Configure Authentication with a Single Custom Certificate for a WildFire Cluster
10.0 (EoL)
Assign and push a single, shared certificate to an entire WildFire® cluster.

Instead of assigning unique certificates to each WildFire® appliance in a cluster, you can assign a single, shared client certificate to the entire WildFire cluster. This lets you push one certificate to all WildFire appliances in the cluster instead of configuring a separate certificate for each cluster member. Because the individual WildFire appliances share a client certificate, you must configure a unique hostname (DNS name) for each WildFire appliance. You can then add all the hostnames as certificate attributes of the shared certificate, or use a single-wildcard string that matches all the custom hostnames of the WildFire appliances in the cluster.

To configure a single custom certificate for your WildFire cluster to use when communicating with Panorama™, complete the following procedure.
- Obtain a server key pair and CA certificate for Panorama.
- Configure a certificate profile that includes the root certificate authority (CA) and the intermediate CA. This certificate profile defines the authentication between the WildFire cluster (client) and the Panorama appliance (server).
  - Select Panorama > Certificate Management > Certificate Profile.
  - Configure a certificate profile. If you configure an intermediate CA as part of the certificate profile, you must also include the root CA.
- Configure an SSL/TLS service profile.
  - Select Panorama > Certificate Management > SSL/TLS Service Profile.
  - Configure an SSL/TLS service profile to define the certificate and protocol that the WildFire cluster and Panorama appliance use for SSL/TLS services.
- Connect each node in the cluster to Panorama.
- Configure a unique hostname (DNS name) on each node in the cluster, or use a string with a single wildcard that matches all custom DNS names set on the WildFire appliances in the cluster. If you use a single-wildcard string, see RFC 6125, Section 6.4.3 for the requirements and limitations of wildcard values, and make sure you understand them when choosing your custom DNS names.
  - Log in to the WildFire CLI on a node.
  - Use the following commands to assign a unique custom DNS name to the node:
      admin@WF-500> configure
      admin@WF-500# set deviceconfig setting wildfire custom-dns-name <dns-name>
  - Commit your change.
  - Repeat this process for each node in the cluster.
- On Panorama, generate a client certificate for all nodes in the cluster. Under Certificate Attributes, add a hostname entry for each custom DNS name you assigned to the cluster nodes, or add one hostname entry with a single-wildcard string that matches all of the node hostnames, such as *.example.com. The wildcard option works only if each custom DNS name shares a common string.
- On Panorama, configure the certificate profile for the cluster client certificate.
  - Select Panorama > Certificate Management > Certificate Profile for Panorama.
  - Configure a certificate profile.
- Deploy custom certificates on each node. This certificate profile must contain the CA certificate that signed the Panorama server certificate.
  - Select Panorama > Managed WildFire Clusters and click the cluster name.
  - Select Communications.
  - Under Secure Client Communications, select the Certificate Type, Certificate, and Certificate Profile.
  - Click OK.
  - Commit your changes.
- Configure secure server communication on Panorama.
  - Select Panorama > Setup > Management and Edit to select Customize Secure Server Communication.
  - Enable Customize Secure Server Communication.
  - Select the SSL/TLS Service Profile. This SSL/TLS service profile applies to all SSL connections between WildFire and Panorama.
  - Select the Certificate Profile for Panorama.
  - Enable Custom Certificates Only.
  - Click OK.
  - Commit your changes.
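A pre-check for the wildcard hostname rule in the procedure above (RFC 6125, Section 6.4.3), written here as an added example and not part of the Palo Alto Networks documentation or product: before you generate the shared client certificate, it verifies that a single-wildcard string is well-formed under the RFC's restrictions (one wildcard, left-most label only, never spanning a label boundary), that every node's custom DNS name is unique, and that the string matches each node hostname. The node names and patterns are constructed sample values.

```python
import re
from typing import List, Optional

# Constructed sample: custom DNS names assigned to three cluster nodes with
# "set deviceconfig setting wildfire custom-dns-name" (illustrative values).
NODE_DNS_NAMES = ["wf-node1.example.com", "wf-node2.example.com",
                  "wf-node3.example.com"]
# One DNS label: letters, digits and hyphens, not starting or ending with "-".
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")

def validate_wildcard_pattern(pattern: str) -> Optional[str]:
    """RFC 6125 s6.4.3 checks; returns None if acceptable, else the reason."""
    labels = pattern.lower().rstrip(".").split(".")
    if pattern.count("*") != 1:
        return "the pattern must contain exactly one '*'"
    if "*" not in labels[0]:
        return "the wildcard must be in the left-most label"
    if labels[0].startswith("xn--"):
        return "a wildcard inside an IDNA A-label is not allowed"
    if len(labels) < 2 or not all(LABEL_RE.match(lb) for lb in labels[1:]):
        return "the labels after the wildcard must form a valid DNS name"
    return None

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Match hostname against a left-most-label wildcard; '*' never spans a dot."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # Equal label count and exact match of every label after the first.
    if len(p_labels) != len(h_labels) or p_labels[1:] != h_labels[1:]:
        return False
    prefix, _, suffix = p_labels[0].partition("*")  # "wf-*" -> ("wf-", "")
    first = h_labels[0]
    return (len(first) >= len(prefix) + len(suffix)
            and first.startswith(prefix) and first.endswith(suffix))

def check_cluster_coverage(pattern: str, node_names: List[str]) -> List[str]:
    """Problems found; empty means the wildcard entry covers every unique node."""
    reason = validate_wildcard_pattern(pattern)
    if reason:
        return [f"pattern {pattern!r}: {reason}"]
    names = [n.lower().rstrip(".") for n in node_names]
    problems = [f"hostname {d!r} is not unique in the cluster"
                for d in sorted({n for n in names if names.count(n) > 1})]
    problems += [f"hostname {n!r} is not matched by {pattern!r}"
                 for n in names if not wildcard_matches(pattern, n)]
    return problems

if __name__ == "__main__":
    print(check_cluster_coverage("*.example.com", NODE_DNS_NAMES))  # []
```

A node in a different subdomain (for example wf2.dc2.example.com) is reported as unmatched by *.example.com, because a wildcard covers only the left-most label; such a node needs its own hostname entry in the certificate attributes.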