Created On 02/07/19 23:50 PM - Last Updated 02/07/19 23:50 PM
This article highlights a new capability or feature introduced in PAN-OS 8.0. If you'd like to learn more about this topic or PAN-OS 8.0 in general, you'll also want to check out our world-class Technical Documentation.
In PAN-OS 8.0, enhancements to connection security introduce additional security measures for management connections between Palo Alto Networks entities. The connections protected by this feature are shown in the illustration, and the security measures include support for:
Custom SSL/TLS service profiles
Custom client certificates
Panorama and Log Collector acting as a server for management connections initiated by clients such as Firewalls, Log-Collector Clients, and the Panorama HA client
A new configuration space called Secure Server Communication is introduced on Panorama and Log Collector to let users configure the security features for the MGMT connections in which the device acts as a server.
On Panorama: Setup > Management > Panorama Settings > Secure Server Communication
Also, a Log-Collector can act as a server for the MGMT connections originating from the firewalls.
For Log-Collector: Setup > Managed Collectors > Communication > Secure Server Communication
Secure Server Communication (Panorama and Log-Collector)
Custom SSL/TLS profiles
Administrators have complete control over the SSL ciphers and the certificates used by the Panorama/LC server for SSL connections with clients.
Panorama/LC can validate the client certificate according to the certificate profile configuration when accepting connections from clients (FW, LC, or its HA peer).
Panorama/LC can check the status of certificates via OCSP/CRL when this is configured in the certificate profile, and terminates the connection if the certificate is expired or revoked.
Enabling the 'Custom Certificate Only' option causes Panorama/LC to reject connections from clients running PAN-OS 7.1 and earlier. These devices present a default pre-loaded certificate when connecting to Panorama/LC.
Client authentication can be further fine-tuned with an Authorization list.
An Authorization list entry matches on the Subject or the Subject Alt Name of the client certificate. The Subject value type can be an IP address or a Domain name. The Subject Alt Name can be of type Email, Domain name, or IP address.
Clients can also be authenticated via Serial Numbers.
Secure Client Communication (Firewall, LC clients, Panorama HA client)
Users can select the client certificate presented by the client when communicating with the Panorama/LC servers. This client certificate can either reside locally or be obtained via a SCEP profile.
A Certificate Profile is used to validate the certificate presented by the Panorama/LC server. If OCSP/CRL is configured, clients check the status of the certificate via these methods and terminate the connection if the certificate is revoked or expired.
The client-side configuration is done in the Secure Client Communication space. Since Firewalls, the Panorama HA client, and LC clients can all act as clients in various cases, this configuration space is available on all of these devices.
On Firewall: Setup > Management > Panorama Settings > Secure Client Communication
For Panorama HA Client: Panorama > High Availability > Setup
For Log Collector Client: Panorama > Managed Collectors > Communication > Secure Client Communication
System logs on the Firewall and Panorama can be used to troubleshoot MGMT SSL connection issues.
Panorama System Logs
Firewall System Logs
A new column called Certificate is introduced under Managed Devices on Panorama; it indicates the status of the client certificate presented by each client.
The possible messages in the certificate status column are:
Deployed - Client is using a custom certificate that passed the certificate profile check
Pre-defined - Client is using a pre-defined certificate
Certificate Validation Error - Client failed the certificate profile check on the server
Client Identity check error - Client certificate failed the Authorization list checks on the server
No message - Client passed all the checks on the server side. The server certificate might still have failed the checks done on the client side
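The following is an added illustration, not Palo Alto Networks code, of how the server-side checks described above fit together: the Authorization list matching rules (Subject as IP address or domain name; Subject Alt Name as email, domain name or IP address; or serial number) and the resulting message in the Managed Devices certificate column. The ClientCert and AuthEntry structures, the field names, the "rejected" label used for the Custom Certificate Only case, and all sample certificates are constructed for this example; a real implementation would extract the fields from the X.509 certificate presented during the TLS handshake.

```python
"""Model of the server-side client-certificate checks (constructed example)."""
from dataclasses import dataclass, field
import ipaddress
from typing import List, Optional, Tuple


@dataclass
class ClientCert:
    """Fields a server would extract from the client certificate (constructed structure)."""
    subject_cn: str
    sans: List[Tuple[str, str]] = field(default_factory=list)  # ("dns" | "ip" | "email", value)
    serial: str = ""
    predefined: bool = False   # default pre-loaded cert presented by PAN-OS 7.1 and earlier clients
    profile_ok: bool = True    # result of the certificate profile check (chain, expiry, OCSP/CRL)


@dataclass
class AuthEntry:
    """One Authorization list entry: kind is 'subject', 'san' or 'serial'."""
    kind: str
    value: str
    san_type: str = ""  # only for kind == 'san': 'email', 'dns' or 'ip'


def _norm_ip(value: str) -> Optional[str]:
    """Canonical text form of an IPv4/IPv6 address, or None if the value is not an IP."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def _same(a: str, b: str) -> bool:
    """Compare identifiers: IPs after normalisation (so IPv6 spellings agree), names case-insensitively."""
    ia, ib = _norm_ip(a), _norm_ip(b)
    if ia is not None or ib is not None:
        return ia == ib
    return a.strip().lower().rstrip(".") == b.strip().lower().rstrip(".")


def _norm_serial(serial: str) -> str:
    """Serial numbers are compared as hex without separators or leading zeros."""
    return serial.replace(":", "").replace(" ", "").lstrip("0").upper()


def authorized(cert: ClientCert, auth_list: List[AuthEntry]) -> bool:
    """True when the client matches at least one entry; an empty list means no identity check."""
    if not auth_list:
        return True
    for entry in auth_list:
        if entry.kind == "subject" and _same(entry.value, cert.subject_cn):
            return True
        if entry.kind == "san" and any(
            t.lower() == entry.san_type.lower() and _same(entry.value, v) for t, v in cert.sans
        ):
            return True
        if entry.kind == "serial" and cert.serial and _norm_serial(entry.value) == _norm_serial(cert.serial):
            return True
    return False


def certificate_status(cert: ClientCert, auth_list: List[AuthEntry], custom_only: bool = False) -> str:
    """Map the server-side checks to the Managed Devices certificate column message."""
    if cert.predefined:
        # With 'Custom Certificate Only' enabled the server rejects the connection instead;
        # the 'rejected' label is constructed here, the article lists no column text for it.
        return "rejected" if custom_only else "Pre-defined"
    if not cert.profile_ok:
        return "Certificate Validation Error"
    if not authorized(cert, auth_list):
        return "Client Identity check error"
    # A client-side failure against the server certificate is not visible from these checks.
    return "Deployed"


# Constructed sample data: one Authorization list and several client certificates.
AUTH_LIST = [
    AuthEntry("subject", "2001:0DB8:0:0:0:0:0:1"),            # IP subject, non-canonical spelling
    AuthEntry("san", "fw2.example.com", san_type="dns"),
    AuthEntry("serial", "00:1A:2B:3C"),
]
FW1 = ClientCert("2001:db8::1")                                 # matches the subject entry
FW2 = ClientCert("firewall-2", sans=[("DNS", "FW2.example.com.")])  # matches via SAN
FW3 = ClientCert("fw3", serial="1a2b3c")                         # matches via serial number
FW4 = ClientCert("fw4.example.com")                              # no entry matches
FW5 = ClientCert("2001:db8::1", profile_ok=False)                # revoked/expired/untrusted chain
OLD = ClientCert("old-fw", predefined=True)                      # PAN-OS 7.1 style default cert

if __name__ == "__main__":
    for name, cert in [("FW1", FW1), ("FW2", FW2), ("FW3", FW3), ("FW4", FW4), ("FW5", FW5), ("OLD", OLD)]:
        print(name, certificate_status(cert, AUTH_LIST), "|", certificate_status(cert, AUTH_LIST, custom_only=True))
```

The order of the checks mirrors the column semantics: a certificate profile failure is reported before any identity check, so a revoked certificate with a matching subject still shows Certificate Validation Error rather than Deployed.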