End-of-Life (EoL)

Set Up Authentication Using Custom Certificates Between HA Peers

You can set up authentication using custom certificates to secure the HA connection between Panorama HA peers.
  1. Generate a certificate authority (CA) certificate on Panorama.
    1. Select Panorama > Certificate Management > Certificates.
  2. Configure a certificate profile that includes the root CA and intermediate CA.
    1. Select Panorama > Certificate Management > Certificate Profile.
  3. Configure an SSL/TLS service profile.
    1. Select Panorama > Certificate Management > SSL/TLS Service Profile.
    2. Configure an SSL/TLS profile to define the certificate and protocol that Panorama and its managed devices use for SSL/TLS services.
  4. Configure Secure Server Communication on Panorama.
    1. Select Panorama > Setup > Management and Edit the Panorama Settings.
    2. Verify that the Custom Certificate Only check box is not selected. This allows you to continue managing all devices while migrating to custom certificates.
      When the Custom Certificate Only check box is selected, Panorama does not authenticate and cannot manage devices using predefined certificates.
    3. Select the SSL/TLS service profile from the SSL/TLS Service Profile drop-down. This SSL/TLS service profile applies to all SSL connections between Panorama, firewalls, Log Collectors, and Panorama’s HA peers.
    4. Select the certificate profile from the Certificate Profile drop-down.
    5. (Optional) Configure an authorization list.
      1. Click Add under Authorization List.
      2. Select the Subject or Subject Alt Name as the Identifier type.
      3. Enter the Common Name
    6. In Disconnect Wait Time (min), enter the number of minutes Panorama should wait before breaking and reestablishing the connection with its managed devices. This field is blank by default and the range is 0 to 44,640 minutes.
      The disconnect wait time does not begin counting down until you commit the new configuration.
    7. Click OK.
    8. Commit your changes.
  5. Upgrade the client-side Panorama to 8.0.
  6. Configure Secure Client Communication.
    1. Select Panorama > High Availability and Edit the HA settings.
    2. Select Certificate and Certificate Profile.
    3. Click OK.
    4. Commit your changes.
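
The following pre-flight check is an added example, not part of the Panorama documentation. Run on an administrator workstation with OpenSSL, it confirms that a peer certificate chains to the root and intermediate CA placed in the certificate profile (step 2) and prints the Subject common name or Subject Alt Name you would enter in the authorization list (step 4.5). All file names, host names, and the throwaway PKI are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify an HA peer certificate offline before committing.
# Names such as panorama-b.example.internal are constructed, not from the page.

# chain_ok ROOT INTERMEDIATE PEER: succeeds only if PEER verifies through
# INTERMEDIATE up to ROOT, the two CAs a certificate profile would hold.
chain_ok() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# subject_cn CERT: print the Subject common name (Identifier type "Subject").
subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# san_dns CERT: print DNS Subject Alt Name entries, one per line.
san_dns() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# make_demo_pki DIR: build a throwaway root CA, intermediate CA, and peer
# certificate in DIR (a path without spaces) to exercise the checks above.
make_demo_pki() {
    d=$1
    cat > "$d/x.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[peer]
basicConstraints = CA:FALSE
subjectAltName = DNS:panorama-b.example.internal
EOF
    newkey() { openssl req -new -newkey rsa:2048 -nodes -config "$d/x.cnf" \
        -subj "/CN=$2" -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null; }
    # $3 holds the signer options and is left unquoted so it splits into words.
    sign() { openssl x509 -req -in "$d/$1.csr" -days 1 -extfile "$d/x.cnf" \
        -extensions "$2" -out "$d/$1.pem" $3 2>/dev/null; }
    newkey root "Demo Root CA" && sign root ca "-signkey $d/root.key" &&
    newkey int "Demo Intermediate CA" &&
    sign int ca "-CA $d/root.pem -CAkey $d/root.key -CAcreateserial" &&
    newkey peer "panorama-b.example.internal" &&
    sign peer peer "-CA $d/int.pem -CAkey $d/int.key -CAcreateserial"
}
```

To try it, call make_demo_pki on a scratch directory, or point chain_ok, subject_cn, and san_dns at PEM certificates exported from your own CA.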
