Configuration Articles

Featured Article
Starting with PAN-OS 8.0, communication between the firewall and the User-ID Agent can be secured with certificates.

NOTE: This requires the firewall to be on PAN-OS 8.0 (or later) as well as the User-ID agent to be on 8.0 (or later).

In this process, the UIA (User-ID Agent) presents a certificate to the firewall to validate. The firewall checks this certificate against the configured certificate profile. If it passes all the checks in the certificate profile, the firewall accepts the connection from the UIA. This can protect against "rogue" UIAs.

Here's a step-by-step walkthrough to configure this:

1. Launch the UIA. You should see a new option called 'Server Certificate':
2. Create a new CSR for the UIA and get it signed by either an external CA, in-house CA or a self-signed certificate present in the firewall. (Note: The CA certificate must be present on the firewall so it can be used in the certificate profile to validate the UIA's certificate.)
3. Once you have a certificate, import it in the UIA along with its private key. Make sure to commit the configuration.
4. Create a new certificate profile and use the CA used to sign the UIA's CSR.
5. You should see a new tab under Device > User Identification, called 'Connection Security':
6. Choose the certificate profile created in step 4.
7. If the commit goes well, you should see the UIA connected successfully with the firewall.

Failure Scenario

If an incorrect or no certificate is present on the UIA while Connection Security is enabled on the firewall, you will see the following log entry in the System (and userid) logs:

For the same failure, on the agent, you would see the following logs (under Monitoring > Logs):

Hope this helped. Stay safe!
ansharma ‎03-13-2017 05:02 AM
Our Solutions Engineers in the Live Community present key features in 20 different articles and videos to help you learn about PAN-OS 7.1. This list shows available resources that examine and present key components of this PAN-OS release.
‎11-22-2016 05:41 AM
A new PAN-OS 7.1 feature allows customers to add a custom list of domains to use with the sinkhole functionality in the Anti-Spyware Profile. This feature is supported on all PAN-OS devices, including M-100, M-500, and Panorama VM, running PAN-OS 7.1 or later.
‎10-04-2016 07:52 PM