For web GUI access to the Palo Alto Networks firewall, you can choose which certificate on the firewall is used for all web-based management sessions.
- Create a new SSL/TLS Service Profile or select an existing one to use
  - Firewall: Device > SSL/TLS Service Profile
  - Panorama: Panorama > SSL/TLS Service Profile
  - Click Add
  - Name: Enter a name for the profile
  - Certificate: Select the certificate to use
  - Protocol Settings: Choose your preference
- Device (or Panorama) > Setup > Management
  - Click the gear icon on the General tab
  - Click the drop-down for SSL/TLS Service Profile and select your profile
  - Click OK
- Commit (NOTE: The web server process will restart and you will need to log back in)

- In the GUI, navigate to Device > Setup > Management > General Settings > SSL/TLS Service Profile. From the drop-down, select the SSL/TLS service profile configured above.

NOTE:
After you commit the changes, the web server daemon responsible for the web GUI restarts and you lose connectivity to the web GUI. Log in to the web GUI again; the certificate configured in the steps above is now the one used for web management.
- For an HA deployment, certificates and SSL/TLS service profiles are not synced if they are referenced in system-specific configuration (i.e. management access) that is not synced.
To update the certificate on the Secondary-Passive firewall, create a new SSL/TLS service profile with a unique name and associate it with the firewall.
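
One way to confirm the result after the commit, and to catch an HA peer still serving the old certificate, is to compare the SHA-256 fingerprint each management interface presents with the one you expect. This is an added example, not Palo Alto Networks code; the host names and sample bytes are constructed placeholders.

```python
import hashlib
import socket
import ssl
import sys

# Constructed stand-ins for the DER certificates two HA peers present (not real certs).
SAMPLE_PRESENTED = {
    "fw-active.example": b"constructed-new-management-cert",
    "fw-passive.example": b"constructed-old-management-cert",
}

def fetch_cert(host, port=443, timeout=5.0):
    """Return (leaf certificate DER, negotiated TLS version) from host:port."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # no chain validation; identity is pinned by fingerprint
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.version()

def sha256_fingerprint(der):
    """Uppercase hex SHA-256 of the DER bytes."""
    return hashlib.sha256(der).hexdigest().upper()

def normalize(fingerprint):
    """Accept 'AA:BB:..', 'aa bb ..' or plain hex."""
    return fingerprint.replace(":", "").replace(" ", "").upper()

def check_peers(expected_fingerprint, presented):
    """Map each host to True if its presented certificate matches the expected one."""
    want = normalize(expected_fingerprint)
    return {host: sha256_fingerprint(der) == want for host, der in presented.items()}

if __name__ == "__main__":
    # Usage: script.py <expected SHA-256 fingerprint> <mgmt host> [<mgmt host> ...]
    expected, hosts = sys.argv[1], sys.argv[2:]
    failed = False
    for host in hosts:
        der, version = fetch_cert(host)
        ok = check_peers(expected, {host: der})[host]
        failed |= not ok
        print(f"{host}: {version}, {'expected certificate' if ok else 'MISMATCH'}")
    sys.exit(1 if failed else 0)
```

The printed TLS version also shows whether the profile's Protocol Settings took effect on each peer.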