Authentication Using Custom Certificates for WildFire, PAN-DB, and Between Log Collectors

You can now configure mutual authentication between WildFire® or PAN-DB appliances and other Palo Alto Networks appliances using custom certificates. This allows you to establish a unique chain of trust between WildFire or PAN-DB and connected Palo Alto Networks appliances instead of relying on predefined certificates for inter-device communication. You can generate these certificates locally on Panorama or the firewall, obtain them from a trusted third-party certificate authority (CA), or obtain certificates from your own enterprise CA.
Additionally, you can configure mutual authentication between Log Collectors in a Collector Group. Local Log Collectors use the same client and server certificates as Panorama.
You can configure the client certificate and certificate profile on each client device or push the configuration from Panorama to each device as part of a template.
This feature is an extension of Authentication Using Custom Certificates introduced in PAN-OS 8.0.
  • Custom certificates for a standalone WildFire appliance or a PAN-DB appliance—You can deploy custom certificates between a firewall and the WildFire or PAN-DB appliance that receives samples or URL information from it. In this case, the firewall acts as the client and the WildFire appliance or PAN-DB appliance acts as the server. Use the CLI to deploy custom certificates directly on the WildFire appliance or PAN-DB appliance.
  • Custom certificate for a WildFire appliance managed by Panorama—This allows you to configure custom certificate communication between a WildFire appliance and the firewalls that send it samples. In this deployment, the WildFire appliance is the server and the firewalls are the clients. However, you can complete the server and client communication configuration through the Panorama web interface instead of the WildFire appliance CLI.
  • Custom certificates for a WildFire appliance as a client—You can deploy custom certificates for the communication channel Panorama uses to push configuration information to a WildFire appliance. In this deployment, Panorama is the server and the WildFire appliance is the client.
  • Single custom certificate for a WildFire Cluster—Instead of assigning a unique certificate to each WildFire appliance in a cluster, you can assign a single, shared client certificate to the entire WildFire cluster and push that one certificate to every cluster member, rather than configuring a separate certificate for each. In this scenario, Panorama is the server and the WildFire cluster is the client.
  • Custom certificates for communication between Log Collectors—This allows you to configure custom server and client certificates for inter-Log Collector communication. You must configure secure server communication and secure client communication on each Log Collector in a Collector Group because the server and client roles are chosen dynamically.
The following procedure provides a high-level overview of the steps involved in deploying custom certificates on your WildFire appliance, PAN-DB appliance, or Log Collectors.
  1. Generate or obtain your server and client certificates.
    Based on the needs of your organization, choose one of the supported methods for generating or obtaining your custom certificates.
  2. Configure the server certificate profile and SSL/TLS service profile for the server.
  3. Configure Secure Server Communication on the server.
  4. Configure the client certificate profile for the client device. The method for configuring this profile depends on your deployment.
  5. Configure Secure Client Communication on the client devices.
  6. Enforce the use of custom certificates.
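As an added example (not Palo Alto Networks' code, and not a PAN-OS, Panorama or WildFire CLI command), the following openssl script builds a private enterprise CA and one leaf certificate for each role in the deployments above, then runs the chain-and-purpose check a TLS peer performs on each leaf. The host names and the working directory are constructed.

```shell
# Added example, not PAN-OS or Palo Alto Networks code. Assumes openssl 1.1.1 or 3.x on PATH.
# Builds one enterprise CA and a leaf per role, then checks each leaf for the role it will play.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # constructed scratch directory for keys and certificates
# Minimal req config: an empty DN section (subjects come from -subj) plus the CA extensions.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
# The enterprise CA: the only issuer each appliance's certificate profile needs to trust.
make_ca() {
  openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 3650 -subj "/CN=Example Enterprise CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}
# Issue a leaf signed by the CA. $1 = file stem, $2 = host name (CN and SAN), $3 = extendedKeyUsage.
issue() {
  stem=$1; host=$2; eku=$3
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$WORK/$stem.key" -out "$WORK/$stem.csr" 2>/dev/null
  printf 'extendedKeyUsage=%s\nsubjectAltName=DNS:%s\n' "$eku" "$host" > "$WORK/$stem.ext"
  openssl x509 -req -days 365 -in "$WORK/$stem.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/$stem.ext" -out "$WORK/$stem.crt" 2>/dev/null
}
# The chain-and-purpose check a TLS peer performs: $1 = stem, $2 = sslserver | sslclient.
# Succeeds only if the leaf chains to ca.crt AND its extendedKeyUsage permits that role.
verify_for() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$WORK/$1.crt" >/dev/null 2>&1
}
# One certificate per role described on this page (constructed host names).
build_all() {
  make_ca
  issue wildfire wildfire.example.internal serverAuth            # WildFire/PAN-DB: server to firewalls
  issue firewall fw01.example.internal clientAuth               # firewall: client
  issue logcoll  lc01.example.internal serverAuth,clientAuth    # Log Collector: either role, chosen dynamically
}
# Each role certificate must pass for the role it plays and fail for the role it does not.
check_roles() {
  verify_for wildfire sslserver && verify_for firewall sslclient &&
  verify_for logcoll sslserver && verify_for logcoll sslclient &&
  ! verify_for firewall sslserver && ! verify_for wildfire sslclient
}
build_all && check_roles && echo "role certificates chain to $WORK/ca.crt with the expected EKUs"
```

Only ca.crt needs to be trusted in each appliance's certificate profile; a certificate issued by any other CA, or one issued for the wrong role, fails the same check.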