Scribd
Upload
46 views4 pages

Configure a Panorama Administrator with Certificate-Based Authentication for the Web Interface

The document provides a guide for configuring certificate-based authentication for Panorama administrator accounts, enhancing security by replacing password-based logins. It outlines steps for generating a certificate authority certificate, configuring a certificate profile, and setting up administrator accounts for client certificate authentication. The process culminates in verifying access to the Panorama web interface using the newly configured certificates.

Uploaded by

bibist
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
46 views4 pages

Configure a Panorama Administrator with Certificate-Based Authentication for the Web Interface

The document provides a guide for configuring certificate-based authentication for Panorama administrator accounts, enhancing security by replacing password-based logins. It outlines steps for generating a certificate authority certificate, configuring a certificate profile, and setting up administrator accounts for client certificate authentication. The process culminates in verifying access to the Panorama web interface using the newly configured certificates.

Uploaded by

bibist
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 4

(/content/techdocs/en_US.

html)

Updated on Thu Oct 03 16:39:51 UTC 2024

Home (/) | Panorama (/content/techdocs/en_US/panorama.html)


| Panorama Administrator's Guide (/content/techdocs/en_US/panorama/11-0/panorama-admin.html)
| Set Up Panorama (/content/techdocs/en_US/panorama/11-0/panorama-admin/set-up-panorama.html)
| Set Up Administrative Access to Panorama (/content/techdocs/en_US/panorama/11-0/panorama-admin/set-up-panorama/set-up-
administrative-access-to-panorama.html)
| Configure Administrative Accounts and Authentication (/content/techdocs/en_US/panorama/11-0/panorama-admin/set-up-
panorama/set-up-administrative-access-to-panorama/configure-administrative-accounts-and-authentication.html)
| Configure a Panorama Administrator with Certificate-Based Authentication for the Web Interface
(/content/techdocs/en_US/panorama/11-0/panorama-admin/set-up-panorama/set-up-administrative-access-to-panorama/configure-
administrative-accounts-and-authentication/configure-a-panorama-administrator-with-certificate-based-authentication-for-the-web-
interface.html)

DOWNLOAD PDF (/CONTENT/DAM/TECHDOCS/EN_US/PDF/PANORAMA/11-0/PANORAMA-ADMIN/PANORAMA-


ADMIN.PDF)

Panorama Administrator's Guide


(/content/techdocs/en_US/panorama/11-
0/panorama-admin.html)
Configure a Panorama Administrator with Certificate-Based Authentication
for the Web Interface

Table of Contents

End-of-Life (EoL)

As a more secure alternative to password-based authentication to the Panorama web interface, you can configure certificate-
based authentication for administrator accounts that are local to Panorama. Certificate-based authentication involves the
exchange and verification of a digital signature instead of a password.

Configuring certificate-based authentication for any administrator disables the username/password logins

 for all administrators on Panorama and all administrators thereafter require the certificate to log in.

STEP 1 -
Generate a certificate authority (CA) certificate on Panorama.

You will use this CA certificate to sign the client certificate of each administrator.

Create a self-signed root CA certificate (https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-


admin/certificate-management/obtain-certificates/create-a-self-signed-root-ca-certificate).

Alternatively, you can import a certificate (https://docs.paloaltonetworks.com/pan-os/11-


0/pan-os-admin/certificate-management/obtain-certificates/import-a-certificate-and-private-
key) from your enterprise CA.

This site uses cookies essential to its operation, for analytics, and for personalized content and ads. By
continuing to browse this site, you acknowledge the use of cookies. Privacy statement ❯ Cookie Settings
continuing to browse this site, you acknowledge the use of cookies. Privacy statement ❯ Cookie Settings
(https://www.paloaltonetworks.com/legal-notices/privacy)
STEP 2 -
Configure a certificate profile for securing access to the web interface.

A Select Panorama > Certificate Management > Certificate Profile and click Add.

B Enter a Name for the certificate profile and set the Username Field to Subject.

C Select Add in the CA Certificates section and select the CA Certificate you just created.

D Click OK to save the profile.

STEP 3 -
Configure Panorama to use the certificate profile for authenticating administrators.

A Select the Panorama > Setup > Management and edit the Authentication Settings.

B Select the Certificate Profile you just created and click OK.

STEP 4 -
Configure the administrator accounts to use client certificate authentication.

Configure a Panorama Administrator Account (/content/techdocs/en_US/panorama/11-0/panorama-


admin/set-up-panorama/set-up-administrative-access-to-panorama/configure-administrative-accounts-and-
authentication/configure-a-panorama-administrator-account.html#id23798e8c-637f-4e7c-8ff8-
f1f61a88d6ce) for each administrator who will access the Panorama web interface. Select the Use only client
certificate authentication (Web) check box.

If you have already deployed client certificates that your enterprise CA generated, skip to Step 8. Otherwise,
continue with Step 5.

STEP 5 -
Generate a client certificate for each administrator.

Generate a certificate on Panorama (https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-


admin/certificate-management/obtain-certificates/generate-a-certificate). In the Signed By drop-down, select
the CA certificate you created.

STEP 6 -
Export the client certificates.

This site uses cookies essential to its operation, for analytics, and for personalized content and ads. By
continuing to browse this site, you acknowledge the use of cookies. Privacy statement ❯
continuing to browse this site, you acknowledge the use of cookies. Privacy statement ❯
(https://www.paloaltonetworks.com/legal-notices/privacy)
A Export the certificates (https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/certificate-
management/export-a-certificate-and-private-key).

B Select Commit > Commit to Panorama and Commit your changes.

Panorama restarts and terminates your login session. Thereafter, administrators can access the web
interface only from client systems that have the client certificate you generated.

STEP 7 -
Import the client certificate into the client system of each administrator who will access the web interface.

Refer to your web browser documentation as needed to complete this step.

STEP 8 -
Verify that administrators can access the web interface.

A Open the Panorama IP address in a browser on the computer that has the client certificate.

B When prompted, select the certificate you imported and click OK. The browser displays a certificate
warning.

C Add the certificate to the browser exception list.

D Click Login. The web interface should appear without prompting you for a username or password.

Was this information helpful?

Yes No

Previous (/content/techdocs/en_US/panorama/11- Next (/content/techdocs/en_US/panorama/11-


Configure 0/panorama-admin/set-up- Configure an 0/panorama-admin/set-up-
Local or panorama/set-up-administrative-access- Administrator panorama/set-up-administrative-access-
External to-panorama/configure-administrative- with SSH Key- to-panorama/configure-administrative-
Authentication accounts-and-authentication/configure- Based accounts-and-authentication/configure-
for Panorama local-or-external-authentication-for- Authentication an-administrator-with-ssh-key-based-
Administrators panorama-administrators.html) for the CLI authentication-for-the-cli.html)

Technical Documentation Co

Release Notes (/content/techdocs/en_US/release-notes.html) Abo


Search (/content/techdocs/en_US/search.html) Care
Blog (https://www.paloaltonetworks.com/blog/category/technical- Cus
documentation/) LIVE
This site uses cookies essential to its operation, for analytics, and for personalized content and ads. By
Kno
continuing to browse this site, you acknowledge the use of cookies. Privacy statement ❯
continuing to browse this site, you acknowledge the use of cookies. Privacy statement ❯
(https://www.paloaltonetworks.com/legal-notices/privacy)Compatibility Matrix (/content/techdocs/en_US/compatibility-
matrix.html)
OSS Listings (/content/techdocs/en_US/oss-listings.html)
Sitemap (/content/techdocs/en_US/sitemap.html)

(https://www.facebook.com/PaloAltoNetworks) (https://w
(https://www.youtube.com/channel/UCPRouchFt58TZnjoI65aelA)

(/content/techdocs/en_US.html) © 2025 Palo Alto Ne

This site uses cookies essential to its operation, for analytics, and for personalized content and ads. By
continuing to browse this site, you acknowledge the use of cookies. Privacy statement ❯

You might also like