How to configure secure communication between Panorama and firewalls?
Objective
- The information in this article is documented at Configure Authentication Using Custom Certificates on Managed Devices. This article provides additional details and screenshots.
- A typical Panorama-firewall connection uses predefined certificates and mutual authentication to establish the SSL connection.
- With predefined certificates, if the device certificate or the common CA expires, no device will be able to connect to Panorama.
- Also, if the pre-deployed self-signed common root CA is compromised, an attacker can spoof Panorama or a managed device.
- Authentication can be configured with custom certificates instead.
- Custom certificates allow you to establish a unique chain of trust that ensures mutual authentication between Panorama and the managed firewalls.
- This article shows how to set up "Secure Communication Settings" for Panorama-firewall communication using custom SSL certificates and mutual authentication.
Environment
- Panorama with managed Firewalls
- PAN-OS 8.1 and above
- Custom Certificates
Procedure
In a regular SSL connection, the server sends its certificate to the client for authentication.
With mutual authentication, the server presents a server certificate and the client presents a client certificate.
In this example, Panorama is the server and the firewall is the client.
When the predefined certificates are used, the common name (CN) of the server certificate is the IP address or FQDN of Panorama.
The CN of the client certificate is the serial number of the firewall.
Here are the requirements for the secure communication configuration.
SSL/TLS service profile
------------------------------
References the server certificate on Panorama and the client certificate on the firewall.
It also defines the maximum TLS protocol version.
Server certificate and certificate profile
--------------------------------------------------------------
The server certificate must contain the IP address or the FQDN of the Panorama management interface, either in the CN field or in the Subject Alternative Name (SAN).
The client device compares this field against the Panorama IP address it is configured with to verify Panorama's identity.
The certificate profile identifies the server to the client devices; the root CA of the server certificate is referenced in this configuration.
Certificate revocation checking can be configured as either OCSP or CRL.
Client certificate profile and client certificate
--------------------------------------------------------------
The client certificate profile identifies the client to the server (Panorama).
As with the server, a client certificate profile with the root CA and optional certificate revocation status checking is required.
The client certificate can be the same on all connected firewalls or unique to each one.
Unlike the predefined client certificate, a custom client certificate does not necessarily need the serial number of the firewall as its CN.
A server or client certificate can be
- issued by your enterprise public key infrastructure (PKI)
- purchased from a trusted third-party CA
- a self-signed certificate generated locally.
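The following is an added example, not code from the article or from Palo Alto Networks, showing how a small private PKI for this setup can be built with OpenSSL: one root CA (the trust anchor the certificate profiles reference), a server certificate whose SAN carries the Panorama FQDN and IP address, and a client certificate for the firewall. The FQDN panorama.example.com, the IP 192.0.2.10, the serial 0123456789012 and the key sizes are placeholders, and the helper functions are this example's own.

```shell
#!/bin/sh
# Added example (not from the article or Palo Alto Networks): build a small private
# PKI with OpenSSL for custom-certificate mutual authentication between Panorama
# and a firewall. Assumed (placeholder) values: Panorama FQDN panorama.example.com,
# Panorama management IP 192.0.2.10, firewall serial 0123456789012, 2048-bit RSA keys.
# ca.crt is what both certificate profiles reference; server.crt/server.key go into
# the Panorama SSL/TLS service profile, client.crt/client.key into the firewall's.
set -eu

# gen_pki DIR PANORAMA_FQDN PANORAMA_IP FIREWALL_SERIAL
gen_pki() {
  dir="$1"; fqdn="$2"; ip="$3"; serial="$4"
  mkdir -p "$dir"

  # 1. Root CA: the single trust anchor imported on Panorama and on every firewall.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -subj "/CN=Example Panorama Root CA" -keyout "$dir/ca.key" -out "$dir/ca.crt"

  # 2. Server certificate for Panorama. The firewall compares the Panorama address
  #    it was given with the CN or SAN, so both the FQDN and the IP go into the SAN.
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$fqdn" \
    -keyout "$dir/server.key" -out "$dir/server.csr"
  printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\n' "$fqdn" "$ip" \
    > "$dir/server.ext"
  openssl x509 -req -days 825 -sha256 -in "$dir/server.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/server.ext" -out "$dir/server.crt"

  # 3. Client certificate for the firewall. With custom certificates the CN does not
  #    have to be the serial number; using it here simply makes serial-based
  #    authorization on Panorama easy to cross-check.
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$serial" \
    -keyout "$dir/client.key" -out "$dir/client.csr"
  printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
  openssl x509 -req -days 825 -sha256 -in "$dir/client.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/client.ext" -out "$dir/client.crt"
}

# verify_chain DIR: both leaf certificates must chain to the root CA.
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" "$1/client.crt" >/dev/null
}

# cert_has_san CERT VALUE: succeeds if VALUE (e.g. "DNS:panorama.example.com" or
# "IP Address:192.0.2.10") appears in the certificate's Subject Alternative Name.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -q -- "$2"
}

# cert_cn CERT: print the certificate's common name.
cert_cn() {
  openssl x509 -in "$1" -noout -subject | grep -o 'CN *= *[^,/]*' | sed 's/CN *= *//'
}

# Usage:
#   gen_pki ./panorama-pki panorama.example.com 192.0.2.10 0123456789012 && verify_chain ./panorama-pki
```

After running gen_pki, import ca.crt on Panorama and on each firewall, reference it in both certificate profiles, and load the leaf certificates with their private keys into the respective SSL/TLS service profiles. The verify_chain and cert_has_san checks are worth running before the commit: a server certificate without the Panorama address in its CN or SAN is the most common reason the firewall rejects the connection.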
Configuration:
On Panorama
------------------------
- Panorama > Setup > Management > Secure Communication Settings.
- Enable Customize Secure Server Communication.
- Select the SSL/TLS service profile configured for the server certificate.
- Select the certificate profile for the server certificate.
- The authorization list is optional. It checks the CN or SAN field of the client certificate against a configured value: when adding an entry, select CN or SAN and enter the value from the client certificate. The authorization list can also be based on the firewall serial number; select "Authorize Clients Based on Serial Number" for that.
- Verify that the Allow Custom Certificate Only check box is not selected. This allows you to continue managing all devices while migrating to custom certificates.
- Disconnect Wait Time (min): how long Panorama waits before terminating an existing connection with the managed devices and establishing a new connection.
- Commit your changes.
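The two checks configured above can be modelled offline. The following added example (not code from the article or from PAN-OS) implements the firewall-side identity check, which compares the configured Panorama address with the server certificate's CN or SAN, and the Panorama-side authorization list, which matches the client certificate's CN or SAN value or the firewall serial number. It works on the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns; the entry kinds "CN", "SAN" and "SERIAL", the rule that an empty list imposes no restriction, and the sample certificates are assumptions of this model.

```python
"""Added example, not part of the article: a model of the two certificate checks
the article describes, written against the dictionary shape returned by
Python's ssl.SSLSocket.getpeercert(), so it runs offline on constructed data.

Check 1 (firewall side): the Panorama IP address or FQDN the firewall is
configured with must appear in the server certificate's CN or SAN.
Check 2 (Panorama side): the optional authorization list is matched against
the client certificate's CN or SAN value, or against the firewall serial number.
The entry kinds "CN", "SAN" and "SERIAL" and the rule that an empty list means
"not configured, accept" are assumptions of this model, not documented PAN-OS
behaviour.
"""
import ipaddress
from typing import Iterable, Optional, Tuple


def _normalize(value: str) -> str:
    """Canonical form for comparison: IP addresses via ipaddress, names lower-cased."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return value.lower().rstrip(".")


def cert_common_name(cert: dict) -> Optional[str]:
    """Return the CN from the getpeercert()-style 'subject' tuple of RDNs."""
    for rdn in cert.get("subject", ()):
        for attr_type, attr_value in rdn:
            if attr_type == "commonName":
                return attr_value
    return None


def cert_san_values(cert: dict) -> set:
    """Return every SAN value (DNS names and IP addresses) in the certificate."""
    return {value for _, value in cert.get("subjectAltName", ())}


def server_identity_matches(server_cert: dict, panorama_address: str) -> bool:
    """Firewall-side check: does the configured Panorama address match the
    server certificate's CN or any SAN entry?"""
    identities = {_normalize(v) for v in cert_san_values(server_cert)}
    cn = cert_common_name(server_cert)
    if cn is not None:
        identities.add(_normalize(cn))
    return _normalize(panorama_address) in identities


def client_authorized(client_cert: dict, device_serial: str,
                      authorization_list: Iterable[Tuple[str, str]]) -> bool:
    """Panorama-side check: accept the client if any authorization entry matches.
    Entries are ("CN", value), ("SAN", value) or ("SERIAL", value). An empty
    list models the optional authorization list not being configured."""
    entries = list(authorization_list)
    if not entries:
        return True
    cn = cert_common_name(client_cert)
    sans = {_normalize(v) for v in cert_san_values(client_cert)}
    for kind, value in entries:
        if kind == "CN" and cn is not None and _normalize(cn) == _normalize(value):
            return True
        if kind == "SAN" and _normalize(value) in sans:
            return True
        if kind == "SERIAL" and device_serial == value:
            return True
    return False


# Constructed sample certificates in getpeercert() shape (not captured from real devices).
SERVER_CERT = {
    "subject": ((("commonName", "panorama.example.com"),),),
    "subjectAltName": (("DNS", "panorama.example.com"), ("IP Address", "192.0.2.10")),
}
# Predefined-style server certificate: only the CN carries the Panorama IP.
PREDEFINED_SERVER_CERT = {"subject": ((("commonName", "192.0.2.10"),),)}
CLIENT_CERT = {
    "subject": ((("commonName", "fw-branch-01"),),),
    "subjectAltName": (("DNS", "fw-branch-01.example.com"),),
}
FIREWALL_SERIAL = "007051000149547"  # serial shown in the article's Panorama log

if __name__ == "__main__":
    print(server_identity_matches(SERVER_CERT, "192.0.2.10"))        # True
    print(server_identity_matches(SERVER_CERT, "192.0.2.11"))        # False
    print(client_authorized(CLIENT_CERT, FIREWALL_SERIAL,
                            [("SERIAL", FIREWALL_SERIAL)]))           # True
```

The model makes the migration caveat concrete: a server certificate that carries only the FQDN in its SAN fails the identity check on a firewall configured with the Panorama IP address, and an authorization entry typed as CN will not match a value that only exists in the client certificate's SAN.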
On firewall
------------------
- Device > Setup > Management > Secure Communication Settings.
- Set Certificate Type to Local.
- Select the client certificate and the client certificate profile.
- Enable "Panorama Communication".
- Commit your changes.
Additional Information
Verification:
-----------------
How to verify that the custom certificates are used for Panorama-firewall communication:
1. The Panorama dashboard displays the certificate status as "Deployed" under
Panorama > Managed Devices > Summary.
If the communication is using predefined certificates, the status will be "Predefined".
2. Take a packet capture (PCAP) between the firewall and Panorama.
The Server Hello and the Certificate message from the client will show the respective certificates.
Server certificate (screenshot of the server's Certificate message in the capture)
---------------------------------
Client certificate (screenshot of the client's Certificate message in the capture)
------------------------------
Panorama logs
---------------------
2022-01-11 05:49:26.830 -0800 pan_conn_set_conn_details: device_type:server: client is device
2022-01-11 05:49:26.830 -0800 received a reg message from 007051000149547. Creating conn entry.
2022-01-11 05:49:26.840 -0800 Got HA state from device 007051000149547, local state: active, peer state: unknown
2022-01-11 05:49:26.858 -0800 connmgr: connection entry added: devid=007051000149547 (1001189)
2022-01-11 05:49:26.858 -0800 007051000149547 is now connected