Set Up Authentication Using Custom Certificates Between HA Peers

You can set up authentication using custom certificates to secure the HA connection between Panorama HA peers. Configure the Secure Communication Settings on both peers, because each peer must authenticate the other's certificate.
  1. Generate a certificate authority (CA) certificate on Panorama.
    1. Select Panorama > Certificate Management > Certificates.
  2. Configure a certificate profile that includes the root CA and intermediate CA.
    1. Select Panorama > Certificate Management > Certificate Profile.
  3. Configure an SSL/TLS service profile.
    1. Select Panorama > Certificate Management > SSL/TLS Service Profile.
    2. Configure an SSL/TLS service profile to define the certificate and the protocol versions that Panorama and its managed devices use for SSL/TLS services.
  4. Configure Secure Communication Settings on the primary Panorama HA peer.
    If you configure Secure Communication Settings on a Panorama in an HA configuration, you must also Customize Secure Server Communication. Otherwise, managed firewalls, Dedicated Log Collectors, and WildFire appliances are unable to connect to Panorama and PAN-OS functionality is impacted.
    1. Select Panorama > Setup > Management and Edit the Secure Communication Settings.
    2. For the Certificate Type, select Local.
    3. Select the Certificate and Certificate Profile you configured in the previous steps.
    4. Check (enable) HA Communication, WildFire Communication, and Data Redistribution.
    5. Check (enable) Customize Secure Server Communication.
    6. Select the SSL/TLS service profile from the SSL/TLS Service Profile drop-down. This SSL/TLS service profile applies to all SSL connections between Panorama, firewalls, Log Collectors, and Panorama's HA peers.
    7. Select the certificate profile from the Certificate Profile drop-down.
    8. Configure an authorization list.
      When you configure Secure Communication Settings for Panorama in an HA configuration, you must add the Panorama HA peer to the authorization list so that the peer's certificate is accepted.
      1. Click Add under Authorization List.
      2. Select Subject or Subject Alt Name as the Identifier type.
      3. Enter the Common Name (for Subject) or the Subject Alt Name value from the HA peer's certificate.
    9. (Optional) Verify that the Allow Custom Certificate Only check box is not selected. Leaving it cleared lets you continue managing all devices while you migrate them to custom certificates.
      When the Allow Custom Certificate Only check box is selected, Panorama does not authenticate, and therefore cannot manage, devices that still use predefined certificates.
    10. In Disconnect Wait Time (min), enter the number of minutes Panorama should wait before breaking and reestablishing the connection with its managed devices. This field is blank by default and the range is 0 to 44,640 minutes.
      The disconnect wait time does not begin counting down until you commit the new configuration.
    11. Click OK.
    12. Commit and Commit to Panorama.
    13. Repeat step 4 on the secondary Panorama HA peer.
      When you configure Secure Communication Settings on the secondary Panorama HA peer, add the primary HA peer to the authorization list as described above.
  5. Upgrade the client-side Panorama to PAN-OS 10.1.
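The following script is an added example, not PAN-OS or Panorama code. It builds, with the openssl command-line tool, the PKI that the procedure above relies on (a root CA and an intermediate CA, which together are what the certificate profile in step 2 trusts, plus one certificate per HA peer), and then reproduces in a shell function the two checks Panorama makes on a connecting peer in step 4: chain validation against the certificate profile, and a Subject or Subject Alt Name match against the authorization list. All hostnames, organization names and the authorization list entries are constructed for illustration, and the script assumes `openssl` is installed. The negative cases show why both checks are needed: a certificate from the same PKI whose name is not on the list is rejected, and so is a certificate carrying the expected name but issued by a CA the profile does not trust.

```shell
# Added example (not PAN-OS code): build the CA chain the procedure expects and
# mimic the checks Panorama makes when an HA peer connects. All names below are
# constructed for illustration; requires the openssl CLI.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# issue NAME SUBJECT ISSUER EXTENSIONS: create a key and an X.509 certificate.
# ISSUER is "" for a self-signed root, otherwise the basename of the signing CA.
issue() {
  name=$1 subj=$2 issuer=$3
  printf '%b\n' "$4" > "$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
    -subj "$subj" -out "$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 365 \
      -extfile "$name.ext" -out "$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.crt" -CAkey "$issuer.key" \
      -CAcreateserial -days 365 -extfile "$name.ext" -out "$name.crt" 2>/dev/null
  fi
}

CA_EXT='basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
# leaf_ext FQDN: extensions for an HA peer certificate carrying a DNS SAN.
leaf_ext() {
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:%s' "$1"
}

# Step 1 and 2: root and intermediate CA; the certificate profile trusts both.
issue root         '/O=Example/CN=Example Root CA'    ''   "$CA_EXT"
issue intermediate '/O=Example/CN=Example Issuing CA' root "$CA_EXT"
# Step 3 and 4: one certificate per HA peer, issued by the intermediate.
issue primary   '/O=Example/CN=panorama-primary.example.com'   intermediate "$(leaf_ext panorama-primary.example.com)"
issue secondary '/O=Example/CN=panorama-secondary.example.com' intermediate "$(leaf_ext panorama-secondary.example.com)"
# Negative cases: a device from the same PKI that is not on the list, and a
# certificate with the expected name from a CA the profile does not trust.
issue unlisted '/O=Example/CN=fw-branch.example.com'        intermediate "$(leaf_ext fw-branch.example.com)"
issue rogue-ca '/O=Rogue/CN=Rogue Root CA'                  ''           "$CA_EXT"
issue rogue    '/O=Rogue/CN=panorama-secondary.example.com' rogue-ca     "$(leaf_ext panorama-secondary.example.com)"

# Authorization list as configured on the primary peer (hypothetical entry):
# the secondary peer's Common Name, which also appears as its SAN.
AUTHORIZED='panorama-secondary.example.com'

# verify_peer CERT: prints "accept" when the chain validates against the
# profile's CAs and a Subject CN or SAN DNS name is on the authorization list,
# otherwise "reject".
verify_peer() {
  cert=$1
  # Certificate profile check: the chain must end at the trusted root via the intermediate.
  openssl verify -CAfile root.crt -untrusted intermediate.crt "$cert" >/dev/null 2>&1 \
    || { echo reject; return 0; }
  # Authorization list check: Subject CN or any DNS SAN must match an entry.
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  sans=$(openssl x509 -in "$cert" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://')
  for id in $AUTHORIZED; do
    for have in $cn $sans; do
      [ "$have" = "$id" ] && { echo accept; return 0; }
    done
  done
  echo reject
}

verify_peer secondary.crt   # accept
verify_peer primary.crt     # reject: the local peer is not on its own list
verify_peer unlisted.crt    # reject: trusted chain, but name not authorized
verify_peer rogue.crt       # reject: authorized name, but untrusted chain
```

Run the same script with `AUTHORIZED='panorama-primary.example.com'` to model the secondary peer's configuration from step 13. The chain check alone is not enough, because any device that holds a certificate from the same intermediate (a managed firewall, for example) would otherwise be accepted as an HA peer; the authorization list is what binds the HA role to a specific certificate identity.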
