Configure Authentication Using Custom Certificates on Managed Devices

Complete the following procedure to configure the client side (firewall or Log Collector) to use custom certificates instead of predefined certificates for mutual authentication with managed devices in your deployment.
  1. Upgrade each managed firewall or Log Collector. All managed devices must be running PAN-OS 8.0 or later to enforce custom certificate authentication.
    Upgrade the firewall to PAN-OS 8.0 or later. After upgrade, each firewall connects to Panorama using the default predefined certificates.
  2. Obtain or generate the device certificate.
    You can deploy certificates on Panorama or a server Log Collector by generating a self-signed certificate on Panorama or obtaining a certificate from your enterprise CA or a trusted third-party CA.
    Set the common name to $UDID (or, in the SCEP profile, the subject to CN=$UDID) if you authorize client devices based on their serial number.
    • You can generate a self-signed certificate on Panorama or obtain a certificate from your enterprise CA or a trusted third-party CA.
    • If you are using SCEP for the device certificate, configure a SCEP profile. SCEP allows you to automatically deploy certificates to managed devices. When a new client device with a SCEP profile attempts to authenticate with Panorama, the SCEP server sends the certificate to the device.
  3. Configure the certificate profile for the client device.
    You can configure this on each client device individually or you can push this configuration to the managed device as part of a template.
    1. Select one of the following navigation paths:
      • For firewalls—Select Device > Certificate Management > Certificate Profile.
      • For Log Collectors—Select Panorama > Certificate Management > Certificate Profile.
    2. Configure the certificate profile.
  4. Deploy custom certificates on each firewall or Log Collector.
    1. Select one of the following navigation paths:
      • For firewalls: Select Device > Setup > Management and Edit the Panorama Settings.
      • For Log Collectors: Select Panorama > Managed Collectors and Add a new Log Collector or select an existing one. Select Communication.
    2. Select the Secure Client Communication check box (firewall only).
    3. Select the Certificate Type.
      • If you are using a local device certificate, select the Certificate and Certificate Profile.
      • If you are using SCEP to deploy the device certificate, select the SCEP Profile and Certificate Profile.
    4. (Optional) Enable Check Server Identity. The firewall or Log Collector checks the CN in the server certificate against Panorama’s IP address or FQDN to verify its identity.
    5. Click OK.
    6. Commit your changes.
      After committing your changes, the managed device does not terminate its current session with Panorama until the Disconnect Wait Time is complete.
  5. After deploying custom certificates on all managed devices, enforce authentication using custom certificates.
    The WildFire appliance does not currently support custom certificates. If your Panorama is managing a WildFire appliance, do not select Allow Custom Certificates Only.
    1. Select Panorama > Setup > Management and Edit the Panorama settings.
    2. Select Allow Custom Certificate Only.
    3. Click OK.
    4. Commit your changes.
      After committing this change, all devices managed by Panorama must use custom certificates. If not, authentication between Panorama and the device fails.
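The two client-side checks this procedure configures, the certificate profile (is the peer certificate issued by the trusted CA?) and Check Server Identity (does the server certificate's CN match Panorama's FQDN or IP?), together with Panorama's serial-number check on a device certificate whose CN carries $UDID, modelled as an added example. This is not PAN-OS or Panorama code; it uses the Python `cryptography` library, and the CA, host name and serial number are constructed values.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def issue(cn, key, issuer=None, issuer_key=None):
    """Issue a certificate with subject CN=cn; self-signed when no issuer is given."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(subject)
               .issuer_name(issuer.subject if issuer else subject)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - timedelta(minutes=5))
               .not_valid_after(now + timedelta(days=365)))
    return builder.sign(issuer_key or key, hashes.SHA256())

def common_name(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value

def issued_by(cert, ca_cert):
    """Certificate-profile check: is the signature valid under the trusted CA's key?"""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def client_accepts_server(server_cert, ca_cert, panorama_host, check_server_identity):
    """Client side: trust the CA; with Check Server Identity on, also require CN == Panorama's FQDN/IP."""
    if not issued_by(server_cert, ca_cert):
        return False
    return not check_server_identity or common_name(server_cert) == panorama_host

def panorama_authorizes_device(device_cert, ca_cert, expected_serial):
    """Server side: a CA-issued device certificate whose CN carries the device serial ($UDID)."""
    return issued_by(device_cert, ca_cert) and common_name(device_cert) == expected_serial

# Constructed material: an enterprise CA, a Panorama server cert, a CA-issued cert with a
# different CN, a device cert with CN = serial, and a self-signed cert not from the CA.
CA_KEY = ec.generate_private_key(ec.SECP256R1())
CA_CERT = issue("Example Enterprise CA", CA_KEY)
PANORAMA_CERT = issue("panorama.example.com", ec.generate_private_key(ec.SECP256R1()), CA_CERT, CA_KEY)
OTHER_CERT = issue("other.example.com", ec.generate_private_key(ec.SECP256R1()), CA_CERT, CA_KEY)
DEVICE_CERT = issue("001234567890", ec.generate_private_key(ec.SECP256R1()), CA_CERT, CA_KEY)
ROGUE_CERT = issue("001234567890", ec.generate_private_key(ec.SECP256R1()))  # self-signed
```

With Check Server Identity off, any certificate the enterprise CA issued is accepted as Panorama, which is why the option is worth enabling once the CA also issues certificates to other hosts.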