How Are SSL/TLS Connections Mutually
Authenticated?
Mutually authenticate SSL/TLS Connections.
| Where Can I Use This? | What Do I Need? |
- NGFW (Managed by Panorama)
|
|
In a regular SSL connection, only the server needs to
identify itself to the client by presenting its certificate. However,
in mutual SSL authentication, the client presents its certificate
to the server as well. Panorama, the primary Panorama HA peer, Log
Collectors, WildFire appliances, and PAN-DB appliances can act as
the server. Firewalls, Log Collectors, WildFire appliances, and
the secondary Panorama HA peer can act as the client. The role that
a device takes on depends the deployment. For example, in the diagram
below, Panorama manages a number of firewalls and a collector group
and acts as the server for the firewalls and Log Collectors. The
Log Collector acts as the server to the firewalls that send logs
to it.
To deploy custom certificates for mutual authentication in your
deployment, you need:
SSL/TLS Service Profile
An
SSL/TLS service profile defines the
security of the connections by referencing your custom certificate and
establishing the SSL/TLS protocol versions used by the server device to
communicate with client devices.
Server Certificate and Profile
Devices in the server role require a certificate and certificate profile to
identify themselves to the client devices. You can
deploy this certificate from your
enterprise public key infrastructure (PKI), purchase one from a trusted
third-party CA, or generate a self-signed certificate locally. The server
certificate must include the IP address or FQDN of the device’s management
interface in the certificate common name (CN) or Subject Alt Name. The client
firewall or Log Collector matches the CN or Subject Alt Name in the certificate
the server presents against the server’s IP address or FQDN to verify the
server’s identity.
Additionally, use the certificate profile to define
certificate revocation status
(OCSP/CRL) and the actions taken based on the revocation status.
Client Certificates and Profile
Each managed device requires a client certificate and
certificate profile. The client device uses its
certificate to identify itself to the server device. You can
deploy certificates from your
enterprise PKI, using Simple Certificate Enrollment Protocol (SCEP), purchase
one from a trusted third-party CA, or generate a self-signed certificate
locally.
Custom certificates can be unique to each client device or common across all
devices. The unique device certificates uses a hash of the serial number of the
managed device and CN. The server matches the CN or the subject alt name against
the configured serial numbers of the client devices. For client certificate
validation based on the CN to occur, the username must be set to Subject
common-name. The client certificate behavior also applies to Panorama HA peer
connections.
You can configure the client certificate and certificate profile on each client
device or push the configuration from Panorama to each device as part of a
template.
SSL/TLS Authentication