How to Set Up Secure Communication between Palo Alto Networks Firewall and Terminal Server Agent


Created On 10/17/24 23:39 PM - Last Modified 11/13/24 21:56 PM


Objective


To set up secure communication between a Palo Alto Networks firewall and the Terminal Server Agent using custom certificates.



Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • Terminal Server Agents


Procedure


To set up a secure connection between the firewall and Terminal Server Agents, follow the step-by-step guide below.

  1. Launch the TS agent; you should see an option called 'Server Certificate':

  2. Create a new CSR for the TS agent and have it signed by an external CA, an in-house CA, or a self-signed certificate present on the firewall.
    Note: The CA certificate must be present on the firewall so it can be used in the Certificate Profile to validate the TS agent's certificate.

More details on how to perform the above steps can be found below:

Go to Device > Certificate management > Certificates


Here the TSAgentCert is signed by an external CA (root-cert-Suma-AD in this case). Do NOT select the “Certificate Authority” check box.

  1. Once created, it will look as follows:


    If you are using an external certificate authority to generate certificates for the Terminal Server Agent, follow the following document

  2. Add the certificate created above under Device > Certificate Management > Certificate Profile as follows:



    Select Add under “CA Certificates” to add the OCSP certificate



  3. Add the certificate profile under Device > User Identification > Connection Security


    Alternatively, starting with PAN-OS 10.0, assign the certificate profile on the firewall under Secure Client Communication:
    1. Select DEVICE > Setup > Management > Secure Client Communication
    2. Under Certificate Type choose Local.
    3. Select the certificate that will be presented to the server (TS agent) to secure the outgoing connection from the firewall (this can be left at the default, "None"). If a certificate is selected, the root CA that signed the firewall's custom certificate must be loaded into the Windows trust store of the machine where the TS agent is installed.
    4. Select the Certificate Profile configured in step 4 (this is used to validate the server certificate when connecting to peer services such as the TS agent).
    5. Check "Data Redistribution".
    6. Click OK.
    7. Commit.
    8. Use the following CLI command to confirm that the certificate profile (SSL config) uses custom certificates: show user ts-agent state <ts agent-name>, where <ts agent-name> is the name of the TS agent.
      admin@pa1-vm> show user ts-agent state TS-Agent
      
      Agent: test(vsys: vsys1) Host: 10.x.x.10:5009
              Status                                            : conn:idle
              Version                                           : 0x0
              SSL config                                        : Custom certificates   <<<<
              num of connection tried                           : 28298
              num of connection succeeded                       : 0
              num of connection failed                          : 28298
              num of status msgs rcvd                           : 0
              num of request of status msgs sent                : 0
              num of user ip mapping add entries rcvd           : 0
              num of user ip mapping del entries rcvd           : 0
              num of config msgs rcvd                           : 0
              num of config msgs rcvd but failed to proc        : 0
              num of add user info msgs rcvd                    : 0
              num of add user info msgs rcvd but failed to proc : 0
              num of add users info msgs rcvd                   : 0
              num of add users info msgs rcvd but failed to proc: 0
              num of remove user info msgs rcvd                 : 0
              num of remove user msgs rcvd but failed to proc   : 0
              num of remove user info msgs rcvd                 : 0
              num of remove user info msgs rcvd but failed to proc: 0
              Credential Enforcement Status : Unknown
      
      
    NOTE: If a certificate profile is configured under both Device > User Identification > Connection Security and Device > Setup > Secure Communication Settings > Secure Client Communication (with Data Redistribution selected), the certificate profile configured in the latter takes precedence and is used to validate the TS agent certificate.
  4. Now go back to Device > Certificate Management > Certificates and export the certificate created above in PEM format (TS agents DO NOT support the Encrypted Private Key and Certificate (PKCS12) format).



  5. Copy the *.pem file to the server where the TS agent is running and select “Server Certificate” > Add.
    Add the exported certificate together with its passphrase and verify that the certificate is imported as expected.



  6. Once the import is successful, the Terminal Server Agent should be able to connect to the firewall using the newly configured custom certificate.



Additional Information


The following are helpful debug commands for viewing Terminal Server Agent related information:

  1. show user ts-agent state all
  2. show user ts-agent statistics

To enable debugs for additional information on the Terminal Server Agent connection, run the following commands:

  1. debug user-id on debug
  2. debug user-id set agent all
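The state output from step 8 above shows why checking only "SSL config : Custom certificates" is not enough: that agent had 28298 connection attempts and 0 successes, which is what a rejected certificate chain looks like. The following is an added example (not part of this article or of PAN-OS) that parses the text of show user ts-agent state all and flags agents whose SSL config is not "Custom certificates" or whose TLS connection never succeeds. The sample output embedded below is constructed in the shape of the real command output, with made-up hosts and counters.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of 'show user ts-agent state all' output.
# Agent "test" mirrors the failing counters shown in the article; "ts-branch" is healthy but on default certs.
SAMPLE_OUTPUT = """\
Agent: test(vsys: vsys1) Host: 10.0.0.10:5009
        Status                                            : conn:idle
        Version                                           : 0x0
        SSL config                                        : Custom certificates
        num of connection tried                           : 28298
        num of connection succeeded                       : 0
        num of connection failed                          : 28298
Agent: ts-branch(vsys: vsys1) Host: 10.0.0.20:5009
        Status                                            : conn:idle
        Version                                           : 0x0
        SSL config                                        : Default certificates
        num of connection tried                           : 120
        num of connection succeeded                       : 120
        num of connection failed                          : 0
"""

# Header line that starts each agent block: "Agent: <name>(vsys: <vsys>) Host: <ip:port>"
AGENT_RE = re.compile(r"^Agent:\s*(?P<name>\S+)\(vsys:\s*(?P<vsys>[^)]+)\)\s+Host:\s*(?P<host>\S+)")


def parse_ts_agent_state(text: str) -> List[Dict[str, str]]:
    """Return one dict per agent: name/vsys/host plus every indented 'key : value' line."""
    agents: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        m = AGENT_RE.match(line)
        if m:
            current = dict(m.groupdict())
            agents.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only, so "Status : conn:idle" keeps its value intact.
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return agents


def audit_agent(agent: Dict[str, str]) -> List[str]:
    """Findings: custom certificates not in effect, or handshakes attempted but never completed."""
    findings = []
    ssl_cfg = agent.get("SSL config")
    if ssl_cfg != "Custom certificates":
        findings.append(f"{agent['name']}: SSL config is '{ssl_cfg}', expected 'Custom certificates'")
    tried = int(agent.get("num of connection tried", "0"))
    succeeded = int(agent.get("num of connection succeeded", "0"))
    if tried > 0 and succeeded == 0:
        findings.append(f"{agent['name']}: {tried} attempts, none succeeded (check CA in profile / TS agent cert)")
    return findings
```

Run audit_agent over each entry from parse_ts_agent_state after a commit; an empty findings list for every agent means the custom certificate is in use and the connection is actually established.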
