Configure Certificate-Based Administrator Authentication to the Web Interface
As a more secure alternative to password-based authentication to the firewall web interface, you can configure certificate-based authentication for administrator accounts that are local to the firewall. Certificate-based authentication involves the exchange and verification of a digital signature instead of a password.
Configuring certificate-based authentication for any administrator disables the username/password logins for all administrators on the firewall; administrators thereafter require the certificate to log in.
- Generate a certificate authority (CA) certificate on the firewall.
- Configure a certificate profile for securing access to the web interface.
  - Set the Username Field to Subject.
  - In the CA Certificates section, Add the CA Certificate you just created or imported.
- Configure the firewall to use the certificate profile for authenticating administrators.
  - Select Device > Setup > Management and edit the Authentication Settings.
  - Select the Certificate Profile you created for authenticating administrators and click OK.
- Configure the administrator accounts to use client certificate authentication.
- Generate a client certificate for each administrator (see Generate a Certificate). In the Signed By drop-down, select a self-signed root CA certificate.
- Export the client certificate.
  - Export a Certificate and Private Key.
  - Commit your changes. The firewall restarts and terminates your login session. Thereafter, administrators can access the web interface only from client systems that have the client certificate you generated.
- Import the client certificate into the client system of each administrator who will access the web interface. Refer to your web browser documentation.
- Verify that administrators can access the web interface.
  - Open the firewall IP address in a browser on the computer that has the client certificate.
  - When prompted, select the certificate you imported and click OK. The browser displays a certificate warning.
  - Add the certificate to the browser exception list.
  - Click Login. The web interface should appear without prompting you for a username or password.
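Because the commit disables username/password logins for all administrators, each client certificate is worth checking before that step. The script below is an added example, not part of the vendor documentation: it uses OpenSSL to confirm that a certificate chains to the CA in the certificate profile and that its Subject common name equals the administrator account name. It assumes PEM copies of the certificates, OpenSSL 1.1.0 or later, and that the Subject username field is matched against the common name; the CA names and account names (alice, bob, carol) are constructed for the demo.

```shell
#!/usr/bin/env bash
# Pre-commit lockout check (added example). Assumes OpenSSL 1.1.0+ and
# PEM files; every file name and account name below is constructed.

# check_admin_cert CA_PEM CLIENT_PEM ADMIN_NAME
# Returns 0 if the certificate would identify ADMIN_NAME, 1 if it does
# not chain to CA_PEM (or is expired / unusable as a TLS client
# certificate), 2 if its Subject common name is not ADMIN_NAME.
check_admin_cert() {
  local ca="$1" cert="$2" admin="$3" cn
  openssl verify -purpose sslclient -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
       sed -n 's/^ *commonName *= *//p' | head -n 1)
  [ "$cn" = "$admin" ] || return 2
}

# make_demo_cert DIR CA_NAME CN
# Builds a throwaway CA (once per CA_NAME) and a client certificate
# signed by it: DIR/CA_NAME.pem and DIR/CN.pem.
make_demo_cert() {
  local d="$1" ca="$2" cn="$3"
  [ -f "$d/$ca.pem" ] || openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=$ca" -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
      -keyout "$d/$cn.key" -out "$d/$cn.csr" 2>/dev/null
  openssl x509 -req -in "$d/$cn.csr" -CA "$d/$ca.pem" -CAkey "$d/$ca.key" \
      -CAcreateserial -days 1 -out "$d/$cn.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir" fw-admin-ca alice   # CA listed in the certificate profile
make_demo_cert "$demo_dir" other-ca carol      # certificate issued by an unrelated CA

# cert:account pairs: a good match, a CN mismatch, and a wrong issuer.
for pair in alice:alice alice:bob carol:carol; do
  cert=${pair%%:*} admin=${pair##*:} rc=0
  check_admin_cert "$demo_dir/fw-admin-ca.pem" "$demo_dir/$cert.pem" "$admin" || rc=$?
  echo "cert=$cert.pem account=$admin result=$rc"
done
```

Any result other than 0 for an account means that administrator would be unable to log in once the commit takes effect.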