Configure Authentication with Custom Certificates on the PAN-DB Private Cloud

Use custom certificates to establish a unique chain of trust that ensures mutual authentication between your PAN-DB server and your firewalls.
By default, a PAN-DB server uses predefined certificates for mutual authentication to establish the SSL connections used for management access and inter-device communication. However, you can configure authentication using custom certificates instead. Custom certificates allow you to establish a unique chain of trust to ensure mutual authentication between your PAN-DB server and firewalls. In the case of a PAN-DB private cloud, the firewall acts as the client and the PAN-DB server acts as the server.
  1. Obtain key pairs and certificate authority (CA) certificates for the PAN-DB server and firewall.
  2. Import the CA certificate to validate the certificate on the firewall.
    1. Log in to the CLI on the PAN-DB server and enter configuration mode.
      admin@M-500> configure
    2. Use TFTP or SCP to import the CA certificate.
      admin@M-500# {tftp | scp} import certificate from <value> file <value> remote-port <1-65535> source-ip <ip/netmask> certificate-name <value> passphrase <value> format {pkcs12 | pem}
  3. Use TFTP or SCP to import the key pair that contains the server certificate and private key for the PAN-DB M-500 appliance.
    admin@M-500# {tftp | scp} import keypair from <value> file <value> remote-port <1-65535> source-ip <ip/netmask> certificate-name <value> passphrase <value> format {pkcs12 | pem}
  4. Configure a certificate profile that includes the root CA and intermediate CA. This certificate profile defines the device authentication between the PAN-DB server and the firewall.
    1. In the CLI of the PAN-DB server, enter configuration mode.
      admin@M-500> configure
    2. Name the certificate profile.
      admin@M-500# set shared certificate-profile <name>
    3. (Optional) Set the user domain.
      admin@M-500# set shared certificate-profile <name> domain <value>
    4. Configure the CA.
      Default-ocsp-url and ocsp-verify-cert are optional parameters.
      admin@M-500# set shared certificate-profile <name> CA <name>
      admin@M-500# set shared certificate-profile <name> CA <name> [default-ocsp-url <value>]
      admin@M-500# set shared certificate-profile <name> CA <name> [ocsp-verify-cert <value>]
  5. Configure an SSL/TLS profile for the PAN-DB M-500 appliance. This profile defines the certificate and protocol range that PAN-DB and client devices use for SSL/TLS services.
    1. Identify the SSL/TLS profile.
      admin@M-500# set shared ssl-tls-service-profile <name>
    2. Select the certificate.
      admin@M-500# set shared ssl-tls-service-profile <name> certificate <value>
    3. Define the SSL/TLS range.
PAN-OS 8.0 and later releases support only TLS 1.2 and later, so set the max version to tls1-2 or max; the PAN-DB server and the firewalls negotiate the highest version within this range.
      admin@M-500# set shared ssl-tls-service-profile <name> protocol-settings min-version {tls1-0 | tls1-1 | tls1-2}
      admin@M-500# set shared ssl-tls-service-profile <name> protocol-settings max-version {tls1-0 | tls1-1 | tls1-2 | max}
  6. Configure secure server communication on PAN-DB.
    1. Set the SSL/TLS profile. This SSL/TLS service profile applies to all SSL connections between PAN-DB and firewalls.
      admin@M-500# set deviceconfig setting management secure-conn-server ssl-tls-service-profile <ssltls-profile>
    2. Set the certificate profile.
      admin@M-500# set deviceconfig setting management secure-conn-server certificate-profile <certificate-profile>
    3. Set the disconnect wait time in number of minutes that PAN-DB should wait before breaking and reestablishing the connection with its firewall (range is 0 to 44,640).
      admin@M-500# set deviceconfig setting management secure-conn-server disconnect-wait-time <0-44640>
  7. Import the CA certificate to validate the certificate for the PAN-DB M-500 appliance.
    1. Log in to the firewall web interface.
    2. Import the CA certificate.
  8. Configure a local or a SCEP certificate for the firewall.
    1. If you are using a local certificate, import the key pair (certificate and private key) for the firewall.
    2. If you are using a SCEP certificate for the firewall, configure a SCEP profile so the firewall can enroll for its certificate.
  9. Configure the certificate profile for the firewall. You can configure this on each firewall individually or you can push the configuration from Panorama to the firewalls as part of a template.
    1. Select Device > Certificate Management > Certificate Profile for firewalls or Panorama > Certificate Management > Certificate Profile for Panorama.
    2. Configure a Certificate Profile.
  10. Deploy custom certificates on each firewall. You can either deploy certificates centrally from Panorama or configure them manually on each firewall.
    1. Log in to the firewall web interface.
    2. Select Device > Setup > Management for a firewall or Panorama > Setup > Management for Panorama and Edit the Secure Communication Settings.
    3. Select the Certificate Type, Certificate, and Certificate Profile from the respective drop-downs.
    4. In the Customize Communication settings, select PAN-DB Communication.
    5. Click OK.
    6. Commit your changes.
    After committing your changes, the firewalls do not terminate their current sessions with the PAN-DB server until after the Disconnect Wait Time. The disconnect wait time begins counting down after you enforce the use of custom certificates in the next step.
  11. After deploying custom certificates on all firewalls, enforce custom certificate authentication.
    1. Log in to the CLI on the PAN-DB server and enter configuration mode.
      admin@M-500> configure
    2. Enforce the use of custom certificates.
      admin@M-500# set deviceconfig setting management secure-conn-server disable-pre-defined-cert yes
    After committing this change, the disconnect wait time begins counting down (if you configured that setting on PAN-DB). When the wait time ends, PAN-DB and its firewalls connect using only the configured custom certificates; the predefined certificates are no longer accepted.
  12. You have two choices when adding new firewalls or Panorama to your PAN-DB private cloud deployment.
    • If you did not enable Custom Certificates Only (disable-pre-defined-cert yes), you can add a new firewall to the PAN-DB private cloud using the predefined certificates and then deploy the custom certificate as described above.
    • If you enabled Custom Certificates Only on the PAN-DB private cloud, you must deploy the custom certificates on the firewalls before connecting them to the PAN-DB private cloud; a firewall that presents only the predefined certificate is rejected.
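The procedure starts from key pairs and CA certificates that already exist (step 1) and imports them in PEM or PKCS#12 form (steps 3 and 8). The following OpenSSL script is an added example, not part of the Palo Alto Networks documentation, showing how such a private chain of trust is built and checked: an offline root CA, an issuing intermediate CA, a server certificate for the PAN-DB M-500 and a client certificate for a firewall, plus the PKCS#12 bundle and the root+intermediate chain file the certificate profile in step 4 needs. It then uses openssl verify to confirm the server certificate is valid for the TLS server role and the firewall certificate for the TLS client role, and that a certificate from an unrelated CA is rejected, which is what Custom Certificates Only enforces. The hostnames, CA names, directory and passphrase are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the PAN-OS documentation): build the private chain of
# trust assumed by the procedure above, using OpenSSL (1.1.1 or later).
# Root CA -> intermediate CA -> server cert (PAN-DB M-500) and client cert (firewall).
# Every name, hostname and passphrase below is a placeholder chosen for this example.
set -eu

WORK="${PKI_DIR:-$(mktemp -d)}"                    # output directory
PASS="${PKI_PASS:-changeit}"                       # value for 'import keypair ... passphrase <value>'
SERVER_CN="${SERVER_CN:-pandb.example.internal}"   # PAN-DB server hostname (placeholder)
CLIENT_CN="${CLIENT_CN:-fw-01.example.internal}"   # firewall hostname (placeholder)

# issue <name> <subject> <issuer-name|self> <x509v3 extensions>
# Generates a fresh 2048-bit RSA key and CSR, then signs it. Extensions come
# from an extfile so nothing depends on the local openssl.cnf defaults.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
      -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
  printf '%s\n' "$4" > "$WORK/$1.ext"
  if [ "$3" = self ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 3650 \
        -sha256 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$WORK/$1.ext" \
        -out "$WORK/$1.crt" 2>/dev/null
  fi
}

ROOT_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'
# pathlen:0 means the intermediate may only issue end-entity certificates.
INTERMEDIATE_EXT='basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign'

build_pki() {
  # Offline root CA and the issuing intermediate; both go into the
  # certificate profile (step 4) on the PAN-DB server and on the firewalls.
  issue root "/CN=Example Private Root CA" self "$ROOT_EXT"
  issue intermediate "/CN=Example Private Issuing CA" root "$INTERMEDIATE_EXT"
  # Server identity for the PAN-DB M-500 (the TLS server side).
  issue server "/CN=$SERVER_CN" intermediate "basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$SERVER_CN"
  # Client identity for the firewall (the TLS client side; step 8, local certificate).
  issue client "/CN=$CLIENT_CN" intermediate "basicConstraints=CA:FALSE
keyUsage=digitalSignature
extendedKeyUsage=clientAuth"
  # Root + intermediate in one PEM file for the certificate profile.
  cat "$WORK/intermediate.crt" "$WORK/root.crt" > "$WORK/chain.crt"
  # PKCS#12 bundle holding the server key, certificate and chain: the
  # 'format pkcs12' input for 'import keypair' in step 3.
  openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.crt" \
      -certfile "$WORK/chain.crt" -passout "pass:$PASS" -out "$WORK/server.p12"
  # An unrelated CA and a client it issued, to show the chain rejects outsiders.
  issue rogue-ca "/CN=Some Other CA" self "$ROOT_EXT"
  issue rogue-client "/CN=$CLIENT_CN" rogue-ca "basicConstraints=CA:FALSE
keyUsage=digitalSignature
extendedKeyUsage=clientAuth"
}

# verify <cert> <sslserver|sslclient>: validate an end-entity certificate
# against our root, with the intermediate as an untrusted chain element,
# for the given TLS role. Prints OK or FAIL.
verify() {
  if openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/intermediate.crt" \
         -purpose "$2" "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

build_pki
echo "PAN-DB server cert as TLS server:  $(verify "$WORK/server.crt" sslserver)"        # OK
echo "firewall cert as TLS client:       $(verify "$WORK/client.crt" sslclient)"        # OK
echo "server cert misused as client:     $(verify "$WORK/server.crt" sslclient)"        # FAIL
echo "client from an unrelated CA:       $(verify "$WORK/rogue-client.crt" sslclient)"  # FAIL
echo "artifacts written to $WORK"
```

Run it as is, or set PKI_DIR, PKI_PASS, SERVER_CN and CLIENT_CN to your own values. server.p12 (with the passphrase in PKI_PASS) is what you hand to the import keypair command with format pkcs12; root.crt and intermediate.crt are the CA certificates to import and to list in the certificate profile. Two practical caveats: keep the root key offline and issue only from the intermediate, and note that OpenSSL 3 writes PKCS#12 bundles with AES-256 and PBKDF2 by default, so if an older import path expects the legacy 3DES/RC2 encoding, re-export with openssl pkcs12 -export -legacy.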