SSL\TLS Profile deployment via Panorama

Reply
Highlighted
L1 Bithead

SSL\TLS Profile deployment via Panorama

We have a Panorama running 8.1.9 and were looking to utlize almost every setting possible in Panorama to deploy to our managed firewalls. One of the settings we are looking to standardize on is the SSL\TLS profile. I see you can set this via Panorama but it requires you specify a certificate. 

 

Does this feature deploy the actual certificate or just the "named" certificate as long as we deploy the certificate individually to firewalls? 

 

The reason I ask is were looking to apply this to our GLOBAL TEMPLATE and if it deploys the certificate i am not sure it will work. our organization does not permit WILDCARD certificates.

L4 Transporter

Re: SSL\TLS Profile deployment via Panorama

Hello

 

Confirmed that a cert, created in a template with Panorama, does indeed, get pushed down to a FW.

I am not sure why you need to push down a wildcard cert, and if you do, why, your company would not let you push down the cert.

It would be easier than creating on the local FW(s).  Again, not sure how many FWs need to have this cert on it.

 

But I did answer you question, so mark it as a solution.  :P

 

Thanks

L1 Bithead

Re: SSL\TLS Profile deployment via Panorama

I have had problems issuing a cert from the firewall for SSL decryption. Chrome does not support self signed certificates for decryption and fails to work if you do.

 

 

L4 Transporter

Re: SSL\TLS Profile deployment via Panorama

Actually, Chrome uses the certificate repository store from the OS.

So, if you import a self-signed cert from the FW into IE, the same repository is used from Chrome.

As a PANW instructor for the past 7 years, I routinely import our lab/self-signed certs into Chrome without issue.

 

Would be glad to assist if you continue to need help.

 

thanks

 

Steve

L1 Bithead

Re: SSL\TLS Profile deployment via Panorama


@SteveCantwell wrote:

Actually, Chrome uses the certificate repository store from the OS.

So, if you import a self-signed cert from the FW into IE, the same repository is used from Chrome.

As a PANW instructor for the past 7 years, I routinely import our lab/self-signed certs into Chrome without issue.

 

Would be glad to assist if you continue to need help.

 

thanks

 

Steve


I will give it another try. My last attemp resulted in support telling me about the certificate issue. That would make things much more simple if it worked as you say.

L1 Bithead

Re: SSL\TLS Profile deployment via Panorama

Still no luck. I created the cert in Panorama applied and downloaded and installed on my local PC as a trusted root. Outlook immediatly gets a certificate error and all chrome content is unreachable.

L4 Transporter

Re: SSL\TLS Profile deployment via Panorama

Interesting....

 

I have a PAN220 for 2 years (more or less) and I decrypt 100% of my traffic (on my home network)

 

No problems with Outlook or Chrome.

 

My only logical thought is that the cert, although created by Panorama, may not have the correct CN or subject line (or something else)

 

For my self-signed certs, I actually created 2 certs.

One is a self signed with a CN of the Mgmt IP of my FW. (call this one Cantwell Enterprises :P) 

I make sure that the Fwd Trust Certifcate flag (checkbox) is checked, when I modify my Cantwell Enterprises Cert.

The second is signed by Cantwell Enterprises (the FW) and the common name is the IP of my inside interface on my FW.

I have made sure that my Cantwell Enterprise trust CA is loaded into my Trusted CA store in IE (takes care of Chrome) and I also use Mozilla, so I load the cert into Firefox as well.

 

My decryption policy is

 

Trust, with src address of (my computer) with destination of (any) for any (url category) = Decrypt with ssl-forward-proxy, and a decryption profile.

 

Do you have the same thing?

 

 

L1 Bithead

Re: SSL\TLS Profile deployment via Panorama

So I noticed today that the error is referencing a different cert with an old IP from a firewall we upgraded. I looked through all the Pano configs and do not see that cert and it is not in my root cert folder on my PC. Is there a cache on the PA side or a place I am missing?

L1 Bithead

Re: SSL\TLS Profile deployment via Panorama


@Millette wrote:

So I noticed today that the error is referencing a different cert with an old IP from a firewall we upgraded. I looked through all the Pano configs and do not see that cert and it is not in my root cert folder on my PC. Is there a cache on the PA side or a place I am missing?


Disregard. I was trying to create and apply the SSL cert from Panorama, not the local firewall and it will not pass the trust and untrust. Once I created the cert on the local device an applied it, I am up and running.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!