Authentication with Custom Certificates for Redistribution
10.0 (EoL)
Configure a custom certificate or SSL/TLS profile to secure communication between the redistribution clients and the redistribution agents.
To establish a unique chain of trust between the devices in your network, you can now configure a certificate profile or SSL/TLS profile to use a custom certificate (instead of a predefined certificate) for mutual authentication during redistribution. The firewall or Panorama uses the certificate profile to validate the client’s certificate during connection. The profile applies globally to all redistribution agents.
You can also use a custom certificate for the Windows User-ID agent. You must install the Root Certificate Authority (CA) for the custom certificate in the Windows Trust Store of the agent host.
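The chain of trust described above can be prepared and checked offline before anything is imported into a device. The following is an added example, not part of the original page or the vendor's documentation: it uses the openssl CLI to create a private root CA, issue a certificate from it, and confirm that only certificates issued by that root validate against it. The names custom-root, other-root, redist-agent and stranger are constructed, and importing the results into the firewall, Panorama, or the Windows Trust Store is not shown.

```shell
#!/bin/sh
# Added example: private root CA, certificates issued from it, and a chain check.
# All names (custom-root, other-root, redist-agent, stranger) are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca <name>: create a self-signed root CA key and certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_cert <ca> <name>: create a key and CSR for <name>, then sign it with <ca>.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -days 90 -CAcreateserial \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -out "$WORK/$2.crt" 2>/dev/null
}

# chains_to <ca> <name>: succeed only if <name>'s certificate validates with <ca>
# as the trust anchor, the same kind of check applied to a peer's certificate.
chains_to() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

make_ca custom-root                   # the CA you control
make_ca other-root                    # stands in for any chain you did not issue
issue_cert custom-root redist-agent
issue_cert other-root stranger

for peer in redist-agent stranger; do
    if chains_to custom-root "$peer"; then
        echo "$peer: accepted (chains to custom-root)"
    else
        echo "$peer: rejected (not issued by custom-root)"
    fi
done
```

The files are written to a temporary directory that is deleted when the script exits; in a real deployment the root CA key would be generated and kept on a protected host.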
Authenticate the Firewall with the Redistribution Agent
- Create a custom SSL certificate profile for the firewall to use for outgoing connections.
- Configure the custom certificate profile for outgoing connections from the firewall.
  - Select Device > Setup > Management > Secure Communication Settings.
  - Edit the settings.
  - Select the Customize Secure Server Communication option.
  - Select the Certificate Profile you created in Step 1.
  - Click OK.
  - (Optional) To use the custom certificate profile for Streamlined and Resilient Redistribution, Customize Communication for Data Redistribution.
- Commit your changes.
- Enter the following CLI command to confirm the certificate profile (SSL config) uses Custom certificates: show redistribution agent state <agent-name> (where <agent-name> is the name of the redistribution agent, User-ID agent, or TS agent).
Authenticate the Redistribution Agent with the Firewall
- Create a custom SSL/TLS service profile for the firewall to use for incoming connections.
- Configure the custom SSL/TLS service profile for incoming connections to the firewall.
  - Select Device > Setup > Management > Secure Communication Settings.
  - Edit the settings.
  - Select the Customize Secure Server Communication option.
  - Select the SSL/TLS Service Profile you created in Step 1.
  - Click OK.
- Commit your changes.
- Enter the following CLI command to confirm the certificate profile (SSL config) uses Custom certificates: show redistribution service status.
Authenticate Panorama with the Redistribution Agent
- Create a custom SSL certificate profile for Panorama to use for outgoing connections.
- Configure the custom certificate profile for outgoing connections from Panorama.
  - Select Panorama > Setup > Management > Secure Communication Settings.
  - Edit the settings.
  - Select the Customize Secure Server Communication option.
  - Select the Certificate Profile you created in Step 1.
  - Click OK.
  - (Optional) To use the custom certificate profile on Panorama for Streamlined and Resilient Redistribution, Customize Communication for Data Redistribution.
- Commit your changes.
- Enter the following CLI command to confirm the certificate profile (SSL config) uses Custom certificates: show redistribution agent state <agent-name> (where <agent-name> is the name of the redistribution agent, User-ID agent, or TS agent).
Authenticate the Redistribution Agent with Panorama
- Create a custom SSL/TLS service profile for Panorama to use for incoming connections.
- Configure the custom SSL/TLS service profile for incoming connections to Panorama.
  - Select Panorama > Setup > Management > Secure Communication Settings.
  - Edit the settings.
  - Select the Customize Secure Server Communication option.
  - Select the SSL/TLS Service Profile you created in Step 1.
  - Click OK.
- Commit your changes.
- Enter the following CLI command to confirm the certificate profile (SSL config) uses Custom certificates: show redistribution service status.