Generate and deploy custom certificates on the
Generate a certificate authority (CA) certificate
Configure a certificate profile that includes the root CA and intermediate CA.
Configure an SSL/TLS service profile.
Configure Secure Server Communication on the primary
Assign the SSL/TLS service and certificate profiles for secure server communication.
Do not check Allow Custom Certificates until you have deployed custom certificates on your managed devices.
Disconnect Wait Time (minutes). This is the amount of time Panorama waits before terminating its current connection with managed devices and reestablishing it using custom certificates for authentication. When you commit your configuration, the wait-time countdown begins.
Configure the client certificate profile on the secondary
Configure Secure Client Communication on the secondary
Secure Client Connection
Assign the certificate and certificate profile that the firewall uses for authentication. Additionally, the firewall can verify the server's identity by checking that the server's IP address or FQDN matches the common name in the server certificate.
your changes. After committing your changes, the firewall begins using the custom certificate once the disconnect wait time has elapsed and the server has terminated its current connection to the client.
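The shell script below is an added example and is not from the Panorama documentation or any Palo Alto Networks tooling. It uses OpenSSL to build the certificate chain the earlier steps call for (a root CA, an intermediate CA, and a server certificate issued by the intermediate) and then checks it the way a certificate profile combined with the client-side identity check does: verification succeeds only when both the root and the intermediate are in the trust store, and only when the FQDN or IP address presented matches the server certificate. The CA names, `panorama.example.com`, `192.0.2.10` and the output directory are constructed placeholders. One caveat the page does not mention: current OpenSSL matches the name against the Subject Alternative Name when the certificate carries one and falls back to the common name only when it does not, so a certificate whose CN is correct but whose SAN lists a different name will be rejected.

```shell
#!/bin/sh
# Added example (not from the Panorama documentation): build a
# root CA -> intermediate CA -> server certificate chain with OpenSSL and
# verify it the way a certificate profile plus an FQDN/IP identity check would.
# All names, addresses and paths below are constructed placeholders.
set -eu

WORK="${1:-./custom-ca-demo}"        # output directory (constructed default)
SERVER_FQDN="panorama.example.com"   # placeholder FQDN of the server peer
SERVER_IP="192.0.2.10"               # placeholder address from the RFC 5737 test range

# make_chain DIR: create a root CA, an intermediate CA (pathlen:0) and a server
# certificate in DIR. P-256 keys keep generation fast; extensions come from
# explicit files so that no system openssl.cnf defaults leak into the certificates.
# Runs in a subshell so the cd does not affect the caller.
make_chain() (
  mkdir -p "$1" && cd "$1"

  # Minimal req config; -subj on the command line overrides the placeholder CN.
  printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' '[dn]' 'CN = placeholder' > req.cnf
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                'keyUsage=critical,keyCertSign,cRLSign' > root.ext
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
                'keyUsage=critical,keyCertSign,cRLSign' > intermediate.ext
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
                'keyUsage=critical,digitalSignature' \
                'extendedKeyUsage=serverAuth,clientAuth' \
                "subjectAltName=DNS:$SERVER_FQDN,IP:$SERVER_IP" > server.ext

  for name in root intermediate server; do
    openssl ecparam -name prime256v1 -genkey -noout -out "$name.key"
  done

  # Root CA: self-signed.
  openssl req -new -config req.cnf -key root.key -subj "/CN=Demo Root CA" -out root.csr
  openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
    -extfile root.ext -out root.pem

  # Intermediate CA: issued by the root; pathlen:0 stops it issuing further CAs.
  openssl req -new -config req.cnf -key intermediate.key \
    -subj "/CN=Demo Intermediate CA" -out intermediate.csr
  openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -days 1825 -sha256 -extfile intermediate.ext -out intermediate.pem

  # Server certificate: issued by the intermediate; names the FQDN and the IP.
  openssl req -new -config req.cnf -key server.key -subj "/CN=$SERVER_FQDN" -out server.csr
  openssl x509 -req -in server.csr -CA intermediate.pem -CAkey intermediate.key \
    -CAcreateserial -days 365 -sha256 -extfile server.ext -out server.pem

  # The bundle plays the role of a certificate profile holding root + intermediate.
  cat root.pem intermediate.pem > ca-bundle.pem
)

# verify_full_chain DIR NAME: trust root + intermediate and require NAME to
# match the server certificate (SAN first, common name only as a fallback).
verify_full_chain() {
  openssl verify -CAfile "$1/ca-bundle.pem" -verify_hostname "$2" "$1/server.pem" >/dev/null 2>&1
}

# verify_ip_full_chain DIR IP: same trust store, matching an IP address instead.
verify_ip_full_chain() {
  openssl verify -CAfile "$1/ca-bundle.pem" -verify_ip "$2" "$1/server.pem" >/dev/null 2>&1
}

# verify_root_only DIR: a profile that holds only the root cannot find the
# issuer of server.pem, so verification fails even though the root is trusted.
verify_root_only() {
  openssl verify -CAfile "$1/root.pem" "$1/server.pem" >/dev/null 2>&1
}

# Demonstration when run directly.
make_chain "$WORK"
verify_full_chain "$WORK" "$SERVER_FQDN";  echo "root+intermediate, FQDN matches: accepted"
verify_ip_full_chain "$WORK" "$SERVER_IP"; echo "root+intermediate, IP matches: accepted"
verify_full_chain "$WORK" "wrong.example.com" || echo "name mismatch: rejected"
verify_root_only "$WORK" || echo "intermediate missing from trust store: rejected"
```

Run it as `sh script.sh /tmp/demo`; the two negative cases are the ones worth keeping in mind when a peer stops connecting after the wait time elapses: a profile missing the intermediate, or a server certificate whose names do not include the address the client was told to connect to.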
Enforce the use of custom certificates.
After deploying client certificates on all managed devices, return to Panorama or the server Log Collector. By selecting Custom Certificate Only, all devices managed by Panorama must use custom certificates. If not, authentication between the Panorama peers fails.