Configure Authentication with Custom Certificates on the PAN-DB Private Cloud

Use custom certificates to establish a unique chain of trust that ensures mutual authentication between your PAN-DB server and your firewalls.
By default, a PAN-DB server uses predefined certificates for mutual authentication to establish the SSL connections used for management access and inter-device communication. However, you can configure authentication using custom certificates instead. Custom certificates allow you to establish a unique chain of trust to ensure mutual authentication between your PAN-DB server and firewalls. In the case of a PAN-DB private cloud, the firewall acts as the client and the PAN-DB server acts as the server.
  1. Obtain key pairs and certificate authority (CA) certificates for the PAN-DB server and firewall.
  2. Import the CA certificate to validate the certificate on the firewall.
    1. Log in to the CLI on the PAN-DB server and enter configuration mode.
      admin@M-500> configure
    2. Use TFTP or SCP to import the CA certificate.
      admin@M-500# {tftp | scp} import certificate from <value> file <value> remote-port <1-65535> source-ip <ip/netmask> certificate-name <value> passphrase <value> format {pkcs12 | pem}
  3. Use TFTP or SCP to import the key pair that contains the server certificate and private key for the PAN-DB M-500 appliance.
    admin@M-500# {tftp | scp} import keypair from <value> file <value> remote-port <1-65535> source-ip <ip/netmask> certificate-name <value> passphrase <value> format {pkcs12 | pem}
  4. Configure a certificate profile that includes the root CA and intermediate CA. This certificate profile defines the device authentication between the PAN-DB server and the firewall.
    1. In the CLI of the PAN-DB server, enter configuration mode.
      admin@M-500> configure
    2. Name the certificate profile.
      admin@M-500# set shared certificate-profile <name>
    3. (Optional) Set the user domain.
      admin@M-500# set shared certificate-profile <name> domain <value>
    4. Configure the CA. The default-ocsp-url and ocsp-verify-cert parameters are optional.
      admin@M-500# set shared certificate-profile <name> CA <name>
      admin@M-500# set shared certificate-profile <name> CA <name> [default-ocsp-url <value>]
      admin@M-500# set shared certificate-profile <name> CA <name> [ocsp-verify-cert <value>]
  5. Configure an SSL/TLS profile for the PAN-DB M-500 appliance. This profile defines the certificate and protocol range that PAN-DB and client devices use for SSL/TLS services.
    1. Identify the SSL/TLS profile.
      admin@M-500# set shared ssl-tls-service-profile <name>
    2. Select the certificate.
      admin@M-500# set shared ssl-tls-service-profile <name> certificate <value>
    3. Define the SSL/TLS range. PAN-OS 8.0 and later releases support TLS 1.2 and later TLS versions only. You must set the max version to TLS 1.2 or max.
      admin@M-500# set shared ssl-tls-service-profile <name> protocol-settings min-version {tls1-0 | tls1-1 | tls1-2}
      admin@M-500# set shared ssl-tls-service-profile <name> protocol-settings max-version {tls1-0 | tls1-1 | tls1-2 | max}
  6. Configure secure server communication on PAN-DB.
    1. Set the SSL/TLS profile. This SSL/TLS service profile applies to all SSL connections between PAN-DB and firewalls.
      admin@M-500# set deviceconfig setting management secure-conn-server ssl-tls-service-profile <ssltls-profile>
    2. Set the certificate profile.
      admin@M-500# set deviceconfig setting management secure-conn-server certificate-profile <certificate-profile>
    3. Set the disconnect wait time, in minutes, that PAN-DB waits before breaking and reestablishing the connection with its firewalls (range is 0 to 44,640).
      admin@M-500# set deviceconfig setting management secure-conn-server disconnect-wait-time <0-44640>
  7. Import the CA certificate to validate the certificate for the PAN-DB M-500 appliance.
    1. Log in to the firewall web interface.
  8. Configure a local or a SCEP certificate for the firewall.
    1. If you are using a local certificate, import the key pair for the firewall.
    2. If you are using a SCEP certificate for the firewall, configure a SCEP profile.
  9. Configure the certificate profile for the firewall. You can configure this on each firewall individually or you can push the configuration from Panorama to the firewalls as part of a template.
    1. Select Device > Certificate Management > Certificate Profile for firewalls or Panorama > Certificate Management > Certificate Profile for Panorama.
  10. Deploy custom certificates on each firewall. You can either deploy certificates centrally from Panorama or configure them manually on each firewall.
    1. Log in to the firewall web interface.
    2. Select Device > Setup > Management for a firewall or Panorama > Setup > Management for Panorama and Edit the Secure Communication settings.
    3. Select the Certificate Type, Certificate, and Certificate Profile from the respective drop-downs.
    4. In the Customize Communication settings, select PAN-DB Communication.
    5. Click OK.
    6. Commit your changes.
    After committing your changes, the firewalls do not terminate their current sessions with the PAN-DB server until after the Disconnect Wait Time. The disconnect wait time begins counting down after you enforce the use of custom certificates in the next step.
  11. After deploying custom certificates on all firewalls, enforce custom certificate authentication.
    1. Log in to the CLI on the PAN-DB server and enter configuration mode.
      admin@M-500> configure
    2. Enforce the use of custom certificates.
      admin@M-500# set deviceconfig setting management secure-conn-server disable-pre-defined-cert yes
    After committing this change, the disconnect wait time begins counting down (if you configured this setting on PAN-DB). When the wait time ends, PAN-DB and its firewalls connect using only the configured certificates.
  12. You have two choices when adding new firewalls or Panorama to your PAN-DB private cloud deployment.
    • If you did not enable Custom Certificates Only, you can add a new firewall to the PAN-DB private cloud and then deploy the custom certificate as described above.
    • If you enabled Custom Certificates Only on the PAN-DB private cloud, you must deploy the custom certificates on the firewalls before connecting them to the PAN-DB private cloud.
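The PAN-DB server side of the procedure (steps 4, 5, 6 and 11) as an added example that is not part of the Palo Alto Networks documentation: a small Python helper that emits the ordered set commands for a given set of names and refuses values that violate the limits the procedure states (max-version must be tls1-2 or max on PAN-OS 8.0 and later; disconnect wait time 0 to 44,640 minutes). The function name and the profile names are assumptions chosen for the example.

```python
# Added example, not Palo Alto Networks code. Emits the PAN-DB server-side
# 'set' commands from the procedure above and checks its stated limits.
TLS_VERSIONS = ("tls1-0", "tls1-1", "tls1-2")  # min-version values the CLI lists


def pandb_server_commands(ca_names, keypair_name, cert_profile, tls_profile,
                          min_version="tls1-2", max_version="max",
                          disconnect_wait=0, domain=None, ocsp=None,
                          enforce=False):
    """Return the ordered PAN-DB commands for steps 4, 5, 6 and (optionally) 11.

    ca_names: root CA first, then intermediate CA(s), as in step 4.
    ocsp: optional {ca_name: {"default-ocsp-url": ..., "ocsp-verify-cert": ...}}.
    Raises ValueError for values outside the limits the procedure states.
    """
    if min_version not in TLS_VERSIONS:
        raise ValueError(f"unknown min-version {min_version!r}")
    if max_version not in ("tls1-2", "max"):
        # PAN-OS 8.0+ supports TLS 1.2 and later only; a lower ceiling
        # leaves no protocol version the firewall and PAN-DB can agree on.
        raise ValueError("max-version must be tls1-2 or max on PAN-OS 8.0+")
    if not 0 <= disconnect_wait <= 44640:
        raise ValueError("disconnect-wait-time must be 0-44640 minutes")

    cp = f"set shared certificate-profile {cert_profile}"
    tp = f"set shared ssl-tls-service-profile {tls_profile}"
    srv = "set deviceconfig setting management secure-conn-server"
    cmds = [cp]                                   # step 4.2: name the profile
    if domain:
        cmds.append(f"{cp} domain {domain}")      # step 4.3 (optional)
    for ca in ca_names:                           # step 4.4: root, then intermediate
        cmds.append(f"{cp} CA {ca}")
        for opt, val in (ocsp or {}).get(ca, {}).items():
            if opt not in ("default-ocsp-url", "ocsp-verify-cert"):
                raise ValueError(f"unknown CA option {opt!r}")
            cmds.append(f"{cp} CA {ca} {opt} {val}")
    cmds += [
        tp,                                       # step 5.1
        f"{tp} certificate {keypair_name}",       # step 5.2: imported key pair
        f"{tp} protocol-settings min-version {min_version}",
        f"{tp} protocol-settings max-version {max_version}",
        f"{srv} ssl-tls-service-profile {tls_profile}",   # step 6.1
        f"{srv} certificate-profile {cert_profile}",      # step 6.2
        f"{srv} disconnect-wait-time {disconnect_wait}",  # step 6.3
    ]
    if enforce:
        # Step 11: run only after every firewall already carries its custom
        # certificate; otherwise firewalls drop off when the wait time ends.
        cmds.append(f"{srv} disable-pre-defined-cert yes")
    return cmds
```

Run the function twice in practice: once with enforce=False before deploying certificates to the firewalls, and again with enforce=True for step 11.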
