
Updated on Thu Mar 13 20:26:10 UTC 2025

Panorama Administrator's Guide
How Are SSL/TLS Connections Mutually Authenticated?


In a regular SSL connection, only the server needs to identify itself to the client by presenting its certificate. In mutual SSL authentication, the client presents its certificate to the server as well. Panorama, the primary Panorama HA peer, Log Collectors, WildFire appliances, and PAN-DB appliances can act as the server. Firewalls, Log Collectors, WildFire appliances, and the secondary Panorama HA peer can act as the client. The role that a device takes on depends on the deployment. For example, in the diagram below, Panorama manages a number of firewalls and a collector group and acts as the server for the firewalls and Log Collectors. The Log Collector acts as the server to the firewalls that send logs to it.

To deploy custom certificates for mutual authentication in your deployment, you need:

SSL/TLS Service Profile—An SSL/TLS service profile (https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/configure-an-ssltls-service-profile) defines the security of the connections by referencing your custom certificate and establishing the SSL/TLS protocol versions used by the server device to communicate with client devices.

Server Certificate and Profile—Devices in the server role require a certificate and certificate profile to identify themselves
to the client devices. You can deploy this certificate (https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-
admin/certificate-management/certificate-deployment) from your enterprise public key infrastructure (PKI), purchase one
from a trusted third-party CA, or generate a self-signed certificate locally. The server certificate must include the IP
address or FQDN of the device’s management interface in the certificate common name (CN) or Subject Alt Name. The
client firewall or Log Collector matches the CN or Subject Alt Name in the certificate the server presents against the
server’s IP address or FQDN to verify the server’s identity.

Additionally, use the certificate profile to define certificate revocation (https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/certificate-revocation) status checking (OCSP/CRL) and the actions taken based on the revocation status.

Client Certificates and Profile—Each managed device requires a client certificate and certificate profile (https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/configure-a-certificate-profile). The client device uses its certificate to identify itself to the server device. You can deploy certificates (https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/certificate-deployment) from your enterprise PKI, using Simple Certificate Enrollment Protocol (SCEP), purchase one from a trusted third-party CA, or generate a self-signed certificate locally.

Custom certificates can be unique to each client device or common across all devices. Unique device certificates use a hash of the managed device's serial number and the CN. The server matches the CN or the Subject Alt Name against the configured serial numbers of the client devices. For client certificate validation based on the CN to occur, the username must be set to Subject common-name. The client certificate behavior also applies to Panorama HA peer connections.

You can configure the client certificate and certificate profile on each client device or push the configuration from
Panorama to each device as part of a template.
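The two identity checks described above (client verifying the server's CN or Subject Alt Name against the configured IP/FQDN, and server matching the client's CN or Subject Alt Name against the configured device serial numbers), written out as an added example. This is illustrative code, not Panorama's or PAN-OS's own implementation; it assumes certificates in the dict shape Python's ssl.getpeercert() returns, and the device names, IPs and serial numbers below are constructed samples.

```python
"""Added example (not PAN-OS/Panorama code): the CN/SAN identity checks the
page describes, run over getpeercert()-style dicts. Client side: does the
server cert name the IP/FQDN we were told to connect to? Server side: does
the client cert's CN/SAN match a serial number of a device we manage?"""
import ipaddress

def _identities(cert):
    """Collect the CN plus DNS and IP SAN entries from a getpeercert() dict."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind in ("DNS", "IP Address"):
            names.add(value)
    return names

def _norm(value):
    """IP literals compare in canonical form; hostnames case-insensitively."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return value.lower().rstrip(".")

def server_identity_ok(server_cert, expected):
    """Client-side check: the presented server certificate must carry the
    management-interface IP or FQDN the client is configured to reach."""
    return _norm(expected) in {_norm(n) for n in _identities(server_cert)}

def client_identity_ok(client_cert, managed_serials):
    """Server-side check for unique device certificates: the CN or SAN must
    equal the serial number of a device this server is configured to manage."""
    return bool(_identities(client_cert) & set(managed_serials))

# Constructed sample certificates (getpeercert() shape); not real devices.
PANORAMA_CERT = {
    "subject": ((("commonName", "panorama.example.internal"),),),
    "subjectAltName": (("DNS", "panorama.example.internal"),
                       ("IP Address", "10.0.0.1")),
}
FIREWALL_CERT = {"subject": ((("commonName", "0123456789ABCDEF"),),)}
MANAGED_SERIALS = ["0123456789ABCDEF", "FEDCBA9876543210"]

if __name__ == "__main__":
    print(server_identity_ok(PANORAMA_CERT, "10.0.0.1"))                # True
    print(server_identity_ok(PANORAMA_CERT, "other.example.internal"))  # False
    print(client_identity_ok(FIREWALL_CERT, MANAGED_SERIALS))           # True
```

Both checks run only after the chain itself has validated against the certificate profile's CA and revocation settings; they are the name-binding step layered on top of that, not a replacement for it.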

FIGURE: SSL/TLS Authentication
