Configure Appliance-to-Appliance Encryption Using Custom Certificates Through the CLI
When configuring appliance-to-appliance encryption
using the CLI, you must issue all commands from the WildFire appliance
designated as the active-controller. The configuration changes are
automatically distributed to the passive-controller. If you are
operating a cluster with 3 or more nodes, you must also configure
the WildFire cluster appliances acting as server nodes with the
same settings as the active-controller.
- Upgrade each managed WildFire appliance to PAN-OS 9.0.
- Verify that your WildFire appliance cluster has been properly configured and is operating in a healthy state.
- Import (or optionally, generate) a certificate with a private key and its CA certificate. Keep in mind, if you previously configured the WildFire appliance and the firewall for secure communications using a custom certificate, you can also use that custom certificate for secure communications between WildFire appliances.
  - To import a custom certificate, enter the following from the WildFire appliance CLI:
    `scp import certificate from <value> file <value> remote-port <1-65535> source-ip <ip/netmask> certificate-name <value> passphrase <value> format <value>`
  - To generate a custom certificate, enter one of the following from the WildFire appliance CLI:
    `request certificate generate certificate-name name digest country-code state locality organization email filename ca signed-by | ocsp-responder-url days-till-expiry hostname [ ... ]`
    `request certificate generate certificate-name name digest country-code state locality organization email filename ca signed-by | ocsp-responder-url days-till-expiry ip [ ... ]`
    `request certificate generate certificate-name name`
- Import the WildFire appliance keypair containing the server certificate and private key.
  `scp import keypair from <value> file <value> remote-port <1-65535> source-ip <ip/netmask> certificate-name <value> passphrase <value> format <pkcs12|pem>`
- Configure and specify an SSL/TLS profile to define the certificate and protocol that WildFire appliances use for SSL/TLS services.
  `set deviceconfig setting management secure-conn-server ssl-tls-service-profile <profile name>`
  - Create the SSL/TLS profile.
    `set shared ssl-tls-service-profile <name>`
  - Specify the custom certificate.
    `set shared ssl-tls-service-profile <name> certificate <value>`
  - Define the SSL/TLS version range.
    `set shared ssl-tls-service-profile <name> protocol-settings min-version <tls1-0|tls1-1|tls1-2>`
    `set shared ssl-tls-service-profile <name> protocol-settings max-version <tls1-0|tls1-1|tls1-2|max>`
  - Specify the SSL/TLS profile. This SSL/TLS service profile applies to all connections between WildFire appliances and the firewall as well as WildFire appliance peers.
    `set deviceconfig setting management secure-conn-server ssl-tls-service-profile <ssltls-profile>`
- Configure and specify a certificate profile to define the certificate and protocol that WildFire appliances use for SSL/TLS services.
  - Create the certificate profile.
    `set shared certificate-profile <name>`
  - (Optional) Set the subject (common-name) or subject-alt name.
    `set shared certificate-profile <name> username-field subject <common-name>`
    `set shared certificate-profile <name> username-field subject-alt <email|principal-name>`
  - (Optional) Set the user domain.
    `set shared certificate-profile <name> domain <value>`
  - Configure the CA.
    `set shared certificate-profile <name> CA <name>`
    `set shared certificate-profile <name> CA <name> default-ocsp-url <value>`
    `set shared certificate-profile <name> CA <name> ocsp-verify-cert <value>`
  - Specify the certificate profile.
    `set deviceconfig setting management secure-conn-server certificate-profile <certificate-profile>`
- Configure the firewall Secure Communication Settings on Panorama to associate the WildFire appliance cluster with the firewall custom certificate. This provides a secure communications channel between the firewall and the WildFire appliance cluster. If you already configured secure communications between the firewall and the WildFire appliance cluster and are using the existing custom certificate, proceed to step 9.
  - Select Device > Certificate Management > Certificate Profile.
  - Select Device > Setup > Management > Secure Communication Settings and click the Edit icon in Secure Communication Settings to configure the firewall custom certificate settings.
  - Select the Certificate Type, Certificate, and Certificate Profile from the respective drop-downs and configure them to use the custom certificate created in step 2.
  - Under Customize Communication, select WildFire Communication.
  - Click OK.
- Disable the use of the predefined certificate.
  `set deviceconfig setting management secure-conn-server disable-pre-defined-cert yes`
- Specify the DNS name used for authentication found in the custom certificate (typically the SubjectName or the SubjectAltName). For example, the default domain name is wfpc.service.mycluster.paloaltonetworks.com.
  `set deviceconfig setting wildfire custom-dns-name <custom_dns_name>`
- (Appliance clusters with 3 or more nodes only) Repeat steps 2-10 for the third WildFire appliance server node enrolled in the cluster.
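The procedure above imports a CA certificate, a server keypair (PKCS12 or PEM), and then tells the appliance which DNS name in that certificate to authenticate. The checks below are an added example, not Palo Alto Networks code, to run with the `openssl` CLI on the admin workstation before the `scp import` steps: they catch the usual reasons a cluster comes up with TLS failures (certificate not chaining to the imported CA, key not belonging to the certificate, the `custom-dns-name` missing from the SubjectAltName, an expired certificate, or a PKCS12 passphrase that does not open the bundle). The script builds a constructed throwaway CA and server keypair so it runs offline; the file names, the CA name, and the passphrase are assumptions for this example, and the default DNS name is the one the page gives.

```shell
#!/bin/sh
# Added example (not from the Palo Alto Networks documentation): pre-import
# checks for the certificate material the procedure asks you to import.
# A constructed, throwaway CA and WildFire server keypair are generated so
# the script runs offline; point WORK at a directory holding your real
# ca.crt / wf.key / wf.crt / wf.p12 to check production material instead.
# File names, CA name and passphrase below are assumptions for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
# Default WildFire cluster service name from the procedure.
DNS_NAME="${DNS_NAME:-wfpc.service.mycluster.paloaltonetworks.com}"
P12_PASS="${P12_PASS:-changeit}"   # constructed passphrase for the bundle

# Build a throwaway CA and a server certificate carrying the cluster DNS SAN.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example WildFire Cluster CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$DNS_NAME" \
    -keyout "$WORK/wf.key" -out "$WORK/wf.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$DNS_NAME" >"$WORK/san.ext"
  openssl x509 -req -days 365 -in "$WORK/wf.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/san.ext" -out "$WORK/wf.crt" >/dev/null 2>&1
  # Same shape as the bundle "scp import keypair ... format pkcs12" expects:
  # private key + server certificate + CA certificate.
  openssl pkcs12 -export -passout "pass:$P12_PASS" \
    -inkey "$WORK/wf.key" -in "$WORK/wf.crt" -certfile "$WORK/ca.crt" \
    -out "$WORK/wf.p12" >/dev/null 2>&1
}

# 1. $1 = CA cert, $2 = server cert: the server cert must chain to the CA
#    that the certificate profile will trust.
cert_chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# 2. $1 = private key, $2 = server cert: compare the public keys they carry.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# 3. $1 = DNS name, $2 = server cert: the name given to
#    "set deviceconfig setting wildfire custom-dns-name" must be a DNS SAN.
san_has_dns() {
  openssl x509 -in "$2" -noout -text 2>/dev/null |
    grep -A1 'Subject Alternative Name' | tail -n 1 |
    tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$1"
}

# 4. $1 = server cert: -checkend 0 fails if the certificate has expired.
cert_not_expired() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; }

# 5. $1 = PKCS12 file, $2 = passphrase: the bundle must open and yield a cert.
p12_opens() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -subject >/dev/null 2>&1
}

# Run every check against the files in WORK; non-zero on the first failure.
preflight() {
  cert_chains_to_ca "$WORK/ca.crt" "$WORK/wf.crt" || { echo "FAIL: server cert does not chain to ca.crt"; return 1; }
  key_matches_cert "$WORK/wf.key" "$WORK/wf.crt" || { echo "FAIL: wf.key does not match wf.crt"; return 1; }
  san_has_dns "$DNS_NAME" "$WORK/wf.crt" || { echo "FAIL: $DNS_NAME is not a DNS SAN in wf.crt"; return 1; }
  cert_not_expired "$WORK/wf.crt" || { echo "FAIL: wf.crt has expired"; return 1; }
  p12_opens "$WORK/wf.p12" "$P12_PASS" || { echo "FAIL: wf.p12 does not open with P12_PASS"; return 1; }
  echo "OK: $WORK/wf.p12 passes pre-import checks for $DNS_NAME"
}

make_test_pki
preflight
```

Run it as-is to see the checks pass on the constructed material, or export `WORK`, `DNS_NAME` and `P12_PASS` to point it at the files you are about to transfer; skip `make_test_pki` in that case so your real files are not overwritten. A certificate that passes these checks can still be rejected if the SSL/TLS service profile's `min-version` excludes what the peer offers, so keep both ends of the cluster on the same profile settings as the page requires.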