: Configure a Custom Certificate for a Panorama Managed WildFire Appliance
Focus
Focus

Configure a Custom Certificate for a Panorama Managed WildFire Appliance

Table of Contents

Configure a Custom Certificate for a Panorama Managed WildFire Appliance

Configure secure server communication for the WildFire® appliance and secure client communication for firewalls and Panorama™ through the Panorama user interface.
If you use Panorama™ to manage your WildFire® appliance or WildFire cluster, you can configure custom certificate authentication through the Panorama web interface instead of using WildFire appliance CLI. The firewall or Panorama uses this connection to forward samples to WildFire for analysis.
This procedure describes how to install a unique certificate on a single WildFire appliance. If the WildFire appliance is part of a cluster, that device and each cluster member has a unique client certificate. To deploy a single certificate to all WildFire appliances in the cluster, see Configure Authentication with a Single Custom Certificate for a WildFire Cluster.
  1. Obtain key pairs and certificate authority (CA) certificates for the WildFire appliance and the firewall.
  2. Import the CA certificate to validate the identity of the firewall and the key pair for the WildFire appliance.
    1. Select
      Panorama
      Certificate Management
      Certificates
      Import
      .
    2. Import the CA certificate and the key pair on Panorama.
  3. Configure a certificate profile that includes the root CA and intermediate CA. This certificate profile defines how the WildFire appliance and the firewalls authenticate mutually.
    1. Select
      Panorama
      Certificate Management
      Certificate Profile
      .
    2. If you configure an intermediate CA as part of the certificate profile, you must also include the root CA.
  4. Configure an SSL/TLS profile for the WildFire appliance.
    PAN-OS 8.0 and later releases support only TLS 1.2 and higher so ou must set the max version to
    TLS 1.2
    or
    max
    .
    1. Select
      Panorama
      Certificate Management
      SSL/TLS Service Profile
      .
    2. Configure an SSL/TLS service profile to define the certificate and protocol that the WildFire appliance and its the firewalls use for SSL/TLS services.
  5. Configure Secure Server Communication on WildFire.
    1. Select
      Panorama
      Managed WildFire Clusters
      or
      Panorama
      Managed WildFire Appliances
      and select a cluster or appliance.
    2. Select
      Communication
      .
    3. Enable the
      Customize Secure Server Communication
      feature.
    4. Select the
      SSL/TLS Service Profile
      . This SSL/TLS service profile applies to all SSL connection between the WildFire appliance and the firewall or Panorama.
    5. Select the
      Certificate Profile
      you configured for communication between the WildFire appliance and the firewall or Panorama.
    6. Verify that
      Custom Certificates Only
      is disabled (cleared). This allows the WildFire appliance to continue communicating with the firewalls with the predefined certificate while migrating to custom certificates.
    7. (
      Optional
      ) Configure an authorization list.
      1. Add
        an Authorization List.
      2. Select the
        Subject
        or
        Subject Alt Name
        configured in the certificate profile as the Identifier type.
      3. Enter the Common Name if the identifier is Subject or enter an IP address, hostname, or email if the identifier is Subject Alt Name.
      4. Click
        OK
        .
      5. Enable
        Check Authorization List
        to enforce the list.
    8. Click
      OK
      .
    9. Commit
      your changes.
  6. Import the CA certificate to validate the certificate for the WildFire appliance.
    1. Log in to the firewall web interface.
  7. Configure a local or SCEP certificate for the firewall.
  8. Configure the certificate profile for the firewall or Panorama. You can configure this profile on each client firewall or Panorama appliance individually or you can use a template to push the configuration from Panorama to managed firewalls.
    1. Select
      Device
      Certificate Management
      Certificate Profile
      for firewalls or
      Panorama
      Certificate Management
      Certificate Profile
      for Panorama.
  9. Deploy custom certificates on each firewall or Panorama appliance.
    1. Log in to the firewall web interface.
    2. Select
      Device
      Setup
      Management
      for a firewall or
      Panorama
      Setup
      Management
      for Panorama and
      Edit
      the Secure Communication Settings.
    3. Select the
      Certificate Type
      ,
      Certificate
      , and
      Certificate Profile
      .
    4. In the Customize Communication settings, select
      WildFire Communication
      .
    5. Click
      OK
      .
    6. Commit
      your changes.
  10. After deploying custom certificates on all managed devices, enforce custom-certificate authentication.
    1. Log in to Panorama.
    2. Select
      Panorama
      Managed WildFire Clusters
      or
      Panorama
      Managed WildFire Appliances
      and select a cluster or appliance.
    3. Select
      Communication
      .
    4. Select
      Custom Certificate Only
      .
    5. Click
      OK
      .
    6. Commit
      your changes.
    After committing this change, WildFire immediately begins the enforcement of custom certificates.

Recommended For You