Configure a Panorama Administrator with Certificate-Based Authentication for the Web Interface
As a more secure alternative to password-based authentication to the Panorama web interface, you can configure certificate-based authentication for administrator accounts that are local to Panorama. Certificate-based authentication involves the exchange and verification of a digital signature instead of a password.
Configuring certificate-based authentication for any administrator disables the username/password logins for all administrators on Panorama and all administrators thereafter require the certificate to log in.
- Generate a certificate authority (CA) certificate on Panorama.
- Configure a certificate profile for securing access to the web interface.
  - Select Panorama > Certificate Management > Certificate Profile and click Add.
  - Enter a Name for the certificate profile and set the Username Field to Subject.
  - Select Add in the CA Certificates section and select the CA Certificate you just created.
  - Click OK to save the profile.
- Configure Panorama to use the certificate profile for
  - Select Panorama > Setup > Management and edit the Authentication Settings.
  - Select the Certificate Profile you just created and click OK.
- Configure the administrator accounts to use client certificate authentication.
  Configure a Panorama Administrator Account for each administrator who will access the Panorama web interface. Select the Use only client certificate authentication (Web) check box.
- Generate a client certificate for each administrator.
  Generate a certificate on Panorama. In the Signed By drop-down, select the CA certificate you created.
- Export the client certificates.
  - Export the certificates.
- Select Commit > Commit to Panorama and Commit your changes.
  Panorama restarts and terminates your login session. Thereafter, administrators can access the web interface only from client systems that have the client certificate you generated.
- Import the client certificate into the client system of each administrator who will access the web interface.
  Refer to your web browser documentation as needed to complete this step.
- Verify that administrators can access the web interface.
  - Open the Panorama IP address in a browser on the computer that has the client certificate.
  - When prompted, select the certificate you imported and click OK. The browser displays a certificate warning.
  - Add the certificate to the browser exception list.
  - Click Login. The web interface should appear without prompting you for a username or password.
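Because committing this configuration disables username/password logins for all administrators, it is worth checking each exported client certificate before the commit. The following is an added example, not Palo Alto Networks code: it confirms that a certificate chains to the CA referenced in the certificate profile and that its subject matches the administrator account name. It assumes the certificates were exported as PEM files and that the Subject username field is compared against the certificate common name (CN); the function name and file names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not Palo Alto Networks code).
# Assumptions: PEM exports; the profile's Subject username field is compared
# against the certificate common name (CN).

# check_admin_cert CA_PEM CLIENT_PEM ADMIN_NAME
#   0 = chains to the CA, currently valid, CN matches ADMIN_NAME
#   1 = not signed by the CA, expired, or unreadable
#   2 = CN does not match the administrator account name
check_admin_cert() {
    local ca="$1" cert="$2" admin="$3" cn

    # The client certificate must verify against the CA in the certificate profile.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca" >&2
        return 1
    fi

    # Extract the CN from the subject and compare it with the account name.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p' | head -n 1)
    if [ "$cn" != "$admin" ]; then
        echo "FAIL: certificate CN '$cn' != administrator '$admin'" >&2
        return 2
    fi

    # Warn (without failing) when the certificate expires within 30 days.
    if ! openssl x509 -in "$cert" -noout -checkend $((30 * 86400)) >/dev/null; then
        echo "WARN: $cert expires within 30 days" >&2
    fi
    echo "OK: $cert is valid for administrator '$admin'"
    return 0
}

# Run directly as: ./check_admin_cert.sh ca.pem admin1.pem admin1
if [ "$#" -eq 3 ]; then
    check_admin_cert "$@"
fi
```

Run the check for every administrator account that has client certificate authentication enabled, so that no account is left without a working certificate after Panorama restarts.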