server need to identify itself to the client by presenting its certificate. ...
Deploy Server Certificates to the GlobalProtect LSVPN Compo...
Deploy Server Certificates to the GlobalProtect LSVPN Components The GlobalProtect LSVPN components use SSL/TLS to mutually authenticate. Before deploying the LSVPN, you must assign an ...
GlobalProtect Certificate Best Practices
GlobalProtect Certificate Best Practices The following table summarizes the SSL/TLS certificates you will need, depending on which features you plan to use: Certificate Usage Issuing ...