Configure Authentication Using Custom Certificates on Managed
Complete the following procedure to configure
the client side (firewall or Log Collector) to use custom certificates
instead of predefined certificates for mutual authentication with
managed devices in your deployment.
each managed firewall or Log Collector. All managed devices must
be running PAN-OS 8.0 or later to enforce custom certificate authentication.
You can deploy certificates on
Panorama or a server Log Collector by generating a self-signed certificate
on Panorama or obtaining a certificate from your enterprise CA or
a trusted third-party CA.
If you authorize client devices based on serial number, set the
common name to $UDID or, in the SCEP profile, set the subject to
CN=$UDID.
You can generate a self-signed
certificate on Panorama or obtain a certificate from your enterprise
CA or a trusted third-party CA.
If you are using SCEP for the device certificate, configure a SCEP profile.
SCEP allows you to automatically deploy certificates to managed
devices. When a new client device with a SCEP profile attempts
to authenticate with Panorama, the SCEP server sends the certificate
to the device.
Configure the certificate profile for the client device.
You can configure this on each client device individually
or you can push this configuration to the managed device as part
of a template.
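
The enterprise-CA option and the serial-number check described above can be rehearsed off-box with OpenSSL before touching a device. This is an added example, not Palo Alto Networks code or PAN-OS commands. It assumes the certificate CN carries the device serial number; the CA name, file names and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: models the enterprise-CA option with plain OpenSSL.
# CA name, file layout and function names are constructed (not PAN-OS).

# Create a throwaway CA (stand-in for the enterprise CA) in directory $1.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Enterprise CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Issue a device certificate from the CA in $1 with CN set to serial $2.
issue_device_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/$2.crt" 2>/dev/null
}

# Print the subject CN of certificate $1 (single-RDN subjects, as issued above).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject= *CN=//p'
}

# Accept certificate $2 only if it chains to CA $1 AND its CN is one of
# the serial numbers listed, one per line, in file $3.
authorize_by_serial() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    cn=$(cert_cn "$2")
    [ -n "$cn" ] || return 1          # no CN: never match an empty line
    grep -Fxq -- "$cn" "$3"
}
```

Call `make_ca` and `issue_device_cert` on a scratch directory, then `authorize_by_serial ca.crt device.crt allow.txt`; a certificate with a listed serial but signed by a different CA is rejected at the chain check, before the CN is compared.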