Configure Appliance-to-Appliance Encryption Using Predefined Certificates Through the CLI

When configuring appliance-to-appliance encryption using the CLI, you must issue all commands from the WildFire appliance designated as the active-controller. The configuration changes are automatically distributed to the passive-controller. If you are operating a cluster with 3 or more nodes, you must also configure the WildFire cluster appliances acting as server nodes with the same settings as the active-controller.
  1. Upgrade each managed WildFire appliance to PAN-OS 9.0.
  2. Verify that your WildFire appliance cluster has been properly configured and is operating in a healthy state.
  3. Enable secure cluster communication on the WildFire appliance designated as the active-controller.
    set deviceconfig cluster encryption enabled yes
  4. (Recommended) Enable HA Traffic Encryption. This optional setting encrypts the HA traffic between the HA pair and is a Palo Alto Networks recommended best practice. HA Traffic Encryption cannot be disabled when operating in FIPS/CC mode.
    set deviceconfig high-availability encryption enabled yes
  5. (Appliance clusters with 3 or more nodes only) Repeat steps 2-4 for the third WildFire appliance server node enrolled in the cluster.
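The complete session as typed on the active-controller, including the commit that makes the two set commands take effect and the checks an operator would run afterwards. This is an added example, not text from the original page; the hostname wf-active is a placeholder, and the verification commands (show deviceconfig ... in configure mode, show cluster membership, show high-availability state, show system info) are assumed from the standard PAN-OS CLI rather than taken from this page.

```console
admin@wf-active> configure
Entering configuration mode
[edit]
admin@wf-active# set deviceconfig cluster encryption enabled yes
admin@wf-active# set deviceconfig high-availability encryption enabled yes
admin@wf-active# show deviceconfig cluster encryption
admin@wf-active# show deviceconfig high-availability encryption
admin@wf-active# commit
admin@wf-active# exit
admin@wf-active> show cluster membership
admin@wf-active> show high-availability state
admin@wf-active> show system info | match mode
```

The configure-mode show commands confirm both settings are present in the candidate config before commit; show cluster membership and show high-availability state confirm the cluster and HA pair are still healthy afterwards, and the last line shows whether the appliance is in FIPS/CC mode, where HA Traffic Encryption cannot later be disabled. For a cluster with 3 or more nodes, the same configure and commit sequence is repeated on each server node.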