How Are SSL/TLS Connections Mutually Authenticated?

In a regular SSL connection, only the server needs to identify itself to the client by presenting its certificate. However, in mutual SSL authentication, the client presents its certificate to the server as well. Panorama and Log Collectors can act as the server. Firewalls, Log Collectors, and the secondary Panorama HA peer can act as the client. The role that a device takes on depends on the deployment. For example, in the diagram below, Panorama manages a number of firewalls and a collector group and acts as the server for the firewalls and Log Collectors. The Log Collector acts as the server to the firewalls that send logs to it.
To deploy custom certificates for mutual authentication in your deployment, you need:
  • SSL/TLS Service Profile—An SSL/TLS service profile defines the security of the connections by referencing your custom certificate and establishing the SSL/TLS protocol versions used by Panorama or Log Collector to communicate with client devices.
  • Server Certificate and Profile—Panorama and Log Collectors in the server role require a certificate and certificate profile to identify themselves to the client devices. You can deploy this certificate from your enterprise public key infrastructure (PKI), purchase one from a trusted third-party CA, or generate a self-signed certificate locally. The server certificate must include the IP address or FQDN of the Panorama management interface in the certificate common name (CN) or Subject Alt Name. The client firewall or Log Collector matches the CN or Subject Alt Name in the certificate the server presents against the server’s IP address or FQDN to verify the server’s identity.
    Additionally, use the certificate profile to define certificate revocation status (OCSP/CRL) and the actions taken based on the revocation status.
  • Client Certificates and Profile—Each managed device requires a client certificate and certificate profile. The firewall or Log Collector uses its certificate to identify itself to Panorama or the server Log Collector. You can deploy certificates from your enterprise PKI using Simple Certificate Enrollment Protocol (SCEP), purchase one from a trusted third-party CA, or generate a self-signed certificate locally.
    Custom certificates can be unique to each managed device or common across all devices. Unique device certificates use a hash of the serial number of the managed device and CN. Set the CN or certificate signing request (CSR) to the special keyword $UDID, and the generated certificate or CSR contains a hash of the firewall serial number as the Subject. Panorama matches the CN or the Subject Alt Name against the configured serial numbers of the managed devices. For client certificate validation based on the CN to occur, the Username must be set to Subject common-name. The client certificate behavior also applies to Panorama HA peer connections.
    You can configure the client certificate and certificate profile on each client device or push the configuration from Panorama to each device as part of a template.
    [Figure: SSL/TLS Authentication]
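
A pre-deployment check for the server certificate requirement above, as an added example that is not Palo Alto Networks code and does not reproduce the matching logic inside PAN-OS: it reports whether a given management IP address or FQDN appears in a certificate's Subject Alt Name or CN. The function names and the sample certificate are constructed for illustration, and exact matching without wildcards is an assumption.

```python
import ipaddress

# Constructed sample in the dict layout returned by Python's
# ssl.SSLSocket.getpeercert(); names and addresses are documentation values.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Corp"),),
                (("commonName", "panorama.example.com"),)),
    "subjectAltName": (("DNS", "panorama.example.com"),
                       ("IP Address", "192.0.2.10"),
                       ("IP Address", "2001:DB8:0:0:0:0:0:10")),
}


def _as_ip(value):
    """Return an ip_address object, or None if value is not an IP literal."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def _same_identity(presented, expected):
    """Compare IPs numerically; compare FQDNs case-insensitively."""
    p_ip, e_ip = _as_ip(presented), _as_ip(expected)
    if p_ip is not None or e_ip is not None:
        return p_ip == e_ip  # an IP never matches a hostname
    norm = lambda name: name.strip().rstrip(".").lower()
    return norm(presented) == norm(expected)


def find_identity(cert, expected):
    """Return 'SAN', 'CN', or None depending on where expected is found."""
    for kind, value in cert.get("subjectAltName", ()):
        if kind in ("DNS", "IP Address") and _same_identity(value, expected):
            return "SAN"
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _same_identity(value, expected):
                return "CN"
    return None


if __name__ == "__main__":
    # Second target is the compressed form of the IPv6 SAN entry above.
    for target in ("PANORAMA.example.com", "2001:db8::10", "192.0.2.11"):
        print(target, "->", find_identity(SAMPLE_CERT, target))
```

A result of `None` for the address or name that clients are configured to connect to means the certificate lacks the identity the page says the client checks for.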
