Palo Alto Networks Knowledgebase: PAN-OS 8.0 Connection Security Enhancements


Created On 02/07/19 23:50 PM - Last Updated 02/07/19 23:50 PM
8.0 PAN-OS
Resolution

This article highlights a new capability introduced in PAN-OS 8.0. If you'd like to learn more about this topic, or about PAN-OS 8.0 in general, you'll also want to check out our Technical Documentation.


In PAN-OS 8.0, connection security enhancements add security measures to the management connections between Palo Alto Networks devices. The connections protected by this feature are shown in the illustration below, and the security measures include support for:


  • Custom SSL/TLS service profiles
  • Custom client certificates
  • SCEP support
  • CRL/OCSP support


Panorama and the Log Collector act as servers for management connections initiated by clients such as Firewalls, Log Collector clients, and Panorama HA clients.

connectenhance1.png


A new configuration space called Secure Server Communication is introduced on Panorama and the Log Collector. It lets administrators configure the security features for the MGMT connections on which these devices act as servers.


On Panorama: Setup > Management > Panorama Settings > Secure Server Communication

panorama settings.png


A Log Collector can also act as a server for the MGMT connections originating from firewalls.


For Log Collector: Setup > Managed Collectors > Communication > Secure Server Communication

secure communication.png


Secure Server Communication (Panorama and Log-Collector)

Custom SSL/TLS profiles

  • Administrators have complete control over the SSL ciphers and the certificates used by the Panorama/LC server for the SSL connections with its clients.
  • Panorama/LC can validate the client certificate according to the certificate profile configuration when accepting connections from clients (FW, LC, or its HA peer).
  • Panorama/LC can check the status of certificates via OCSP/CRL when this is configured in the certificate profile, and terminates the connection if the certificate is expired or revoked.

secure communication 2.png


secure communication 3.png
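The three server-side controls just listed (admin-chosen ciphers, mandatory client certificate validation against a CA, and revocation checking) map directly onto settings of a TLS listener. The following is an added example using only the Python standard library; it is an analogy for what the Panorama/LC server enforces, not Palo Alto Networks code, and the cipher list and the optional file paths are assumptions.

```python
"""Server-side TLS policy mirroring an SSL/TLS service profile plus a
certificate profile. Added example, standard library only; not Panorama code."""
import ssl

# Admin-chosen suite list (assumption): ECDHE-only AEAD suites, nothing weaker.
ALLOWED_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
])


def build_server_context(ca_file=None, cert_file=None, key_file=None, check_crl=False):
    """Build the listener's SSLContext.

    A bare SSLContext(PROTOCOL_TLS_SERVER) accepts TLS 1.0+ with OpenSSL's
    default suite list and never asks the client for a certificate
    (verify_mode=CERT_NONE). This context instead:
      1. pins the protocol floor and cipher suites   (SSL/TLS service profile),
      2. requires and validates a client certificate (certificate profile),
      3. optionally rejects leaf certs listed in a loaded CRL (CRL support).
    The file arguments are optional so the policy can be inspected without
    key material; they are hypothetical paths supplied by the caller."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(ALLOWED_CIPHERS)
    ctx.verify_mode = ssl.CERT_REQUIRED          # no client cert -> handshake fails
    if check_crl:
        # The CRL must be loaded together with the CA bundle for this to pass.
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # CA(s) trusted for client certs
    if cert_file:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)  # server identity
    return ctx


def describe_policy(ctx):
    """Summarise the effective policy so it can be checked or logged."""
    return {
        "min_version": ctx.minimum_version.name,
        "client_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "crl_check": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF),
        "tls12_ciphers": sorted(c["name"] for c in ctx.get_ciphers()
                                if c["protocol"] == "TLSv1.2"),
    }


if __name__ == "__main__":
    print(describe_policy(build_server_context(check_crl=True)))
```

The `describe_policy` output is the kind of evidence worth recording when a change to the service profile is committed: it shows the negotiable TLS 1.2 suites and whether client certificates and CRL checks are actually enforced, rather than relying on the intent of the configuration.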

Client Authentication

  • Enabling the 'Custom Certificate Only' option causes Panorama/LC to reject connections from clients running PAN-OS 7.1 and earlier, because these devices present a default pre-loaded certificate when connecting to Panorama/LC.


custom certs.png

  • Client authentication can be further fine-tuned with an Authorization list.
  • Authorization list entries are a Subject or a Subject Alt Name. The Subject value type can be an IP address or a domain name; the Subject Alt Name can be of type Email, Domain name, or IP address.
  • Clients can also be authorized by serial number.

custom certs2.png


Secure Client Communication (Firewall, LC clients, Panorama HA client)

  • Users can select the client certificate that the client presents when communicating with the Panorama/LC servers. This client certificate can either reside locally or be obtained via a SCEP profile.
  • A Certificate Profile is used to validate the certificate presented by the Panorama/LC server. If OCSP/CRL is configured, clients check the status of the server certificate via these methods and terminate the connection if the certificate is revoked or expired.


The client-side configuration is done in the Secure Client Communication space. Since Firewalls, Panorama HA clients, and LC clients can all act as clients in various cases, this configuration space is available on all of these devices.

graph.png


On Firewall: Setup > Management > Panorama Settings > Secure Client Communication

secure client communication.png


For Panorama HA Client: Panorama > High Availability > Setup

client communication panorama.png


For Log Collector Client: Panorama > Managed Collectors > Communication > Secure Client Communication

client communication collector.png


Troubleshooting


System logs on the Firewall and Panorama can be used to troubleshoot MGMT SSL connection issues.


Panorama System Logs

panoramalog.png


Firewall System Logs

firewalllog.png


A new column called Certificate is introduced under Managed Devices on Panorama. It shows the status of the client certificate presented by each client.

managed device.png


The possible messages in the Certificate column are:

  • Deployed – The client is using a custom certificate that passed the certificate profile check.
  • Pre-defined – The client is using a pre-defined certificate.
  • Certificate Validation Error – The client failed the certificate profile check on the server.
  • Client Identity check error – The client certificate failed the Authorization list checks on the server.
  • No message – The client passed all checks on the server side. The server certificate might still have failed the checks done on the client side.
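The Authorization list rules described under Client Authentication and the column messages above are two views of the same server-side decision: first the certificate profile (trusted CA, expiry, revocation), then the identity match against Subject, Subject Alt Name or serial number. The following added example models that decision in Python; it is not Panorama code. Peer certificates are held in the dict shape that `ssl.SSLSocket.getpeercert()` returns, so the same checks could be run on a live peer, but the CA names, revoked serials, authorization entries and sample certificates are all constructed for the example, and the fixed clock is an assumption so that the result is reproducible.

```python
"""Modelled server-side checks behind the Managed Devices Certificate column.
Added example, not Panorama code. Policy data and certificates are constructed."""
import ssl

# Constructed policy (assumptions, not values from the article).
TRUSTED_ISSUERS = {"Example Mgmt CA"}                   # certificate profile CA(s)
PREDEFINED_ISSUERS = {"Pre-defined Device CA (placeholder)"}
REVOKED_SERIALS = {"0BAD"}                              # stand-in for CRL/OCSP data
AUTHORIZATION_LIST = [                                  # Subject, SAN and serial entries
    ("subject", "fw1.example.net"),
    ("san", ("IP Address", "10.0.0.6")),
    ("san", ("email", "fw3@example.net")),
    ("serial", "0C0C"),
]
CLOCK = ssl.cert_time_to_seconds("Jan 01 00:00:00 2019 GMT")  # fixed 'now'


def _cn(name_tuple):
    """Extract commonName from a getpeercert()-style subject/issuer tuple."""
    for rdn in name_tuple:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def certificate_profile_ok(cert, now):
    """CA trust, expiry and revocation: the certificate-profile checks."""
    if _cn(cert.get("issuer", ())) not in TRUSTED_ISSUERS:
        return False
    if ssl.cert_time_to_seconds(cert["notAfter"]) <= now:
        return False
    return cert.get("serialNumber", "").upper() not in REVOKED_SERIALS


def identity_authorized(cert, authorization):
    """Authorization-list check: any matching Subject, SAN or serial entry."""
    subject = _cn(cert.get("subject", ()))
    sans = set(cert.get("subjectAltName", ()))
    serial = cert.get("serialNumber", "").upper()
    for kind, value in authorization:
        if kind == "subject" and value == subject:
            return True
        if kind == "san" and tuple(value) in sans:
            return True
        if kind == "serial" and value.upper() == serial:
            return True
    return False


def certificate_status(cert, authorization=AUTHORIZATION_LIST, now=CLOCK):
    """Map the server-side outcome to the column's messages. This is the
    server's view only: a server certificate failing checks on the client
    (the column's 'No message' case) is invisible here."""
    if _cn(cert.get("issuer", ())) in PREDEFINED_ISSUERS:
        return "Pre-defined"
    if not certificate_profile_ok(cert, now):
        return "Certificate Validation Error"
    if not identity_authorized(cert, authorization):
        return "Client Identity check error"
    return "Deployed"


def _cert(cn, issuer, serial, not_after, sans=()):
    """Build a constructed certificate in getpeercert() dict form."""
    return {
        "subject": ((("commonName", cn),),),
        "issuer": ((("commonName", issuer),),),
        "serialNumber": serial,
        "notAfter": not_after,
        "subjectAltName": tuple(sans),
    }


# Constructed peer certificates, one per outcome.
VALID = "Dec 31 23:59:59 2020 GMT"
SAMPLE_CERTS = {
    "fw1": _cert("fw1.example.net", "Example Mgmt CA", "0A0A", VALID),   # Subject match
    "fw2": _cert("fw2.example.net", "Example Mgmt CA", "0B0B", VALID,
                 [("IP Address", "10.0.0.6")]),                          # SAN match
    "fw3": _cert("fw3.example.net", "Example Mgmt CA", "0C0C", VALID),   # serial match
    "fw-old": _cert("PLACEHOLDER-SERIAL", "Pre-defined Device CA (placeholder)",
                    "0D0D", VALID),                                      # pre-loaded cert
    "fw-expired": _cert("fw1.example.net", "Example Mgmt CA", "0E0E",
                        "Dec 31 23:59:59 2018 GMT"),
    "fw-revoked": _cert("fw1.example.net", "Example Mgmt CA", "0BAD", VALID),
    "fw-unlisted": _cert("fw9.example.net", "Example Mgmt CA", "0F0F", VALID),
}


def evaluate_all(certs=SAMPLE_CERTS):
    return {name: certificate_status(cert) for name, cert in certs.items()}


if __name__ == "__main__":
    for name, status in evaluate_all().items():
        print(f"{name:12} {status}")
```

Note the ordering: a revoked or expired certificate reports Certificate Validation Error even when its identity is on the Authorization list, which matches the column semantics above, where the profile check precedes the identity check.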

