Configure Appliance-to-Appliance Encryption Using Custom Certificates Through the CLI

When configuring appliance-to-appliance encryption using the CLI, you must issue all commands from the WildFire appliance designated as the active-controller. The configuration changes are automatically distributed to the passive-controller. If you are operating a cluster with 3 or more nodes, you must also configure the WildFire cluster appliances acting as server nodes with the same settings as the active-controller.
  1. Upgrade each managed WildFire appliance to PAN-OS 9.0.
  2. Verify that your WildFire appliance cluster has been properly configured and is operating in a healthy state.
  3. Import (or optionally, generate) a certificate with a private key and its CA certificate. Keep in mind, if you previously configured the WildFire appliance and the firewall for secure communications using a custom certificate, you can also use that custom certificate for secure communications between WildFire appliances.
    1. To import a custom certificate, enter the following from the WildFire appliance CLI:
      scp import certificate from <value> file <value> remote-port <1-65535> source-ip <ip/netmask> certificate-name <value> passphrase <value> format <value>
    2. To generate a custom certificate, enter the following from the WildFire appliance CLI:
      request certificate generate certificate-name name digest country-code state locality organization email filename ca signed-by | ocsp-responder-url days-till-expiry hostname [ ... ] request certificate generate certificate-name name digest country-code state locality organization email filename ca signed-by | ocsp-responder-url days-till-expiry ip [ ... ] request certificate generate certificate-name name
  4. Import the WildFire appliance keypair containing the server certificate and private key.
    scp import keypair from <value> file <value> remote-port <1-65535> source-ip <ip/netmask> certificate-name <value> passphrase <value> format <pkcs12|pem>
  5. Configure and specify a SSL/TLS profile to define the certificate and protocol that WildFire appliances use for SSL/TLS services.
    set deviceconfig setting management secure-conn-server ssl-tls-service-profile <profile name>
    1. Create the SSL/TLS profile.
      set shared ssl-tls-service-profile <name>
    2. Specify the custom certificate.
      set shared ssl-tls-service-profile <name> certificate <value>
    3. Define the SSL/TLS range.
      set shared ssl-tls-service-profile <name> protocol-settings min-version <tls1-0|tls1-1|tls1-2>
      set shared ssl-tls-service-profile <name> protocol-settings max-version <tls1-0|tls1-1|tls1-2|max>
    4. Specify the SSL/TLS profile. This SSL/TLS service profile applies to all connections between WildFire appliances and the firewall as well as WildFire appliance peers.
      set deviceconfig setting management secure-conn-server ssl-tls-service-profile <ssltls-profile>
  6. Configure and specify a certificate profile to define the certificate and protocol that WildFire appliances use for SSL/TLS services.
    1. Create the certificate profile.
      set shared certificate-profile <name>
    2. (Optional) Set the subject (common-name) or subject-alt name.
      set shared certificate-profile <name> username-field subject <common-name>
      set shared certificate-profile <name> username-field subject-alt <email|principal-name>
    3. (Optional) Set the user domain.
      set shared certificate-profile <name> domain <value>
    4. Configure the CA.
      set shared certificate-profile <name> CA <name>
      set shared certificate-profile <name> CA <name> default-ocsp-url <value>
      set shared certificate-profile <name> CA <name> ocsp-verify-cert <value>
    5. Specify the certificate profile.
      set deviceconfig setting management secure-conn-server certificate-profile <certificate-profile>
  7. Configure the firewall
    Secure Communication Settings
    on Panorama to associate the WildFire appliance cluster with the firewall custom certificate. This provides a secure communications channel between the firewall and WildFire appliance cluster. If you already configured secure communications between the firewall and the WildFire appliance cluster and are using the existing custom certificate, proceed to step 9.
    1. Select
      Device
      Certificate Management
      Certificate Profile
      .
    2. Select
      Device
      Setup
      Management > Secure Communication Settings
      and click the
      Edit
      icon in
      Secure Communication Settings
      to configure the firewall custom certificate settings.
    3. Select the
      Certificate Type
      ,
      Certificate
      , and
      Certificate Profile
      from the respective drop-downs and configure them to use the custom certificate created in step 2.
    4. Under Customize Communication, select
      WildFire Communication
      .
    5. Click
      OK
      .
  8. Disable the use of the predefined certificate.
    set deviceconfig setting management secure-conn-server disable-pre-defined-cert yes
  9. Specify the DNS name used for authentication found in the custom certificate (typically the SubjectName or the SubjectAltName). For example, the default domain name is
    wfpc.service.mycluster.paloaltonetworks.com
    set deviceconfig setting wildfire custom-dns-name <custom_dns_name>
    .
  10. (Appliance clusters with 3 or more nodes only) Repeat steps 2-10 for the third WildFire appliance server node enrolled in the cluster.

Recommended For You