Palo Alto Networks Knowledgebase: PAN-OS 8.0 Connection Security Enhancements


Created On 02/07/19 23:50 PM - Last Updated 02/07/19 23:50 PM
8.0 PAN-OS

This article highlights a new capability or feature introduced in PAN-OS 8.0. If you'd like to learn more about this topic or PAN-OS 8.0 in general, you'll also want to check out our world-class Technical Documentation.


In PAN-OS 8.0, the connection security enhancements introduce additional security measures for the management connections between Palo Alto Networks entities. The connections protected by this feature are shown in the illustration, and the security measures include support for:


  • Custom SSL/TLS service profiles
  • Custom client certificates
  • SCEP support
  • CRL/OCSP support


Panorama and Log Collectors act as servers for management connections initiated by clients such as firewalls, Log Collector clients, and Panorama HA clients.



A new configuration space called Secure Server Communication is introduced on Panorama and Log Collector so that users can configure the security features for the MGMT connections in which these devices act as servers.


On Panorama: Setup > Management > Panorama Settings > Secure Server Communication

panorama settings.png


A Log Collector can also act as a server for the MGMT connections originating from the firewalls.


For Log Collector: Setup > Managed Collectors > Communication > Secure Server Communication

secure communication.png


Secure Server Communication (Panorama and Log-Collector)

Custom SSL/TLS profiles

  • Administrators have complete control over the SSL ciphers and the certificates used by the Panorama/LC server for the SSL connections with its clients.

secure communication 2.png

  • Panorama/LC can validate the client certificate according to the certificate profile configuration when accepting connections from clients (FW, LC, or its HA peer).
  • Panorama/LC can check the status of certificates via OCSP/CRL when this is configured in the certificate profile, and terminate the connection if the certificate is expired or revoked.


secure communication 3.png

Client Authentication

  • Enabling the 'Custom Certificate Only' option causes Panorama/LC to reject connections from clients running PAN-OS 7.1 and earlier, because these devices present a default pre-loaded certificate when connecting to the Panorama/LC.


custom certs.png

  • Client authentication can be further fine-tuned with an Authorization list.
  • The Authorization list contains Subject and Subject Alt Name entries. The Subject value type can be an IP address or a domain name; the Subject Alt Name can be of type Email, Domain name, or IP address.
  • Clients can also be authenticated by serial number.

custom certs2.png


Secure Client Communication (Firewall, LC clients, Panorama HA client)

  • Users can select the client certificate that the client presents when communicating with the Panorama/LC servers. This client certificate can either reside locally or be obtained via a SCEP profile.
  • A Certificate Profile is used to validate the certificate presented by the Panorama/LC server. If OCSP/CRL is configured, clients check the status of the server certificate via these methods and terminate the connection if the certificate is revoked or expired.


The client-side configuration is done in the Secure Client Communication space. Since firewalls, Panorama HA clients, and LC clients can all act as clients in various cases, this configuration space is available on all of these devices.




On Firewall: Setup > Management > Panorama Settings > Secure Client Communication

secure client communication.png


For Panorama HA Client: Panorama > High Availability > Setup

client communication panorama.png


For Log Collector Client: Panorama > Managed Collectors > Communication > Secure Client Communication

client communication collector.png




System logs on the Firewall and Panorama can be used to troubleshoot MGMT SSL connection issues.


Panorama System Logs



Firewall System Logs



A new column called Certificate is introduced under Managed Devices on Panorama; it indicates the status of the client certificate presented by each client.

managed device.png


Here is the list of possible messages for the certificate status column:

  • Deployed - Client is using a custom certificate that passed the certificate profile check
  • Pre-defined - Client is using a pre-defined certificate
  • Certificate Validation Error - Client failed the certificate profile check on the server
  • Client Identity check error - Client certificate failed the authorization list checks on the server
  • No message - Client passed all the checks on the server side; the server certificate might have failed the checks done on the client side
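The server-side checks described under Client Authentication and the status messages above, modelled as an added example (not Palo Alto Networks code): the field names, the order of the checks, the "Rejected" outcome for legacy clients under 'Custom Certificate Only', and the sample clients are assumptions for illustration.

```python
# Added model (not Palo Alto Networks code): field names, check order and sample certs are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class ClientCert:
    subject: str                      # IP address or domain name
    not_after: datetime
    predefined: bool = False          # factory cert, as sent by PAN-OS 7.1 and earlier clients
    revoked: bool = False             # outcome of the OCSP/CRL lookup
    sans: dict = field(default_factory=dict)   # {"dns": [...], "ip": [...], "email": [...]}
    serial: str = ""

@dataclass
class ServerPolicy:
    custom_cert_only: bool = False    # 'Custom Certificate Only' option
    check_revocation: bool = False    # OCSP/CRL enabled in the certificate profile
    subjects: set = field(default_factory=set)    # authorization list: Subject entries
    sans: dict = field(default_factory=dict)      # authorization list: Subject Alt Name entries
    serials: set = field(default_factory=set)     # authorized serial numbers

def identity_allowed(cert, policy):
    # Authorization list: any matching Subject, SAN or serial number admits the client
    if not (policy.subjects or policy.sans or policy.serials):
        return True                   # no list configured: only the certificate profile applies
    if cert.subject in policy.subjects or (cert.serial and cert.serial in policy.serials):
        return True
    return any(set(v) & set(policy.sans.get(k, ())) for k, v in cert.sans.items())

def certificate_status(cert, policy, now):
    # Value the Managed Devices 'Certificate' column would show for this client
    if cert.predefined:
        return "Rejected" if policy.custom_cert_only else "Pre-defined"   # rejected: no column entry
    if cert.not_after <= now or (policy.check_revocation and cert.revoked):
        return "Certificate Validation Error"
    if not identity_allowed(cert, policy):
        return "Client Identity check error"
    return "Deployed"

NOW = datetime(2019, 2, 7, tzinfo=timezone.utc)
LATER = datetime(2020, 1, 1, tzinfo=timezone.utc)
POLICY = ServerPolicy(True, True, subjects={"fw1.example.test"}, serials={"0123ABCD"})
def run_samples():
    samples = {   # constructed sample clients checked against POLICY; returns {name: status}
        "legacy_7_1": ClientCert("default", LATER, predefined=True),
        "revoked": ClientCert("fw1.example.test", LATER, revoked=True),
        "unlisted": ClientCert("fw9.example.test", LATER),
        "by_serial": ClientCert("fw2.example.test", LATER, serial="0123ABCD"),
        "deployed": ClientCert("fw1.example.test", LATER),
    }
    return {name: certificate_status(c, POLICY, NOW) for name, c in samples.items()}
```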
