Deploy Custom Certificates for Panorama HA

You can configure mutual authentication using custom certificates for securing the HA connection between Panorama HA peers. Complete the following procedure to obtain custom certificates and deploy them on your Panorama HA peers.
  1. Generate and deploy custom certificates on the primary Panorama.
    1. Generate a certificate authority (CA) certificate on Panorama.
    2. Configure a certificate profile that includes the root CA and intermediate CA.
    3. Configure an SSL/TLS service profile.
  2. Configure Secure Server Communication on the primary Panorama.
    1. Assign the SSL/TLS service and certificate profiles for secure server communication.
    2. Do not check Allow Custom Certificates Only until you have deployed custom certificates on your managed devices.
    3. Set the Disconnect Wait Time in minutes. This is the amount of time Panorama waits to terminate its current connection with managed devices before breaking that connection and reestablishing it using custom certificates for authentication. When you commit your configuration, the wait time countdown begins.
  3. Configure the client certificate profile on the secondary Panorama.
    Configure a certificate profile or profiles for the device or devices managed by Panorama.
  4. Configure Secure Client Communication on the secondary Panorama.
    1. Configure the Secure Client Connection settings. Assign the certificate and certificate profile for the firewall to use for authentication. Additionally, the firewall can verify the server’s identity by checking that the server’s IP address or FQDN matches the common name in the server certificate.
    2. Commit your changes. After committing your changes, the firewall will begin using the custom certificate when the disconnect wait time is complete and the server has terminated its current connection to the client.
  5. Enforce the use of custom certificates.
    After deploying client certificates on all managed devices, return to Panorama or the server Log Collector. By selecting Allow Custom Certificates Only, all devices managed by Panorama must use custom certificates. If not, authentication between the Panorama peers fails.
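The checks that the procedure above relies on can be reproduced outside Panorama. The following script is an added example, not Palo Alto Networks code: it builds the root CA and intermediate CA that a certificate profile would hold (step 1), issues a server certificate for the primary peer and a client certificate for the secondary peer, then verifies chain trust and the FQDN/IP identity match described in step 4, and shows that a certificate outside the CA chain is rejected, which is the effect of Allow Custom Certificates Only in step 5. It assumes OpenSSL 1.1.1 or later on PATH; every hostname and IP address in it is constructed for the example.

```shell
#!/bin/sh
# Added example: root CA -> intermediate CA -> leaf chain built with openssl,
# then checked the way a certificate profile with identity verification would.
# Assumes OpenSSL 1.1.1+ on PATH. All identities below are constructed.
set -eu

WORKDIR="$(mktemp -d)"
cd "$WORKDIR"

# Constructed identities for the two HA peers (hypothetical, not from the page).
SERVER_FQDN="panorama-primary.example.internal"
SERVER_IP="192.0.2.10"
CLIENT_FQDN="panorama-secondary.example.internal"

# Minimal req config so the run does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Step 1a: the root CA certificate (what Panorama generates as its CA).
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -config req.cnf -subj "/CN=Example Root CA" \
  -keyout root.key -out root.crt 2>/dev/null

# Step 1b: an intermediate CA signed by the root; root + intermediate together
# are what the certificate profile must contain.
openssl req -new -newkey rsa:2048 -nodes -sha256 -config req.cnf \
  -subj "/CN=Example Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1825 -sha256 -extfile inter.ext -out inter.crt 2>/dev/null

# issue_leaf NAME CN EKU SAN: issue a leaf certificate signed by the intermediate.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config req.cnf \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\nsubjectAltName=%s\n' "$3" "$4" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 825 -sha256 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# Server certificate for the SSL/TLS service profile on the primary peer. The
# SAN carries both the FQDN and the IP so either form of identity check works.
issue_leaf server "$SERVER_FQDN" serverAuth "DNS:$SERVER_FQDN,IP:$SERVER_IP"
# Client certificate for Secure Client Communication on the secondary peer.
issue_leaf client "$CLIENT_FQDN" clientAuth "DNS:$CLIENT_FQDN"

# A self-signed certificate that never touched our CA: stands in for a device
# still on a default certificate after Allow Custom Certificates Only is set.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 -config req.cnf \
  -subj "/CN=$CLIENT_FQDN" -keyout rogue.key -out rogue.crt 2>/dev/null

# verify_chain CERT: does CERT chain to root.crt through inter.crt?
verify_chain() {
  openssl verify -CAfile root.crt -untrusted inter.crt "$1" >/dev/null 2>&1
}

# verify_server_identity CERT NAME_OR_IP: chain check plus the "match the
# server's FQDN or IP address" check; tries a hostname match, then an IP match.
verify_server_identity() {
  openssl verify -CAfile root.crt -untrusted inter.crt -verify_hostname "$2" "$1" >/dev/null 2>&1 ||
  openssl verify -CAfile root.crt -untrusted inter.crt -verify_ip "$2" "$1" >/dev/null 2>&1
}

# has_eku CERT TEXT: does the certificate's extended key usage mention TEXT?
has_eku() {
  openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# Stand-alone run: report the chain result for each certificate.
for c in server client rogue; do
  if verify_chain "$c.crt"; then echo "$c.crt: chain OK"; else echo "$c.crt: chain REJECTED"; fi
done
if verify_server_identity server.crt "$SERVER_FQDN"; then echo "server identity matches $SERVER_FQDN"; fi
```

Running it prints `chain OK` for the server and client certificates and `chain REJECTED` for the self-signed one, which is the same outcome Panorama enforces once only custom certificates are allowed. The identity check is deliberately split into a hostname attempt and an IP attempt because a server certificate issued only with an FQDN will not match a peer configured by IP address, a common cause of the reconnect failing after the disconnect wait time expires.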
