WildFire Appliance-to-Appliance Encryption
Table of Contents
Expand all | Collapse all
-
- WildFire Saudi Arabia Cloud
- WildFire Israel Cloud
- WildFire South Korea Cloud
- WildFire Qatar Cloud
- WildFire France Cloud
- WildFire Taiwan Cloud
- WildFire Indonesia Cloud
- WildFire Poland Cloud
- WildFire Switzerland Cloud
- Advanced WildFire Support for Intelligent Run-time Memory Analysis
- Shell Script Analysis Support for Wildfire Inline ML
- Standalone WildFire API Subscription
- WildFire India Cloud
- MSI, IQY, and SLK File Analysis
- MS Office Analysis Support for Wildfire Inline ML
- WildFire Germany Cloud
- WildFire Australia Cloud
- Executable and Linked Format (ELF) Analysis Support for WildFire Inline ML
- Global URL Analysis
- WildFire Canada Cloud
- WildFire UK Cloud
- HTML Application and Link File Analysis
- Recursive Analysis
- Perl Script Analysis
- WildFire U.S. Government Cloud
- Real Time WildFire Verdicts and Signatures for PDF and APK Files
- Batch File Analysis
- Real Time WildFire Verdicts and Signatures for PE and ELF Files
- Real Time WildFire Verdicts and Signatures for Documents
- Script Sample Analysis
- ELF Malware Test File
- Email Link Analysis Enhancements
- Sample Removal Request
- Updated WildFire Cloud Data Retention Period
- DEX File Analysis
- Network Traffic Profiling
- Additional Malware Test Files
- Dynamic Unpacking
- Windows 10 Analysis Environment
- Archive (RAR/7z) and ELF File Analysis
- WildFire Analysis of Blocked Files
- WildFire Phishing Verdict
WildFire Appliance-to-Appliance Encryption
You can now encrypt WildFire® communications between
appliances deployed in a cluster. Prior to 8.1 and by default, WildFire
appliances send data using cleartext when communicating with management
appliances as well as WildFire cluster peers. You can use either
predefined or custom certificates to authenticate connections between WildFire
appliance peers using the IKE/IPsec protocol. The predefined certificates
meet current FIPS/CC/UACPL-approved certification and compliance
requirements. If you want to use custom certificates instead, you
must select a FIPS/CC/UACPL-compliant certificate or you will not
be able to import the certificate.
You can configure WildFire appliance-to-appliance encryption
locally using the WildFire CLI or centrally through Panorama. Keep
in mind, all WildFire appliances within a given cluster must run
a version of PAN-OS that supports encrypted communications.
If the WildFire appliances in your cluster uses FIPS/CC
mode, encryption is automatically enabled using predefined certificates.
Before configuring WildFire appliance-to-appliance encryption,
be sure to review your existing WildFire secure communications configuration.
If you previously configured the WildFire appliance and the firewall
for secure communications using a custom certificate, you can use
that custom certificate and the requisite DNS name for configuring
secure communications between WildFire appliances.
It is imperative that you use the correct, matching DNS
name in the
register firewall to:
field in
Panorama. Failure to do so will prevent appliance-to-appliance encryption
from working as intended.The following tables describe the high-level tasks involved in
configuring WildFire appliance-to-appliance encryption. For detailed
instructions on these tasks, refer to the WildFire Administration Guide for the
full installation procedure.
Configuration Using
Custom Certificates through Panorama | Configuration Using Predefined Certificates
through Panorama |
|---|---|
|
|
Configuration Using
Custom Certificates through the WildFire CLI | Configuration Using Predefined Certificates
through the CLI |
|---|---|
To configure the WildFire
appliance for encrypted communications, you must enable and configure
the following on the active-controller in 2-node clusters. If your
cluster has 3 or more nodes, you must also duplicate the configuration
on the server nodes. | |
|
|