: How Are SSL/TLS Connections Mutually Authenticated?
Focus
Focus

How Are SSL/TLS Connections Mutually Authenticated?

Table of Contents

How Are SSL/TLS Connections Mutually Authenticated?

In a regular SSL connection, only the server needs to identify itself to the client by presenting its certificate. However, in mutual SSL authentication, the client presents its certificate to the server as well. Panorama, the primary Panorama HA peer, Log Collectors, WildFire appliances, and PAN-DB appliances can act as the server. Firewalls, Log Collectors, WildFire appliances, and the secondary Panorama HA peer can act as the client. The role that a device takes on depends the deployment. For example, in the diagram below, Panorama manages a number of firewalls and a collector group and acts as the server for the firewalls and Log Collectors. The Log Collector acts as the server to the firewalls that send logs to it.
To deploy custom certificates for mutual authentication in your deployment, you need:
  • SSL/TLS Service Profile—An SSL/TLS service profile defines the security of the connections by referencing your custom certificate and establishing the SSL/TLS protocol versions used by the server device to communicate with client devices.
  • Server Certificate and Profile—Devices in the server role require a certificate and certificate profile to identify themselves to the client devices. You can deploy this certificate from your enterprise public key infrastructure (PKI), purchase one from a trusted third-party CA, or generate a self-signed certificate locally. The server certificate must include the IP address or FQDN of the device’s management interface in the certificate common name (CN) or Subject Alt Name. The client firewall or Log Collector matches the CN or Subject Alt Name in the certificate the server presents against the server’s IP address or FQDN to verify the server’s identity.
    Additionally, use the certificate profile to define certificate revocation status (OCSP/CRL) and the actions taken based on the revocation status.
  • Client Certificates and Profile—Each managed device requires a client certificate and certificate profile. The client device uses its certificate to identify itself to the server device. You can deploy certificates from your enterprise PKI, using Simple Certificate Enrollment Protocol (SCEP), purchase one from a trusted third-party CA, or generate a self-signed certificate locally.
    Custom certificates can be unique to each client device or common across all devices. The unique device certificates uses a hash of the serial number of the managed device and CN. The server matches the CN or the subject alt name against the configured serial numbers of the client devices. For client certificate validation based on the CN to occur, the username must be set to Subject common-name. The client certificate behavior also applies to Panorama HA peer connections.
    You can configure the client certificate and certificate profile on each client device or push the configuration from Panorama to each device as part of a template.
    SSL/TLS Authentication