In PAN-OS 8.0, enhancements to connection security introduce additional security measures for management connections among Palo Alto Networks devices. The connections protected by this feature are shown in the illustration, and the security measures include support for:
Custom SSL/TLS service profiles
Custom client certificates
SCEP support
CRL/OCSP support
Panorama and Log Collector act as a server for management connections initiated by clients such as Firewalls, Log-Collector Client, and Panorama HA client.
A new configuration space called Secure Server Communication is introduced on Panorama and Log Collector to let users configure various security features for the MGMT connections where devices are acting as servers.
On Panorama: Setup > Management > Panorama Settings > Secure Server Communication
Also, a Log-Collector can act as a server for the MGMT connections originating from the firewalls.
On Log-Collector: Setup > Managed Collectors > Communication > Secure Server Communication
Environment
PAN-OS 8.0
Panorama (or Log-Collector)
Resolution
Secure Server Communication (Panorama and Log-Collector)
Custom SSL/TLS profiles
Administrators have complete control over the SSL ciphers and the certificates used by the Panorama/Log-Collector server for SSL connections with clients.
Panorama/Log-Collector can validate the client certificate according to the certificate profile configuration when accepting connections from clients (a firewall, a Log-Collector, or its High Availability peer).
Panorama/Log-Collector can check the status of certificates via OCSP/CRL when this is configured in the certificate profile, and terminates the connection if the certificate is expired or revoked.
Client Authentication
Enabling the 'Custom Certificate Only' option causes Panorama/Log-Collector to reject connections from clients running PAN-OS 7.1 and earlier, because these devices present a default pre-loaded certificate when connecting to the Panorama/Log-Collector.
Client authentication can be further fine-tuned with an authorization list.
The authorization list contains Subject and Subject Alt Name entries. The Subject value type can be an IP address or a domain name; the Subject Alt Name can be of type Email, Domain name, or IP address.
Clients can also be authenticated by serial number.
Secure Client Communication (Firewall, LC clients, Panorama HA client)
Users can select the client certificate to be presented by the client when communicating with the Panorama/Log-Collector servers. This client certificate can either reside locally or can be imported via SCEP profile.
A certificate profile is used to validate the certificate presented by the Panorama/Log-Collector server. If OCSP/CRL is configured, clients check the status of the server certificate via these methods and terminate the connection if the certificate is revoked or expired.
The client-side configuration is done in the Secure Client Communication space. Since firewalls, the Panorama High-Availability client, and Log-Collector clients can each act as clients in various cases, this configuration space is available on all of these devices.
On Firewall: Setup > Management > Panorama Settings > Secure Client Communication
On Panorama HA Client: Panorama > High Availability > Setup
On Log Collector Client: Panorama > Managed Collectors > Communication > Secure Client Communication
Troubleshooting
System logs on the Firewall and Panorama can be used to troubleshoot MGMT SSL connection issues.
Panorama System Logs
Firewall System Logs
A new column called certificate is introduced under Managed Devices on Panorama which indicates the status of the client certificate presented by the clients.
Here is a possible list of messages for the certificate status column:
Deployed - Client is using a custom certificate that passed the certificate profile check
Pre-defined - Client is using a pre-defined certificate
Certificate Validation Error - Client failed the certificate profile check on the server
Client Identity check error - Client certificate failed the authorization list checks on the server
No message - Client passed all the checks on the server side. The server certificate might have failed the checks done on the client side
Additional Information
To learn more about this topic or PAN-OS in general, please check out the TechDocs PAN-OS Landing page