Authentication with Custom Certificates for Redistribution
10.0 (EoL)
Configure a custom certificate or SSL/TLS profile to
secure communication between the redistribution clients and the
redistribution agents.
To establish a unique chain of trust between
the devices in your network, you can now configure a certificate
profile or SSL/TLS profile to use a custom certificate (instead
of a predefined certificate) for mutual authentication during redistribution. The firewall
or Panorama uses the certificate profile to validate the client’s
certificate during connection. The profile applies globally to all
redistribution agents.
You can also use a custom certificate
for the Windows User-ID agent. You must install the Root Certificate
Authority (CA) for the custom certificate in the Windows Trust Store
of the agent host.
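Before importing custom certificates into the firewall, Panorama, or an agent, you can confirm offline that each one chains to the custom root and is usable in its TLS role. The script below is an added example, not part of the vendor documentation: it builds a constructed lab PKI with the openssl command-line tool and checks each certificate against it. The file names, subject names, and the mapping of the agent to the TLS server role and the client to the TLS client role are assumptions.

```shell
#!/bin/sh
# Added example with a constructed lab PKI; all names and paths are placeholders.
set -eu

# make_ca <dir>: create a throwaway root CA (ca.key, ca.pem) with explicit CA extensions.
make_ca() {
    mkdir -p "$1"
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Redistribution Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$1/ca.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue_leaf <dir> <name> <eku>: issue <name>.pem from the CA in <dir>.
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" -config "$1/ca.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$3" > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
}

# check_cert <ca.pem> <sslserver|sslclient> <cert.pem>: succeed only if the
# certificate chains to that root and is usable in that TLS role.
check_cert() {
    openssl verify -purpose "$2" -CAfile "$1" "$3" 2>&1 | grep -q ': OK$'
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_ca "$work/custom"   # the root the certificate profile would reference
make_ca "$work/other"    # same subject name, different key
issue_leaf "$work/custom" agent serverAuth
issue_leaf "$work/custom" client clientAuth
check_cert "$work/custom/ca.pem" sslserver "$work/custom/agent.pem"  && echo "agent cert: OK"
check_cert "$work/custom/ca.pem" sslclient "$work/custom/client.pem" && echo "client cert: OK"
check_cert "$work/other/ca.pem"  sslclient "$work/custom/client.pem" || echo "other root: rejected"
check_cert "$work/custom/ca.pem" sslclient "$work/custom/agent.pem"  || echo "wrong role: rejected"
```

To check real certificates, call check_cert with your exported root CA and the certificate you intend to deploy instead of the generated files.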
Authenticate the Firewall with the Redistribution Agent
- Create a custom SSL certificate profile for the firewall to use for outgoing connections.
- Configure the custom certificate profile for outgoing
connections from the firewall.
- Select Device > Setup > Management > Secure Communication Settings.
- Edit the settings.
- Select the Customize Secure Server Communication option.
- Select the Certificate Profile you created in Step 1.
- Click OK.
- (Optional) To use the custom certificate profile for Streamlined and Resilient Redistribution, select Customize Communication for Data Redistribution.
- Commit your changes.
- Enter the following CLI command to confirm the certificate profile (SSL config) uses Custom certificates: show redistribution agent state <agent-name> (where <agent-name> is the name of the redistribution agent, User-ID agent, or TS agent).
Authenticate the Redistribution Agent with the Firewall
- Create a custom SSL/TLS service profile for the firewall to use for incoming connections.
- Configure the custom SSL/TLS service profile for incoming
connections to the firewall.
- Select Device > Setup > Management > Secure Communication Settings.
- Edit the settings.
- Select the Customize Secure Server Communication option.
- Select the SSL/TLS Service Profile you created in Step 1.
- Click OK.
- Commit your changes.
- Enter the following CLI command to confirm the certificate profile (SSL config) uses Custom certificates: show redistribution service status.
Authenticate Panorama with the Redistribution Agent
- Create a custom SSL certificate profile for Panorama to use for outgoing connections.
- Configure the custom certificate profile for outgoing
connections from Panorama.
- Select Panorama > Setup > Management > Secure Communication Settings.
- Edit the settings.
- Select the Customize Secure Server Communication option.
- Select the Certificate Profile you created in Step 1.
- Click OK.
- (Optional) To use the custom certificate profile on Panorama for Streamlined and Resilient Redistribution, select Customize Communication for Data Redistribution.
- Commit your changes.
- Enter the following CLI command to confirm the certificate profile (SSL config) uses Custom certificates: show redistribution agent state <agent-name> (where <agent-name> is the name of the redistribution agent, User-ID agent, or TS agent).
Authenticate the Redistribution Agent with Panorama
- Create a custom SSL/TLS service profile for Panorama to use for incoming connections.
- Configure the custom SSL/TLS service profile for incoming
connections to Panorama.
- Select Panorama > Setup > Management > Secure Communication Settings.
- Edit the settings.
- Select the Customize Secure Server Communication option.
- Select the SSL/TLS Service Profile you created in Step 1.
- Click OK.
- Commit your changes.
- Enter the following CLI command to confirm the certificate profile (SSL config) uses Custom certificates: show redistribution service status.