You can encrypt WildFire communications between appliances
deployed in a cluster. By default, WildFire appliances send data
in cleartext when communicating with management appliances as
well as with WildFire cluster peers. You can use either predefined or
custom certificates to authenticate connections between WildFire
appliance peers using the IKE/IPsec protocol. The predefined certificates
meet current FIPS/CC/UCAPL-approved certification and compliance
requirements. If you want to use custom certificates instead, you
must select a FIPS/CC/UCAPL-compliant certificate, or you will not
be able to import the certificate.

You can configure WildFire appliance-to-appliance encryption
locally using the WildFire CLI or centrally through Panorama. Keep
in mind that all WildFire appliances within a given cluster must run
a version of PAN-OS that supports encrypted communications.