Configure Appliance-to-Appliance Encryption Using Custom Certificates Centrally on Panorama

  1. Upgrade each managed WildFire appliance to PAN-OS 8.1.x. All managed appliances must be running PAN-OS 8.1 or later to enable appliance-to-appliance encryption.
  2. Verify that your WildFire appliance cluster has been properly configured and is operating in a healthy state.
  3. Review your existing WildFire secure communications configuration. Keep in mind that if you previously configured the WildFire appliance and the firewall for secure communications using a custom certificate, you can also use that custom certificate for secure communications between WildFire appliances.
    1. Select Panorama > Managed WildFire Clusters > WF_cluster_name > Communication.
    2. If Customize Secure Server Communication has been enabled and you would like to use that certificate, identify the details of the custom certificate being used. Otherwise, proceed to Step 5 to begin the process of installing a new custom certificate.
    3. Determine the custom certificate FQDN (DNS name) that will be used to define the firewall registration address in step 4.
      Make sure to note the custom certificate name and the associated FQDN. These are referenced several times during the configuration process.
  4. Configure the firewall registration address on Panorama.
    1. On Panorama, select Panorama > Managed WildFire Clusters > WF_cluster_name > General.
    2. In the Register Firewall To field, specify the DNS name used for authentication found in the custom certificate (typically the SubjectName or the SubjectAltName). For example, the default domain name is wfpc.service.mycluster.paloaltonetworks.com.
  5. Configure the WildFire Secure Server Communication settings on Panorama. If you already configured secure communications between the firewall and the WildFire cluster and are using the existing custom certificate, proceed to substep 4 (Custom Certificate Only).
    1. On Panorama, select Panorama > Managed WildFire Clusters > WF_cluster_name > Communication.
    2. Click Customize Secure Server Communication.
    3. Configure and deploy the custom certificates used by the WildFire appliances and the associated firewall. The SSL/TLS service profile defines the custom certificate used by the WildFire appliances to communicate with their WildFire appliance peers and with the firewall. You must also configure the custom certificate settings on the firewall associated with the WildFire appliance cluster; this is done later in step 9.
      1. Open the SSL/TLS Service Profile drop-down and click SSL/TLS Service Profile. Configure an SSL/TLS service profile with the custom certificate that you want to use. After you configure the SSL/TLS service profile, click OK and select the newly created SSL/TLS Service Profile.
      2. Open the Certificate Profile drop-down and click Certificate Profile. Configure a Certificate Profile that identifies the custom certificate used to establish secure connections between the firewall and WildFire appliances, as well as between peer WildFire appliances. After you configure the Certificate Profile, click OK and select the newly created profile.
    4. Select the Custom Certificate Only check box. This allows you to use the custom certificates that you configured instead of the default preconfigured certificates.
    5. (Optional) Configure an authorization list. The authorization list checks the custom certificate Subject or Subject Alt Name; if the Subject or Subject Alt Name presented with the custom certificate does not match an identifier on the authorization list, authentication is denied.
      1. Add an Authorization List.
      2. Select the Subject or Subject Alt Name configured in the custom certificate profile as the Identifier type.
      3. Enter the Common Name if the identifier is Subject, or an IP address, hostname, or email address if the identifier is Subject Alt Name.
      4. Click OK.
      5. Select Check Authorization List to enforce the authorization list.
    6. Click OK.
  6. Enable Secure Cluster Communication.
  7. (Recommended) Enable HA Traffic Encryption. This optional setting encrypts the HA traffic between the HA pair and is a Palo Alto Networks recommended best practice.
    HA Traffic Encryption cannot be disabled when operating in FIPS/CC mode.
  8. Click OK to save the WildFire Cluster settings.
  9. Configure the firewall Secure Communication Settings on Panorama to associate the WildFire appliance cluster with the firewall custom certificate. This provides a secure communications channel between the firewall and the WildFire appliance cluster. If you already configured secure communications between the firewall and the WildFire appliance cluster and are using the existing custom certificate, proceed to step 10.
    1. Select Device > Setup > Management > Secure Communication Settings and click the Edit icon in Secure Communication Settings to configure the firewall custom certificate settings.
    2. Select the Certificate Type, Certificate, and Certificate Profile from the respective drop-downs and configure them to use the custom certificate.
    3. Under Customize Communication, select WildFire Communication.
    4. Click OK.
  10. Commit your changes.
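Two of the steps above depend on what a presented custom certificate actually carries: the Register Firewall To name from step 4 has to appear as the certificate's Subject Common Name or as a Subject Alt Name, and the optional authorization list from step 5 denies authentication unless the selected identifier type (Subject Common Name, or an IP address, hostname or email address from the Subject Alt Name) matches a list entry. The following is an added example that models those two checks so you can verify a planned certificate and list before committing; it is not Palo Alto Networks code. The certificate fields are constructed sample data, and the case-insensitive name comparison and IP-address normalization are assumptions of this example rather than documented PAN-OS behaviour.

```python
"""Model of the certificate identity checks behind steps 4 and 5.5.

Added example, not Palo Alto Networks code. The certificate below is a
constructed stand-in for the fields an appliance reads from a presented
certificate. Case-insensitive name comparison and IP normalization are
assumptions of this example, not documented PAN-OS behaviour.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set

# The two identifier types offered by the Panorama authorization list.
SUBJECT = "Subject"
SAN = "Subject Alt Name"


@dataclass
class PresentedCertificate:
    """Identity fields extracted from a presented certificate (constructed)."""
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)
    san_ip: List[str] = field(default_factory=list)
    san_email: List[str] = field(default_factory=list)


def _norm(value: str) -> str:
    """Canonical form for comparison: IP addresses via ipaddress, names lowercased."""
    value = value.strip()
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return value.lower()


def certificate_identifiers(cert: PresentedCertificate, identifier_type: str) -> Set[str]:
    """Identifiers the certificate offers for the chosen authorization-list type.

    Subject -> only the Common Name (what step 5.5.3 asks you to enter).
    Subject Alt Name -> every IP address, hostname and email address in the SAN.
    """
    if identifier_type == SUBJECT:
        return {_norm(cert.subject_cn)}
    if identifier_type == SAN:
        return {_norm(v) for v in cert.san_dns + cert.san_ip + cert.san_email}
    raise ValueError(f"unknown identifier type: {identifier_type!r}")


def is_authorized(cert: PresentedCertificate, identifier_type: str,
                  authorization_list: List[str], check_enabled: bool = True) -> bool:
    """Apply the authorization list as step 5.5 describes: deny unless at least
    one identifier of the selected type matches a list entry. With Check
    Authorization List cleared (check_enabled=False) the list is not enforced."""
    if not check_enabled:
        return True
    wanted = {_norm(entry) for entry in authorization_list}
    return bool(certificate_identifiers(cert, identifier_type) & wanted)


def registration_name_matches(cert: PresentedCertificate, register_firewall_to: str) -> bool:
    """Step 4: the Register Firewall To DNS name must be present in the certificate
    as the Subject Common Name or as a SAN DNS name; otherwise firewalls cannot
    validate the cluster's certificate against the name they registered to."""
    name = _norm(register_firewall_to)
    return name == _norm(cert.subject_cn) or name in {_norm(d) for d in cert.san_dns}


# Constructed sample certificate; the CN is the page's default domain name,
# the other names and addresses are made up (documentation address ranges).
SAMPLE_CERT = PresentedCertificate(
    subject_cn="wfpc.service.mycluster.paloaltonetworks.com",
    san_dns=["wfpc.service.mycluster.paloaltonetworks.com", "wf-node1.example.internal"],
    san_ip=["192.0.2.10", "2001:db8::1"],
    san_email=["wildfire-admin@example.internal"],
)

if __name__ == "__main__":
    print(registration_name_matches(SAMPLE_CERT, "wfpc.service.mycluster.paloaltonetworks.com"))
    print(is_authorized(SAMPLE_CERT, SUBJECT, ["wfpc.service.mycluster.paloaltonetworks.com"]))
    # A SAN hostname is not consulted when the identifier type is Subject.
    print(is_authorized(SAMPLE_CERT, SUBJECT, ["wf-node1.example.internal"]))
    # Textual IPv6 variants normalize to the same address.
    print(is_authorized(SAMPLE_CERT, SAN, ["2001:DB8:0:0:0:0:0:1"]))
```

The main practical point the model makes visible: an authorization list of type Subject only ever sees the Common Name, so a cluster whose peers are identified by SAN hostnames needs the Subject Alt Name identifier type, and the Register Firewall To value should be one of the DNS names you can see in the certificate rather than a name you expect the firewall to resolve.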
