Set Up Authentication Using Custom Certificates Between HA Peers

You can set up authentication using custom certificates to secure the HA connection between Panorama HA peers.
  1. Generate a certificate authority (CA) certificate on Panorama.
    1. Select Panorama > Certificate Management > Certificates.
    2. Create a self-signed root CA certificate or import a certificate from your enterprise CA.
  2. Configure a certificate profile that includes the root CA and intermediate CA.
    1. Select Panorama > Certificate Management > Certificate Profile.
    2. Configure a certificate profile.
  3. Configure an SSL/TLS service profile.
    1. Select Panorama > Certificate Management > SSL/TLS Service Profile.
    2. Configure an SSL/TLS profile to define the certificate and protocol that Panorama and its managed devices use for SSL/TLS services.
  4. Configure Secure Server Communication on Panorama.
    1. Select Panorama > Setup > Management and Edit the Panorama Settings.
    2. Verify that the Custom Certificate Only check box is not selected. This allows you to continue managing all devices while migrating to custom certificates.
      When the Custom Certificate Only check box is selected, Panorama does not authenticate and cannot manage devices using predefined certificates.
    3. Select the SSL/TLS service profile from the SSL/TLS Service Profile drop-down. This SSL/TLS service profile applies to all SSL connections between Panorama, firewalls, Log Collectors, and Panorama’s HA peers.
    4. Select the certificate profile from the Certificate Profile drop-down.
    5. (Optional) Configure an authorization list.
      1. Click Add under Authorization List.
      2. Select the Subject or Subject Alt Name as the Identifier type.
      3. Enter the Common Name
    6. In Disconnect Wait Time (min), enter the number of minutes Panorama should wait before breaking and reestablishing the connection with its managed devices. This field is blank by default and the range is 0 to 44,640 minutes.
      The disconnect wait time does not begin counting down until you commit the new configuration.
    7. Click OK.
    8. Commit your changes.
  5. Upgrade the client-side Panorama to 8.1.
  6. Configure Secure Client Communication.
    1. Select Panorama > High Availability and Edit the HA settings.
    2. Select Certificate and Certificate Profile.
    3. Click OK.
    4. Commit your changes.
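
The checks below are an added example, not part of the Panorama documentation. They use the openssl CLI to confirm that a peer certificate chains to the root CA intended for the certificate profile (step 2) and to read the Common Name and Subject Alt Name values an authorization list entry (step 4) would need. Host names and file names are constructed, and the exact-string comparison in `authz_match` is an assumption, not Panorama's documented matching behavior.

```shell
#!/bin/sh
# Added example: pre-import checks for an HA peer certificate.
# All names (example.test hosts, file names) are constructed for illustration.

# Build a throwaway root CA and a peer certificate signed by it (test data only).
make_test_chain() {
  d=$1; cn=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$d/peer.key" -out "$d/peer.csr" 2>/dev/null || return 1
  printf 'subjectAltName=DNS:%s\n' "$cn" > "$d/san.cnf"
  openssl x509 -req -in "$d/peer.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -extfile "$d/san.cnf" -out "$d/peer.pem" 2>/dev/null
}

# chain_ok CA_BUNDLE CERT: does CERT chain to the CA(s) meant for the profile?
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Print the subject Common Name of a certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

# Print Subject Alt Name entries one per line (for example DNS:host).
cert_sans() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ' | tr ',' '\n'
}

# authz_match CERT subject|san VALUE: would this identifier match the cert?
# Exact comparison is an assumption made for this example.
authz_match() {
  case $2 in
    subject) [ "$(cert_cn "$1")" = "$3" ] ;;
    san)     cert_sans "$1" | grep -qxF "DNS:$3" ;;
    *)       return 2 ;;
  esac
}

# Demo on a constructed chain.
tmp=$(mktemp -d) && make_test_chain "$tmp" panorama-ha-peer.example.test &&
  chain_ok "$tmp/root.pem" "$tmp/peer.pem" &&
  echo "chain ok, CN=$(cert_cn "$tmp/peer.pem")"
rm -rf "$tmp"
```

Run `chain_ok` and `cert_cn`/`cert_sans` against the real PEM files before importing them; a certificate that fails `chain_ok` against the profile's CA will not authenticate once Custom Certificate Only is selected.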
