1. Home
    2. WildFire
    3. WildFire® What's New Guide
    4. WildFire Features in PAN-OS 8.1
    5. WildFire Appliance-to-Appliance Encryption

    WildFire Appliance-to-Appliance Encryption

    You can now encrypt WildFire® communications between appliances deployed in a cluster. Prior to 8.1 and by default, WildFire appliances send data using cleartext when communicating with management appliances as well as WildFire cluster peers. You can use either predefined or custom certificates to authenticate connections between WildFire appliance peers using the IKE/IPsec protocol. The predefined certificates meet current FIPS/CC/UACPL-approved certification and compliance requirements. If you want to use custom certificates instead, you must select a FIPS/CC/UACPL-compliant certificate or you will not be able to import the certificate.
    You can configure WildFire appliance-to-appliance encryption locally using the WildFire CLI or centrally through Panorama. Keep in mind, all WildFire appliances within a given cluster must run a version of PAN-OS that supports encrypted communications.
    If the WildFire appliances in your cluster uses FIPS/CC mode, encryption is automatically enabled using predefined certificates.
    Before configuring WildFire appliance-to-appliance encryption, be sure to review your existing WildFire secure communications configuration. If you previously configured the WildFire appliance and the firewall for secure communications using a custom certificate, you can use that custom certificate and the requisite DNS name for configuring secure communications between WildFire appliances.
    It is imperative that you use the correct, matching DNS name in the
    register firewall to:
     field in Panorama. Failure to do so will prevent appliance-to-appliance encryption from working as intended.
    The following tables describe the high-level tasks involved in configuring WildFire appliance-to-appliance encryption. For detailed instructions on these tasks, refer to the WildFire Administration Guide for the full installation procedure.
    WildFire Appliance-to-Appliance Encryption Installation Tasks Using Panorama
    Configuration Using Custom Certificates through Panorama
    Configuration Using Predefined Certificates through Panorama
    1. In the
      Panorama > Managed WildFire Clusters > WildFire Cluster
       page:
      • Configure the DNS name used for authentication found in the custom certificate.
      • Enable customize secure server communication and configure the SSL/TLS Service Profile and certificate profile to define the custom certificate for encrypted communication between WildFire peers.
        • Import or generate a custom certificate. If you are generating a custom certificate, be sure to use the same DNS stated in the certificate.
    2. In the
      Device > Setup > Management > Secure Communication Settings
       page, configure the firewall secure communication settings to use the custom certificate. This enables the WildFire cluster to communicate with the firewall using encryption.
    3. In the
      Panorama > Managed WildFire Clusters > WildFire Cluster
       page:
      • Make sure you configure the appliance to use
        Custom Certificates Only
        , so that it does not use the predefined certificate.
      • Enable
        Secure Cluster Communication
        .
      • Enable
        HA Traffic Encryption
        .
    1. In the
      Panorama > Managed WildFire Clusters > WildFire Cluster
       page:
      • Enable
        Secure Cluster Communication
        .
      • Enable
        HA Traffic Encryption
        .
    WildFire Appliance-to-Appliance Encryption Installation Tasks Using the CLI
    Configuration Using Custom Certificates through the WildFire CLI
    Configuration Using Predefined Certificates through the CLI
    To configure the WildFire appliance for encrypted communications, you must enable and configure the following on the active-controller in 2-node clusters. If your cluster has 3 or more nodes, you must also duplicate the configuration on the server nodes.
    1. In the
      Panorama > Managed WildFire Clusters > WildFire Cluster
       page:
      • Configure the DNS name used for authentication found in the custom certificate.
      • Enable customize secure server communication and configure the SSL/TLS Service Profile and certificate profile to define the custom certificate for encrypted communication between WildFire peers.
        • Import or generate a custom certificate. If you are generating a custom certificate, be sure to use the same DNS stated in the certificate.
    2. Configure the firewall secure communication settings to use the custom certificate. This enables the WildFire cluster to communicate with the firewall using encryption.
    3. From the WildFire appliance cluster active-controller CLI:
      • Make sure you configure the appliance to use custom certificates only, so that it does not use the predefined certificate.
      • Enable secure cluster communication.
      • Enable HA traffic encryption.
    1. From the WildFire appliance cluster active-controller CLI:
      • Enable secure cluster communication.
      • Enable HA traffic encryption.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo