WildFire Appliance-to-Appliance Encryption

You can now encrypt WildFire® communications between appliances deployed in a cluster. Prior to PAN-OS 8.1, and by default in 8.1, WildFire appliances send data in cleartext when communicating with management appliances and with WildFire cluster peers. You can use either predefined or custom certificates to authenticate connections between WildFire appliance peers, which are then protected with IKE/IPsec. The predefined certificates meet current FIPS/CC/UCAPL-approved certification and compliance requirements. If you want to use custom certificates instead, the certificate you supply must itself be FIPS/CC/UCAPL-compliant (key type, key length, and signature algorithm), or the import is rejected.
You can configure WildFire appliance-to-appliance encryption locally using the WildFire CLI or centrally through Panorama. Keep in mind, all WildFire appliances within a given cluster must run a version of PAN-OS that supports encrypted communications.
If the WildFire appliances in your cluster run in FIPS/CC mode, encryption is enabled automatically using the predefined certificates.
Before configuring WildFire appliance-to-appliance encryption, review your existing WildFire secure communications configuration. If you previously configured the WildFire appliance and the firewall for secure communications using a custom certificate, you can reuse that custom certificate, together with the DNS name it was issued for, when configuring secure communications between WildFire appliances.
The DNS name you enter in the Register Firewall To field in Panorama must exactly match the DNS name in the certificate (the Subject Alternative Name, or the Common Name if no SAN is present). If the names do not match, peer authentication fails and appliance-to-appliance encryption does not come up.
The following tables describe the high-level tasks involved in configuring WildFire appliance-to-appliance encryption. For detailed instructions on these tasks, refer to the WildFire Administration Guide for the full installation procedure.
WildFire Appliance-to-Appliance Encryption Installation Tasks Using Panorama

Configuration Using Custom Certificates through Panorama
  1. In the Panorama > Managed WildFire Clusters > WildFire Cluster page:
    • Configure the DNS name used for authentication; it must be the DNS name found in the custom certificate.
    • Enable Customize Secure Server Communication and configure the SSL/TLS Service Profile and Certificate Profile that define the custom certificate used for encrypted communication between WildFire peers.
      • Import or generate a custom certificate. If you generate the certificate, make sure it carries the same DNS name you configured above.
  2. In the Device > Setup > Management > Secure Communication Settings page, configure the firewall secure communication settings to use the custom certificate. This enables the WildFire cluster to communicate with the firewall using encryption.
  3. In the Panorama > Managed WildFire Clusters > WildFire Cluster page:
    • Select Custom Certificates Only, so that the appliance does not fall back to the predefined certificate.
    • Enable Secure Cluster Communication.
    • Enable HA Traffic Encryption.

Configuration Using Predefined Certificates through Panorama
  1. In the Panorama > Managed WildFire Clusters > WildFire Cluster page:
    • Enable Secure Cluster Communication.
    • Enable HA Traffic Encryption.
WildFire Appliance-to-Appliance Encryption Installation Tasks Using the CLI

To configure the WildFire appliance for encrypted communications from the CLI, enable and configure the following on the active controller of a 2-node cluster. If your cluster has 3 or more nodes, you must also repeat the configuration on each server node.

Configuration Using Custom Certificates through the WildFire CLI
  1. In the Panorama > Managed WildFire Clusters > WildFire Cluster page:
    • Configure the DNS name used for authentication; it must be the DNS name found in the custom certificate.
    • Enable Customize Secure Server Communication and configure the SSL/TLS Service Profile and Certificate Profile that define the custom certificate used for encrypted communication between WildFire peers.
      • Import or generate a custom certificate. If you generate the certificate, make sure it carries the same DNS name you configured above.
  2. Configure the firewall secure communication settings to use the custom certificate. This enables the WildFire cluster to communicate with the firewall using encryption.
  3. From the WildFire appliance cluster active-controller CLI:
    • Configure the appliance to use custom certificates only, so that it does not fall back to the predefined certificate.
    • Enable secure cluster communication.
    • Enable HA traffic encryption.

Configuration Using Predefined Certificates through the CLI
  1. From the WildFire appliance cluster active-controller CLI:
    • Enable secure cluster communication.
    • Enable HA traffic encryption.
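Both custom-certificate procedures above depend on two things the appliance will not fix for you: the DNS name configured in Panorama must match the certificate, and the certificate must meet the FIPS/CC/UCAPL strength requirements or the import fails. The following Go program is an added example of a pre-import check you can run on a workstation; it is not Palo Alto Networks code and not the WildFire CLI. The strength baseline it enforces (RSA of at least 2048 bits or ECDSA P-256/P-384, SHA-256 or stronger signatures) is an assumption for this example; confirm the exact requirements against the WildFire Administration Guide. The DNS name wf-cluster.example.com and the self-signed test certificates are constructed sample input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CheckClusterCert validates a PEM certificate before you import it as a
// custom WildFire cluster certificate: the DNS name you will enter in
// Panorama must match the certificate (SAN, or CN if no SAN is present,
// per Go's VerifyHostname rules), and the key and signature must meet the
// assumed FIPS baseline (RSA >= 2048 bits or ECDSA P-256/P-384, SHA-256+).
func CheckClusterCert(certPEM []byte, dnsName string) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("input is not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("parse certificate: %w", err)
	}
	// Mismatch here is the failure mode the page warns about.
	if err := cert.VerifyHostname(dnsName); err != nil {
		return fmt.Errorf("DNS name %q does not match certificate: %w", dnsName, err)
	}
	switch cert.SignatureAlgorithm {
	case x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA,
		x509.ECDSAWithSHA256, x509.ECDSAWithSHA384, x509.ECDSAWithSHA512:
		// acceptable under the assumed baseline
	default:
		return fmt.Errorf("signature algorithm %v is not in the assumed FIPS set", cert.SignatureAlgorithm)
	}
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if pub.N.BitLen() < 2048 {
			return fmt.Errorf("RSA key is %d bits; need at least 2048", pub.N.BitLen())
		}
	case *ecdsa.PublicKey:
		if pub.Curve != elliptic.P256() && pub.Curve != elliptic.P384() {
			return fmt.Errorf("ECDSA curve %s is not P-256 or P-384", pub.Curve.Params().Name)
		}
	default:
		return errors.New("public key is neither RSA nor ECDSA")
	}
	now := time.Now()
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("certificate not valid now (valid %s to %s)",
			cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
	}
	return nil
}

// SelfSignedTestCert builds a constructed self-signed certificate for the
// example: an ECDSA P-256 key by default, or an RSA 1024-bit key when
// weakKey is set, so the strength check has something to reject.
func SelfSignedTestCert(dnsNames []string, weakKey bool) ([]byte, error) {
	var priv, pub interface{}
	if weakKey {
		k, err := rsa.GenerateKey(rand.Reader, 1024)
		if err != nil {
			return nil, err
		}
		priv, pub = k, &k.PublicKey
	} else {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		priv, pub = k, &k.PublicKey
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames, // the SAN the Panorama DNS name must match
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	const name = "wf-cluster.example.com" // assumed cluster DNS name
	good, _ := SelfSignedTestCert([]string{name}, false)
	fmt.Println("matching name:", CheckClusterCert(good, name))
	fmt.Println("wrong name:   ", CheckClusterCert(good, "wf-node1.example.com"))
	weak, _ := SelfSignedTestCert([]string{name}, true)
	fmt.Println("weak key:     ", CheckClusterCert(weak, name))
}
```

Run it against the real PEM you intend to import (read the file into CheckClusterCert) with the exact string you will type into Register Firewall To. A nil error means the name and strength checks pass; it does not replace the appliance's own import validation, which may enforce additional requirements.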