Add a Certificate to Cloud NGFW for AWS

Cloud NGFW uses certificates to access an intelligence feed and to enable inbound and outbound decryption. These certificates are stored in AWS Secrets Manager. When you add a certificate to AWS Secrets Manager for use with Cloud NGFW, the secret must meet the following prerequisites:
  • The certificate is stored as a key/value pair with two keys: private-key and public-key. The value of private-key is the private key itself, and the value of public-key is the certificate body itself.
  • The secret carries a tag with the key PaloAltoCloudNGFW and the value true.
Complete the following procedure to add a certificate for use with Cloud NGFW for AWS.
  1. Add your certificate to AWS Secrets Manager.
    1. Log in to the AWS console, navigate to AWS Secrets Manager, and click Store a new secret.
    2. Select Other type of secret.
    3. Under Key/value pairs, create a key called private-key and another called public-key.
    4. Paste your entire private key and your entire public key (the certificate body) into the corresponding fields.
    5. Click Next.
    6. Enter a descriptive Secret Name.
    7. Add a tag with the Key PaloAltoCloudNGFW and Value true.
    8. Click Next, Next again, and Store to finish adding your certificate.
  2. Select Rulestacks and select a previously-created rulestack on which to add the certificate.
  3. Select Objects > Certificate List > Add Certificate.
  4. Enter a descriptive Name for your certificate.
  5. (optional) Enter a description for your certificate.
  6. Enter the Certificate ARN from AWS Secrets Manager.
  7. If the certificate is self-signed, check Self Signed Certificate. Inbound decryption does not support self-signed certificates.
  8. Click Save.
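The console steps above leave room for two easy mistakes that only surface later as a decryption or feed failure: putting the certificate in the private-key field (or vice versa), and forgetting or mis-casing the PaloAltoCloudNGFW tag. The following script is an added example, not Palo Alto Networks or AWS code; it builds the exact key/value map and tag the page requires, checks the PEM labels of each value, and produces the keyword arguments for the real boto3 `secretsmanager.create_secret` call. The PEM bodies below are constructed placeholders, not real key material, and the secret name is an assumption.

```python
"""Build and sanity-check the Secrets Manager payload Cloud NGFW expects.

Added example (not vendor code). Runs offline; only the optional
main() block touches AWS, and only if boto3 is installed and configured.
"""
import json
import re

# Tag Cloud NGFW looks for on the secret (key and value are case-sensitive here).
REQUIRED_TAG = {"Key": "PaloAltoCloudNGFW", "Value": "true"}

# One PEM block: BEGIN label, body, matching END label.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.+?)\r?\n-----END \1-----", re.S)

# Constructed placeholders; these are NOT valid keys or certificates.
SAMPLE_KEY = (
    "-----BEGIN PRIVATE KEY-----\n"
    "CONSTRUCTED-PLACEHOLDER-PRIVATE-KEY-BODY\n"
    "-----END PRIVATE KEY-----\n"
)
SAMPLE_CERT = (
    "-----BEGIN CERTIFICATE-----\n"
    "CONSTRUCTED-PLACEHOLDER-CERTIFICATE-BODY\n"
    "-----END CERTIFICATE-----\n"
)


def pem_labels(text):
    """Return the BEGIN labels of every well-formed PEM block in text."""
    return [m.group(1) for m in PEM_RE.finditer(text)]


def build_secret(private_key_pem, certificate_pem):
    """Key/value map stored as the secret string: the two keys Cloud NGFW reads."""
    return {"private-key": private_key_pem, "public-key": certificate_pem}


def validate_secret(secret, tags):
    """Return a list of prerequisite violations; an empty list means the secret is usable."""
    problems = []
    for key in ("private-key", "public-key"):
        if not isinstance(secret.get(key), str) or not secret[key].strip():
            problems.append(f"missing or empty key {key!r}")

    if isinstance(secret.get("private-key"), str):
        labels = pem_labels(secret["private-key"])
        # Accept PKCS#8 ("PRIVATE KEY") and legacy "RSA/EC PRIVATE KEY" labels.
        if not labels or not all(label.endswith("PRIVATE KEY") for label in labels):
            problems.append("private-key value is not a PEM private key")

    if isinstance(secret.get("public-key"), str):
        labels = pem_labels(secret["public-key"])
        # The certificate body (and any chain) must be CERTIFICATE blocks only.
        if not labels or not all(label == "CERTIFICATE" for label in labels):
            problems.append("public-key value is not a PEM certificate body")

    if REQUIRED_TAG not in tags:
        problems.append("missing tag PaloAltoCloudNGFW=true")
    return problems


def create_secret_request(name, secret, tags):
    """Keyword arguments for boto3 client('secretsmanager').create_secret()."""
    problems = validate_secret(secret, tags)
    if problems:
        raise ValueError("; ".join(problems))
    return {"Name": name, "SecretString": json.dumps(secret), "Tags": list(tags)}


def main():
    # Secret name is an assumption; replace with your own naming convention.
    request = create_secret_request(
        "cloud-ngfw/decryption-cert", build_secret(SAMPLE_KEY, SAMPLE_CERT), [REQUIRED_TAG]
    )
    try:
        import boto3  # optional: only needed to actually store the secret
    except ImportError:
        print("boto3 not installed; request that would be sent:", request["Name"])
        return
    response = boto3.client("secretsmanager").create_secret(**request)
    # The ARN returned here is the Certificate ARN entered in the rulestack (step 6).
    print("Certificate ARN:", response["ARN"])


if __name__ == "__main__":
    main()
```

The `ARN` returned by `create_secret` is the value the procedure asks for in the Certificate ARN field; keeping the validation in front of the API call means a swapped or mislabelled PEM is rejected locally instead of being discovered when decryption fails.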
