1. Home
    2. WildFire Appliance Administration
    3. WildFire Appliance Clusters
    4. Configure WildFire Appliance-to-Appliance Encryption
    5. Configure Appliance-to-Appliance Encryption Using Custom Certificates Through the CLI

    Configure Appliance-to-Appliance Encryption Using Custom Certificates Through the CLI

    Where Can I Use This?
    What Do I Need?
    • WildFire Appliance
    • WildFire License
    When configuring appliance-to-appliance encryption using the CLI, you must issue all commands from the WildFire appliance designated as the active-controller. The configuration changes are automatically distributed to the passive-controller. If you are operating a cluster with 3 or more nodes, you must also configure the WildFire cluster appliances acting as server nodes with the same settings as the active-controller.
    1. Upgrade each managed WildFire appliance to PAN-OS 9.0.
    2. Verify that your WildFire appliance cluster has been properly configured and is operating in a healthy state.
    3. Import (or optionally, generate) a certificate with a private key and its CA certificate. Keep in mind, if you previously configured the WildFire appliance and the firewall for secure communications using a custom certificate, you can also use that custom certificate for secure communications between WildFire appliances.
      1. To import a custom certificate, enter the following from the WildFire appliance CLI:
        scp import certificate from <value> file <value> remote-port <1-65535> source-ip <ip/netmask> certificate-name <value> passphrase <value> format <value>
      2. To generate a custom certificate, enter the following from the WildFire appliance CLI:
        request certificate generate certificate-name name digest country-code state locality organization email filename ca signed-by | ocsp-responder-url days-till-expiry hostname [ ... ] request certificate generate certificate-name name digest country-code state locality organization email filename ca signed-by | ocsp-responder-url days-till-expiry ip [ ... ] request certificate generate certificate-name name
    4. Import the WildFire appliance keypair containing the server certificate and private key.
      scp import keypair from <value> file <value> remote-port <1-65535> source-ip <ip/netmask> certificate-name <value> passphrase <value> format <pkcs12|pem>
    5. Configure and specify a SSL/TLS profile to define the certificate and protocol that WildFire appliances use for SSL/TLS services.
      set deviceconfig setting management secure-conn-server ssl-tls-service-profile <profile name>
      1. Create the SSL/TLS profile.
        set shared ssl-tls-service-profile <name>
      2. Specify the custom certificate.
        set shared ssl-tls-service-profile <name> certificate <value>
      3. Define the SSL/TLS range.
        set shared ssl-tls-service-profile <name> protocol-settings min-version <tls1-0|tls1-1|tls1-2>
        set shared ssl-tls-service-profile <name> protocol-settings max-version <tls1-0|tls1-1|tls1-2|max>
      4. Specify the SSL/TLS profile. This SSL/TLS service profile applies to all connections between WildFire appliances and the firewall as well as WildFire appliance peers.
        set deviceconfig setting management secure-conn-server ssl-tls-service-profile <ssltls-profile>
    6. Configure and specify a certificate profile to define the certificate and protocol that WildFire appliances use for SSL/TLS services.
      1. Create the certificate profile.
        set shared certificate-profile <name>
      2. (Optional) Set the subject (common-name) or subject-alt name.
        set shared certificate-profile <name> username-field subject <common-name>
        set shared certificate-profile <name> username-field subject-alt <email|principal-name>
      3. (Optional) Set the user domain.
        set shared certificate-profile <name> domain <value>
      4. Configure the CA.
        set shared certificate-profile <name> CA <name>
        set shared certificate-profile <name> CA <name> default-ocsp-url <value>
        set shared certificate-profile <name> CA <name> ocsp-verify-cert <value>
      5. Specify the certificate profile.
        set deviceconfig setting management secure-conn-server certificate-profile <certificate-profile>
    8. Configure the firewall
      Secure Communication Settings
       on Panorama to associate the WildFire appliance cluster with the firewall custom certificate. This provides a secure communications channel between the firewall and WildFire appliance cluster. If you already configured secure communications between the firewall and the WildFire appliance cluster and are using the existing custom certificate, proceed to step 9.
      1. Select
        Device
        Certificate Management
        Certificate Profile
        .
      3. Select
        Device
        Setup
        Management > Secure Communication Settings
         and click the
        Edit
         icon in
        Secure Communication Settings
         to configure the firewall custom certificate settings.
      4. Select the
        Certificate Type
        ,
        Certificate
        , and
        Certificate Profile
         from the respective drop-downs and configure them to use the custom certificate created in step 2.
      5. Under Customize Communication, select
        WildFire Communication
        .
      6. Click
        OK
        .
    9. Disable the use of the predefined certificate.
      set deviceconfig setting management secure-conn-server disable-pre-defined-cert yes
    10. Specify the DNS name used for authentication found in the custom certificate (typically the SubjectName or the SubjectAltName). For example, the default domain name is
      wfpc.service.mycluster.paloaltonetworks.com
      set deviceconfig setting wildfire custom-dns-name <custom_dns_name>
      .
    11. (Appliance clusters with 3 or more nodes only) Repeat steps 2-10 for the third WildFire appliance server node enrolled in the cluster.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo