PAN-OS & Panorama

PAN-OS: Specify a certificate, TLS protocol versions, and ciphers that you want connections to various Palo Alto Networks services to support.
  1. For each desired service, generate or import a certificate on the firewall (see Obtain Certificates).
    Use only signed certificates, not CA certificates, in SSL/TLS service profiles.
  2. Select Device > Certificate Management > SSL/TLS Service Profile.
  3. If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.
  4. Click Add and enter a Name to identify the profile.
  5. Select the Certificate you obtained in step one.
  6. Under Protocol Settings, define the range of TLS versions that the service can use.
    TLSv1.3 support is limited to administrative access to management interfaces and GlobalProtect portals and gateways. You can only attach SSL/TLS service profiles that allow TLSv1.3 to the settings for these services.
    • Administrative Access and GlobalProtect Portals and Gateways:
      Set the Min Version and Max Version to TLSv1.3.
      • For the Min Version, select the earliest allowed TLS version: TLSv1.0, TLSv1.1, TLSv1.2, or TLSv1.3.
      • For the Max Version, select the latest allowed TLS version: TLSv1.0, TLSv1.1, TLSv1.2, or TLSv1.3.
    • All Other Services:
      Set the Min Version and Max Version to TLSv1.2.
      • For the Min Version, select the earliest allowed TLS version: TLSv1.0, TLSv1.1, or TLSv1.2.
      • For the Max Version, select the latest allowed TLS version: TLSv1.0, TLSv1.1, or TLSv1.2.
  7. (Optional) Deselect any Key Exchange Algorithms, Encryption Algorithms, or Authentication Algorithms.
  8. Click OK and Commit your changes.
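
After the commit, you can confirm that a service really enforces the range set in step 6 by attempting one handshake per TLS version and comparing the results with the profile. The following Python sketch is an added example, not Palo Alto Networks code; the function names `probe` and `audit` and the host `fw.example.test` are hypothetical, and the sample results are constructed.

```python
import socket
import ssl

# TLS versions selectable in the profile's Protocol Settings, oldest first.
VERSIONS = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
_PIN = dict(zip(VERSIONS, (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                           ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)))

def probe(host, port, version, timeout=5.0):
    """True if the service completes a handshake pinned to exactly one version.
    Caveat: a local OpenSSL build that refuses to offer TLSv1.0/1.1 also yields
    False, so a False for those versions is not proof the firewall rejects them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # only the protocol version is under test
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = _PIN[version]
    ctx.maximum_version = _PIN[version]
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False

def audit(tls13_capable_service, min_version, max_version, accepted):
    """Compare the configured range with observed handshakes; return findings."""
    lo, hi = VERSIONS.index(min_version), VERSIONS.index(max_version)
    findings = []
    if lo > hi:
        findings.append("Min Version is later than Max Version")
    if max_version == "TLSv1.3" and not tls13_capable_service:
        findings.append("profile allows TLSv1.3 but the service does not support it")
    for i, version in enumerate(VERSIONS):
        if accepted.get(version) and not lo <= i <= hi:
            findings.append(f"{version} accepted outside {min_version}..{max_version}")
    if not any(accepted.get(v) for v in VERSIONS[lo:hi + 1]):
        findings.append("no version inside the configured range was accepted")
    return findings

if __name__ == "__main__":
    # Constructed results; on a real check build them with, for example:
    #   accepted = {v: probe("fw.example.test", 443, v) for v in VERSIONS}
    accepted = {"TLSv1.0": False, "TLSv1.1": True, "TLSv1.2": True, "TLSv1.3": False}
    for finding in audit(False, "TLSv1.2", "TLSv1.2", accepted):
        print("FINDING:", finding)
```

Set `tls13_capable_service` to `True` only for administrative access and GlobalProtect portals and gateways, the services the procedure names as supporting TLSv1.3.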