How Are SSL/TLS Connections Mutually
In a regular SSL connection, only the server needs to identify itself to the client by presenting its certificate. However, in mutual SSL authentication, the client presents its certificate to the server as well. Panorama, the primary Panorama HA peer, Log Collectors, WildFire appliances, and PAN-DB appliances can act as the server. Firewalls, Log Collectors, WildFire appliances, and the secondary Panorama HA peer can act as the client. The role that a device takes on depends on the deployment. For example, in the diagram below, Panorama manages a number of firewalls and a collector group and acts as the server for the firewalls and Log Collectors. The Log Collector acts as the server to the firewalls that send logs
To deploy custom certificates for mutual authentication in your deployment, you need:

SSL/TLS Service Profile—An SSL/TLS service profile defines the security of the connections by referencing your custom certificate and establishing the SSL/TLS protocol versions used by the server device to communicate with client devices.
Server Certificate and Profile—Devices in the server role require a certificate and certificate profile to identify themselves to the client devices. You can deploy this certificate from your enterprise public key infrastructure (PKI), purchase one from a trusted third-party CA, or generate a self-signed certificate locally. The server certificate must include the IP address or FQDN of the device's management interface in the certificate common name (CN) or Subject Alt Name. The client firewall or Log Collector matches the CN or Subject Alt Name in the certificate the server presents against the server's IP address or FQDN to verify the server's identity. Use the certificate profile to define how certificate revocation status is checked (OCSP/CRL) and the actions taken based on the revocation status.
Client Certificates and Profile—Each managed device requires a client certificate and certificate profile. The client device uses its certificate to identify itself to the server device. You can deploy certificates from your enterprise PKI using the Simple Certificate Enrollment Protocol (SCEP), purchase one from a trusted third-party CA, or generate a self-signed certificate locally. Custom certificates can be unique to each client device or common across all devices. Unique device certificates use a hash of the managed device's serial number and CN. The server matches the CN or the Subject Alt Name against the configured serial numbers of the client devices. For client certificate validation based on the CN to occur, the username must be set to Subject common-name. The client certificate behavior also applies to Panorama HA peer connections. You can configure the client certificate and certificate profile on each client device or push the configuration from Panorama to each device as part of a template.
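The two identity checks described above (the client matching the server certificate's CN or Subject Alt Name against the configured management IP or FQDN, and the server matching the client certificate's CN or Subject Alt Name against the configured device serial numbers), written out as an added Python example that is not part of the PAN-OS documentation or product code. The certificate dictionaries are constructed sample values in the shape Python's ssl.SSLSocket.getpeercert() returns, and serial_to_cn is an assumed hook because the page does not name the hash applied to the serial number.

```python
import ipaddress

# Constructed sample certificates, not real device certificates, in the
# shape returned by ssl.SSLSocket.getpeercert().
SERVER_CERT = {
    "subject": ((("commonName", "panorama.example.com"),),),
    "subjectAltName": (("DNS", "panorama.example.com"), ("IP Address", "192.0.2.10")),
}
CLIENT_CERT = {
    "subject": ((("commonName", "001234567890"),),),  # CN carries the device serial
    "subjectAltName": (),
}


def _identities(cert):
    """Collect the CN and every Subject Alt Name value a certificate presents."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value)
    for _kind, value in cert.get("subjectAltName", ()):
        names.add(value)
    return names


def _normalise(address):
    """IP addresses compare numerically; host names compare case-insensitively."""
    try:
        return str(ipaddress.ip_address(address))
    except ValueError:
        return address.rstrip(".").lower()


def server_identity_ok(cert, configured_address):
    """Client side: the server certificate's CN or SAN must equal the management
    IP address or FQDN the client is configured to connect to."""
    expected = _normalise(configured_address)
    return any(_normalise(name) == expected for name in _identities(cert))


def client_identity_ok(cert, allowed_serials, serial_to_cn=lambda s: s):
    """Server side: the client certificate's CN or SAN must match one of the
    configured managed-device serial numbers. serial_to_cn is an assumed hook
    for the hash the page mentions; it defaults to identity (no hashing)."""
    allowed = {serial_to_cn(serial) for serial in allowed_serials}
    return any(name in allowed for name in _identities(cert))
```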