1. Home
    2. PAN-OS
    3. PAN-OS® Administrator’s Guide
    4. Certificate Management
    5. Configure an SSL/TLS Service Profile

    Configure an SSL/TLS Service Profile

    Palo Alto Networks firewalls and Panorama use SSL/TLS service profiles to specify a certificate and the allowed protocol versions for SSL/TLS services. The firewall and Panorama use SSL/TLS for Captive Portal, GlobalProtect portals and gateways, inbound traffic on the management (MGT) interface, the URL Admin Override feature, and the User-ID™ syslog listening service. By defining the protocol versions, you can use a profile to restrict the cipher suites that are available for securing communication with the clients requesting the services. This improves network security by enabling the firewall or Panorama to avoid SSL/TLS versions that have known weaknesses. If a service request involves a protocol version that is outside the specified range, the firewall or Panorama downgrades or upgrades the connection to a supported version.
    In the client systems that request firewall services, the certificate trust list (CTL) must include the certificate authority (CA) certificate that issued the certificate specified in the SSL/TLS service profile. Otherwise, users will see a certificate error when requesting firewall services. Most third-party CA certificates are present by default in client browsers. If an enterprise or firewall-generated CA certificate is the issuer, you must deploy that CA certificate to the CTL in client browsers.
    1. For each desired service, generate or import a certificate on the firewall (see Obtain Certificates).
      Use only signed certificates, not CA certificates, in SSL/TLS service profiles.
    2. Select
      Device
      Certificate Management
      SSL/TLS Service Profile
      .
    3. If the firewall has more than one virtual system (vsys), select the
      Location
       (vsys or
      Shared
      ) where the profile is available.
    4. Click
      Add
       and enter a
      Name
       to identify the profile.
    5. Select the
      Certificate
       you just obtained.
    6. Define the range of protocols that the service can use:
      • For the
        Min Version
        , select the earliest allowed TLS version:
        TLSv1.0
         (default),
        TLSv1.1
        , or
        TLSv1.2
        .
      • For the
        Max Version
        , select the latest allowed TLS version:
        TLSv1.0
        ,
        TLSv1.1
        ,
        TLSv1.2
        , or
        Max
         (latest available version). The default is
        Max
        .
      As a best practice, set the
      Min Version
       to
      TLSv1.2
       and the
      Max Version
       to
      Max
      .
      On firewalls in FIPS/CC mode running PAN-OS 8.0 or a later release,
      TLSv1.1
       is the earliest supported TLS version; do not select
      TLSv1.0
      .
      Client certificates that are used when requesting firewall services that rely on TLSv1.2 cannot have SHA512 as a digest algorithm. The client certificates must use a lower digest algorithm (such as SHA384) or you must limit the
      Max Version
       to
      TLSv1.1
       for the firewall services.
    7. Click
      OK
       and
      Commit
      .

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2021 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo