1. Home
    2. Panorama
    3. Panorama Administrator's Guide
    4. Set Up Panorama
    5. Set Up Administrative Access to Panorama
    6. Configure Administrative Accounts and Authentication
    7. Configure a Panorama Administrator with Certificate-Based Authentication for the Web Interface

    Configure a Panorama Administrator with Certificate-Based Authentication for the Web Interface

    As a more secure alternative to password-based authentication to the Panorama web interface, you can configure certificate-based authentication for administrator accounts that are local to Panorama. Certificate-based authentication involves the exchange and verification of a digital signature instead of a password.
    Configuring certificate-based authentication for any administrator disables the username/password logins for all administrators on Panorama and all administrators thereafter require the certificate to log in.
    1. Generate a certificate authority (CA) certificate on Panorama.
      You will use this CA certificate to sign the client certificate of each administrator.
      Alternatively, you can import a certificate from your enterprise CA.
    2. Configure a certificate profile for securing access to the web interface.
      1. Select
        Panorama
        Certificate Management
        Certificate Profile
         and click
        Add
        .
      2. Enter a
        Name
         for the certificate profile and set the
        Username Field
         to
        Subject
        .
      3. Select
        Add
         in the CA Certificates section and select the
        CA Certificate
         you just created.
      4. Click
        OK
         to save the profile.
    3. Configure Panorama to use the certificate profile for authenticating administrators.
      1. Select the
        Panorama
        Setup
        Management
         and edit the Authentication Settings.
      2. Select the
        Certificate Profile
         you just created and click
        OK
        .
    4. Configure the administrator accounts to use client certificate authentication.
      Configure a Panorama Administrator Account for each administrator who will access the Panorama web interface. Select the
      Use only client certificate authentication (Web)
       check box.
      If you have already deployed client certificates that your enterprise CA generated, skip to Step 8. Otherwise, continue with Step 5.
    5. Generate a client certificate for each administrator.
      Generate a certificate on Panorama. In the
      Signed By
       drop-down, select the CA certificate you created.
    6. Export the client certificates.
      2. Select
        Commit
        Commit to Panorama
         and
        Commit
         your changes.
        Panorama restarts and terminates your login session. Thereafter, administrators can access the web interface only from client systems that have the client certificate you generated.
    7. Import the client certificate into the client system of each administrator who will access the web interface.
      Refer to your web browser documentation as needed to complete this step.
    8. Verify that administrators can access the web interface.
      1. Open the Panorama IP address in a browser on the computer that has the client certificate.
      2. When prompted, select the certificate you imported and click
        OK
        . The browser displays a certificate warning.
      3. Add the certificate to the browser exception list.
      4. Click
        Login
        . The web interface should appear without prompting you for a username or password.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo