Advanced WildFire Powered by Precision AI™
Configure Appliance-to-Appliance Encryption Using Custom Certificates Through the CLI
When configuring appliance-to-appliance encryption
using the CLI, you must issue all commands from the WildFire appliance
designated as the active-controller. The configuration changes are
automatically distributed to the passive-controller. If you are
operating a cluster with 3 or more nodes, you must also configure
the WildFire cluster appliances acting as server nodes with the
same settings as the active-controller.
- Upgrade each managed WildFire appliance to PAN-OS 9.0.
- Verify that your WildFire appliance cluster has been properly configured and is operating in a healthy state.
- Import (or optionally, generate) a certificate with a private key and its CA certificate. Keep in mind, if you previously configured the WildFire appliance and the firewall for secure communications using a custom certificate, you can also use that custom certificate for secure communications between WildFire appliances.
  - To import a custom certificate, enter the following from the WildFire appliance CLI:
    scp import certificate from <value> file <value> remote-port <1-65535> source-ip <ip/netmask> certificate-name <value> passphrase <value> format <value>
  - To generate a custom certificate, enter one of the following from the WildFire appliance CLI:
    request certificate generate certificate-name name digest country-code state locality organization email filename ca signed-by | ocsp-responder-url days-till-expiry hostname [ ... ]
    request certificate generate certificate-name name digest country-code state locality organization email filename ca signed-by | ocsp-responder-url days-till-expiry ip [ ... ]
    request certificate generate certificate-name name
- Import the WildFire appliance keypair containing the server certificate and private key.
  scp import keypair from <value> file <value> remote-port <1-65535> source-ip <ip/netmask> certificate-name <value> passphrase <value> format <pkcs12|pem>
- Configure and specify an SSL/TLS service profile to define the certificate and protocol that WildFire appliances use for SSL/TLS services.
  set deviceconfig setting management secure-conn-server ssl-tls-service-profile <profile name>
  - Create the SSL/TLS profile.
    set shared ssl-tls-service-profile <name>
  - Specify the custom certificate.
    set shared ssl-tls-service-profile <name> certificate <value>
  - Define the SSL/TLS version range.
    set shared ssl-tls-service-profile <name> protocol-settings min-version <tls1-0|tls1-1|tls1-2>
    set shared ssl-tls-service-profile <name> protocol-settings max-version <tls1-0|tls1-1|tls1-2|max>
  - Specify the SSL/TLS profile. This SSL/TLS service profile applies to all connections between WildFire appliances and the firewall as well as between WildFire appliance peers.
    set deviceconfig setting management secure-conn-server ssl-tls-service-profile <ssltls-profile>
- Configure and specify a certificate profile to define the certificate and protocol that WildFire appliances use for SSL/TLS services.
  - Create the certificate profile.
    set shared certificate-profile <name>
  - (Optional) Set the subject (common-name) or subject-alt name.
    set shared certificate-profile <name> username-field subject <common-name>
    set shared certificate-profile <name> username-field subject-alt <email|principal-name>
  - (Optional) Set the user domain.
    set shared certificate-profile <name> domain <value>
  - Configure the CA.
    set shared certificate-profile <name> CA <name>
    set shared certificate-profile <name> CA <name> default-ocsp-url <value>
    set shared certificate-profile <name> CA <name> ocsp-verify-cert <value>
  - Specify the certificate profile.
    set deviceconfig setting management secure-conn-server certificate-profile <certificate-profile>
- Configure the firewall Secure Communication Settings on Panorama to associate the WildFire appliance cluster with the firewall custom certificate. This provides a secure communications channel between the firewall and the WildFire appliance cluster. If you already configured secure communications between the firewall and the WildFire appliance cluster and are using the existing custom certificate, proceed to step 9.
  - Select Device > Certificate Management > Certificate Profile.
  - Select Device > Setup > Management > Secure Communication Settings and click the Edit icon in Secure Communication Settings to configure the firewall custom certificate settings.
  - Select the Certificate Type, Certificate, and Certificate Profile from the respective drop-downs and configure them to use the custom certificate created in step 2.
  - Under Customize Communication, select WildFire Communication.
  - Click OK.
- Disable the use of the predefined certificate.
  set deviceconfig setting management secure-conn-server disable-pre-defined-cert yes
- Specify the DNS name used for authentication, as found in the custom certificate (typically the SubjectName or the SubjectAltName). For example, the default domain name is wfpc.service.mycluster.paloaltonetworks.com.
  set deviceconfig setting wildfire custom-dns-name <custom_dns_name>
- (Appliance clusters with 3 or more nodes only) Repeat steps 2-10 for the third WildFire appliance server node enrolled in the cluster.
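A pre-import check for the certificate material the procedure above relies on, written here as an added Go example (not PAN-OS or Palo Alto Networks code): it confirms that the server certificate chains to the CA bound in the certificate profile, that the private key in the keypair belongs to that certificate, and that the name you will set as custom-dns-name is actually asserted by the certificate. The CA and leaf are constructed in MakeTestPKI to stand in for imported files; the DNS name used in the test is the page's default, wfpc.service.mycluster.paloaltonetworks.com.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckClusterCert verifies the three properties the appliances depend on: the leaf
// chains to the CA named in the certificate profile, the imported private key matches
// the leaf, and dnsName is asserted by the leaf (Go, like most current TLS stacks,
// matches the DNS name against the SubjectAltName only, not the CN).
func CheckClusterCert(leafDER, caDER []byte, key *ecdsa.PrivateKey, dnsName string) error {
	leaf, err1 := x509.ParseCertificate(leafDER)
	ca, err2 := x509.ParseCertificate(caDER)
	if err1 != nil || err2 != nil {
		return fmt.Errorf("parse failed: leaf=%v ca=%v", err1, err2)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName}); err != nil {
		return fmt.Errorf("chain or DNS name check failed: %w", err)
	}
	if !key.PublicKey.Equal(leaf.PublicKey) {
		return fmt.Errorf("private key does not belong to the certificate")
	}
	return nil
}

// MakeTestPKI builds a constructed CA and a leaf it signs with the given SANs (test data only).
func MakeTestPKI(sans []string) (leafDER, caDER []byte, leafKey *ecdsa.PrivateKey, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-cluster-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if caDER, err = x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, nil, err
	}
	caCert, _ := x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: sans[0]}, DNSNames: sans,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER, err = x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	return leafDER, caDER, leafKey, err
}
```

Run the same check against a real exported certificate, CA and key (DER-decoded from the PEM or PKCS#12 you intend to import) before step 10 to catch a missing SAN or a swapped key without a cluster outage.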