Authentication with Custom Certificates for Redistribution

End-of-Life (EoL)

Configure a custom certificate or SSL/TLS profile to secure communication between the redistribution clients and the redistribution agents.
To establish a unique chain of trust between the devices in your network, you can now configure a certificate profile or SSL/TLS profile to use a custom certificate (instead of a predefined certificate) for mutual authentication during redistribution. The firewall or Panorama uses the certificate profile to validate the client’s certificate during connection. The profile applies globally to all redistribution agents.
You can also use a custom certificate for the Windows User-ID agent. You must install the Root Certificate Authority (CA) for the custom certificate in the Windows Trust Store of the agent host.
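The chain of trust described above can be reproduced on any workstation to see what the certificate profile actually checks. The shell script below is an added example, not PAN-OS or Panorama code and not part of this documentation: it builds a private root CA (the custom root that would be installed in the Windows Trust Store on the agent host), issues one certificate for the firewall or Panorama side and one for a redistribution agent, and then runs the chain check in both directions with openssl, plus a check of a certificate from an unrelated root. The CA names, hostnames, file names and work directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not PAN-OS code): a private root, two leaf certificates, and the
# chain checks each side of a mutually authenticated redistribution connection
# performs. All names and paths are constructed for the demo.
set -e

# write_config <dir>: minimal openssl config so the example does not depend on
# the system openssl.cnf. ca_ext marks a root; leaf_ext marks an end entity that
# may act as TLS server (firewall/Panorama) or client (agent).
write_config() {
  cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# make_ca <dir> <name>: self-signed root CA, the "custom certificate" root that
# the certificate profile (and the agent host's trust store) will trust.
make_ca() {
  dir="$1"; name="$2"
  openssl req -x509 -config "$dir/pki.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -sha256 -days 3650 -subj "/CN=$name" \
    -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
}

# issue_cert <dir> <ca-name> <subject-cn> <out-name>: leaf certificate for
# <subject-cn> signed by the named root; writes <out-name>.key/.crt in <dir>.
issue_cert() {
  dir="$1"; ca="$2"; cn="$3"; out="$4"
  openssl req -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$cn" -keyout "$dir/$out.key" -out "$dir/$out.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$dir/$out.csr" \
    -CA "$dir/$ca.crt" -CAkey "$dir/$ca.key" -CAcreateserial \
    -extfile "$dir/pki.cnf" -extensions leaf_ext \
    -out "$dir/$out.crt" 2>/dev/null
}

# chain_ok <dir> <ca-name> <leaf-name>: prints "trusted" when the leaf chains to
# the named root and "untrusted" otherwise. This is the decision a certificate
# profile makes about the peer certificate when the connection is set up.
chain_ok() {
  dir="$1"; ca="$2"; leaf="$3"
  if openssl verify -CAfile "$dir/$ca.crt" "$dir/$leaf.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# demo <dir>: both directions of the mutual check, plus a certificate issued by
# an unrelated root, which a profile bound to our root must reject.
demo() {
  dir="$1"
  write_config "$dir"
  make_ca "$dir" redistribution-root                                  # our custom root
  make_ca "$dir" unrelated-root                                       # someone else's root
  issue_cert "$dir" redistribution-root fw01.example.test fw01        # firewall/Panorama
  issue_cert "$dir" redistribution-root agent01.example.test agent01  # redistribution agent
  issue_cert "$dir" unrelated-root other01.example.test other01       # wrong chain
  echo "firewall validates agent01 against custom root: $(chain_ok "$dir" redistribution-root agent01)"
  echo "agent validates fw01 against custom root:       $(chain_ok "$dir" redistribution-root fw01)"
  echo "firewall validates other01 against custom root: $(chain_ok "$dir" redistribution-root other01)"
}

demo "$(mktemp -d)"
```

The first two lines of output read trusted and the third untrusted: a certificate is accepted only because it chains to the root the profile was bound to, which is why a custom root on the firewall or Panorama is only useful once the agent certificates are issued under that same root and the root is also present in the agent host's trust store.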

Authenticate the Firewall with the Redistribution Agent

  1. Create a custom SSL certificate profile for the firewall to use for outgoing connections.
  2. Configure the custom certificate profile for outgoing connections from the firewall.
    1. Select Device > Setup > Management > Secure Communication Settings.
    2. Edit the settings.
    3. Select the Customize Secure Server Communication option.
    4. Select the Certificate Profile you created in Step 1.
    5. Click OK.
  3. (Optional) To use the custom certificate profile for Streamlined and Resilient Redistribution, Customize Communication for Data Redistribution.
  4. Commit your changes.
  5. Enter the following CLI command to confirm that the certificate profile (SSL config) uses custom certificates: show redistribution agent state <agent-name> (where <agent-name> is the name of the redistribution agent, User-ID agent, or TS agent).

Authenticate the Redistribution Agent with the Firewall

  1. Create a custom SSL/TLS service profile for the firewall to use for incoming connections.
  2. Configure the custom SSL/TLS service profile for incoming connections to the firewall.
    1. Select Device > Setup > Management > Secure Communication Settings.
    2. Edit the settings.
    3. Select the Customize Secure Server Communication option.
    4. Select the SSL/TLS Service Profile you created in Step 1.
    5. Click OK.
  3. Commit your changes.
  4. Enter the following CLI command to confirm that the SSL/TLS service profile (SSL config) uses custom certificates: show redistribution service status.

Authenticate Panorama with the Redistribution Agent

  1. Create a custom SSL certificate profile for Panorama to use for outgoing connections.
  2. Configure the custom certificate profile for outgoing connections from Panorama.
    1. Select Panorama > Setup > Management > Secure Communication Settings.
    2. Edit the settings.
    3. Select the Customize Secure Server Communication option.
    4. Select the Certificate Profile you created in Step 1.
    5. Click OK.
  3. (Optional) To use the custom certificate profile on Panorama for Streamlined and Resilient Redistribution, Customize Communication for Data Redistribution.
  4. Commit your changes.
  5. Enter the following CLI command to confirm that the certificate profile (SSL config) uses custom certificates: show redistribution agent state <agent-name> (where <agent-name> is the name of the redistribution agent, User-ID agent, or TS agent).

Authenticate the Redistribution Agent with Panorama

  1. Create a custom SSL/TLS service profile for Panorama to use for incoming connections.
  2. Configure the custom SSL/TLS service profile for incoming connections to Panorama.
    1. Select Panorama > Setup > Management > Secure Communication Settings.
    2. Edit the settings.
    3. Select the Customize Secure Server Communication option.
    4. Select the SSL/TLS Service Profile you created in Step 1.
    5. Click OK.
  3. Commit your changes.
  4. Enter the following CLI command to confirm that the SSL/TLS service profile (SSL config) uses custom certificates: show redistribution service status.