Configure Authentication Using Custom Certificates on Managed Devices

Complete the following procedure to configure the client side (firewall or Log Collector) to use custom certificates instead of predefined certificates for mutual authentication with managed devices in your deployment.
  1. Upgrade each managed firewall or Log Collector. All managed devices must be running PAN-OS 8.0 or later to enforce custom certificate authentication.
    Upgrade the firewall to PAN-OS 8.0 or later. After upgrade, each firewall connects to Panorama using the default predefined certificates.
  2. Obtain or generate the device certificate.
    You can deploy certificates on Panorama or a server Log Collector by generating a self-signed certificate on Panorama or obtaining a certificate from your enterprise CA or a trusted third-party CA.
    If you authorize client devices based on serial number, set the common name to $UDID (or, in the SCEP profile, set the subject to CN=$UDID).
    • You can generate a self-signed certificate on Panorama or obtain a certificate from your enterprise CA or a trusted third-party CA.
    • If you are using SCEP for the device certificate, configure a SCEP profile. SCEP allows you to automatically deploy certificates to managed devices. When a new client device with a SCEP profile attempts to authenticate with Panorama, the SCEP server sends the certificate to the device.
  3. Configure the certificate profile for the client device.
    You can configure this on each client device individually or you can push this configuration to the managed device as part of a template.
    1. Select one of the following navigation paths:
      • For firewalls: Select Device > Certificate Management > Certificate Profile.
      • For Log Collectors: Select Panorama > Certificate Management > Certificate Profile.
  4. Deploy custom certificates on each firewall or Log Collector.
    1. Select one of the following navigation paths:
      • For firewalls: Select Device > Setup > Management and Edit the Panorama Settings.
      • For Log Collectors: Select Panorama > Managed Collectors and Add a new Log Collector or select an existing one. Select Communication.
    2. Select the Secure Client Communication check box (firewall only).
    3. Select the Certificate Type.
      • If you are using a local device certificate, select the Certificate and Certificate Profile.
      • If you are using SCEP to deploy the device certificate, select the SCEP Profile and Certificate Profile.
    4. (Optional) Enable Check Server Identity. The firewall or Log Collector checks the CN in the server certificate against Panorama's IP address or FQDN to verify its identity.
    5. Click OK.
    6. Commit your changes.
      After committing your changes, the managed device does not terminate its current session with Panorama until the Disconnect Wait Time is complete.
  5. After deploying custom certificates on all managed devices, enforce authentication using custom certificates.
    The WildFire appliance does not currently support custom certificates. If your Panorama is managing a WildFire appliance, do not select Allow Custom Certificates Only.
    1. Select Panorama > Setup > Management and Edit the Panorama settings.
    2. Select Allow Custom Certificate Only.
    3. Click OK.
    4. Commit your changes.
      After committing this change, all devices managed by Panorama must use custom certificates. If not, authentication between Panorama and the device fails.
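As an added illustration (not PAN-OS code; the product's own implementation is not shown on this page), the following Python models the two identity checks the procedure above relies on: Panorama authorizing a client whose CN was set to $UDID by comparing it with the expected serial number, and the client-side Check Server Identity comparison of the server certificate's CN against the configured Panorama IP address or FQDN. The subject template, serial number and hostnames are constructed sample values.

```python
import ipaddress
import re

# Constructed sample values (not real device data). The functions below model
# the checks described in the procedure; they are not the PAN-OS implementation.
DEVICE_SERIAL = "012345678901"
SCEP_SUBJECT_TEMPLATE = "CN=$UDID,OU=Firewalls,O=Example Corp"
PANORAMA_SERVER_SUBJECT = "CN=panorama.example.com,O=Example Corp"


def render_scep_subject(template: str, udid: str) -> str:
    """Expand the $UDID placeholder in a SCEP subject template for one device."""
    if not re.fullmatch(r"[A-Za-z0-9]+", udid):
        raise ValueError("UDID must be alphanumeric")  # keeps the DN well-formed
    return template.replace("$UDID", udid)


def subject_cn(subject: str) -> str:
    """Return the CN attribute from a comma-separated DN string."""
    for rdn in subject.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.upper() == "CN":
            return value
    raise ValueError("subject has no CN")


def device_authorized(device_subject: str, expected_serial: str) -> bool:
    """Panorama side: a client whose CN was set to $UDID is authorized only if
    that CN equals the serial number Panorama has on record for the device."""
    return subject_cn(device_subject) == expected_serial


def server_identity_ok(server_subject: str, configured_panorama: str) -> bool:
    """Client side (Check Server Identity): the CN in the server certificate
    must match the Panorama address the device was configured with, IP or FQDN."""
    cn = subject_cn(server_subject)
    try:
        # IP literal: compare canonical forms, so 2001:db8::1 equals 2001:DB8:0:0::1,
        # and an IPv4 CN never matches an IPv6 address or vice versa.
        return ipaddress.ip_address(cn) == ipaddress.ip_address(configured_panorama)
    except ValueError:
        pass  # at least one side is not an IP literal; fall through to FQDN rules
    # FQDN: DNS names are case-insensitive; ignore a trailing root dot.
    return cn.lower().rstrip(".") == configured_panorama.lower().rstrip(".")


if __name__ == "__main__":
    print(render_scep_subject(SCEP_SUBJECT_TEMPLATE, DEVICE_SERIAL))
    print(device_authorized(f"CN={DEVICE_SERIAL},O=Example Corp", DEVICE_SERIAL))
    print(server_identity_ok(PANORAMA_SERVER_SUBJECT, "PANORAMA.example.com."))
```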
