Connection Security Enhancements starting in PAN-OS 8.0

Created On 09/25/18 19:02 PM - Last Modified 07/29/20 17:21 PM


Symptom


In PAN-OS 8.0, connection security enhancements introduce additional security measures for the management connections among several Palo Alto Networks entities. The connections protected by this feature are shown in the illustration, and the security measures include support for:

  • Custom SSL/TLS service profiles
  • Custom client certificates
  • SCEP support
  • CRL/OCSP support
Panorama and Log Collectors act as servers for management connections initiated by clients such as firewalls, Log-Collector clients, and the Panorama HA client.

connectenhance1.png

A new configuration space called Secure Server Communication is introduced on Panorama and Log Collector to let users configure various security features for the MGMT connections where devices are acting as servers.

On Panorama: Setup > Management > Panorama Settings > Secure Server Communication

panorama settings.png


Also, a Log-Collector can act as a server for the MGMT connections originating from the firewalls.

On Log-Collector: Setup > Managed Collectors > Communication > Secure Server Communication

secure communication.png



Environment


  • PAN-OS 8.0
  • Panorama (or Log-Collector)


Resolution


Secure Server Communication (Panorama and Log-Collector)

Custom SSL/TLS profiles

  • Administrators have complete control over the SSL/TLS ciphers and the certificates used by the Panorama/Log-Collector server for SSL connections with its clients.

secure communication 2.png

  • Panorama/Log-Collector can validate the client certificate according to the certificate profile configuration when accepting connections from clients (firewall, Log-Collector, or its High Availability peer).
  • Panorama/Log-Collector can check the status of certificates via OCSP/CRL when configured in the certificate profile, and terminates the connection if the certificate is expired or revoked.

secure communication 3.png


Client Authentication

  • Enabling the 'Custom Certificate Only' option causes Panorama/Log-Collector to reject connections from clients running PAN-OS 7.1 and earlier, because these devices present a default pre-loaded certificate when connecting to the Panorama/Log-Collector.

custom certs.png

  • Client authentication can be further fine-tuned with an Authorization list.
  • The Authorization list contains Subject and Subject Alt Name entries. The Subject value type can be an IP address or a domain name. The Subject Alt Name can be of type Email, Domain name, or IP address.
  • Clients can also be authenticated via their serial numbers.
custom certs2.png


Secure Client Communication (Firewall, LC clients, Panorama HA client)

  • Users can select the client certificate that the client presents when communicating with the Panorama/Log-Collector servers. This client certificate can either reside locally or be obtained via a SCEP profile.
  • A Certificate Profile is used to validate the certificate presented by the Panorama/Log-Collector server. If OCSP/CRL is configured, clients check the status of the server certificate via these methods and terminate the connection if the certificate is revoked or expired.


The client-side configuration is done in the Secure Client Communication space. Since firewalls, the Panorama High-Availability client, and Log-Collector clients can all act as clients in various cases, this configuration space is available on all of these devices.

graph.png


On Firewall: Setup > Management > Panorama Settings > Secure Client Communication
secure client communication.png

On Panorama HA Client: Panorama > High Availability > Setup

client communication panorama.png

On Log Collector Client: Panorama > Managed Collectors > Communication > Secure Client Communication

client communication collector.png


Troubleshooting

  • System logs on the firewall and on Panorama can be used to troubleshoot management SSL/TLS connection issues.

Panorama System Logs
panoramalog.png

Firewall System Logs
firewalllog.png

  • A new column called Certificate is introduced under Managed Devices on Panorama; it indicates the status of the client certificate presented by each client.

managed device.png

Here is the list of possible messages in the Certificate status column:

  • Deployed – Client is using a custom certificate that passed the certificate profile check.
  • Pre-defined – Client is using a pre-defined certificate.
  • Certificate Validation Error – Client failed the certificate profile check on the server.
  • Client Identity check error – Client certificate failed the Authorization list checks on the server.
  • No message – Client passed all the checks on the server side; the server certificate might have failed the checks done on the client side.
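The following script models the order of checks described in the Client Authentication section above (certificate profile check, then the Authorization list and serial-number check) and maps the outcome to the strings shown in the Certificate status column. It is an added illustration written for this article, not PAN-OS code: the certificates are plain dicts of already-parsed fields with constructed sample values, the field names, the `AuthorizationList` structure and the assumption that a rejected pre-defined certificate is still reported as "Pre-defined" are the author's own, and the chain/revocation part of the logic is the same check a client performs against the server certificate under Secure Client Communication.

```python
"""Model of the server-side client-certificate decision described in this KB article.

Added illustration, not PAN-OS code. Certificates are represented as already-parsed
fields (constructed sample data) so the script runs offline with the standard library.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ClientCert:
    subject: str                                  # CN: an IP address or a domain name
    serial: str                                   # hex serial number, colons optional
    sans: list = field(default_factory=list)      # (type, value); type is email/dns/ip
    pre_defined: bool = False                     # factory cert used by PAN-OS 7.1 and earlier
    chain_valid: bool = True                      # outcome of the certificate profile (CA) check
    revoked: bool = False                         # OCSP/CRL result, when enabled in the profile
    expired: bool = False


@dataclass
class AuthorizationList:
    subjects: set = field(default_factory=set)    # IP addresses or domain names
    sans: set = field(default_factory=set)        # (type, value) tuples
    serials: set = field(default_factory=set)


def _norm(kind, value):
    """Normalize an identity so case and IP formatting differences do not cause false mismatches."""
    if kind == "ip":
        try:
            return ("ip", str(ipaddress.ip_address(value)))
        except ValueError:
            pass
    return (kind, value.strip().lower())


def subject_entry(value):
    """Classify a Subject value as an IP address or a domain name, as the Authorization list does."""
    try:
        return ("ip", str(ipaddress.ip_address(value)))
    except ValueError:
        return ("dns", value.strip().lower())


def _serial(s):
    return s.replace(":", "").lower()


def identity_matches(cert, authz):
    """Authorization list check: serial number, Subject, or any Subject Alt Name may match."""
    if authz is None:                   # no Authorization list configured: identity is not enforced
        return True
    if _serial(cert.serial) in {_serial(s) for s in authz.serials}:
        return True
    if subject_entry(cert.subject) in {subject_entry(s) for s in authz.subjects}:
        return True
    allowed = {_norm(k, v) for k, v in authz.sans}
    return any(_norm(k, v) in allowed for k, v in cert.sans)


def certificate_status(cert, authz=None, custom_only=False):
    """Return (accepted, text shown in the Managed Devices Certificate column)."""
    if cert.pre_defined:
        # 'Custom Certificate Only' rejects the pre-loaded certificate of PAN-OS 7.1 and earlier.
        # Assumption: the column still reads "Pre-defined" for the rejected connection.
        return (not custom_only, "Pre-defined")
    if not cert.chain_valid or cert.expired or cert.revoked:
        return (False, "Certificate Validation Error")
    if not identity_matches(cert, authz):
        return (False, "Client Identity check error")
    return (True, "Deployed")


# Constructed sample configuration and clients (hypothetical names and serials).
AUTHZ = AuthorizationList(
    subjects={"fw-branch1.example.com", "10.0.0.5"},
    sans={("email", "fwadmin@example.com"), ("dns", "fw-dc.example.com")},
    serials={"0123ABCD"},
)

SAMPLE_CLIENTS = {
    "fw-branch1":   ClientCert(subject="FW-Branch1.example.com", serial="9999"),
    "fw-dc":        ClientCert(subject="fw-dc-mgmt", serial="8888", sans=[("dns", "fw-dc.example.com")]),
    "fw-by-serial": ClientCert(subject="unlisted.example.com", serial="01:23:ab:cd"),
    "fw-revoked":   ClientCert(subject="fw-branch1.example.com", serial="9999", revoked=True),
    "fw-unknown":   ClientCert(subject="rogue.example.com", serial="7777"),
    "fw-7.1":       ClientCert(subject="pre-loaded", serial="0000", pre_defined=True),
}


def evaluate_all(authz=AUTHZ, custom_only=True):
    """Evaluate every sample client against the server configuration."""
    return {name: certificate_status(c, authz, custom_only) for name, c in SAMPLE_CLIENTS.items()}


if __name__ == "__main__":
    for name, (ok, status) in evaluate_all().items():
        print(f"{name:14} accepted={ok!s:5} column={status}")
```

Running the script shows why the column text alone is not the whole picture: a client that reaches "Deployed" passed only the server-side checks, and the empty ("No message") case in the table above still requires looking at the client's own system logs for a failed server-certificate check.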


Additional Information


To learn more about this topic or PAN-OS in general, please check out the TechDocs PAN-OS Landing page.
