Configure Certificate-Based Administrator Authentication to the Web Interface
As a more secure alternative to password-based authentication to the firewall web interface, you can configure certificate-based authentication for administrator accounts that are local to the firewall. Certificate-based authentication involves the exchange and verification of a digital signature instead of a password.
Configuring certificate-based authentication for any administrator disables the username/password logins for all administrators on the firewall; administrators thereafter require the certificate to log in.
- Configure a certificate profile for securing access to the web interface.
  - Set the Username Field to Subject.
  - In the CA Certificates section, Add the CA Certificate you just created or imported.
- Configure the firewall to use the certificate profile for authenticating administrators.
  - Select Device > Setup > Management and edit the Authentication Settings.
  - Select the Certificate Profile you created for authenticating administrators and click OK.
- Configure the administrator accounts to use client certificate authentication.
- Generate a client certificate for each administrator.
- Export the client certificate.
- Commit your changes. The firewall restarts and terminates your login session. Thereafter, administrators can access the web interface only from client systems that have the client certificate you generated.
- Import the client certificate into the client system of each administrator who will access the web interface. Refer to your web browser documentation.
- Verify that administrators can access the web interface.
  - Open the firewall IP address in a browser on the computer that has the client certificate.
  - When prompted, select the certificate you imported and click OK. The browser displays a certificate warning.
  - Add the certificate to the browser exception list.
  - Click Login. The web interface should appear without prompting you for a username or password.
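Because the commit disables username/password logins for every administrator, it is worth checking each exported client certificate before you commit. The following is an added example, not part of the original procedure or vendor code: it assumes OpenSSL on the administrator's workstation, certificates exported in PEM format, and that the Subject username field is matched against the certificate's common name (CN). The function names and the sample users `alice` and `bob` are hypothetical, and the demo PKI is constructed test data.

```shell
#!/bin/sh
# Added example (not vendor code). Function names and sample users are hypothetical.

# check_admin_cert CA_PEM CLIENT_PEM ADMIN_NAME
# Returns 0 only if the client certificate chains to the CA, stays valid for
# at least another day, and its Subject CN equals the administrator name.
check_admin_cert() {
    ca=$1; cert=$2; admin=$3
    # 1. The certificate must verify against the CA added to the certificate profile.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca"; return 1
    fi
    # 2. Reject a certificate that expires within the next 24 hours.
    if ! openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null; then
        echo "FAIL: $cert expires within 24 hours"; return 2
    fi
    # 3. Username Field = Subject: the CN must equal the administrator account name.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= //p')
    if [ "$cn" != "$admin" ]; then
        echo "FAIL: Subject CN '$cn' does not match administrator '$admin'"; return 3
    fi
    echo "OK: $cert maps to administrator '$admin'"
}

# make_demo_pki DIR: constructed sample data (a demo CA, a certificate it
# issued for alice, and a self-signed certificate for bob).
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Admin CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    for n in alice bob; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/alice.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/alice.pem" 2>/dev/null
    openssl x509 -req -in "$d/bob.csr" -signkey "$d/bob.key" \
        -days 30 -out "$d/bob.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_pki "$demo"
check_admin_cert "$demo/ca.pem" "$demo/alice.pem" alice          # issued by the CA, CN matches
check_admin_cert "$demo/ca.pem" "$demo/alice.pem" admin || true  # CN does not match the account
check_admin_cert "$demo/ca.pem" "$demo/bob.pem" bob || true      # not issued by the profile's CA
rm -rf "$demo"
```

A certificate that fails any of these checks would leave that administrator unable to log in after the commit, so resolve failures first.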