Deploy Custom Certificates for Panorama HA
You can configure mutual authentication using custom certificates for securing the HA connection between Panorama HA peers. Complete the following procedure to obtain custom certificates and deploy them on your Panorama HA peers.
- Generate and deploy custom certificates on the primary Panorama.
  - Generate a certificate authority (CA) certificate on Panorama.
  - Configure a certificate profile that includes the root CA and intermediate CA.
  - Configure an SSL/TLS service profile.
- Configure Secure Server Communication on the primary Panorama.
  - Assign the SSL/TLS service and certificate profiles for secure server communication.
  - Do not check Allow Custom Certificates Only until you have deployed custom certificates on your managed devices.
  - Set the Disconnect Wait Time in minutes. This is how long Panorama waits before terminating its current connection with managed devices and reestablishing it using custom certificates for authentication. The countdown begins when you commit the configuration.
- Configure the client certificate profile on the secondary Panorama. Configure a certificate profile or profiles for the device or devices managed by Panorama.
- Configure Secure Client Communication on the secondary Panorama.
  - Configure the Secure Client Connection settings. Assign the certificate and certificate profile that the secondary Panorama (the client side) uses to authenticate itself. Optionally, have the client also verify the server's identity by checking that the server's IP address or FQDN matches the common name in the server certificate.
  - Commit your changes. After the commit, the client begins using the custom certificate once the disconnect wait time has elapsed and the server has terminated its current connection to the client.
- Enforce the use of custom certificates. After deploying client certificates on all managed devices, return to Panorama or the server Log Collector and select Allow Custom Certificates Only. From then on, all devices managed by Panorama, including the HA peer, must use custom certificates; otherwise authentication between the Panorama peers fails.
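The procedure above relies on two checks that are easy to reproduce outside the Panorama GUI: chain validation against the root and intermediate CA that go into the certificate profile, and the client-side match of the server's FQDN against its certificate. The script below is an added example, not code from the Palo Alto Networks page; it uses OpenSSL to build such a PKI (root CA, intermediate CA, a server certificate for the primary Panorama, a client certificate for the secondary) and then runs both checks, including the failure cases: a server certificate presented under the wrong FQDN, and a self-signed certificate that does not chain to the profile's CAs, which is what Allow Custom Certificates Only rejects. The FQDNs, file names and scratch directory are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the Palo Alto Networks page. Builds a root CA ->
# intermediate CA -> leaf certificate chain with OpenSSL and runs the chain and
# FQDN checks that custom-certificate authentication between Panorama HA peers
# depends on. FQDNs, file names and the work directory are assumptions.
set -u

WORK="${WORK:-$(mktemp -d)}"                    # assumed scratch directory
PRIMARY_FQDN="panorama-primary.example.com"     # assumed FQDN of the primary (server side)
SECONDARY_CN="panorama-secondary.example.com"   # assumed CN of the secondary (client side)

# issue_cert NAME CN EXTENSIONS [CAKEY CACERT]
# Generates a key and CSR for NAME with CN=CN, then signs it with CAKEY/CACERT
# (or self-signs when no CA is given), adding the X.509 EXTENSIONS ("\n"-separated).
issue_cert() {
    name=$1; cn=$2; ext=$3
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
        -subj "/CN=$cn" -out "$WORK/$name.csr" >/dev/null 2>&1 || return 1
    printf '%b\n' "$ext" > "$WORK/$name.ext"
    if [ $# -ge 5 ]; then
        openssl x509 -req -in "$WORK/$name.csr" -CA "$5" -CAkey "$4" -CAcreateserial \
            -days 365 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" >/dev/null 2>&1
    else
        openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -days 730 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" >/dev/null 2>&1
    fi
}

make_pki() {
    # Root CA, self-signed: the trust anchor listed in the certificate profile.
    issue_cert root "Example Root CA" \
        "basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign" || return 1
    # Intermediate CA, signed by the root and also listed in the certificate profile.
    issue_cert intermediate "Example Intermediate CA" \
        "basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign" \
        "$WORK/root.key" "$WORK/root.crt" || return 1
    # Server certificate for the primary Panorama: CN and SAN carry the FQDN that
    # the client compares against the address it connected to.
    issue_cert primary "$PRIMARY_FQDN" \
        "basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:$PRIMARY_FQDN" \
        "$WORK/intermediate.key" "$WORK/intermediate.crt" || return 1
    # Client certificate for the secondary Panorama.
    issue_cert secondary "$SECONDARY_CN" \
        "basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth" \
        "$WORK/intermediate.key" "$WORK/intermediate.crt" || return 1
    # Equivalent of the certificate profile: root plus intermediate CA in one bundle.
    cat "$WORK/root.crt" "$WORK/intermediate.crt" > "$WORK/ca-bundle.pem"
}

# A self-signed certificate that does not chain to the profile's CAs, standing in
# for a device that still presents a certificate not issued by those CAs.
make_rogue() {
    issue_cert rogue "$SECONDARY_CN" "basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth"
}

# Client-side check of the server: the chain must end in the profile's CAs and
# the certificate must name the FQDN (or address) the client connected to.
verify_server() {
    openssl verify -CAfile "$WORK/ca-bundle.pem" -verify_hostname "$2" \
        "$WORK/$1.crt" >/dev/null 2>&1
}

# Server-side check of a client: chain to the profile's CAs plus a client-auth
# usage, which is what Allow Custom Certificates Only enforces for every device.
verify_client() {
    openssl verify -CAfile "$WORK/ca-bundle.pem" -purpose sslclient \
        "$WORK/$1.crt" >/dev/null 2>&1
}

# Usage: sh panorama_ha_pki.sh run    (file name is assumed)
if [ "${1:-}" = run ]; then
    make_pki && make_rogue || exit 1
    verify_server primary "$PRIMARY_FQDN"     && echo "primary: chain OK, FQDN matches"
    verify_server primary "wrong.example.com" || echo "primary: FQDN mismatch rejected"
    verify_client secondary                   && echo "secondary: chains to profile CAs"
    verify_client rogue                       || echo "rogue: rejected, not issued by profile CAs"
fi
```

The bundle file plays the role of the certificate profile: only certificates that chain to the root and intermediate in it pass, which is why the profile must contain both CAs, and why a device still presenting a certificate from outside that chain is cut off once Allow Custom Certificates Only is selected. The hostname check is the optional server-identity verification from the Secure Client Connection settings; without it, a valid certificate issued by the same CAs for a different host would still be accepted.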