Configure Appliance-to-Appliance Encryption Using Custom Certificates Through the CLI
Advanced WildFire Powered by Precision AI™


Where Can I Use This?
  • WildFire Appliance
What Do I Need?
  • WildFire License
When configuring appliance-to-appliance encryption using the CLI, you must issue all commands from the WildFire appliance designated as the active-controller. The configuration changes are automatically distributed to the passive-controller. If you are operating a cluster with 3 or more nodes, you must also configure the WildFire cluster appliances acting as server nodes with the same settings as the active-controller.
  1. Upgrade each managed WildFire appliance to PAN-OS 9.0.
  2. Verify that your WildFire appliance cluster has been properly configured and is operating in a healthy state.
  3. Import (or optionally, generate) a certificate with a private key and its CA certificate. Keep in mind, if you previously configured the WildFire appliance and the firewall for secure communications using a custom certificate, you can also use that custom certificate for secure communications between WildFire appliances.
    1. To import a custom certificate, enter the following from the WildFire appliance CLI:
      scp import certificate from <value> file <value> remote-port <1-65535> source-ip <ip/netmask> certificate-name <value> passphrase <value> format <value>
    2. To generate a custom certificate, enter one of the following from the WildFire appliance CLI:
      request certificate generate certificate-name name digest country-code state locality organization email filename ca signed-by | ocsp-responder-url days-till-expiry hostname [ ... ]
      request certificate generate certificate-name name digest country-code state locality organization email filename ca signed-by | ocsp-responder-url days-till-expiry ip [ ... ]
      request certificate generate certificate-name name
  4. Import the WildFire appliance keypair containing the server certificate and private key.
    scp import keypair from <value> file <value> remote-port <1-65535> source-ip <ip/netmask> certificate-name <value> passphrase <value> format <pkcs12|pem>
  5. Configure and specify an SSL/TLS profile to define the certificate and protocol versions that WildFire appliances use for SSL/TLS services.
    set deviceconfig setting management secure-conn-server ssl-tls-service-profile <profile name>
    1. Create the SSL/TLS profile.
      set shared ssl-tls-service-profile <name>
    2. Specify the custom certificate.
      set shared ssl-tls-service-profile <name> certificate <value>
    3. Define the SSL/TLS range.
      set shared ssl-tls-service-profile <name> protocol-settings min-version <tls1-0|tls1-1|tls1-2>
      set shared ssl-tls-service-profile <name> protocol-settings max-version <tls1-0|tls1-1|tls1-2|max>
    4. Specify the SSL/TLS profile. This SSL/TLS service profile applies to all connections between WildFire appliances and the firewall as well as WildFire appliance peers.
      set deviceconfig setting management secure-conn-server ssl-tls-service-profile <ssltls-profile>
  6. Configure and specify a certificate profile that WildFire appliances use to validate peer certificates for SSL/TLS services.
    1. Create the certificate profile.
      set shared certificate-profile <name>
    2. (Optional) Set the subject (common-name) or subject-alt name.
      set shared certificate-profile <name> username-field subject <common-name>
      set shared certificate-profile <name> username-field subject-alt <email|principal-name>
    3. (Optional) Set the user domain.
      set shared certificate-profile <name> domain <value>
    4. Configure the CA.
      set shared certificate-profile <name> CA <name>
      set shared certificate-profile <name> CA <name> default-ocsp-url <value>
      set shared certificate-profile <name> CA <name> ocsp-verify-cert <value>
    5. Specify the certificate profile.
      set deviceconfig setting management secure-conn-server certificate-profile <certificate-profile>
  7. Import the certificate and private key pair.
  8. Configure the firewall Secure Communication Settings on Panorama to associate the WildFire appliance cluster with the firewall custom certificate. This provides a secure communications channel between the firewall and WildFire appliance cluster. If you already configured secure communications between the firewall and the WildFire appliance cluster and are using the existing custom certificate, proceed to step 9.
    1. Select Device > Certificate Management > Certificate Profile.
    2. Configure a Certificate Profile.
    3. Select Device > Setup > Management > Secure Communication Settings and click the Edit icon in Secure Communication Settings to configure the firewall custom certificate settings.
    4. Select the Certificate Type, Certificate, and Certificate Profile from the respective drop-downs and configure them to use the custom certificate created in step 2.
    5. Under Customize Communication, select WildFire Communication.
    6. Click OK.
  9. Disable the use of the predefined certificate.
    set deviceconfig setting management secure-conn-server disable-pre-defined-cert yes
  10. Specify the DNS name used for authentication found in the custom certificate (typically the SubjectName or the SubjectAltName). For example, the default domain name is wfpc.service.mycluster.paloaltonetworks.com.
    set deviceconfig setting wildfire custom-dns-name <custom_dns_name>
  11. (Appliance clusters with 3 or more nodes only) Repeat steps 2-10 for the third WildFire appliance server node enrolled in the cluster.
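Before committing the imported certificate (steps 3-4) and the custom DNS name (step 10), it is worth checking off-box that the leaf chains to the CA you will name in the certificate profile, that the custom DNS name is present in its SAN, and that the private key in the keypair actually belongs to the certificate. The following is an added example written for this page using Go's standard library, not Palo Alto Networks code; the Issue function generates throwaway test certificates in memory so the checks can be exercised offline, and the CA name "WildFire Test CA" is a constructed value.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Preflight mirrors what the appliance expects of a custom certificate: the leaf
// chains to the CA set in the certificate profile and carries the custom DNS name as a SAN.
func Preflight(leaf, ca *x509.Certificate, dnsName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// KeyMatches catches a keypair whose private key does not belong to the certificate.
func KeyMatches(leaf *x509.Certificate, key *ecdsa.PrivateKey) bool {
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	return ok && pub.Equal(&key.PublicKey)
}

// Issue builds a throwaway CA and a leaf it signs for the given SANs (constructed test material only).
func Issue(sans []string) (leaf, ca *x509.Certificate, leafKey *ecdsa.PrivateKey) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true,
		Subject: pkix.Name{CommonName: "WildFire Test CA"}, NotBefore: now,
		NotAfter: now.Add(time.Hour), BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: sans, NotBefore: now, NotAfter: now.Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	return leaf, ca, leafKey
}

func main() {
	leaf, ca, key := Issue([]string{"wfpc.service.mycluster.paloaltonetworks.com"})
	fmt.Println(Preflight(leaf, ca, "wfpc.service.mycluster.paloaltonetworks.com"), KeyMatches(leaf, key))
}
```

To check real material, parse the PEM or PKCS12 files you intend to import with x509.ParseCertificate and pass them to Preflight in place of the Issue output.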