Configure Authentication Using Custom Certificates on Panorama
Complete the following procedure to configure
the server side (Panorama) to use custom certificates instead of
predefined certificates for mutual authentication with managed devices
in your deployment. See Set Up Authentication Using Custom Certificates Between HA Peers to
configure custom certificates on a Panorama HA pair.
- Deploy the server certificate. You can deploy certificates on Panorama or a Log Collector by generating a self-signed certificate on Panorama or by obtaining a certificate from your enterprise CA or a trusted third-party CA.
- On Panorama, configure a certificate profile. The certificate profile defines which CA certificates to trust and which certificate field to look for the IP address or FQDN in.
  - Select Panorama > Certificate Management > Certificate Profile.
  - If you configure an intermediate CA as part of the certificate profile, you must include the root CA as well.
- Configure an SSL/TLS service profile.
  - Select Panorama > Certificate Management > SSL/TLS Service Profile.
  - Configure an SSL/TLS service profile to define the certificate and protocol versions that Panorama and its managed devices use for SSL/TLS services.
- Configure Secure Server Communication on Panorama or on a Log Collector in the server role.
  - Select one of the following navigation paths:
    - For Panorama: Panorama > Setup > Management, then Edit the Secure Communications Settings.
    - For a Log Collector: Panorama > Managed Collectors > Add > Communication.
  - Verify that the Allow Custom Certificate Only check box is not selected. This allows you to continue managing all devices while migrating to custom certificates. When the Custom Certificate Only check box is selected, Panorama does not authenticate, and therefore cannot manage, devices that still use predefined certificates.
  - Select the SSL/TLS Service Profile. This SSL/TLS service profile applies to all SSL connections between Panorama, firewalls, Log Collectors, and Panorama HA peers.
  - Select the Certificate Profile that identifies the certificate to use to establish secure communication with clients such as firewalls.
  - (Optional) Configure an authorization list. The authorization list adds a layer of security beyond certificate authentication: it checks the client certificate Subject or Subject Alt Name, and if the Subject or Subject Alt Name presented with the client certificate does not match an identifier on the authorization list, authentication is denied. You can also authorize client devices based on their serial number.
    - Add an Authorization List.
    - Select the Subject or Subject Alt Name configured in the certificate profile as the Identifier type.
    - Enter the Common Name if the identifier is Subject, or an IP address, hostname, or email address if the identifier is Subject Alt Name.
    - Click OK.
    - Select Check Authorization List to enforce the authorization list.
  - Select Authorize Client Based on Serial Number to have the server authenticate clients based on the serial numbers of managed devices. The CN or Subject in the client certificate must contain the special keyword $UDID to enable this type of authentication.
  - In Disconnect Wait Time (min), specify how long Panorama should wait before terminating the current session and reestablishing the connection with its managed devices. This field is blank by default; the range is 0 to 44,640 minutes, and leaving the field blank is the same as setting it to 0. The disconnect wait time does not begin counting down until you commit the new configuration.
  - Click OK.
- Commit your changes.