SSL/TLS Service Profile Settings
Enter a name to identify the profile (up to 31 characters). The name is case-sensitive. It must be unique and use only letters, numbers, spaces, hyphens, and underscores.
If the firewall has more than one virtual system (vsys), selecting this option makes the profile available on all virtual systems. By default, this option is cleared and the profile is available only for the vsys selected in the
Select, import, or generate a server certificate to associate with the profile (see Manage Firewall and Panorama Certificates).
Do not use certificate authority (CA) certificates for SSL/TLS services; use only signed certificates.
Select the earliest (Min Version) and latest (Max Version) version of TLS that services can use:
Max (the latest available version).
On firewalls in FIPS/CC mode running PAN-OS 8.0 or a later release, TLSv1.1 is the earliest supported TLS version; do not select
Client certificates that are used when requesting firewall services that rely on TLSv1.2 cannot have SHA512 as a digest algorithm. The client certificates must use a lower digest algorithm (such as SHA384) or you must limit the
TLSv1.1 for the services.
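The constraints above can be checked across an inventory of profiles before they are committed. The following is an added example, not Palo Alto Networks code: the `Profile` record, its field names, the `TLSv1.0` label, and the sample data are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Version labels in ascending order; "Max" means the latest available version.
ORDER = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "Max"]
NAME_RE = re.compile(r"[A-Za-z0-9 _-]{1,31}")

@dataclass
class Profile:  # hypothetical record, not a PAN-OS data structure
    name: str
    min_version: str
    max_version: str
    cert_is_ca: bool = False       # server certificate is a CA certificate
    client_cert_digest: str = ""   # digest of client certs used with the service

def lint(profile, all_names, fips_cc=False):
    """Return a list of findings for one profile, per the rules on this page."""
    findings = []
    if not NAME_RE.fullmatch(profile.name):
        findings.append("name: 1-31 letters, numbers, spaces, hyphens, underscores only")
    # Names are case-sensitive, so only an exact duplicate is a clash.
    if all_names.count(profile.name) > 1:
        findings.append("name: not unique")
    if profile.cert_is_ca:
        findings.append("certificate: CA certificate used for an SSL/TLS service")
    lo, hi = ORDER.index(profile.min_version), ORDER.index(profile.max_version)
    if lo > hi:
        findings.append("versions: Min Version is later than Max Version")
    if fips_cc and lo < ORDER.index("TLSv1.1"):
        findings.append("versions: FIPS/CC mode requires Min Version of TLSv1.1 or later")
    # Services that can negotiate TLSv1.2 cannot use SHA512-digest client certificates.
    if hi >= ORDER.index("TLSv1.2") and profile.client_cert_digest.upper() == "SHA512":
        findings.append("client cert: SHA512 digest with TLSv1.2; use SHA384 or cap at TLSv1.1")
    return findings

# Constructed sample inventory.
SAMPLES = [
    Profile("mgmt_portal", "TLSv1.0", "Max", client_cert_digest="SHA512"),
    Profile("Mgmt_Portal", "TLSv1.1", "TLSv1.1", client_cert_digest="SHA512"),
    Profile("gp gateway!", "TLSv1.2", "TLSv1.1", cert_is_ca=True),
]

def audit(profiles, fips_cc=False):
    names = [p.name for p in profiles]
    return {p.name: lint(p, names, fips_cc) for p in profiles}

if __name__ == "__main__":
    for name, findings in audit(SAMPLES, fips_cc=True).items():
        print(name, "->", findings or "ok")
```

The second sample passes even with a SHA512 client certificate because its latest version is TLSv1.1, and it does not clash with the first because names are case-sensitive.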