Vesper Secure

Step 2 • Integrate with your firewall

Palo Alto Networks Integration (PAN-OS)

This guide walks you through importing Vesper Secure certificates, creating a Certificate Profile, configuring an External Dynamic List (EDL), and enforcing the EDL in a Security policy.

Prerequisites

  • Admin access to PAN-OS (Device, Objects and Policies tabs) and permission to commit.
  • Your Organization UUID and EDL password from the Vesper Secure Admin Console.
  • Outbound HTTPS (TCP/443) from the firewall to list.vespersecure.com. PAN-OS fetches EDLs through the management interface unless you have configured a service route for External Dynamic Lists, so open the path from whichever interface the fetch actually uses.

EDL source URL format

https://list.vespersecure.com/<organization-uuid>

You can copy this URL from the Policies tab in the Vesper Secure Admin Console.

1) Import Vesper Secure certificates

Vesper Secure presents a certificate chain when the firewall connects to list.vespersecure.com. Import the Root and Intermediate certificates into PAN-OS first; the Certificate Profile you build from them in the next step is what lets the firewall confirm it is talking to the genuine list server before it trusts anything in the list.


Download certificates

Download both certificates to your admin workstation before importing them into PAN-OS.

Import the certificates into PAN-OS

  1. Navigate to Device → Certificate Management → Certificates.
  2. Click Import at the bottom.
  3. Name the certificate (example: VesperSecure Root).
  4. Click Browse…, select the downloaded certificate file, and leave Import Private Key unchecked (you are importing public CA certificates only), then click OK.
  5. Repeat for the Intermediate certificate (example: VesperSecure Intermediate).

Image placeholder:

Device → Certificate Management → Certificates (Import Root + Intermediate)

Create a Certificate Profile

PAN-OS uses the Certificate Profile to validate the TLS certificate that list.vespersecure.com presents each time the firewall retrieves your EDL. A server whose certificate does not chain to the Vesper Secure Root fails validation and the fetch is rejected, so the profile is what prevents a spoofed or intercepted list server from feeding addresses into your allow-list.

  1. Navigate to Device → Certificate Management → Certificate Profile.
  2. Click Add to create a new profile.
  3. Provide a name (example: VesperSecure-EDL-CA).
  4. Under CA Certificates, click Add and select both: VesperSecure Root and VesperSecure Intermediate.
  5. Click OK to save the Certificate Profile.

Image placeholder:

Device → Certificate Management → Certificate Profile (CA Certificates: Root + Intermediate)

2) Create the External Dynamic List (EDL)

The EDL is the allow-list of public IP addresses that have successfully authenticated through Vesper Secure. The firewall fetches it on a schedule and uses it as a Source Address object in Security policy, so only traffic from an address present in the most recent fetch matches the EDL-restricted rule.


Create the EDL object

  1. Navigate to Objects → External Dynamic Lists.
  2. Click Add.
  3. Set Type to IP List.
  4. Set Source to your organization URL:
    https://list.vespersecure.com/<organization-uuid>

    You can find this link in the Policies tab of the Vesper Secure Admin Console (app.vespersecure.com).

Image placeholder:

Objects → External Dynamic Lists (Type: IP List, Source URL)

Configure authentication + update interval

  1. Under Server Authentication, select the Certificate Profile you created earlier (example: VesperSecure-EDL-CA). Do not leave this empty: it is what ties the fetch to the Vesper Secure certificate chain.
  2. Enable Client Authentication (the section appears once a Server Authentication profile is selected).
  3. For Username, enter your Organization UUID.
  4. For Password, enter the EDL password provided during account creation. If you no longer have it, generate a new one in the Policies tab of the Vesper Secure Admin Console. The password becomes part of the firewall configuration, so treat configuration exports and backups as sensitive.
  5. Set Check for updates to Five Minute, the shortest interval PAN-OS offers (strongly recommended).
  6. Click OK, then Commit your changes.

Recommendation

Keep the EDL refresh at Five Minute. The interval is both how long a newly authenticated user waits before the firewall lets them reach the VPN and how long an address that has left the list keeps matching the EDL-restricted rule, so a longer interval slows access and widens the window after an address is removed.

Image placeholder:

EDL settings (Server Authentication + Client Authentication + Check for updates)

3) Enforce the EDL in your Security policy

The safest rollout approach is to clone your existing “VPN from the Internet” rule, place the clone above the original, restrict the clone’s Source Address to the EDL, and test thoroughly before disabling the original. PAN-OS evaluates Security rules top-down and stops at the first match, so traffic from listed addresses hits the clone while everything else still falls through to the original until you remove it; that is what keeps the rollout reversible.


Clone your existing VPN access rule

  1. Navigate to Policies → Security.
  2. Find the rule that currently allows VPN access from the public internet.
  3. Select the rule and click Clone at the bottom.
  4. For Rule order, choose Before Rule so the clone is evaluated ahead of the original, then click OK.

Image placeholder:

Policies → Security (Clone existing VPN rule, Rule order: Before Rule)

Restrict Source Address to the EDL

  1. Open the cloned rule for editing.
  2. Go to Source.
  3. Under Source Address, remove every existing entry. If the cloned rule matched any source, clear that as well: an entry of any alongside the EDL would match everything and defeat the restriction.
  4. Click Add and select the EDL you created in the previous step.
  5. Click OK, then Commit.

Strong recommendation

Add a few static Source Addresses alongside the EDL (for example, your corporate IP ranges and/or administrator home IPs). This reduces the chance of locking out legitimate access during initial rollout or troubleshooting. Keep the static list short and review it once rollout is complete: every static entry is a source that reaches the VPN without authenticating through Vesper Secure.

Image placeholder:

Security rule (Source → Source Address: EDL + optional static IPs)
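The rollout shape described in this section (clone above the original, Source Address restricted to the EDL plus optional static addresses, never any, and the EDL object itself authenticated and refreshed every five minutes) can be checked mechanically against a configuration export before and after each commit. The script below is an added example, not Vesper Secure's or Palo Alto Networks' code; it reads a PAN-OS named configuration snapshot (Device → Setup → Operations → Export named configuration snapshot) as XML and reports deviations. The object and rule names (VesperSecure-IPs, VPN-from-Internet-EDL, VPN-from-Internet, corp-office-range, VesperSecure-EDL-CA), the ORG-UUID placeholder in the URL and both sample configurations are constructed for the example; the element paths are those of a vsys1 running-config export, and rules pushed from Panorama (pre-rulebase/post-rulebase) are not covered.

```python
"""Audit a PAN-OS configuration export for the rollout shape this guide
recommends: the EDL-restricted clone sits above the original VPN rule, its
Source Address names the EDL (plus any static break-glass addresses) and
never 'any', and the EDL object carries a Certificate Profile and a
Five Minute refresh."""
import xml.etree.ElementTree as ET

# Element paths in a vsys1 running-config export. The security rulebase is
# stored in evaluation order, which is what the ordering check relies on.
RULES_XPATH = "./devices/entry/vsys/entry/rulebase/security/rules/entry"
EDL_XPATH = "./devices/entry/vsys/entry/external-list/entry"

EDL = "VesperSecure-IPs"   # constructed object name used throughout the example


def rule_sources(rule) -> list:
    """Source Address members of a security rule entry."""
    return [m.text for m in rule.findall("./source/member")]


def check_rollout(config_xml: str, edl_name: str, new_rule: str, old_rule: str) -> dict:
    """Return {'errors': [...], 'notes': [...]}: no errors means the policy has
    the recommended shape; notes are reminders for post-rollout cleanup."""
    root = ET.fromstring(config_xml)
    errors, notes = [], []
    rules = root.findall(RULES_XPATH)
    names = [r.get("name") for r in rules]
    if new_rule not in names:
        return {"errors": [f"rule {new_rule!r} not found in the security rulebase"], "notes": notes}
    new = rules[names.index(new_rule)]
    if old_rule in names:
        old = rules[names.index(old_rule)]
        if names.index(old_rule) < names.index(new_rule):
            errors.append(f"{old_rule!r} is evaluated before {new_rule!r}; the clone never matches")
        if old.findtext("./disabled") != "yes":
            notes.append(f"{old_rule!r} is still enabled; disable it only after validation")
    src = rule_sources(new)
    if edl_name not in src:
        errors.append(f"{new_rule!r} Source Address does not reference EDL {edl_name!r}")
    if "any" in src:
        errors.append(f"{new_rule!r} Source Address still contains 'any'; the EDL restriction is void")
    static = [s for s in src if s not in (edl_name, "any")]
    if static:
        notes.append(f"{new_rule!r} also allows static sources {static}; review them after rollout")
    edl = next((e for e in root.findall(EDL_XPATH) if e.get("name") == edl_name), None)
    ip = edl.find("./type/ip") if edl is not None else None
    if ip is None:
        errors.append(f"EDL {edl_name!r} is not defined as an IP list")
    else:
        if ip.find("./certificate-profile") is None:
            errors.append(f"EDL {edl_name!r} has no Certificate Profile; the list server is not authenticated")
        if ip.find("./recurring/five-minute") is None:
            errors.append(f"EDL {edl_name!r} refresh is not Five Minute")
    return {"errors": errors, "notes": notes}


def _config(rules_xml: str, edl_ip_xml: str) -> str:
    """Wrap constructed fragments in the PAN-OS config skeleton (vsys1)."""
    return ('<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">'
            f"<rulebase><security><rules>{rules_xml}</rules></security></rulebase>"
            f'<external-list><entry name="{EDL}"><type><ip>{edl_ip_xml}</ip></type></entry></external-list>'
            "</entry></vsys></entry></devices></config>")


# Constructed rule and EDL fragments; ORG-UUID stands in for the organization UUID.
RULE_NEW = ('<entry name="VPN-from-Internet-EDL"><from><member>untrust</member></from>'
            f'<source><member>{EDL}</member><member>corp-office-range</member></source>'
            '<action>allow</action></entry>')
RULE_OLD = ('<entry name="VPN-from-Internet"><from><member>untrust</member></from>'
            '<source><member>any</member></source><action>allow</action></entry>')
EDL_GOOD = ('<url>https://list.vespersecure.com/ORG-UUID</url><recurring><five-minute/></recurring>'
            '<certificate-profile>VesperSecure-EDL-CA</certificate-profile>')
EDL_WEAK = '<url>https://list.vespersecure.com/ORG-UUID</url><recurring><hourly/></recurring>'

GOOD_CONFIG = _config(RULE_NEW + RULE_OLD, EDL_GOOD)
# Several rollout mistakes at once: clone placed after the original, 'any'
# left in the clone's source, no server authentication, hourly refresh.
BAD_CONFIG = _config(RULE_OLD + RULE_NEW.replace("corp-office-range", "any"), EDL_WEAK)

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_rollout(cfg, EDL, "VPN-from-Internet-EDL", "VPN-from-Internet"))
```

To run it against your own firewall, pass the contents of the exported snapshot to check_rollout with your EDL and rule names. An empty errors list is the condition for moving on to validation; the notes list will keep reminding you about the still-enabled original rule and any static sources until you clean them up after rollout.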

Best practices and rollout safety

Change management matters

  • Make changes during a maintenance window if possible.
  • Have a rollback plan (including out-of-band access to the firewall) before you enforce new rules.
  • Validate that the EDL is populating and updating before you rely on it for access control: open the list under Objects → External Dynamic Lists and check List Entries And Exceptions after a user authenticates.

Test before removing the old rule

  • Keep the original VPN rule in place while you test the cloned EDL-based rule.
  • Confirm a user can authenticate to Vesper Secure and then reach the VPN service.
  • Only remove/disable the old rule after successful validation and stakeholder approval.

Quick verification checklist

EDL fetch success

Confirm the EDL is reachable and contains IPs after users authenticate. In the web interface, open the list under Objects → External Dynamic Lists and check List Entries And Exceptions. From the CLI, request system external-list show type ip name <edl-name> prints the entries the firewall currently holds, and request system external-list refresh type ip name <edl-name> forces a fetch instead of waiting for the next interval.

Rule hit / matching

Confirm traffic is matching the cloned rule (before the original) as expected. Filter Monitor → Logs → Traffic on the clone's name, for example ( rule eq 'VPN-from-Internet-EDL' ) with your own rule name substituted, and check that the hit count in Policies → Security increases on the clone rather than on the original.

Safe admin access

Keep static admin IPs in Source Address while you validate rollout, and remove any that are no longer needed once enforcement is confirmed.

Commit discipline

Commit after each logical stage to isolate issues quickly.
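The EDL settings from step 2 and the EDL fetch check above can be exercised from an admin workstation before the firewall depends on them. The script below is an added example, not Vesper Secure's or Palo Alto Networks' code: it fetches the list with TLS validated only against the Root and Intermediate certificates, sends the Organization UUID and EDL password as HTTP Basic credentials (assumed here to be the form PAN-OS Client Authentication sends), and parses the body in PAN-OS IP-list format, reporting any line the firewall would reject. The sample body, the chain.pem file (Root and Intermediate PEMs concatenated) and the command-line arguments are constructed assumptions for the example.

```python
"""Preflight a Vesper Secure EDL the way PAN-OS will consume it: fetch it over
TLS validated against the Root + Intermediate chain, authenticate with the
Organization UUID and EDL password (HTTP Basic), then parse the body in
PAN-OS IP-list format and flag any line the firewall would reject."""
import base64
import ipaddress
import re
import ssl
import sys
import urllib.request

# PAN-OS IP-list format: one entry per line, each an IPv4/IPv6 address, a
# CIDR block, or a hyphenated range; '#' starts a comment.
_RANGE_RE = re.compile(r"^([^\s-]+)-([^\s-]+)$")


def _valid_entry(text: str) -> bool:
    """True for an address, a CIDR block, or a low-to-high range of one family."""
    try:
        ipaddress.ip_network(text, strict=False)
        return True
    except ValueError:
        pass
    m = _RANGE_RE.match(text)
    if not m:
        return False
    try:
        lo, hi = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
    except ValueError:
        return False
    return lo.version == hi.version and lo <= hi


def parse_edl(body: str) -> dict:
    """Split an EDL body into accepted entries and rejected (lineno, line) pairs."""
    entries, bad = [], []
    for lineno, raw in enumerate(body.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if _valid_entry(line):
            entries.append(line)
        else:
            bad.append((lineno, raw.rstrip()))
    return {"entries": entries, "bad": bad}


def edl_ok(result: dict) -> bool:
    """Usable only if there is at least one entry and nothing was rejected."""
    return bool(result["entries"]) and not result["bad"]


def report(result: dict) -> str:
    lines = [f"{len(result['entries'])} usable entries"]
    lines += [f"line {n}: rejected {t!r}" for n, t in result["bad"]]
    return "\n".join(lines)


def fetch_edl(url: str, org_uuid: str, password: str, chain_pem: str, timeout: float = 15) -> str:
    """Download the list as the firewall does: trust only the Vesper Secure
    chain in chain_pem (Root + Intermediate PEMs concatenated, an assumption
    of this example) and send UUID:password as HTTP Basic credentials."""
    ctx = ssl.create_default_context(cafile=chain_pem)  # no system CAs are loaded
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    token = base64.b64encode(f"{org_uuid}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample body (not real Vesper Secure output): every accepted
# form, plus two lines PAN-OS would reject.
SAMPLE_BODY = """# constructed sample
203.0.113.7
198.51.100.0/29
192.0.2.10-192.0.2.20   # range with trailing comment
2001:db8::1
10.0.0.300
192.0.2.9-192.0.2.1
"""

if __name__ == "__main__":
    if len(sys.argv) == 5:
        # usage: edl_check.py <url> <org-uuid> <edl-password> <chain.pem>
        body = fetch_edl(*sys.argv[1:5])
    else:
        body = SAMPLE_BODY
    result = parse_edl(body)
    print(report(result))
    sys.exit(0 if edl_ok(result) else 1)
```

Run it with no arguments to see the parser on the constructed sample; with the URL, Organization UUID, EDL password and chain.pem it performs the real fetch and exits non-zero if the list is empty or contains a malformed line. A successful fetch from the workstation proves the credentials and the certificate chain, not the firewall's own network path (management interface or service route), so still confirm List Entries And Exceptions on the firewall itself.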

Image placeholder:

Verification examples (EDL populated / log showing security rule match)

Next: User instructions

Once your firewall enforcement is in place, distribute the user guide so users know how to authenticate and what to expect.