Configure Authentication Using Custom Certificates on Panorama

1. Deploy the server certificate.

   You can deploy certificates on Panorama or a server Log Collector by generating a self-signed certificate on Panorama or obtaining a certificate from your enterprise certificate authority (CA) or a trusted third-party CA.
2. On Panorama, configure a certificate profile This certificate profile defines what certificate to use and what certificate field to look for the IP address or FQDN in.

   1. Select PanoramaCertificate ManagementCertificate Profile.
   2. Configure a certificate profile.

      If you configure an intermediate CA as part of the certificate profile, you must include the root CA as well.
3. Configure an SSL/TLS service profile.

   1. Select PanoramaCertificate ManagementSSL/TLS Service Profile.
   2. Configure an SSL/TLS profile to define the certificate and protocol that Panorama and its managed devices use for SSL/TLS services.
4. Configure Secure Server Communication on Panorama or a Log Collector in the server role.

   1. Select one of the following navigation paths:

      • For Panorama: PanoramaSetupManagement and Edit the Secure Communications Settings
      • For a Log Collector: PanoramaManaged CollectorsAddCommunication
   2. Select the Customize Secure Server Communication option.
   3. Verify that the Allow Custom Certificate Only check box is not selected. This allows you to continue managing all devices while migrating to custom certificates.

      When the Custom Certificate Only check box is selected, Panorama does not authenticate and cannot manage devices using predefined certificates.
   4. Select the SSL/TLS Service Profile. This SSL/TLS service profile applies to all SSL connections between Panorama, firewalls, Log Collectors, and Panorama HA peers.
   5. Select the Certificate Profile that identifies the certificate to use to establish secure communication with clients such as firewalls.
   6. (Optional) Configure an authorization list. The authorization list adds an additional layer of security beyond certificate authentication. The authorization list checks the client certificate Subject or Subject Alt Name. If the Subject or Subject Alt Name presented with the client certificate does not match an identifier on the authorization list, authentication is denied.

      You can also authorize client devices based on their serial number.

      1. Add an Authorization List.
      2. Select the Subject or Subject Alt Name configured in the certificate profile as the Identifier type.
      3. Enter the Common Name if the identifier is Subject or and IP address, hostname or email if the identifier is Subject Alt Name.
      4. Click OK.
      5. Select Check Authorization List to enforce the authorization list.
   7. Select Authorize Client Based on Serial Number to have the server authenticate client based on the serial numbers of managed devices. The CN or subject in the client certificate must have the special keyword $UDID to enable this type of authentication.
   8. Select the Data Redistribution option in the Customize Communication section to use a custom certificate to secure outgoing communication with data redistribute clients.
   9. In Disconnect Wait Time (min), specify how long Panorama should wait before terminating the current session and reestablishing the connection with its managed devices. This field is blank by default and the range is 0 to 44,640 minutes. Leaving this field blank is the same as setting it to 0.

      The disconnect wait time does not begin counting down until you commit the new configuration.
   10. Click OK.
   11. Commit your changes.