Does anyone know what the best certificate to use on a Palo is please? We have a customer who is failing PCI compliance testing as we are using a self signed certificate which was generated on the Palo for Global Protect. Any help or advise would be greatly appreciated.
There are loads of CAs that browsers will support by default. It's really a question of budget and preference. Comodo for cheap, VeriSign for good service. Never GoDaddy for anything (IMO).
Concerning PCI, you could setup a compensating control that states that all the users that connect to the service have the correct cert in their local store and are trained on how to deal with a non-trusted response. In that case you can just keep the self-signed cert. <disclaimer> I am not a QSA, your client needs to check w/ their QSA if they want to go down this road</disclaimer>
But really, so far as PAN is concerned, it shouldn't matter.
One workaround would be use a separate web server to buy a wildcard certificate from Commercial CA with something like *.yourdomain.com. Then export the certificate and private key file in PKCS or PEM format from that web server to PaloAlto firewall or Panorama.
I think it may not be possible to generate CSR (Certificate Signing Request) from a PaloAlto firewall as I could not see any option to do that.
Then the workaround like above helped.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!