Configure Certificate-Based Authentication for SD-WAN Devices
Configure SD-WAN devices with the certificate-based authentication type for stronger security.
You can authenticate an SD-WAN device using either of the following two authentication types:
- Pre-shared key (default authentication type)
- Certificate (SD-WAN plugin 3.2.0 and later releases)
When you create a new SD-WAN cluster or refresh the key with an SD-WAN plugin version earlier than 3.2.0, the SD-WAN plugin generates the pre-shared key automatically. In addition to the pre-shared key authentication type, SD-WAN plugin 3.2.0 and later releases provide certificate-based authentication for next-generation firewalls, which gives stronger authentication and validation for all SD-WAN sites.
We support certificate-based authentication on all software and hardware devices running legacy or advanced routing engines that support SD-WAN.
Follow the steps mentioned in the Upgrade and Downgrade Considerations before you upgrade or downgrade your current SD-WAN plugin.
Use the following workflow to configure certificate-based authentication for your SD-WAN device:
- Generate a certificate for SD-WAN devices on Panorama.
  - Select Panorama > Certificate Management > Certificates.
  - The generated certificate must be unique for each SD-WAN device; you can't generate one certificate and share it among multiple SD-WAN devices. Keep the following in mind while generating the branch and hub firewall certificates used for SD-WAN tunnel authentication:
    - Two different hub devices can use the same hub certificate.
    - Two different branch devices can use the same branch certificate only if both of the following conditions are met:
      - The branch devices are not part of the same VPN cluster.
      - There is no common hub device between the VPN clusters that these branch devices are part of.
    - (HA deployments only) Two different branch devices can also use the same branch certificate if they are configured as HA members.
    - If a hub device is common between VPN clusters, the branch devices in those VPN clusters must have unique certificates, with unique values for all attributes. If the certificates and their attribute values are not unique, the commit fails on the hub device (there is no commit failure on Panorama).
  - Also ensure that the leaf certificates (the branch and hub firewall certificates used for SD-WAN tunnel authentication) meet the following criteria:
    - Key usage must include digital signature.
    - All certificates must be signed by the same root CA.
    - The device certificate must be directly signed by the root CA.
    - The certificate format must be PKCS12.
  - The certificate attributes are used to determine the local ID and peer ID of the IKE gateways. Hence, the leaf certificates must be generated with the following three certificate attributes, and each attribute must be assigned three unique attribute values; otherwise, a commit error is thrown:
    - FQDN (Host Name)
    - IP address (IP)
    - User FQDN (Alt Email)
  - The Host Name, IP, and Alt Email certificate attributes must be unique among all certificates; that is, no two certificates may have any of these attribute values in common. In the following example, NewCertificate is generated with a total of nine mandatory certificate attribute values (three for each of the three attributes). The Host Name attribute is configured with three unique values: pan-fw01.yourcompany.com, pan-fw02.yourcompany.com, and pan-fw03.yourcompany.com. The IP attribute is configured with three unique values: 192.0.2.0, 192.0.2.1, and 192.0.2.2. The Alt Email attribute is configured with three unique values: email@example.com, IT@yourcompany.com, and firstname.lastname@example.org.
- (Optional) Configure a Certificate Profile that includes the root CA and the intermediate CA for secure server communication.
  - Select Panorama > Certificate Management > Certificate Profile.
  - If you configure an intermediate CA as part of the Certificate Profile, you must also include the root CA. This Certificate Profile defines how the SD-WAN hubs and branches authenticate each other.
- Import the CA certificates to validate the identity of the SD-WAN devices.
  - Select Panorama > Certificate Management > Certificates.
  - Import the CA certificate and the key pair on Panorama for each SD-WAN device in a cluster, or import multiple certificates at once using Multiple Certificates (.tar). Use a CSV file to bulk import the certificates into the Panorama management server; the CSV lets you import multiple certificates in one operation rather than adding each certificate manually.
  - Commit your changes. You must commit after importing the certificates so that they are available for further configuration.
- Configure the certificate-based authentication type while adding an SD-WAN hub or branch firewall to be managed by the Panorama management server. When adding your devices, you specify the device type (branch or hub) and the authentication type for the device, and you give each device a site name for easy identification.
  - Select Panorama > SD-WAN > Devices to add an SD-WAN device (SD-WAN hub or branch firewall) to be managed by the Panorama management server.
  - Select the VPN Tunnel tab and configure the Authentication type. For certificate-based authentication, select Certificate and configure the certificate-related fields. You must select an authentication type while adding an SD-WAN device.
- Configure certificate-based authentication when onboarding PAN-OS firewalls to Prisma Access.
  - Select Panorama > SD-WAN > Devices, select the SD-WAN branch firewall that connects to the Prisma Access hub, and configure the connection.
  - Select Prisma Access Onboarding and Add a compute node to a Region. In the VPN Tunnel settings, you must select the authentication type used to authenticate the CN (Prisma Access hub). For certificate-based authentication, select Certificate as the Authentication type and configure the certificate-related fields. You must select an authentication type while onboarding PAN-OS firewalls to Prisma Access. Ensure that you select the same authentication type for all the branch devices and the Prisma Access hub that is added; a commit failure occurs on Panorama if you use different authentication types for the branches and the Prisma Access hub.
- Configure certificate-based authentication while creating a VPN cluster.
  - Select Panorama > SD-WAN > VPN Clusters.
  - Select the VPN cluster Type.
  - Select Certificate as the Authentication Type. You must specify the authentication type to add a device to a VPN cluster, and all devices in a VPN cluster must use the same authentication type. You can't change the authentication type of an SD-WAN device after it has been added to a VPN cluster; to change it, remove the VPN cluster and its SD-WAN devices and configure them again with the authentication type of your choice. By default, the devices in a VPN cluster use the pre-shared key authentication type unless you select Certificate manually.
  - Commit your configuration changes.
  - Select Push to Devices to push your configuration changes to your managed firewalls.
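The certificate sharing and attribute-uniqueness rules in step 1 are easy to get wrong by hand, and a violation only surfaces as a commit failure on the hub. The following Python is an added example, not Palo Alto Networks code: it models those rules as a check you can run over a device inventory before committing. The `Cert` and `Device` structures and the mapping of VPN clusters to hub names are constructed for the example and are not a Panorama API.

```python
# Added example (not Palo Alto Networks code); device and cluster data are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    name: str                   # certificate object name on Panorama
    host_names: frozenset       # Host Name (FQDN) attribute values
    ips: frozenset              # IP attribute values
    alt_emails: frozenset       # Alt Email (User FQDN) attribute values

@dataclass(frozen=True)
class Device:
    name: str
    role: str                   # "hub" or "branch"
    cert: Cert
    clusters: frozenset         # VPN clusters the device belongs to
    ha_peer: str = ""           # name of the HA peer, if any

def sharing_allowed(a: Device, b: Device, cluster_hubs: dict) -> bool:
    """Two devices may present the same certificate only in the cases listed above."""
    if a.role == b.role == "hub":
        return True
    if a.role == b.role == "branch":
        if a.ha_peer == b.name and b.ha_peer == a.name:   # HA members of one site
            return True
        # Branches: no common VPN cluster and no common hub across their clusters.
        hubs = [set().union(*(cluster_hubs.get(c, set()) for c in d.clusters)) for d in (a, b)]
        return not (a.clusters & b.clusters) and not (hubs[0] & hubs[1])
    return False

def check(devices: list, cluster_hubs: dict) -> list:
    """Return the violations that would fail the commit on a hub; [] means clean."""
    problems, by_cert = [], {}
    for d in devices:
        by_cert.setdefault(d.cert.name, []).append(d)
    for cert_name, group in by_cert.items():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if not sharing_allowed(a, b, cluster_hubs):
                    problems.append(f"{cert_name} shared by {a.name} and {b.name}")
    certs = [g[0].cert for g in by_cert.values()]
    for c in certs:                       # all three attributes must be present
        if not (c.host_names and c.ips and c.alt_emails):
            problems.append(f"{c.name} lacks a Host Name, IP or Alt Email value")
    for i, x in enumerate(certs):         # distinct certificates must not overlap
        for y in certs[i + 1:]:
            for attr in ("host_names", "ips", "alt_emails"):
                if getattr(x, attr) & getattr(y, attr):
                    problems.append(f"{x.name} and {y.name} share {attr} values")
    return problems
```

Run `check` against your inventory after importing the certificates and before the commit; each returned string names the certificate or device pair that breaks a rule above.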