Configure Authentication Using Custom Certificates on Panorama

Complete the following procedure to configure the server side (Panorama) to use custom certificates instead of predefined certificates for mutual authentication with managed devices in your deployment. See Set Up Authentication Using Custom Certificates Between HA Peers to configure custom certificates on a Panorama HA pair.
  1. Deploy the server certificate.
    You can deploy the server certificate on Panorama or on a Log Collector in the server role either by generating a self-signed certificate on Panorama or by obtaining a certificate from your enterprise CA or a trusted third-party CA. The certificate must carry, in the field the certificate profile checks (Subject or Subject Alt Name), the FQDN or IP address that managed devices use to reach the server.
  2. On Panorama, configure a certificate profile. The certificate profile defines which certificate to use and which certificate field (Subject or Subject Alt Name) to check for the IP address or FQDN.
    1. Select Panorama > Certificate Management > Certificate Profile.
    2. If you configure an intermediate CA as part of the certificate profile, you must include the root CA as well; a chain that stops at the intermediate cannot be validated up to a trusted root.
  3. Configure an SSL/TLS service profile.
    1. Select Panorama > Certificate Management > SSL/TLS Service Profile.
    2. Configure an SSL/TLS service profile to define the certificate and the protocol versions that Panorama and its managed devices use for SSL/TLS services.
  4. Configure Secure Server Communication on Panorama or on a Log Collector in the server role.
    1. Select one of the following navigation paths:
      • For Panorama: Panorama > Setup > Management, then Edit the Secure Communication Settings.
      • For a Log Collector: Panorama > Managed Collectors > Add > Communication.
    2. Verify that the Allow Custom Certificate Only check box is not selected. Leaving it cleared lets Panorama keep managing devices that still use the predefined certificates while you migrate them to custom certificates.
      When Allow Custom Certificate Only is selected, Panorama does not authenticate, and therefore cannot manage, devices that still use the predefined certificates. Select it only after every managed device presents a custom certificate.
    3. Select the SSL/TLS Service Profile. This SSL/TLS service profile applies to all SSL connections between Panorama, firewalls, Log Collectors, and Panorama HA peers.
    4. Select the Certificate Profile that identifies the certificate to use to establish secure communication with clients such as firewalls.
    5. (Optional) Configure an authorization list. The authorization list adds a layer of authorization on top of certificate authentication: after a client certificate validates against the certificate profile, Panorama compares the certificate's Subject or Subject Alt Name with the identifiers on the list. If the Subject or Subject Alt Name presented with the client certificate does not match an identifier on the authorization list, authentication is denied.
      You can also authorize client devices based on their serial number (see the next step).
      1. Add an Authorization List.
      2. Select Subject or Subject Alt Name, matching the field configured in the certificate profile, as the Identifier type.
      3. Enter the Common Name if the identifier is Subject, or an IP address, hostname, or email address if the identifier is Subject Alt Name.
      4. Click OK.
      5. Select Check Authorization List to enforce the authorization list. Entries are not enforced until this check box is selected.
    6. Select Authorize Client Based on Serial Number to have the server authorize clients by the serial numbers of the managed devices. For this to work, the CN or Subject of the client certificate must contain the special keyword $UDID.
    7. In Disconnect Wait Time (min), specify how long Panorama waits before it terminates the current sessions and reestablishes connections with its managed devices using the new settings. The field is blank by default; the range is 0 to 44,640 minutes, and leaving it blank is the same as setting it to 0.
      The disconnect wait time does not begin counting down until you commit the new configuration.
    8. Click OK.
    9. Commit your changes.
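The two certificate-profile and authorization-list rules in the procedure above (step 2: an intermediate CA in the profile needs the root CA too; step 4.5: the client certificate's Subject or Subject Alt Name must match an authorization-list entry) can be checked with openssl before you commit anything on Panorama. The script below is an added example, not part of the Palo Alto Networks documentation and not Panorama code. It builds a constructed two-tier enterprise CA, issues a server certificate for Panorama and a client certificate for a managed firewall, shows that chain validation fails when only the intermediate CA is trusted and succeeds when the root is added, and then applies an exact-match authorization check against the identifiers the client certificate presents. The hostnames, IP address, and working directory are assumptions; the $UDID serial-number mechanism of step 4.6 is not modelled here.

```shell
#!/bin/sh
# Added example, not Panorama code: a constructed two-tier CA plus the two checks
# (full chain in the certificate profile; authorization-list match on the client
# certificate). All names, the IP address and the working directory are assumptions.
set -u
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

PANORAMA_FQDN=panorama.example.com   # assumed Panorama FQDN
FW_FQDN=fw1.example.com              # assumed managed firewall FQDN
FW_IP=10.0.0.5                       # assumed managed firewall IP

# Minimal req config so the script does not depend on the system openssl.cnf;
# v3_ca gives the self-signed root the CA:TRUE constraint verify requires.
printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\n' > req.cnf
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' >> req.cnf

# Root CA (self-signed) and an intermediate CA signed by the root.
openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -keyout root.key -out root.pem -subj "/CN=Example Root CA" 2>/dev/null
openssl req -config req.cnf -newkey rsa:2048 -nodes -sha256 \
  -keyout inter.key -out inter.csr -subj "/CN=Example Intermediate CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -sha256 -extfile inter.ext -out inter.pem 2>/dev/null

# Leaf certificates are signed by the intermediate. The Panorama server
# certificate carries its FQDN in the SAN; the firewall client certificate
# carries its FQDN and IP, the fields an authorization list can match on.
issue_leaf() {  # issue_leaf <basename> <CN> <SAN list> <extendedKeyUsage>
  openssl req -config req.cnf -newkey rsa:2048 -nodes -sha256 \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=%s\nextendedKeyUsage=%s\n' \
    "$3" "$4" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 365 -sha256 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}
issue_leaf server "$PANORAMA_FQDN" "DNS:$PANORAMA_FQDN" serverAuth
issue_leaf client "$FW_FQDN" "DNS:$FW_FQDN,IP:$FW_IP" clientAuth

# Check 1: what the certificate profile trusts. Trusting only the intermediate
# leaves the chain without a self-signed anchor, so validation fails; trusting
# intermediate plus root succeeds. Both functions return openssl's exit status.
verify_with_intermediate_only() {
  openssl verify -CAfile inter.pem client.pem >/dev/null 2>&1
}
verify_with_full_chain() {
  cat root.pem inter.pem > chain.pem
  openssl verify -CAfile chain.pem client.pem >/dev/null 2>&1
}

# Check 2: authorization list. cert_identifiers prints the identifiers a client
# certificate presents, one per line: "CN:<subject CN>", then each SAN entry as
# "DNS:<host>", "IP:<addr>" or "email:<addr>". authorized returns 0 when any
# listed identifier matches exactly, 1 otherwise (the "authentication is denied" case).
cert_identifiers() {  # cert_identifiers <cert.pem>
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/CN:\1/p'
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | sed 's/IP Address:/IP:/g' | tr ',' '\n' | sed 's/^ *//'
}
authorized() {  # authorized <cert.pem> <identifier>...
  cert="$1"; shift
  for id in "$@"; do
    cert_identifiers "$cert" | grep -qxF -- "$id" && return 0
  done
  return 1
}

# Demonstration of both checks.
if verify_with_intermediate_only; then
  echo "intermediate only: chain verified (unexpected)"
else
  echo "intermediate only: chain verification failed; add the root CA to the profile"
fi
verify_with_full_chain && echo "root + intermediate: chain verified"
authorized client.pem "DNS:$FW_FQDN" && echo "authorized: DNS:$FW_FQDN"
authorized client.pem "DNS:rogue.example.com" || echo "denied: DNS:rogue.example.com"
```

Run it with sh and openssl 1.1.1 or later. In a lab, root.pem and inter.pem are what you would import into the certificate profile, and server.pem with server.key is the server certificate; for production, have your enterprise CA issue the certificates and keep the CA keys off Panorama. The authorization check is deliberately an exact string match, which is the behaviour to expect from an allow list: a certificate for fw1.example.com should not satisfy an entry for fw10.example.com.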
