SSL/TLS Service Profile in Palo Alto Networks
The SSL/TLS Service Profile on Palo Alto Networks firewalls and Panorama specifies the server certificate and the permitted SSL/TLS protocol version range for the services the device terminates itself. It does not govern decryption of transit traffic (that is the job of a Decryption Profile); it governs how the firewall or Panorama presents itself as a TLS server, including the server side of mutual authentication between Panorama and the devices it manages.
Purpose and Usage
The SSL/TLS Service Profile is referenced by the following services:
- Administrative Access: securing the management web interface (HTTPS) of the firewall or Panorama. SSH is not covered by this profile; SSH uses host keys that are configured separately.
- GlobalProtect: the server certificate and protocol range presented by GlobalProtect portals and gateways to connecting clients.
- Authentication Portal: the certificate presented to users redirected to the Authentication (Captive) Portal during user authentication.
- User-ID Syslog Listener: securing syslog-over-SSL connections used to collect user-to-IP mappings.
- Mutual Authentication: the server-side certificate and protocol settings used when Panorama and managed firewalls or Log Collectors authenticate each other (Secure Communication Settings).
Reference: Configure an SSL/TLS Service Profile
Configuration Steps
To configure an SSL/TLS Service Profile:
- Navigate to Device > Certificate Management > SSL/TLS Service Profile.
- Click Add to create a new profile.
- Enter a descriptive Name for the profile.
- Select a valid Certificate. It must be a server certificate whose private key is present on the device, not a CA certificate, and its Common Name or Subject Alternative Name should match the hostname or IP address clients use to reach the service.
- Define the Protocol Settings:
  - Min Version: set to TLSv1.2. Leaving TLSv1.0 or TLSv1.1 enabled lets a client negotiate a deprecated protocol version.
  - Max Version: TLSv1.3 where the PAN-OS version supports it, or Max to allow the highest version the device supports.
  - The profile does not expose a cipher-suite list; the ciphers offered follow from the protocol range, so Min Version is the main hardening control here.
- Click OK and commit the changes.
- Assign the profile to the service it is meant to protect, for example Device > Setup > Management > General Settings for the web interface, or the portal/gateway configuration for GlobalProtect. A profile that no service references has no effect.
Reference: Configure an SSL/TLS Service Profile
Role in Mutual Authentication with Panorama
When Panorama and its managed firewalls or Log Collectors are configured for secure communication, the connection is mutually authenticated: each side proves its identity with a certificate, and each side validates the other's certificate before the management channel is used. The handshake requires:
- Each device presenting its own certificate to the peer.
- Verification of the presented certificate against the trusted Certificate Authorities (CAs) configured on the receiving side.
- Both verifications succeeding; if either side rejects the peer's certificate, no channel is established.
The SSL/TLS Service Profile supplies the certificate and protocol range presented by the server side of this handshake. Validation of the peer's certificate is handled by a Certificate Profile, which defines the CAs the peer's certificate is checked against.
Reference: How Are SSL/TLS Connections Mutually Authenticated?
Interaction with Certificate-Based Authentication
Where certificate-based authentication is required (for example GlobalProtect or admin access with client certificates), the SSL/TLS Service Profile works together with a Certificate Profile:
- SSL/TLS Service Profile: specifies the server certificate and the SSL/TLS protocol range the service presents.
- Certificate Profile: defines the trusted CAs, the revocation checks (CRL/OCSP) and the username field used to validate client certificates.
Together they ensure that the server certificate is presented and the client certificate is validated in the same handshake; neither object on its own provides mutual authentication.
Reference: Configure a Certificate Profile
Additional Use Cases
Beyond the primary uses, SSL/TLS Service Profiles also apply to:
- WildFire Appliance Integration: securing and mutually authenticating communication between firewalls and a WildFire appliance.
- Log Collector Communication: securing log forwarding between Panorama, Log Collectors and firewalls.
- High Availability (HA) links are not covered by this profile. HA1 control-link encryption uses an HA key exported from one peer and imported on the other (Device > Certificate Management > Certificates, Export/Import HA Key), so an SSL/TLS Service Profile has no effect on HA traffic.
Reference: WildFire Appliance Mutual SSL Authentication
Best Practices
- Use certificates issued by a CA that the connecting clients already trust; for admin access and GlobalProtect this is usually an internal enterprise CA or a public CA.
- Avoid self-signed certificates in production environments; they train users to click through warnings and cannot be revoked centrally.
- Track certificate expiration and renew before the not-valid-after date; an expired server certificate makes clients fail the handshake rather than fall back.
- Set Min Version to TLSv1.2 or higher on every profile so deprecated protocol versions are never negotiated.
- Ensure the certificate's CN or SAN matches the hostname or IP address used to reach the service, and that client systems trust the issuing CA, to prevent certificate warnings.
- Confirm that each profile is actually referenced by the intended service; for the web interface, a missing profile means the factory default self-signed certificate is presented.
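A worked check that ties the configuration steps above (server certificate rather than CA certificate, Min Version TLSv1.2, profile assigned to a service) to these best practices (expiry, unreferenced profiles): an added Python audit over an exported PAN-OS XML configuration. This is example code written for this page, not a Palo Alto Networks tool. It assumes the XML layout of a PAN-OS running-config export (profiles under ssl-tls-service-profile/entry, certificate objects under certificate/entry carrying ca and not-valid-after, services naming a profile in a leaf ssl-tls-service-profile element) and that the CLI set command mirrors that XML path; verify both against your own device. The embedded sample configuration is constructed for illustration.

```python
"""Audit SSL/TLS Service Profiles in an exported PAN-OS XML configuration.

Added example, not Palo Alto Networks code. Assumed XML layout (verify against
your own 'show config running' output): profiles as <ssl-tls-service-profile>
<entry name=...>, certificate objects as <certificate><entry name=...> carrying
<ca> and <not-valid-after>, and services naming a profile in a leaf
<ssl-tls-service-profile> element."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Constructed sample, not a real export: one sound profile bound to the web
# interface, one still allowing TLSv1.0 on a certificate about to expire, and
# one mistakenly bound to a CA certificate.
SAMPLE_CONFIG = """<config><shared>
  <certificate>
    <entry name="mgmt-server-cert"><subject>/CN=fw01.example.internal</subject>
      <ca>no</ca><not-valid-after>Jan 31 23:59:59 2030 GMT</not-valid-after></entry>
    <entry name="legacy-gp-cert"><subject>/CN=gp.example.internal</subject>
      <ca>no</ca><not-valid-after>Mar 15 12:00:00 2026 GMT</not-valid-after></entry>
    <entry name="internal-root-ca"><subject>/CN=Example Internal Root CA</subject>
      <ca>yes</ca><not-valid-after>Jan  1 00:00:00 2031 GMT</not-valid-after></entry>
  </certificate>
  <ssl-tls-service-profile>
    <entry name="mgmt-tls"><certificate>mgmt-server-cert</certificate><protocol-settings>
      <min-version>tls1-2</min-version><max-version>max</max-version></protocol-settings></entry>
    <entry name="gp-legacy"><certificate>legacy-gp-cert</certificate><protocol-settings>
      <min-version>tls1-0</min-version><max-version>tls1-2</max-version></protocol-settings></entry>
    <entry name="syslog-ssl"><certificate>internal-root-ca</certificate><protocol-settings>
      <min-version>tls1-2</min-version><max-version>max</max-version></protocol-settings></entry>
  </ssl-tls-service-profile>
</shared><devices><entry name="localhost.localdomain"><deviceconfig><system>
  <ssl-tls-service-profile>mgmt-tls</ssl-tls-service-profile>
</system></deviceconfig></entry></devices></config>"""

TLS_RANK = {"tls1-0": 0, "tls1-1": 1, "tls1-2": 2, "tls1-3": 3, "max": 3}
EXPIRY_WARNING = timedelta(days=30)
REFERENCE_NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)  # fixed clock for the sample


def parse_pan_date(text):
    """Parse 'Mar 15 12:00:00 2026 GMT'; PAN-OS pads single-digit days with a space."""
    clean = " ".join(text.split())
    return datetime.strptime(clean, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def audit_profiles(config_xml, now=REFERENCE_NOW):
    """Return (profile, code, detail) findings for every SSL/TLS Service Profile."""
    root = ET.fromstring(config_xml)
    # Certificate objects sit in a <certificate> container (shared or vsys); the leaf
    # <certificate> inside a profile has no <entry> children and contributes nothing.
    certs = {e.get("name"): e for c in root.iter("certificate") for e in c.findall("entry")}
    profiles, referenced = [], set()
    for node in root.iter("ssl-tls-service-profile"):
        profiles.extend(node.findall("entry"))          # the container of profiles
        if node.text and node.text.strip():             # a service's reference to one
            referenced.add(node.text.strip())
    findings = []
    for prof in profiles:
        name = prof.get("name")
        min_v = prof.findtext("protocol-settings/min-version", default="tls1-0")
        if TLS_RANK.get(min_v, 0) < TLS_RANK["tls1-2"]:
            findings.append((name, "MIN_VERSION", f"min-version {min_v} permits deprecated TLS"))
        cert_name = prof.findtext("certificate")
        cert = certs.get(cert_name)
        if cert is None:
            findings.append((name, "MISSING_CERT", f"certificate {cert_name!r} not found"))
        else:
            if cert.findtext("ca") == "yes":
                findings.append((name, "CA_CERT", f"{cert_name} is a CA, not a server certificate"))
            expires = parse_pan_date(cert.findtext("not-valid-after"))
            if expires <= now:
                findings.append((name, "CERT_EXPIRED", f"{cert_name} expired {expires:%Y-%m-%d}"))
            elif expires - now <= EXPIRY_WARNING:
                findings.append((name, "CERT_EXPIRING", f"{cert_name} expires {expires:%Y-%m-%d}"))
        if name not in referenced:
            findings.append((name, "UNREFERENCED", "no service uses this profile"))
    return findings


def remediation(findings):
    """CLI 'set' commands for MIN_VERSION findings. Syntax is assumed to mirror the
    XML path; confirm with '?' on the device before pasting."""
    return [f"set shared ssl-tls-service-profile {name} protocol-settings min-version tls1-2"
            for name, code, _ in findings if code == "MIN_VERSION"]


def run_sample():
    return audit_profiles(SAMPLE_CONFIG)


if __name__ == "__main__":
    for prof, code, detail in run_sample():
        print(f"{prof:12} {code:14} {detail}")
    print("\n".join(remediation(run_sample())))
```

To run it against a real device, save the output of show config running to a file and pass its contents to audit_profiles with the current time; profile names containing spaces need quoting before the generated set commands are pasted into the CLI. On the sample, mgmt-tls passes cleanly, gp-legacy is flagged for TLSv1.0, an expiring certificate and not being referenced, and syslog-ssl is flagged for using a CA certificate.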