Configure Authentication with Custom Certificates Between Log Collectors

Configure custom certificates between Log Collectors to create a unique chain of trust that ensures mutual authentication between Log Collectors
Complete the following procedure to configure custom certificates for communication between Log Collectors. You must configure secure server communication and secure client communication on each Log Collector in a Collector Group because the server and client roles are chosen dynamically. Use custom certificates to create a unique chain of trust that ensures mutual authentication between the members of your Log Collector Group.
For more information about using custom certificates, see How Are SSL/TLS Connections Mutually Authenticated?
  1. Obtain key pairs and certificate authority (CA) certificates for each Log Collector.
  2. Import the CA certificate to validate the identity of the client Log Collector, the server key pair, and the client key pair for each Log Collector in the Collector Group.
    1. Select Panorama > Certificate Management > Certificates > Import.
    2. Import the CA certificate, server key pair, and client key pair.
    3. Repeat this step for each Log Collector.
  3. Configure a certificate profile that includes the root CA and intermediate CA for secure server communication. This certificate profile defines the authentication between Log Collectors.
    1. Select Panorama > Certificate Management > Certificate Profile.
    2. If you configure an intermediate CA as part of the certificate profile, you must also include the root CA.
  4. Configure the certificate profile for secure client communication. You can configure this profile on each client Log Collector individually or you can push the configuration from Panorama™ to managed Log Collectors.
    If you are using SCEP for the client certificate, configure a SCEP profile instead of a certificate profile.
    1. Select Panorama > Certificate Management > Certificate Profile.
  5. Configure an SSL/TLS service profile.
    1. Select Panorama > Certificate Management > SSL/TLS Service Profile.
    2. Configure an SSL/TLS service profile to define the certificate and protocol that the Log Collectors use for SSL/TLS services.
  6. After deploying custom certificates on all Log Collectors, enforce custom-certificate authentication.
    1. Select Panorama > Collector Groups and select the Collector Group.
    2. On the General tab, Enable secure inter LC Communication.
      If you enable secure inter LC communication and your Collector Group includes a local Log Collector, a link appears stating that the Log Collector on local Panorama is using the secure client configuration from Panorama Secure Communication Settings. You can click this link to open the Secure Communication Settings dialog and configure the secure server and secure client settings for the Local Log Collector from there.
    3. Click OK.
    4. Commit your changes.
  7. Configure secure server communication on each Log Collector.
    1. Select Panorama > Managed Collectors for Dedicated Log Collectors, or Panorama > Setup > Management and Edit the Secure Communication Settings for a Local Log Collector.
    2. For Dedicated Log Collectors, click the Log Collector and select Communications.
    3. Enable the Customize Secure Server Communication feature.
    4. Select the SSL/TLS service profile from the SSL/TLS Service Profile drop-down. This SSL/TLS service profile applies to all SSL connections between Log Collectors.
    5. Select the Certificate Profile from the drop-down.
    6. Verify that Custom Certificates Only is disabled (cleared). This allows inter Log Collector communication to continue with the predefined certificate while you configure custom certificates.
    7. Set the disconnect wait time—the number of minutes Log Collectors wait before breaking and reestablishing the connection with other Log Collectors. This field is empty by default (range is 0 to 44,640).
    8. (Optional) Configure an authorization list. The authorization list adds an additional layer of security beyond certificate authentication. The authorization list checks the client certificate Subject or Subject Alt Name. If the Subject or Subject Alt Name presented with the client certificate does not match an identifier in the authorization list, authentication is denied.
      1. Add an Authorization List.
      2. Select the Subject or Subject Alt Name configured in the certificate profile as the Identifier type.
      3. Enter the Common Name if the identifier is Subject, or an IP address, hostname, or email if the identifier is Subject Alt Name.
      4. Click OK.
      5. Enable the Check Authorization List option to configure Panorama to enforce the authorization list.
    9. Click OK.
    10. Commit your changes.
    After committing these changes, the disconnect wait time countdown begins. When the wait time ends, Log Collectors in the Collector Group cannot connect without the configured certificates.
  8. Configure secure client communication on each Log Collector.
    1. Select Panorama > Managed Collectors for Dedicated Log Collectors, or Panorama > Setup > Management and Edit the Secure Communication Settings for a Local Log Collector.
    2. For Dedicated Log Collectors, click the Log Collector and select Communications.
    3. Under Secure Client Communications, select the Certificate Type, Certificate, and Certificate Profile from the respective drop-downs.
    4. Click OK.
    5. Commit your changes.
