Replace the Certificate for Inbound Management Traffic
When you first boot up the firewall or Panorama, it automatically generates a default certificate that enables HTTPS access to the web interface and XML API over the management (MGT) interface and (on the firewall only) over any other interface that supports HTTPS management traffic (for details, see Use Interface Management Profiles to Restrict Access). To improve the security of inbound management traffic, replace the default certificate with a new certificate issued specifically for your organization.
You cannot view, modify, or delete the default certificate. Securing management traffic also involves configuring how administrators authenticate to the firewall or to Panorama.
Replace the Certificate for Inbound Management Traffic
Obtain the certificate that will authenticate the firewall or Panorama to the client systems of administrators. You can simplify your Certificate Deployment by using a certificate that the client systems already trust. Therefore, we recommend that you Import a Certificate and Private Key from your enterprise certificate authority (CA) or Obtain a Certificate from an External CA ; the trusted root certificate store of the client systems is likely to already have the associated root CA certificate that ensures trust. If you Generate a Certificate on the firewall or Panorama, administrators will see a certificate error because the root CA certificate is not in the trusted root certificate store of client systems. To prevent this, deploy the self-signed root CA certificate to all client systems. Regardless of how you obtain the certificate, we recommend a Digest algorithm of sha256 or higher for enhanced security.
Configure an SSL/TLS Service Profile. Select the Certificate you just obtained. For enhanced security, we recommend that you set the Min Version (earliest allowed TLS version) to TLSv1.1 for inbound management traffic. We also recommend that you use a different SSL/TLS Service Profile for each firewall or Panorama service instead of reusing this profile for all services.
Apply the SSL/TLS Service Profile to inbound management traffic. Select Device > Setup > Management and edit the General Settings. Select the SSL/TLS Service Profile you just configured. Click OK and Commit.

Related Documentation