topic Secure web-GUI access for managment in General Topics

Secure web-GUI access for managment

Jafar_Hussain — Tue, 24 Nov 2020 06:24:03 GMT

Dears,

When i log in my firewall it is showing the connection not secure.

For secure connection login, i have gone through these documents and try to configure a secure connection for web GUI access.

How To Configure A Certificate For Secure Web-GUI Access - Knowledge Base - Palo Alto Networks

Procedure 1 I followed:-

- Created a self-sign certificate with a common name management IP address.

- Created an SSL/TLS profile and attached the self-sign certificate in SSL/TLS profile

- Then Device>Setup>>management>general setting > Attached the same SSL/TLS profile and commit.

- Export the self-sign certificate in import in client machine trusted root certificate store.

- Tried to login into the firewall in a different browser.

Procedure 2 i followed:-

- Created a CSR request and the certificate sign by internal CA.

- Import the certificate in the firewall.

- Created an SSL/TLS profile and attached the newly imported certificate in SSL/TLS profile

- Then Device>Setup>>management>general setting > Attached the same SSL/TLS profile and commit.

- Export the certificate in import in client machine trusted root certificate store.

- Tried to login into the firewall in a different browser.

I tried two both above procedures but still, I am facing the connection, not a secure error.

Can anyone help me with this.

Re: Secure web-GUI access for managment

raji_toor — Tue, 24 Nov 2020 06:44:49 GMT

@Jafar_Hussain Your screenshot shows you are accessing it by IP, instead you should be accessing it by the common name you have set while creating cert.

Re: Secure web-GUI access for managment

Jafar_Hussain — Tue, 24 Nov 2020 06:47:13 GMT

@raji_toor

As i mentioned i have given the management IP address in the certificate common name.

Re: Secure web-GUI access for managment

raji_toor — Tue, 24 Nov 2020 17:17:05 GMT

If i am not wrong it should be a dns name and not IP in there although it doesn't stop you from entering IP

Re: Secure web-GUI access for managment

rmfalconer — Wed, 25 Nov 2020 00:00:04 GMT

For procedure 1, if you use a firewall self-signed cert for the web management, you're workstation won't trust that cert unless you import the firewall CA certificate on to your workstation.

For procedure 2, you don't need to export/import the device certificate. If your workstation trusts your internal CA, then your workstation will trust any certificates issued by that internal CA wherever they are installed.

What's the message if you click on 'Not secure'? It will usually point you in the right direction for troubleshooting. What does the subject and subject alternative show in the certificate details?

Re: Secure web-GUI access for managment

Jafar_Hussain — Wed, 25 Nov 2020 09:55:42 GMT

@rmfalconer

For procedure 1, if you use a firewall self-signed cert for the web management, you're workstation won't trust that cert unless you import the firewall CA certificate on to your workstation. - installed the certificate on the workstation but did not work.

when I use a self-sign certificate and try to login in to the firewall. the below error is showing.

but when i check the certificate it is showing OK.

Re: Secure web-GUI access for managment

rmfalconer — Mon, 30 Nov 2020 20:17:37 GMT

Did you create a certificate authority on the PA and then use that to issue the device certificate? The root certificate from the PA would need to be imported into your local machine's certificate store, not the device certificate. For the device certificate to be trusted by your PC, the root that issued it needs to be trusted.

For actually generating the certificate, you'll probably need to use an actual name as the CN, not an IP address. Most authorities won't issue with an IP address as the CN. If you want to include the IP as a valid entry, create it as a SAN entry on the cert using the IP field. You should also include the CN in the SAN entry as well.

Try this:

Create a root authority on the PA: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/certificate-management/obtain-certificates/create-a-self-signed-root-ca-certificate.html

Export this root certificate and import to the trusted root store on your computer.

Generate a device certificate on the PA signed by the root you just created:

Common name: firewallname.company.com

Attribute Hostname: firewallname.company.com

Attribute Hostname: firewallname

Attribute IP: 172.16.3.30

Then assign this cert to your SSL/TLS profile.