Apply Custom Certificates on a WildFire Appliance Configured through Panorama

Use custom certificates to establish mutual authentication for the connection Panorama™ uses to push configurations to your managed WildFire® appliance or cluster.
By default, Panorama™ uses a predefined certificate when communicating with a WildFire® appliance to push configurations. You can alternatively configure custom certificates to establish mutual authentication for the connection Panorama uses to push configurations to a managed WildFire appliance or cluster. Complete the following procedure to configure the server certificate on Panorama and the client certificate on the WildFire appliance.
  1. Obtain key pairs and certificate authority (CA) certificates for Panorama and the WildFire appliance.
  2. Import the CA certificate to validate the identity of the WildFire appliance and the key pair for Panorama.
    1. Select Panorama > Certificate Management > Certificates > Import.
    2. Import the CA certificate and the key pair on Panorama.
  3. Configure a certificate profile that includes the root CA and intermediate CA. This certificate profile defines the authentication between the WildFire appliance (client) and the Panorama virtual or M-Series appliance (server).
    1. Select Panorama > Certificate Management > Certificate Profile.
    2. If you configure an intermediate CA as part of the certificate profile, you must also include the root CA.
  4. Configure an SSL/TLS service profile.
    1. Select Panorama > Certificate Management > SSL/TLS Service Profile.
    2. Configure an SSL/TLS service profile to define the certificate and protocol that the WildFire and Panorama appliances use for SSL/TLS services.
  5. Configure secure server communication on the Panorama appliance.
    1. Select Panorama > Setup > Management and click Edit to select Customize Secure Server Communication.
    2. Enable the Customize Secure Server Communication feature.
    3. Select the SSL/TLS Service Profile.
    4. Select the certificate profile from the Certificate Profile drop-down.
    5. Verify that Custom Certificates Only is disabled (cleared). This allows Panorama to continue communicating with WildFire with the predefined certificate while migrating to custom certificates.
    6. (Optional) Configure an authorization list.
      1. Add an Authorization List.
      2. Select the Subject or Subject Alt Name configured in the certificate profile as the Identifier type.
      3. Enter the Common Name if the identifier is Subject, or an IP address, hostname, or email if the identifier is Subject Alt Name.
      4. Click OK.
      5. Enable the Check Authorization List option to configure Panorama to enforce the authorization list.
    7. Click OK.
    8. Commit your changes.
  6. Import the CA certificate to validate the certificate on Panorama.
    1. Log in to the Panorama user interface.
  7. Configure a local or a SCEP certificate for the WildFire appliance.
    1. If you are using a local certificate, import the key pair for the WF-500 appliance.
    2. If you are using SCEP for the WildFire appliance certificate, configure a SCEP profile.
  8. Configure the certificate profile for the WildFire appliance.
    1. Select Panorama > Certificate Management > Certificate Profile.
  9. Deploy custom certificates on each managed WildFire appliance.
    1. Log in to Panorama.
    2. Select Panorama > Managed WildFire Appliances and click a cluster or appliance name.
    3. Select Communications.
    4. Under Secure Client Communications, select the Certificate Type, Certificate, and Certificate Profile from the respective drop-downs.
    5. Click OK.
    6. Commit your changes.
  10. After deploying custom certificates on all managed WildFire appliances, enforce custom-certificate authentication.
    1. Select Panorama > Setup > Management and Edit the Secure Communications Settings.
    2. Select Allow Custom Certificate Only.
    3. Click OK.
    4. Commit your changes.
    After committing this change, the disconnect wait time begins counting down. When the wait time ends, Panorama and its managed WildFire appliances cannot connect without the configured certificates.
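The following is an added example for steps 1 and 3, not Palo Alto Networks tooling or content from this page: a POSIX shell script that uses openssl to build a root CA, an intermediate CA, a server key pair for Panorama and a client key pair for the WildFire appliance, then checks that each key belongs to its certificate and that a leaf validates only when both the root and the intermediate are trusted. The CA names and the hostnames panorama.example.test and wf500.example.test are placeholder assumptions.

```shell
# Constructed example, not Palo Alto Networks tooling: build a root CA, an
# intermediate CA, a server certificate for Panorama and a client certificate
# for the WildFire appliance, then check them the way the profiles will.
# Hostnames are placeholders; everything is written to a scratch directory.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Self-signed root CA.
openssl req -new -batch -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
  -extfile ca.ext -out root.crt 2>/dev/null

# Intermediate CA signed by the root.
openssl req -new -batch -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1825 -sha256 -extfile ca.ext -out int.crt 2>/dev/null

# issue_leaf NAME CN EKU SAN: leaf certificate signed by the intermediate.
issue_leaf() {
  openssl req -new -batch -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\nsubjectAltName=%s\n' \
    "$3" "$4" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA int.crt -CAkey int.key -CAcreateserial \
    -days 365 -sha256 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}
issue_leaf panorama panorama.example.test serverAuth DNS:panorama.example.test
issue_leaf wildfire wf500.example.test clientAuth DNS:wf500.example.test

# key_matches_cert NAME: the key pair you import must belong together.
key_matches_cert() {
  [ "$(openssl x509 -in "$1.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$1.key" -pubout 2>/dev/null)" ]
}
# verify_chain NAME: succeeds only when root AND intermediate are trusted,
# which is the chain a certificate profile must carry.
verify_chain() {
  cat root.crt int.crt > chain.pem
  openssl verify -CAfile chain.pem "$1.crt" >/dev/null 2>&1
}
# verify_without_root NAME: an intermediate alone is not a trust anchor, so
# this fails, which is why step 3 says to include the root CA as well.
verify_without_root() {
  openssl verify -CAfile int.crt "$1.crt" >/dev/null 2>&1
}
```

The generated root.crt and int.crt are what you import into the certificate profile, panorama.key/panorama.crt is the Panorama key pair for step 2, and wildfire.key/wildfire.crt is the local key pair for step 7.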
