You can encrypt WildFire communications between appliances deployed in a cluster. By default, WildFire appliances send data using cleartext when communicating with management appliances as well as WildFire cluster peers. You can use either predefined or custom certificates to authenticate connections between WildFire appliance peers using the IKE/IPsec protocol. The predefined certificates meet current FIPS/CC/UCAPL-approved certification and compliance requirements. If you want to use custom certificates instead, you must select a FIPS/CC/UCAPL-compliant certificate or you will not be able to import the certificate.

You can configure WildFire appliance-to-appliance encryption locally using the WildFire CLI or centrally through Panorama. Keep in mind, all WildFire appliances within a given cluster must run a version of PAN-OS that supports encrypted communications.

If the WildFire appliances in your cluster uses FIPS/CC mode, encryption is automatically enabled using predefined certificates.

Depending on how you want to deploy appliance to appliance encryption, perform one of the following tasks:

Configure Appliance-to-Appliance Encryption UsingPredefined Certificates Centrally on Panorama

Configure Appliance-to-Appliance Encryption UsingCustom Certificates Centrally on Panorama

Configure Appliance-to-Appliance Encryption Using Predefined Certificates Through the CLI

Configure Appliance-to-Appliance Encryption Using Custom Certificates Through the CLI