WildFire Appliance-to-Appliance Encryption
You can now encrypt WildFire® communications between appliances deployed in a cluster. Prior to PAN-OS 8.1, and by default, WildFire appliances send data in cleartext when communicating with management appliances and with WildFire cluster peers. You can use either predefined or custom certificates to authenticate the IKE/IPsec connections between WildFire appliance peers. The predefined certificates meet current FIPS/CC/UACPL certification and compliance requirements. If you want to use custom certificates instead, you must select a FIPS/CC/UACPL-compliant certificate; otherwise the appliance will not allow you to import the certificate.
You can configure WildFire appliance-to-appliance encryption locally using the WildFire CLI or centrally through Panorama. Keep in mind that all WildFire appliances within a given cluster must run a PAN-OS version that supports encrypted communications.
If the WildFire appliances in your cluster use FIPS/CC mode, encryption is enabled automatically using the predefined certificates.
Before configuring WildFire appliance-to-appliance encryption, be sure to review your existing WildFire secure communications configuration. If you previously configured the WildFire appliance and the firewall for secure communications using a custom certificate, you can use that custom certificate and the requisite DNS name for configuring secure communications between WildFire appliances.
It is imperative that you use the correct, matching DNS name in the Register Firewall To field in Panorama. Failure to do so prevents appliance-to-appliance encryption from working as intended.
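The two requirements above (a FIPS/CC/UACPL-compliant custom certificate, and a DNS name that matches what you enter in the Register Firewall To field) can both be checked before you import anything. The following is an added example written for this page, not Palo Alto Networks code and not the appliance's own import validation: a POSIX shell function that uses openssl to confirm the DNS name is present as a SAN dNSName (or, if the certificate has no SAN at all, as the subject CN), and that the key size and signature hash are ones a FIPS/CC profile would accept. The function name, the node name wf-node1.example.com, the throwaway self-signed certificate it generates as sample input, and the thresholds it enforces (RSA at least 2048 bits, EC at least 256 bits, SHA-2 signature) are all assumptions; the authoritative acceptance criteria are in the WildFire Administration Guide, so treat this as a pre-flight sanity test, not a certification check.

```shell
# Pre-import sanity check for a WildFire appliance-to-appliance custom
# certificate. Added example, not Palo Alto Networks code. The thresholds
# (RSA >= 2048, EC >= 256 bits, SHA-2 signature) are assumptions that mirror
# typical FIPS/CC profiles; the WildFire Administration Guide is authoritative.

# wf_check_peer_cert CERT.pem DNSNAME
# Returns 0 when the certificate carries DNSNAME as a SAN dNSName (or, if it
# has no SAN, as the subject CN) and its key and signature meet the thresholds
# above; returns 1 on any failed check, 2 if the certificate cannot be read.
wf_check_peer_cert() {
    cert=$1
    dnsname=$2
    rc=0
    text=$(openssl x509 -noout -text -in "$cert" 2>/dev/null) || return 2

    # DNS name: must equal the value entered in Panorama's Register Firewall To
    # field, otherwise IKE peer authentication between the appliances fails.
    sans=$(printf '%s\n' "$text" | grep -o 'DNS:[^, ]*' | sed 's/^DNS://')
    cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$cert" \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if printf '%s\n' "$sans" | grep -qxF "$dnsname"; then
        echo "ok   SAN dNSName matches $dnsname"
    elif [ -z "$sans" ] && [ "$cn" = "$dnsname" ]; then
        echo "ok   no SAN present; subject CN matches $dnsname"
    else
        echo "FAIL $dnsname not in SAN [$(printf '%s ' $sans)] or CN [$cn]"
        rc=1
    fi

    # Key algorithm and size, parsed from the -text dump (works for the
    # "RSA Public-Key:" and "Public-Key:" spellings of OpenSSL 1.1.1 and 3.x).
    keyalg=$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: //p' | head -n 1)
    keybits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    case "$keyalg" in
        rsaEncryption)  minbits=2048 ;;
        id-ecPublicKey) minbits=256 ;;
        *)              minbits=999999 ;;   # unknown algorithm: always fail
    esac
    if [ "${keybits:-0}" -ge "$minbits" ]; then
        echo "ok   key $keyalg, $keybits bit"
    else
        echo "FAIL key $keyalg, ${keybits:-?} bit, below this check's minimum"
        rc=1
    fi

    # Signature hash: reject MD5/SHA-1 signed certificates.
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
    case "$sigalg" in
        sha256*|sha384*|sha512*|*SHA256|*SHA384|*SHA512)
            echo "ok   signature $sigalg" ;;
        *)
            echo "FAIL signature $sigalg is not SHA-2"
            rc=1 ;;
    esac
    return $rc
}

# Constructed sample input: a throwaway self-signed RSA-2048/SHA-256
# certificate for the hypothetical node name wf-node1.example.com.
WF_DEMO_DIR=$(mktemp -d)
WF_DEMO_CERT=$WF_DEMO_DIR/wf-node1.pem
openssl req -x509 -newkey rsa:2048 -sha256 -days 1 -nodes \
    -keyout "$WF_DEMO_DIR/wf-node1.key" -out "$WF_DEMO_CERT" \
    -subj "/CN=wf-node1.example.com" \
    -addext "subjectAltName=DNS:wf-node1.example.com" 2>/dev/null

wf_check_peer_cert "$WF_DEMO_CERT" wf-node1.example.com
wf_check_peer_cert "$WF_DEMO_CERT" wf-node2.example.com
```

Run it against the PEM you intend to import, passing the exact DNS name you will type into the Register Firewall To field; the second call in the sample deliberately uses a different name to show the mismatch failure. If the certificate was already in use for WildFire-to-firewall secure communications, the same name should pass here, which is the reuse the paragraph above describes.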
The following tables describe the high-level tasks involved in configuring WildFire appliance-to-appliance encryption. For detailed instructions on each task, refer to the WildFire Administration Guide.
Configuration Using Custom Certificates through Panorama
Configuration Using Predefined Certificates through Panorama
Configuration Using Custom Certificates through the WildFire CLI
Configuration Using Predefined Certificates through the WildFire CLI
To configure a WildFire cluster for encrypted communications, you must enable and configure encryption on the active controller in a 2-node cluster. If your cluster has 3 or more nodes, you must also duplicate the configuration on the server nodes.