: Set Up Authentication Using Custom Certificates Between HA Peers
Focus
Focus

Set Up Authentication Using Custom Certificates Between HA Peers

Table of Contents
End-of-Life (EoL)

Set Up Authentication Using Custom Certificates Between HA Peers

You can Set Up Authentication Using Custom Certificates for securing the HA connection between Panorama HA peers.
  1. Generate a certificate authority (CA) certificate on Panorama.
    1. Select PanoramaCertificate ManagementCertificates.
    2. Create a self-signed root CA certificate or import a certificate from your enterprise CA.
  2. Configure a certificate profile that includes the root CA and intermediate CA.
    1. Select PanoramaCertificate ManagementCertificate Profile.
    2. Configure a certificate profile.
  3. Configure an SSL/TLS service profile.
    1. Select PanoramaCertificate ManagementSSL/TLS Service Profile.
    2. Configure an SSL/TLS profile to define the certificate and protocol that Panorama and its manage devices use for SSL/TLS services.
  4. Configure Secure Communication Settings on Panorama on the primary HA peer.
    If you configure Secure Communication Settings on Panorama for Panorama in a HA configuration, it is required to Customize Secure Server Communication as well. Otherwise, managed firewalls, Dedicated Log Collectors, and WildFire appliances are unable to connect to Panorama and PAN-OS functionality is impacted.
    1. Select PanoramaSetupManagement and Edit the Secure Communication Settings.
    2. For the Certificate Type, select Local.
    3. Select the Certificate and Certificate Profile you configured in the previous steps.
    4. Check (enable) HA Communication, WildFire Communication, and Data Redistribution.
    5. Check (enable) Customize Secure Server Communication.
    6. Select the SSL/TLS service profile from the SSL/TLS Service Profile drop-down. This SSL/TLS service profile applies to all SSL connections between Panorama, firewalls, Log Collectors, and Panorama’s HA peers.
    7. Select the certificate profile from the Certificate Profile drop-down.
    8. Configure an authorization list.
      When you configure Secure Communication Setting for Panorama in a HA configuration, you are required to add the Panorama HA peer to the authorization list.
      1. Click Add under Authorization List.
      2. Select the Subject or Subject Alt Name as the Identifier type.
      3. Enter the Common Name
    9. (Optional) Verify that Allow Custom Certificate Only check box is not selected. This allows you to continue managing all devices while migrating to custom certificates.
      When Allow Custom Certificate Only check box is selected, Panorama does not authenticate and cannot manage devices using predefined certificates.
    10. In Disconnect Wait Time (min), enter the number of minutes Panorama should before breaking and reestablishing the connection with its managed devices. This field is blank by default and the range is 0 to 44,640 minutes.
      The disconnect wait time does not begin counting down until you commit the new configuration.
    1. Click OK.
    2. Commit and Commit to Panorama.
    3. Repeat this step on the secondary Panorama HA peer.
      When you configure Secure Communication Settings on the secondary Panorama HA peer, add the primary HA peer to the authorization list as described above.
  5. Upgrade the client-side Panorama to 9.1.