: Configure a Custom Certificate for a Panorama Managed WildFire Appliance
Focus
Focus

Configure a Custom Certificate for a Panorama Managed WildFire Appliance

Table of Contents
End-of-Life (EoL)

Configure a Custom Certificate for a Panorama Managed WildFire Appliance

Configure secure server communication for the WildFire® appliance and secure client communication for firewalls and Panorama™ through the Panorama user interface.
If you use Panorama™ to manage your WildFire® appliance or WildFire cluster, you can configure custom certificate authentication through the Panorama web interface instead of using WildFire appliance CLI. The firewall or Panorama uses this connection to forward samples to WildFire for analysis.
This procedure describes how to install a unique certificate on a single WildFire appliance. If the WildFire appliance is part of a cluster, that device and each cluster member has a unique client certificate. To deploy a single certificate to all WildFire appliances in the cluster, see Configure Authentication with a Single Custom Certificate for a WildFire Cluster.
  1. Obtain key pairs and certificate authority (CA) certificates for the WildFire appliance and the firewall.
  2. Import the CA certificate to validate the identity of the firewall and the key pair for the WildFire appliance.
    1. Select PanoramaCertificate ManagementCertificatesImport.
    2. Import the CA certificate and the key pair on Panorama.
  3. Configure a certificate profile that includes the root CA and intermediate CA. This certificate profile defines how the WildFire appliance and the firewalls authenticate mutually.
    1. Select PanoramaCertificate ManagementCertificate Profile.
    2. Configure a certificate profile.
      If you configure an intermediate CA as part of the certificate profile, you must also include the root CA.
  4. Configure an SSL/TLS profile for the WildFire appliance.
    PAN-OS 8.0 and later releases support only TLS 1.2 and higher so ou must set the max version to TLS 1.2 or max.
    1. Select PanoramaCertificate ManagementSSL/TLS Service Profile.
    2. Configure an SSL/TLS service profile to define the certificate and protocol that the WildFire appliance and its the firewalls use for SSL/TLS services.
  5. Configure Secure Server Communication on WildFire.
    1. Select PanoramaManaged WildFire Clusters or PanoramaManaged WildFire Appliances and select a cluster or appliance.
    2. Select Communication.
    3. Enable the Customize Secure Server Communication feature.
    4. Select the SSL/TLS Service Profile. This SSL/TLS service profile applies to all SSL connection between the WildFire appliance and the firewall or Panorama.
    5. Select the Certificate Profile you configured for communication between the WildFire appliance and the firewall or Panorama.
    6. Verify that Custom Certificates Only is disabled (cleared). This allows the WildFire appliance to continue communicating with the firewalls with the predefined certificate while migrating to custom certificates.
    7. (Optional) Configure an authorization list.
      1. Add an Authorization List.
      2. Select the Subject or Subject Alt Name configured in the certificate profile as the Identifier type.
      3. Enter the Common Name if the identifier is Subject or enter an IP address, hostname, or email if the identifier is Subject Alt Name.
      4. Click OK.
      5. Enable Check Authorization List to enforce the list.
    8. Click OK.
    9. Commit your changes.
  6. Import the CA certificate to validate the certificate for the WildFire appliance.
    1. Log in to the firewall web interface.
  7. Configure a local or SCEP certificate for the firewall.
  8. Configure the certificate profile for the firewall or Panorama. You can configure this profile on each client firewall or Panorama appliance individually or you can use a template to push the configuration from Panorama to managed firewalls.
    1. Select DeviceCertificate ManagementCertificate Profile for firewalls or PanoramaCertificate ManagementCertificate Profile for Panorama.
  9. Deploy custom certificates on each firewall or Panorama appliance.
    1. Log in to the firewall web interface.
    2. Select DeviceSetupManagement for a firewall or PanoramaSetupManagement for Panorama and Edit the Secure Communication Settings.
    3. Select the Certificate Type, Certificate, and Certificate Profile.
    4. In the Customize Communication settings, select WildFire Communication.
    5. Click OK.
    6. Commit your changes.
  10. After deploying custom certificates on all managed devices, enforce custom-certificate authentication.
    1. Log in to Panorama.
    2. Select PanoramaManaged WildFire Clusters or PanoramaManaged WildFire Appliances and select a cluster or appliance.
    3. Select Communication.
    4. Select Custom Certificate Only.
    5. Click OK.
    6. Commit your changes.
    After committing this change, WildFire immediately begins the enforcement of custom certificates.