Configure Appliance-to-Appliance Encryption Using Custom Certificates
Centrally on Panorama
- Upgrade each managed WildFire appliance to PAN-OS 8.1.x. All managed appliances must be running PAN-OS 8.1 or later to enable appliance-to-appliance encryption.
- Verify that your WildFire appliance cluster has been properly configured and is operating in a healthy state.
- Review your existing WildFire secure communications configuration. Keep in mind, if you previously configured the WildFire appliance and the firewall for secure communications using a custom certificate, you can also use that custom certificate for secure communications between WildFire appliances.
- SelectPanorama >Managed WildFire Clusters> WF_cluster_name> Communication.
- IfCustomize Secure Server Communicationhas been enabled and you would like to use that certificate, identify the details of the custom certificate being used. Otherwise proceed to Step 5 to begin the process of installing a new custom certificate.
- Determine the custom certificate FQDN (DNS name) that will be used to define the firewall registration address in Step 4.Make sure to note the custom certificate name and the associated FQDN. These are referenced several times during the configuration process.
- Configure the firewall registration address on Panorama.
- On Panorama, selectPanorama >Managed WildFire Clusters> WF_cluster_name> General.
- In theRegister Firewall Tofield, specify the DNS name used for authentication found in the custom certificate (typically the SubjectName or the SubjectAltName). For example, the default domain name iswfpc.service.mycluster.paloaltonetworks.com
- Configure WildFireSecure Server Communicationsettings on Panorama. If you already configured secure communications between the firewall and the WildFire cluster and are using the existing custom certificate, proceed to Step 4 below.
- On Panorama, selectPanorama> Managed WildFire Clusters> WF_cluster_name> Communication.
- ClickCustomize Secure Server Communication.
- Configure and deploy custom certificates used by the WildFire appliances and the associated firewall. The SSL/TLS service profile defines the custom certificate used by WildFire appliances to communicate with WildFire appliance peers and to the firewall. You must also configure the custom certificate settings on the firewall associated with the WildFire appliance cluster. This is configured later in Step 9.
- Open the SSL/TLS Service Profile drop-down and click SSL/TLS Service Profile. Configure an SSL/TLS service profile with the custom certificate that you want to use. After you configure the SSL/TLS service profile, click OK and select the newly created SSL/TLS Service profile.
- Open the Certificate Profile drop-down and click Certificate Profile. Configure a Certificate Profile that identifies the custom certificate used to establish secure connections between the firewall and WildFire appliances, as well as between peer WildFire appliances. After you configure the Certificate Profile, click OK and select the newly created profile.
- Select theCustom Certificate Onlycheck box. This allows you to use the custom certificates that you configured instead of the default preconfigured certificates.
- (Optional) Configure an authorization list. The authorization list checks the custom certificate Subject or Subject Alt Name; if theSubjectorSubject Alt Namepresented with the custom certificate does not match an identifier on the authorization list, authentication is denied.
- Addan Authorization List.
- Select theSubjectorSubject Alt Nameconfigured in the custom certificate profile as the Identifier type.
- Enter the Common Name if the identifier is Subject or and IP address, hostname or email if the identifier is Subject Alt Name.
- SelectCheck Authorization Listto enforce the authorization list.
- EnableSecure Cluster Communication.
- (Recommended)EnableHA Traffic Encryption. This optional setting encrypts the HA traffic between the HA pair and is a Palo Alto Networks recommended best practice.HA Traffic Encryption cannot be disabled when operating in FIPS/CC mode.
- ClickOKto save theWildFire Clustersettings.
- Configure the firewallSecure Communication Settingson Panorama to associate the WildFire appliance cluster with the firewall custom certificate. This provides a secure communications channel between the firewall and WildFire appliance cluster. If you already configured secure communications between the firewall and the WildFire appliance cluster and are using the existing custom certificate, proceed to the next step.
- Selectand click theDeviceSetupManagement > Secure Communication SettingsEditicon inSecure Communication Settingsto configure the firewall custom certificate settings.
- Select theCertificate Type,Certificate, andCertificate Profilefrom the respective drop-downs and configure them to use the custom certificate.
- Under Customize Communication, selectWildFire Communication.
- Commityour changes.
Recommended For You
Recommended videos not found.