Apply Custom Certificates on a WildFire Appliance Configured through Panorama
Use custom certificates to establish mutual authentication for the connection Panorama™ uses to push configurations to your managed WildFire® appliance or cluster.

By default, Panorama™ uses a predefined certificate when communicating with a WildFire® appliance to push configurations. You can alternatively configure custom certificates to establish mutual authentication for the connection Panorama uses to push configurations to a managed WildFire appliance or cluster. Complete the following procedure to configure the server certificate on Panorama and the client certificate on the WildFire appliance.
- Obtain key pairs and certificate authority (CA) certificates for Panorama and the WildFire appliance.
- Import the CA certificate to validate the identity of the WildFire appliance and the key pair for Panorama.
  - Select Panorama > Certificate Management > Certificates > Import.
  - Import the CA certificate and the key pair on Panorama.
- Configure a certificate profile that includes the root CA and intermediate CA. This certificate profile defines the authentication between the WildFire appliance (client) and the Panorama virtual or M-Series appliance (server).
  - Select Panorama > Certificate Management > Certificate Profile.
  - If you configure an intermediate CA as part of the certificate profile, you must also include the root CA.
- Configure an SSL/TLS service profile.
  - Select Panorama > Certificate Management > SSL/TLS Service Profile.
  - Configure an SSL/TLS service profile to define the certificate and protocol that the WildFire and Panorama appliances use for SSL/TLS services.
- Configure secure server communication on the Panorama appliance.
  - Select Panorama > Setup > Management and click Edit to select Customize Secure Server Communication.
  - Enable the Customize Secure Server Communication feature.
  - Select the SSL/TLS Service Profile.
  - Select the certificate profile from the Certificate Profile drop-down.
  - Verify that Custom Certificates Only is disabled (cleared). This allows Panorama to continue communicating with WildFire using the predefined certificate while you migrate to custom certificates.
  - (Optional) Configure an authorization list.
    - Add an Authorization List.
    - Select the Subject or Subject Alt Name configured in the certificate profile as the Identifier type.
    - Enter the Common Name if the identifier is Subject, or an IP address, hostname, or email if the identifier is Subject Alt Name.
    - Click OK.
    - Enable the Check Authorization List option to configure Panorama to enforce the authorization list.
  - Click OK.
  - Commit your changes.
- Import the CA certificate to validate the certificate on Panorama.
  - Log in to the Panorama user interface.
  - Configure a local or a SCEP certificate for the WildFire appliance.
    - If you are using a local certificate, import the key pair for the WF-500 appliance.
    - If you are using SCEP for the WildFire appliance certificate, configure a SCEP profile.
  - Configure the certificate profile for the WildFire appliance.
    - Select Panorama > Certificate Management > Certificate Profile.
- Deploy custom certificates on each managed WildFire appliance.
  - Log in to Panorama.
  - Select Panorama > Managed WildFire Appliances and click a cluster or appliance name.
  - Select Communications.
  - Under Secure Client Communications, select the Certificate Type, Certificate, and Certificate Profile from the respective drop-downs.
  - Click OK.
  - Commit your changes.
- After deploying custom certificates on all managed WildFire appliances, enforce custom-certificate authentication.
  - Select Panorama > Setup > Management and Edit the Secure Communications Settings.
  - Allow Custom Certificate Only.
  - Click OK.
  - Commit your changes.
After committing this change, the disconnect wait time begins counting down. When the wait time ends, Panorama and its managed WildFire appliances cannot connect without the configured certificates.
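The procedure above assumes you already have the key pairs and CA certificates, and it warns that a certificate profile holding an intermediate CA must also hold the root CA. The following script is an added example (not part of the Palo Alto Networks documentation and not Panorama or WildFire code) that builds that material with openssl: a root CA, an intermediate CA, a server key pair for Panorama and a client key pair for the WildFire appliance. It then checks the chain the way the certificate profile will, showing that the intermediate CA alone does not validate the leaf, and extracts the Subject CN and DNS SAN that an authorization list identifier would have to match. The CA names, the host names panorama.example.test and wildfire.example.test, and the output directory are all assumed values.

```shell
#!/bin/sh
# Added example, not from the Palo Alto Networks documentation: build the
# certificate material this procedure asks for with openssl, then check it the
# way the certificate profile and authorization list will. Every name here
# (Example Root CA, Example Issuing CA, panorama.example.test,
# wildfire.example.test) and the output directory are assumed values.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

# Issue a leaf certificate from the intermediate CA (run inside $PKI_DIR).
# $1 = file base name, $2 = host name used as CN and DNS SAN, $3 = extended key usage
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\nsubjectAltName=DNS:%s\n' \
    "$3" "$2" > "$1.ext"
  openssl x509 -req -sha256 -days 825 -in "$1.csr" -CA inter.crt -CAkey inter.key \
    -CAcreateserial -extfile "$1.ext" -out "$1.crt" >/dev/null 2>&1
}

# Create a root CA, an intermediate CA, a server key pair for Panorama and a
# client key pair for the WildFire appliance, all under $PKI_DIR.
make_pki() {
  mkdir -p "$PKI_DIR"
  (
    cd "$PKI_DIR"
    # Root CA: self-signed, CA:TRUE.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root CA" \
      -keyout root.key -out root.csr >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
    openssl x509 -req -sha256 -days 3650 -in root.csr -signkey root.key \
      -extfile root.ext -out root.crt >/dev/null 2>&1
    # Intermediate (issuing) CA signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Issuing CA" \
      -keyout inter.key -out inter.csr >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
    openssl x509 -req -sha256 -days 1825 -in inter.csr -CA root.crt -CAkey root.key \
      -CAcreateserial -extfile inter.ext -out inter.crt >/dev/null 2>&1
    # Server certificate for Panorama (used by the SSL/TLS service profile) and
    # client certificate for the WildFire appliance (secure client communication).
    issue_leaf panorama panorama.example.test serverAuth
    issue_leaf wildfire wildfire.example.test clientAuth
    # What the certificate profile must hold: the intermediate AND the root CA.
    cat inter.crt root.crt > chain.crt
  )
}

# Verify a leaf certificate against a CA bundle, as a certificate profile would.
# Returns 0 when the chain is trusted, non-zero otherwise.
verify_leaf() {  # $1 = leaf certificate, $2 = CA bundle
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Subject CN of a certificate: the value to enter for a Subject identifier in
# the authorization list.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# First DNS SAN of a certificate: the value for a Subject Alt Name identifier.
cert_dns_san() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
    | sed -n 's/.*DNS:\([^,[:space:]]*\).*/\1/p' | head -n 1
}

make_pki
echo "PKI written to $PKI_DIR"
# A profile holding only the intermediate CA cannot complete the chain; the
# same bundle with the root CA appended can.
if verify_leaf "$PKI_DIR/wildfire.crt" "$PKI_DIR/inter.crt"; then
  echo "intermediate alone: trusted (unexpected)"
else
  echo "intermediate alone: NOT trusted (root CA missing from the profile)"
fi
if verify_leaf "$PKI_DIR/wildfire.crt" "$PKI_DIR/chain.crt"; then
  echo "intermediate + root: trusted"
fi
echo "authorization list Subject identifier:          $(cert_cn "$PKI_DIR/wildfire.crt")"
echo "authorization list Subject Alt Name identifier: $(cert_dns_san "$PKI_DIR/wildfire.crt")"
```

Run it with `sh` on any host with openssl. The `verify_leaf` failure against `inter.crt` alone is the same condition the certificate profile hits when the root CA is omitted, and the two identifier values printed at the end are what the authorization list must contain for the WildFire appliance's certificate to be accepted once Check Authorization List is enabled.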