Configure Authentication with Custom Certificates Between Log Collectors
Table of Contents
9.1 (EoL)
Expand all | Collapse all
-
- Determine Panorama Log Storage Requirements
-
- Setup Prerequisites for the Panorama Virtual Appliance
- Perform Initial Configuration of the Panorama Virtual Appliance
- Set Up The Panorama Virtual Appliance as a Log Collector
- Set Up the Panorama Virtual Appliance with Local Log Collector
- Set up a Panorama Virtual Appliance in Panorama Mode
- Set up a Panorama Virtual Appliance in Management Only Mode
-
- Preserve Existing Logs When Adding Storage on Panorama Virtual Appliance in Legacy Mode
- Add a Virtual Disk to Panorama on an ESXi Server
- Add a Virtual Disk to Panorama on vCloud Air
- Add a Virtual Disk to Panorama on AWS
- Add a Virtual Disk to Panorama on Azure
- Add a Virtual Disk to Panorama on Google Cloud Platform
- Add a Virtual Disk to Panorama on KVM
- Add a Virtual Disk to Panorama on Hyper-V
- Mount the Panorama ESXi Server to an NFS Datastore
-
- Increase CPUs and Memory for Panorama on an ESXi Server
- Increase CPUs and Memory for Panorama on vCloud Air
- Increase CPUs and Memory for Panorama on AWS
- Increase CPUs and Memory for Panorama on Azure
- Increase CPUs and Memory for Panorama on Google Cloud Platform
- Increase CPUs and Memory for Panorama on KVM
- Increase CPUs and Memory for Panorama on Hyper-V
- Complete the Panorama Virtual Appliance Setup
-
- Convert Your Evaluation Panorama to a Production Panorama with Local Log Collector
- Convert Your Evaluation Panorama to a Production Panorama without Local Log Collector
- Convert Your Evaluation Panorama to VM-Flex Licensing with Local Log Collector
- Convert Your Evaluation Panorama to VM-Flex Licensing without Local Log Collector
- Convert Your Production Panorama to an ELA Panorama
-
- Register Panorama
- Activate a Panorama Support License
- Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is Internet-connected
- Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is not Internet-connected
- Activate/Retrieve a Firewall Management License on the M-Series Appliance
- Install the Panorama Device Certificate
-
- Migrate from a Panorama Virtual Appliance to an M-Series Appliance
- Migrate a Panorama Virtual Appliance to a Different Hypervisor
- Migrate from an M-Series Appliance to a Panorama Virtual Appliance
- Migrate from an M-100 Appliance to an M-500 Appliance
- Migrate from an M-100 or M-500 Appliance to an M-200 or M-600 Appliance
-
- Configure an Admin Role Profile
- Configure an Access Domain
-
- Configure a Panorama Administrator Account
- Configure Local or External Authentication for Panorama Administrators
- Configure a Panorama Administrator with Certificate-Based Authentication for the Web Interface
- Configure an Administrator with SSH Key-Based Authentication for the CLI
- Configure RADIUS Authentication for Panorama Administrators
- Configure TACACS+ Authentication for Panorama Administrators
- Configure SAML Authentication for Panorama Administrators
-
- Add a Firewall as a Managed Device
-
- Add a Device Group
- Create a Device Group Hierarchy
- Create Objects for Use in Shared or Device Group Policy
- Revert to Inherited Object Values
- Manage Unused Shared Objects
- Manage Precedence of Inherited Objects
- Move or Clone a Policy Rule or Object to a Different Device Group
- Push a Policy Rule to a Subset of Firewalls
- Manage the Rule Hierarchy
- Manage the Master Key from Panorama
- Redistribute User-ID Information to Managed Firewalls
-
- Plan the Transition to Panorama Management
- Migrate a Firewall to Panorama Management and Reuse Existing Configuration
- Migrate a Firewall to Panorama Management and Push a New Configuration
- Migrate a Firewall HA Pair to Panorama Management and Reuse Existing Configuration
- Migrate a Firewall HA Pair to Panorama Management and Push a New Configuration
- Load a Partial Firewall Configuration into Panorama
- Localize a Panorama Pushed Configuration on a Managed Firewall
-
- Add Standalone WildFire Appliances to Manage with Panorama
- Configure Basic WildFire Appliance Settings on Panorama
- Remove a WildFire Appliance from Panorama Management
-
-
- Configure a Cluster and Add Nodes on Panorama
- Configure General Cluster Settings on Panorama
- Remove a Cluster from Panorama Management
- Configure Appliance-to-Appliance Encryption Using Predefined Certificates Centrally on Panorama
- Configure Appliance-to-Appliance Encryption Using Custom Certificates Centrally on Panorama
- View WildFire Cluster Status Using Panorama
- Upgrade a Cluster Centrally on Panorama with an Internet Connection
- Upgrade a Cluster Centrally on Panorama without an Internet Connection
-
-
- Manage Licenses on Firewalls Using Panorama
-
- Supported Updates
- Schedule a Content Update Using Panorama
- Upgrade Log Collectors When Panorama Is Internet-Connected
- Upgrade Log Collectors When Panorama Is Not Internet-Connected
- Upgrade Firewalls When Panorama Is Internet-Connected
- Upgrade Firewalls When Panorama Is Not Internet-Connected
- Upgrade a ZTP Firewall
- Revert Content Updates from Panorama
-
- Preview, Validate, or Commit Configuration Changes
- Enable Automated Commit Recovery
- Compare Changes in Panorama Configurations
- Manage Locks for Restricting Configuration Changes
- Add Custom Logos to Panorama
- Use the Panorama Task Manager
- Reboot or Shut Down Panorama
- Configure Panorama Password Profiles and Complexity
-
-
- Verify Panorama Port Usage
- Resolve Zero Log Storage for a Collector Group
- Replace a Failed Disk on an M-Series Appliance
- Replace the Virtual Disk on an ESXi Server
- Replace the Virtual Disk on vCloud Air
- Migrate Logs to a New M-Series Appliance in Log Collector Mode
- Migrate Logs to a New M-Series Appliance in Panorama Mode
- Migrate Logs to a New M-Series Appliance Model in Panorama Mode in High Availability
- Migrate Logs to the Same M-Series Appliance Model in Panorama Mode in High Availability
- Migrate Log Collectors after Failure/RMA of Non-HA Panorama
- Regenerate Metadata for M-Series Appliance RAID Pairs
- Troubleshoot Registration or Serial Number Errors
- Troubleshoot Reporting Errors
- Troubleshoot Device Management License Errors
- Troubleshoot Automatically Reverted Firewall Configurations
- Complete Content Update When Panorama HA Peer is Down
- View Task Success or Failure Status
- Restore an Expired Device Certificate
- Downgrade from Panorama 9.1
End-of-Life (EoL)
Configure Authentication with Custom Certificates Between Log Collectors
Configure custom certificates between Log Collectors
to create a unique chain of trust that ensures mutual authentication
between Log Collectors
Complete the following procedure to configure
custom certificates for communication between Log Collectors. You
must configure secure server communication and secure client communication
on each Log Collector in a Collector Group because the server and
client roles are chosen dynamically. Use custom certificates to
create a unique chain of trust that ensures mutual authentication
between the members of your Log Collector Group.
For more
information about using custom certificates, see How
Are SSL/TLS Connections Mutually Authenticated?
- Obtain key pairs and certificate authority (CA) certificates for each Log Collector.
- Import the CA certificate to validate the identity of
the client Log Collector, the server key pair, and the client key pair
for each Log Collector in the Collector Group.
- Select PanoramaCertificate ManagementCertificatesImport.
- Import the CA certificate, server key pair, and client key pair.
- Repeat th step for the each Log Collector.
- Configure a certificate profile that includes the root
CA and intermediate CA for secure server communication. This certificate
profile defines the authentication between Log Collectors.
- Select PanoramaCertificate ManagementCertificate Profile.
- Configure a certificate profile.If you configure an intermediate CA as part of the certificate profile, you must also include the root CA.
- Configure the certificate profile for secure client communication.
You can configure this profile on each client Log Collector individually
or you can push the configuration from Panorama™ to managed Log
Collectors.If you are using SCEP for the client certificate, configure a SCEP profile instead of a certificate profile.
- Select PanoramaCertificate ManagementCertificate Profile.
- Configure a Certificate Profile.
- Configure an SSL/TLS service profile.
- Select PanoramaCertificate ManagementSSL/TLS Service Profile.
- Configure an SSL/TLS service profile to define the certificate and protocol that the Log Collectors use for SSL/TLS services.
- After deploying custom certificates on all Log Collectors,
enforce custom-certificate authentication.
- Select PanoramaCollector Groups and select the Collector Group.
- On the General tab, Enable secure inter
LC Communication.If you enable secure inter LC communication and your Collector Group includes a local Log Collector, a link should appear that stating that the Log Collector on local Panorama is using the secure client configuration from PanoramaSecure Communication Settings. You can click this link to open the Secure Communication Settings dialog and configure the secure server and secure client settings for the Local Log Collector from there.
- Click OK.
- Commit your changes.
- Configure secure server communication on each Log Collector.
- Select PanoramaManaged Collectors for Dedicated Log Collectors or PanoramaSetupManagement and Edit the Secure Communication Settings for a Local Log Collector.
- For Dedicated Log Collectors, click the Log Collector and select Communications.
- Enable the Customize Secure Server Communication feature.
- Select the SSL/TLS service profile from the SSL/TLS Service Profile drop-down. This SSL/TLS service profile applies to all SSL connections between Log Collectors.
- Select the Certificate Profile from the drop-down.
- Verify that the Custom Certificates Only is disabled (cleared). This allows the inter Log Collector communication to continue with the predefined certificate while configuring to custom certificates.
- Set the disconnect wait time—the number of minutes Log Collectors wait before breaking and reestablishing the connection with other Log Collectors. This field is empty by default (range is 0 to 44,640).
- (Optional) Configure an authorization list.
The authorization list adds an additional layer of security beyond
certificate authentication. The authorization list checks the client
certificate Subject or Subject Alt Name. If the Subject or Subject
Alt Name presented with the client certificate does not match an
identifier in the authorization list, authentication is denied.
- Add an Authorization List.
- Select the Subject or Subject Alt Name configured in the certificate profile as the Identifier type.
- Enter the Common Name if the identifier is Subject or an IP address, hostname, or email if the identifier is Subject Alt Name.
- Click OK.
- Enable the Check Authorization List option to configure Panorama to enforce the authorization list.
- Click OK.
- Commit your changes.
After committing these changes, the disconnect wait time countdown begins. When the wait time ends, Log Collectors in the Collector Group cannot connect without the configured certificates. - Configure secure client communication on each Log Collector.
- Select PanoramaManaged Collectors for Dedicated Log Collectors or PanoramaSetupManagement and Edit the Secure Communication Settings for a Local Log Collector.
- For Dedicated Log Collectors, click the Log Collector and select Communications.
- Under Secure Client Communications, select the Certificate Type, Certificate, and Certificate Profile from the respective drop-downs.
- Click OK.
- Commit your changes.