End-of-Life (EoL)

Configure Authentication with Custom Certificates on the WildFire Appliance

Use custom certificates to establish a unique chain of trust that ensures mutual authentication between your WildFire appliance and your firewalls.
Use the following workflow to replace the predefined certificates in your WildFire deployment with custom certificates. When a firewall or Panorama sends a sample to a WildFire appliance for analysis, the firewall acts as the TLS client and the WildFire appliance acts as the TLS server.
  1. Obtain key pairs and certificate authority (CA) certificates for the WildFire appliance and firewall or Panorama.
  2. Import the CA certificate used to validate the certificate on the firewall.
    1. Log in to the CLI on the WildFire appliance and enter configuration mode.
      admin@WF-500> configure
    2. Use TFTP or SCP to import the certificate.
      admin@WF-500# {tftp | scp} import certificate from <value> file <value> remote-port <1-65535> source-ip <ip/netmask> certificate-name <value> passphrase <value> format {pkcs12 | pem}
  3. Use TFTP or SCP to import the keypair that contains the server certificate and private key for the WildFire appliance.
    admin@WF-500# {tftp | scp} import keypair from <value> file <value> remote-port <1-65535> source-ip <ip/netmask> certificate-name <value> passphrase <value> format {pkcs12 | pem}
  4. Configure a certificate profile that includes the root CA and intermediate CA. This certificate profile defines how the WildFire appliance and the firewalls authenticate each other.
    1. In the CLI of the WildFire appliance, enter configuration mode.
      admin@WF-500> configure
    2. Name the certificate profile.
      admin@WF-500# set shared certificate-profile <name>
    3. Configure the CA.
      The default-ocsp-url and ocsp-verify-cert settings are optional.
      admin@WF-500# set shared certificate-profile <name> CA <name>
      admin@WF-500# set shared certificate-profile <name> CA <name> [default-ocsp-url <value>]
      admin@WF-500# set shared certificate-profile <name> CA <name> [ocsp-verify-cert <value>]
  5. Configure an SSL/TLS service profile for the WildFire appliance. This profile defines the certificate and the SSL/TLS protocol range that the WildFire appliance and firewalls use for SSL/TLS services.
    1. Identify the SSL/TLS profile.
      admin@WF-500# set shared ssl-tls-service-profile <name>
    2. Select the certificate.
      admin@WF-500# set shared ssl-tls-service-profile <name> certificate <value>
    3. Define the SSL/TLS range.
      PAN-OS 8.0 and later releases support only TLS 1.2 and later TLS versions, so you must set the max version to tls1-2 or max. Set the min version to tls1-2 as well, so that the appliance never negotiates the deprecated TLS 1.0 or TLS 1.1 protocols.
      admin@WF-500# set shared ssl-tls-service-profile <name> protocol-settings min-version {tls1-0 | tls1-1 | tls1-2}
      admin@WF-500# set shared ssl-tls-service-profile <name> protocol-settings max-version {tls1-0 | tls1-1 | tls1-2 | max}
  6. Configure secure server communication on the WildFire appliance.
    1. Set the SSL/TLS service profile. This profile applies to all SSL/TLS connections between the WildFire appliance and client devices.
      admin@WF-500# set deviceconfig setting management secure-conn-server ssl-tls-service-profile <ssltls-profile>
    2. Set the certificate profile.
      admin@WF-500# set deviceconfig setting management secure-conn-server certificate-profile <certificate-profile>
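The following script is an added example and is not part of the Palo Alto Networks documentation. It produces the material that step 1 asks for with OpenSSL (a root CA, an intermediate CA, a server certificate for the WildFire appliance and a client certificate for a firewall), packages the appliance key pair as PKCS#12 for step 3 and the CA bundle as PEM for step 2, and then runs the checks the two peers perform during mutual authentication. The hostnames wf-500.example.internal and fw-1.example.internal, the file names, the CA names and the PKCS#12 passphrase are assumptions for the demo. Beyond the page's own steps it also shows two rejections a practitioner should expect from a correctly built chain: a certificate issued by an unrelated CA fails validation, and the appliance's server certificate, if offered in the client role, fails the extendedKeyUsage check.

```shell
#!/usr/bin/env bash
# Added example, not from the Palo Alto Networks page: build the PKI material
# that step 1 asks for and check it the way the appliance and firewall will.
# Hostnames, file names and the PKCS#12 passphrase are assumptions for the demo.
set -euo pipefail

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="${P12_PASS:-ChangeMe-P12}"    # later given to 'import keypair ... passphrase'
WF_HOST="wf-500.example.internal"      # assumed WildFire appliance FQDN (TLS server)
FW_HOST="fw-1.example.internal"        # assumed firewall FQDN (TLS client)

# Minimal OpenSSL config so the demo does not depend on a system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# gen_key_csr NAME CN: P-256 private key plus a CSR for it.
gen_key_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config "$WORK/req.cnf" -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# make_root NAME CN: self-signed root CA certificate.
make_root() {
  gen_key_csr "$1" "$2"
  openssl x509 -req -sha256 -days 3650 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
    -extfile "$WORK/req.cnf" -extensions ca_ext -out "$WORK/$1.pem" >/dev/null 2>&1
}

# sign_with_ca CA NAME EXTFILE SECTION DAYS: issue NAME.pem from NAME.csr under CA.
sign_with_ca() {
  openssl x509 -req -sha256 -days "$5" -in "$WORK/$2.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$3" -extensions "$4" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# make_leaf CA NAME HOST EKU: end-entity cert locked to one role via extendedKeyUsage
# (serverAuth for the appliance, clientAuth for the firewall).
make_leaf() {
  gen_key_csr "$2" "$3"
  printf '[leaf]\nbasicConstraints = CA:FALSE\nkeyUsage = digitalSignature\n' > "$WORK/$2.ext"
  printf 'subjectAltName = DNS:%s\nextendedKeyUsage = %s\n' "$3" "$4" >> "$WORK/$2.ext"
  sign_with_ca "$1" "$2" "$WORK/$2.ext" leaf 825
}

build_pki() {
  make_root root "Example Root CA"
  gen_key_csr inter "Example Issuing CA"
  sign_with_ca root inter "$WORK/req.cnf" ca_ext 1825          # intermediate CA
  make_leaf inter wf "$WF_HOST" serverAuth                      # appliance server cert
  make_leaf inter fw "$FW_HOST" clientAuth                      # firewall client cert
  # CA bundle for 'import certificate ... format pem' (root plus intermediate).
  cat "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/chain.pem"
  # Appliance key pair as PKCS#12 for 'import keypair ... format pkcs12'.
  openssl pkcs12 -export -name wildfire-server -inkey "$WORK/wf.key" -in "$WORK/wf.pem" \
    -certfile "$WORK/chain.pem" -passout "pass:$P12_PASS" -out "$WORK/wf.p12" >/dev/null 2>&1
  # An unrelated CA and a "firewall" cert under it: a client outside our chain of trust.
  make_root other-root "Some Other CA"
  make_leaf other-root rogue "$FW_HOST" clientAuth
}

# verify_chain CERT PURPOSE: what a peer does with the CAs in its certificate profile,
# with the TLS role (sslserver or sslclient) enforced against the EKU.
verify_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
    -purpose "$2" "$1" >/dev/null 2>&1
}

# rejects CMD...: succeeds only when CMD fails.
rejects() { if "$@"; then return 1; else return 0; fi; }

# p12_subject FILE: subject DN of the certificate inside the PKCS#12 bundle.
p12_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

report() { local label=$1; shift; if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; fi; }

build_pki
echo "chain.pem, wf.p12 (passphrase $P12_PASS), fw.key/fw.pem written to $WORK"
report "appliance cert valid as TLS server"           verify_chain "$WORK/wf.pem" sslserver
report "firewall cert valid as TLS client"            verify_chain "$WORK/fw.pem" sslclient
report "appliance cert rejected in client role (EKU)" rejects verify_chain "$WORK/wf.pem" sslclient
report "cert from unrelated CA rejected"              rejects verify_chain "$WORK/rogue.pem" sslclient
report "PKCS#12 carries the appliance certificate"    [ "$(p12_subject "$WORK/wf.p12")" = "CN=$WF_HOST" ]
```

Run it with bash on any host that has OpenSSL 1.1.1 or later; the working directory is printed so you can pick up chain.pem for step 2 and wf.p12 (with the passphrase) for step 3, while fw.key and fw.pem are what you would install on the firewall. The intermediate CA is deliberately included so that the certificate profile in step 4 has both a root and an intermediate to reference, and the EKU values are what make the "mutual" part hold: a stolen server certificate cannot be replayed as a client credential.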