Configure an SSL/TLS Service Profile
Palo Alto Networks firewalls and Panorama use SSL/TLS service profiles to specify a certificate and the allowed protocol versions for SSL/TLS services. The firewall and Panorama use SSL/TLS for Captive Portal, GlobalProtect portals and gateways, inbound traffic on the management (MGT) interface, the URL Admin Override feature, and the User-ID™ syslog listening service. By defining the protocol versions, you can use a profile to restrict the cipher suites that are available for securing communication with the clients requesting the services. This improves network security by enabling the firewall or Panorama to avoid SSL/TLS versions that have known weaknesses. If a service request involves a protocol version that is outside the specified range, the firewall or Panorama downgrades or upgrades the connection to a supported version.
In the client systems that request firewall services, the certificate trust list (CTL) must include the certificate authority (CA) certificate that issued the certificate specified in the SSL/TLS service profile. Otherwise, users will see a certificate error when requesting firewall services. Most third-party CA certificates are present by default in client browsers. If an enterprise or firewall-generated CA certificate is the issuer, you must deploy that CA certificate to the CTL in client browsers.
- For each desired service, generate or import a certificate on the firewall (see Obtain Certificates). Use only signed certificates, not CA certificates, in SSL/TLS service profiles.
- Select Device > Certificate Management > SSL/TLS Service Profile.
- If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.
- Click Add and enter a Name to identify the profile.
- Select the Certificate you just obtained.
- Define the range of protocols that the service can use:
  As a best practice, set the Min Version to TLSv1.2 and the Max Version to Max. On firewalls in FIPS/CC mode running PAN-OS 8.0 or a later release, TLSv1.1 is the earliest supported TLS version; do not select TLSv1.0. Client certificates that are used when requesting firewall services that rely on TLSv1.2 cannot have SHA512 as a digest algorithm. The client certificates must use a lower digest algorithm (such as SHA384) or you must limit the Max Version to TLSv1.1 for the firewall services.
  - For the Min Version, select the earliest allowed TLS version: TLSv1.0 (default), TLSv1.1, or TLSv1.2.
  - For the Max Version, select the latest allowed TLS version: TLSv1.0, TLSv1.1, TLSv1.2, or Max (latest available version). The default is Max.
- Click OK and Commit.
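After the commit, it is worth confirming from a client that the service (for example the MGT interface or a GlobalProtect portal) really only negotiates the versions the profile allows. The following script is an added example, not Palo Alto Networks code: it pins one handshake per TLS version and compares the outcome with the profile's Min Version and Max Version settings. It assumes TLSv1.3 is the latest version the probing client knows, so "Max" is treated as TLSv1.3; the host name and port are placeholders you supply on the command line.

```python
import socket
import ssl
import sys

# TLS versions in the same order as the profile's Min/Max Version fields.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
ORDER = list(VERSIONS)


def expected_versions(min_version, max_version):
    """Versions a profile with these settings should accept ("Max" assumed to be TLSv1.3)."""
    hi = ORDER[-1] if max_version == "Max" else max_version
    return ORDER[ORDER.index(min_version):ORDER.index(hi) + 1]


def probe_version(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to a single TLS version; True if the server accepts it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # we are checking protocol policy here, not the trust chain
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ctx.maximum_version = VERSIONS[version]
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let the client offer legacy versions
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


def audit(results, min_version, max_version):
    """Return (versions accepted but outside the profile, allowed versions that were refused)."""
    allowed = set(expected_versions(min_version, max_version))
    extra = sorted(v for v, ok in results.items() if ok and v not in allowed)
    missing = sorted(v for v, ok in results.items() if not ok and v in allowed)
    return extra, missing


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "firewall.example.invalid"  # placeholder
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    results = {v: probe_version(host, port, v) for v in ORDER}
    print("accepted:", [v for v, ok in results.items() if ok])
    print("audit vs TLSv1.2..Max (extra, missing):", audit(results, "TLSv1.2", "Max"))
```

A version listed as missing may also mean the probing client's own OpenSSL build refuses to offer it, so confirm such a result with a second client before treating it as a firewall problem.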