Set Up Secure Communication with Panorama

To set up secure communication, use the following workflow:
  1. On your enterprise domain controller, create a DNS A record that points to the IP address of the Panorama log collector (for example, you can use the DNS snap-in available in Windows Administrative Tools to create the DNS record).
  2. Create the server certificate for the ESM components to use to trust and verify the identity of Panorama. The certificate must be generated from a certificate authority (CA) that is trusted by the ESM. The Common Name of the certificate must also identify Panorama using the name you specified in the DNS record.
    There are multiple methods for creating the server certificate; the following procedure describes how to create one from your Active Directory CA:
    1. Open IIS Manager and navigate to the level you want to manage.
    2. Double-click Server Certificates.
    3. In the Actions pane, click Create Domain Certificate.
    4. On the Distinguished Name Properties page of the Create Certificate Wizard, enter the information for your certificate. In the Common name field, make sure to specify Panorama using the name you used to identify the server in the DNS record.
    5. Click Next.
    6. On the Online Certification Authority page, in the Specify Online Certification Authority box, enter or select the name of a CA server in your Windows domain.
    7. Enter a Friendly name for the certificate and then click Finish.
    8. Export the certificate and private key as a PFX file.
  3. In Panorama, import the certificate.
    1. In Panorama, select Certificate Management > Certificates and then select Import.
    2. Enter a name to identify the certificate and browse to the PFX file containing the certificate and its private key.
    3. Select the file format as Encrypted Private Key and Certificate (PKCS12).
    4. Enter the Passphrase you used when creating the certificate and confirm it.
    5. Click OK. The Device Certificates tab displays the certificate with a Status of valid.
  4. Click the certificate Name and enable the Certificate for Secure Syslog, then click OK.
  5. On Panorama, associate the certificate that you configured for secure communication with the managed collector:
    1. Select Panorama > Managed Collectors > <collector> > General.
    2. Select the Inbound Certificate for Secure Syslog. This is the certificate you created and imported earlier in the workflow.
    3. Click OK and then Commit your changes.
  6. Enable communication between the ESM Server and Panorama to use TLS 1.1 and higher protocols.
    1. On the ESM Server, open regedit.exe: Click Start, and type regedit in the Run or Search field and press Enter.
    2. Browse to the following path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\
    3. Select Edit > New > DWORD (32-bit) Value.
    4. Name the value SchUseStrongCrypto.
    5. Double-click the new value and enter 1 as the value data in Hexadecimal format, then click OK.
    6. Reboot the ESM Server.
  7. Configure the ESM to forward logs to Panorama as described in Enable Log Forwarding to Panorama and then verify your connectivity.
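The checks a practitioner would run on the ESM Server around this workflow, as an added PowerShell example that is not part of the Palo Alto Networks documentation: it confirms the DNS A record (step 1) and the certificate's Common Name, private key and trusted issuer (step 2), applies the SchUseStrongCrypto registry value (step 6), and tests reachability of the collector port before log forwarding is enabled (step 7). $PanoramaFqdn, $PfxPath, $PfxPassword and $Port are assumed placeholders; the port default is an assumption (6514 is the RFC 5425 syslog-over-TLS port), so adjust it to your deployment.

```powershell
# Added example, not from the Palo Alto Networks documentation.
# Run in an elevated PowerShell session on the ESM Server.
# Assumed placeholders: replace with the name from your DNS A record,
# the exported PFX and its passphrase, and the collector's secure syslog port.
param(
    [string]$PanoramaFqdn = 'panorama-lc.example.com',
    [string]$PfxPath      = 'C:\certs\panorama.pfx',
    [string]$PfxPassword  = 'changeit',
    [int]$Port            = 6514   # assumption: RFC 5425 syslog-over-TLS default
)

# Step 1 check: the DNS A record for the log collector must resolve.
$dns = Resolve-DnsName -Name $PanoramaFqdn -Type A -ErrorAction Stop
Write-Host "A record: $PanoramaFqdn -> $($dns.IPAddress -join ', ')"

# Step 2 check: the Common Name must be the DNS name, the PFX must carry the
# private key (Panorama needs it), and the issuing CA must be trusted by this host.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $PfxPassword)
$cn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } |
       Select-Object -First 1) -replace '^CN=', ''
if ($cn -ne $PanoramaFqdn) { throw "Certificate CN '$cn' does not match DNS name '$PanoramaFqdn'" }
if (-not $cert.HasPrivateKey) { throw "PFX does not contain the private key" }
if (-not $cert.Verify()) { throw "Certificate chain does not validate against this host's trusted CAs" }
Write-Host "Certificate OK: CN=$cn, issuer=$($cert.Issuer), expires $($cert.NotAfter)"

# Step 6: make .NET on the ESM Server negotiate TLS 1.1 and higher (DWORD = 1).
$regPath = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
New-ItemProperty -Path $regPath -Name 'SchUseStrongCrypto' -PropertyType DWord -Value 1 -Force | Out-Null
$current = (Get-ItemProperty -Path $regPath -Name 'SchUseStrongCrypto').SchUseStrongCrypto
if ($current -ne 1) { throw "SchUseStrongCrypto is $current, expected 1" }
Write-Host "SchUseStrongCrypto=1 set; reboot the ESM Server for it to take effect."

# Step 7 pre-check: the collector port must be reachable before enabling forwarding.
$tcp = Test-NetConnection -ComputerName $PanoramaFqdn -Port $Port
if (-not $tcp.TcpTestSucceeded) { throw "TCP port $Port on $PanoramaFqdn is not reachable" }
Write-Host "TCP port $Port on $PanoramaFqdn is reachable."
```

Any throw identifies which step of the workflow above is incomplete; the registry change still requires the reboot in step 6 before the ESM Server uses it.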