Authentication with Custom Certificates for Redistribution

End-of-Life (EoL)

Configure a custom certificate or SSL/TLS service profile to secure communication between redistribution clients and redistribution agents.
To establish a unique chain of trust between the devices in your network, you can configure a certificate profile or SSL/TLS service profile that uses a custom certificate (instead of the predefined certificate) for mutual authentication during redistribution. The firewall or Panorama uses the certificate profile to validate the peer's certificate when the connection is established: a certificate that does not chain to a Certificate Authority (CA) in the profile is rejected, even if its subject name matches. The profile applies globally to all redistribution agents, so every agent must present a certificate issued under the same chain of trust.
You can also use a custom certificate for the Windows User-ID agent. You must install the root CA certificate for the custom certificate in the Windows Trust Store of the agent host.
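The following is an added example, not part of the PAN-OS documentation, that builds the kind of private chain of trust this configuration depends on with the openssl CLI and then performs the checks a certificate profile performs on connect: chain validation against a single trusted root, purpose (server certificate for the agent, client certificate for the firewall or Panorama), and hostname binding. The hostnames, CA names and file prefixes are placeholders chosen for the example; it only requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the PAN-OS documentation): a private chain of trust
# for redistribution mTLS, built with the openssl CLI. CA names, hostnames and
# file prefixes are assumed placeholders.
set -eu

PKI="${PKI:-$(mktemp -d)}"

# Minimal self-contained openssl config so nothing depends on the host's
# openssl.cnf. $1 = subject CN.
write_cnf() {
  printf '[ req ]\nprompt = no\ndistinguished_name = dn\n[ dn ]\nCN = %s\n' "$1"
  printf '[ v3_ca ]\nbasicConstraints = critical, CA:TRUE\n'
  printf 'keyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n'
}

# make_ca <prefix> <CN>: self-signed root CA. This is the root that goes into
# the certificate profile (and into the Windows Trust Store of the agent host).
make_ca() {
  write_cnf "$2" > "$PKI/$1.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$PKI/$1.cnf" -extensions v3_ca \
    -keyout "$PKI/$1.key" -out "$PKI/$1.crt" 2>/dev/null
}

# issue_cert <ca-prefix> <prefix> <dns-name> <eku>: leaf certificate bound to
# one DNS name. eku is serverAuth (agent side) or clientAuth (firewall/Panorama).
issue_cert() {
  write_cnf "$3" > "$PKI/$2.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$PKI/$2.cnf" \
    -keyout "$PKI/$2.key" -out "$PKI/$2.csr" 2>/dev/null
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\nextendedKeyUsage = %s\n' \
    "$3" "$4" > "$PKI/$2.ext"
  openssl x509 -req -sha256 -days 365 -in "$PKI/$2.csr" \
    -CA "$PKI/$1.crt" -CAkey "$PKI/$1.key" -CAcreateserial \
    -extfile "$PKI/$2.ext" -out "$PKI/$2.crt" 2>/dev/null
}

# verify_peer <ca-prefix> <prefix> <purpose> <expected-dns-name>: the checks a
# certificate profile applies to the peer certificate. Prints "ok" or "fail".
verify_peer() {
  if openssl verify -CAfile "$PKI/$1.crt" -purpose "$3" \
       -verify_hostname "$4" "$PKI/$2.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

build_pki() {
  make_ca redist-ca "Redistribution Root CA"   # the private root both sides trust
  make_ca other-ca  "Unrelated Root CA"        # a CA the profile must NOT trust
  issue_cert redist-ca agent uid-agent-01.example.internal serverAuth
  issue_cert redist-ca fw    fw-01.example.internal        clientAuth
  # Correct agent name, but issued by the wrong CA: must be rejected.
  issue_cert other-ca  rogue uid-agent-01.example.internal serverAuth
}

build_pki
echo "agent cert, trusted CA:          $(verify_peer redist-ca agent sslserver uid-agent-01.example.internal)"
echo "firewall cert as client:         $(verify_peer redist-ca fw sslclient fw-01.example.internal)"
echo "firewall cert offered as server: $(verify_peer redist-ca fw sslserver fw-01.example.internal)"
echo "same name, different CA:         $(verify_peer redist-ca rogue sslserver uid-agent-01.example.internal)"
```

The last two checks are the ones that matter in practice: a client certificate presented where a server certificate is expected fails the purpose check, and a certificate with the right hostname from a CA outside the profile fails chain validation. Keep the root CA key offline after issuing; only the CA certificate is needed on the firewall, Panorama and agent hosts.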

Authenticate the Firewall with the Redistribution Agent

  1. Create a custom SSL certificate profile for the firewall to use for outgoing connections.
  2. Configure the custom certificate profile for outgoing connections from the firewall.
    1. Select Device > Setup > Management > Secure Communication Settings.
    2. Edit the settings.
    3. Select the Customize Secure Server Communication option.
    4. Select the Certificate Profile you created in Step 1.
    5. Click OK.
  3. (Optional) To use the custom certificate profile for Streamlined and Resilient Redistribution, under Customize Communication select Data Redistribution.
  4. Commit your changes.
  5. Enter the following CLI command to confirm that the certificate profile (SSL config) uses Custom certificates:
     show redistribution agent state <agent-name>
     (where <agent-name> is the name of the redistribution agent, User-ID agent, or TS agent).

Authenticate the Redistribution Agent with the Firewall

  1. Create a custom SSL/TLS service profile for the firewall to use for incoming connections.
  2. Configure the custom SSL/TLS service profile for incoming connections to the firewall.
    1. Select Device > Setup > Management > Secure Communication Settings.
    2. Edit the settings.
    3. Select the Customize Secure Server Communication option.
    4. Select the SSL/TLS Service Profile you created in Step 1.
    5. Click OK.
  3. Commit your changes.
  4. Enter the following CLI command to confirm that the certificate profile (SSL config) uses Custom certificates:
     show redistribution service status

Authenticate Panorama with the Redistribution Agent

  1. Create a custom SSL certificate profile for Panorama to use for outgoing connections.
  2. Configure the custom certificate profile for outgoing connections from Panorama.
    1. Select Panorama > Setup > Management > Secure Communication Settings.
    2. Edit the settings.
    3. Select the Customize Secure Server Communication option.
    4. Select the Certificate Profile you created in Step 1.
    5. Click OK.
  3. (Optional) To use the custom certificate profile on Panorama for Streamlined and Resilient Redistribution, under Customize Communication select Data Redistribution.
  4. Commit your changes.
  5. Enter the following CLI command to confirm that the certificate profile (SSL config) uses Custom certificates:
     show redistribution agent state <agent-name>
     (where <agent-name> is the name of the redistribution agent, User-ID agent, or TS agent).

Authenticate the Redistribution Agent with Panorama

  1. Create a custom SSL/TLS service profile for Panorama to use for incoming connections.
  2. Configure the custom SSL/TLS service profile for incoming connections to Panorama.
    1. Select Panorama > Setup > Management > Secure Communication Settings.
    2. Edit the settings.
    3. Select the Customize Secure Server Communication option.
    4. Select the SSL/TLS Service Profile you created in Step 1.
    5. Click OK.
  3. Commit your changes.
  4. Enter the following CLI command to confirm that the certificate profile (SSL config) uses Custom certificates:
     show redistribution service status