Configure Authentication Using Custom Certificates on Panorama

Deploy the server certificate.
You candeploy certificates on Panorama or a server Log Collector by generating a self-signed certificate on Panorama or obtaining a certificate from your enterprise CA or a trusted third-party CA.
On Panorama, configure a certificate profile This certificate profile defines what certificate to use and what certificate field to look for the IP address or FQDN in.
Select
Panorama
Certificate Management
Certificate Profile
.
Configure a certificate profile.
If you configure an intermediate CA as part of the certificate profile, you must include the root CA as well.
Configure an SSL/TLS service profile.
Select
Panorama
Certificate Management
SSL/TLS Service Profile
.
Configure an SSL/TLS profile to define the certificate and protocol that Panorama and its managed devices use for SSL/TLS services.
Configure Secure Server Communication on Panorama or a Log Collector in the server role.
Select one of the following navigation paths:
For Panorama:
Panorama
Setup
Management
and
Edit
the Secure Communications Settings
For a Log Collector:
Panorama
Managed Collectors
Add
Communication
Verify that the
Allow Custom Certificate Only
check box is not selected. This allows you to continue managing all devices while migrating to custom certificates.
When the Custom Certificate Only check box is selected, Panorama does not authenticate and cannot manage devices using predefined certificates.
Select the
SSL/TLS Service Profile
. This SSL/TLS service profile applies to all SSL connections between Panorama, firewalls, Log Collectors, and Panorama HA peers.
Select the
Certificate Profile
that identifies the certificate to use to establish secure communication with clients such as firewalls.
(
Optional
) Configure an authorization list. The authorization list adds an additional layer of security beyond certificate authentication. The authorization list checks the client certificate Subject or Subject Alt Name. If the Subject or Subject Alt Name presented with the client certificate does not match an identifier on the authorization list, authentication is denied.
You can also authorize client devices based on their serial number.
Add
an Authorization List.
Select the
Subject
or
Subject Alt Name
configured in the certificate profile as the Identifier type.
Enter the Common Name if the identifier is Subject or and IP address, hostname or email if the identifier is Subject Alt Name.
Click
OK
.
Select
Check Authorization List
to enforce the authorization list.
Select
Authorize Client Based on Serial Number
to have the server authenticate client based on the serial numbers of managed devices. The CN or subject in the client certificate must have the special keyword $UDID to enable this type of authentication.
In
Disconnect Wait Time (min)
, specify how long Panorama should wait before terminating the current session and reestablishing the connection with its managed devices. This field is blank by default and the range is 0 to 44,640 minutes. Leaving this field blank is the same as setting it to 0.
The disconnect wait time does not begin counting down until you commit the new configuration.
Click
OK
.
Commit
your changes.