Palo Alto Networks Knowledgebase: How to Configure Certificate-based Authentication for the WebGUI

Created On 02/07/19 23:59 PM - Last Updated 02/08/19 00:00 AM
Resolution

Overview:

 

This article provides the steps to configure certificate-based authentication to the Palo Alto Networks web interface.

Note: After enabling this authentication, all username/password logins are disabled for all administrators. Administrators must be issued certificates in order to log in.

 

 

Links to Latest Procedures:

 For the latest procedures, see the following topics in the user guides:

 

 

Steps:

 

1.     Generate a CA.

Go to Device > Certificates > click Generate > ensure CA is checked.

          1.png

 

2.     Create the Client Certificate Profile.

Go to Device > Client Certificate Profile > click Add > change the Username field to Subject; the next field will then show common-name. Also, add the CA created in Step 1.

          2.png

 

3.     Set Client Certificate Profile for Authentication Settings.

Go to Device > Setup > click to edit the Authentication Settings window > assign the Client Certificate Profile created in Step 2.

          3.png

 

4.     Create an Admin with the client certificate authentication setting checked.

Go to Device > Administrators > click Add. Ensure the option to use only client certificate authentication (Web) is checked.

4.png

 

 

5.     Create the client certificate for the newly created Administrator.

Go to Device > Certificates > Generate

Ensure that the certificate is signed by the CA created in Step 1.

Verify that the common name field contains the name of the Administrator created in Step 4.

          5.png

 

6.     Export the Administrator's Client Cert.

Go to Device > Setup.

In the Certificates section, check the client Cert's checkbox.

Click Export.

Verify that the File Format is PKCS12, then enter a passphrase.

 

               7.png

 

7.      Commit.

The following message is displayed:

           8.png

 

8.      Import the Administrator's Client Certificate into the browser (Firefox is used for this demo).

Go to the Firefox options menu.

Click View Certificates.

Click Import.

Point to the Admin's Client Cert previously exported.

Enter the passphrase.

 

9.png

 

9.      Go to the Palo Alto Networks WebGUI (ensure HTTPS is enabled on the interface).

Choose the Client Certificate.

 

10.png

 

10.      This warning will display because the Cert isn't trusted.

Add the exception.

 

11.png

11.      Click Login.

 

15.png
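Because the commit in Step 7 disables username/password logins for all administrators, it is worth checking the PKCS12 file exported in Step 6 before committing. The script below is an added example, not part of the original article: it uses the openssl command line to confirm that the bundle opens with its passphrase, that the common-name matches the administrator from Step 4, and that the certificate chains to the CA from Step 1. The function names, file names, passphrase and the admin name admin1 are assumptions, and the CA and certificate it tests are constructed on the fly.

```shell
#!/bin/sh
# Added example: pre-commit check of an exported admin client certificate.
# File names, the passphrase and the admin name are constructed for the demo.

# check_admin_p12 P12 PASSPHRASE CA_PEM ADMIN_NAME
# Returns 0 only if the PKCS12 bundle holds a client certificate whose
# common-name equals ADMIN_NAME, chains to CA_PEM, and is valid for 24h more.
check_admin_p12() {
    p12=$1 pass=$2 ca=$3 admin=$4
    crt=$(mktemp) || return 2
    # Extract only the client certificate (no private key) from the bundle.
    if ! openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys \
            -out "$crt" 2>/dev/null; then
        echo "FAIL: cannot open $p12 (wrong passphrase or not PKCS12)"
        rm -f "$crt"; return 1
    fi
    rc=0
    cn=$(openssl x509 -in "$crt" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= //p')
    [ "$cn" = "$admin" ] || { echo "FAIL: CN '$cn' != admin '$admin'"; rc=1; }
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL: certificate does not chain to $ca"; rc=1; }
    openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null ||
        { echo "FAIL: certificate expires within 24h"; rc=1; }
    rm -f "$crt"
    [ "$rc" -eq 0 ] && echo "OK: $p12 matches admin '$admin'"
    return "$rc"
}

# make_demo_pki DIR ADMIN_CN: constructed stand-in for Steps 1, 5 and 6
# (a throwaway CA, a client certificate signed by it, and a PKCS12 export).
make_demo_pki() {
    d=$1 name=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo-CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$d/adm.key" -out "$d/adm.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/adm.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/adm.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/adm.key" -in "$d/adm.pem" \
        -passout pass:demo-pass -out "$d/adm.p12"
}

# Demo run against the constructed PKI.
tmp=$(mktemp -d) && make_demo_pki "$tmp" admin1 &&
    check_admin_p12 "$tmp/adm.p12" demo-pass "$tmp/ca.pem" admin1
rm -rf "$tmp"
```

To check a real export, call check_admin_p12 with the exported PKCS12 file, its passphrase, the CA certificate exported in PEM format, and the administrator name.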


