Configure Authentication with Custom Certificates Between Log Collectors

Configure custom certificates between Log Collectors to create a unique chain of trust that ensures mutual authentication between Log Collectors
Complete the following procedure to configure custom certificates for communication between Log Collectors. You must configure secure server communication and secure client communication on each Log Collector in a Collector Group because the server and client roles are chosen dynamically. Use custom certificates to create a unique chain of trust that ensures mutual authentication between the members of your Log Collector Group.
For more information about using custom certificates, see How Are SSL/TLS Connections Mutually Authenticated?
  1. Obtain key pairs and certificate authority (CA) certificates for each Log Collector.
  2. Import the CA certificate to validate the identity of the client Log Collector, the server key pair, and the client key pair for each Log Collector in the Collector Group.
    1. Select Panorama > Certificate Management > Certificates > Import.
    2. Import the CA certificate, server key pair, and client key pair.
    3. Repeat this step for each Log Collector.
  3. Configure a certificate profile that includes the root CA and intermediate CA for secure server communication. This certificate profile defines the authentication between Log Collectors.
    1. Select Panorama > Certificate Management > Certificate Profile.
    2. Configure a certificate profile.
      If you configure an intermediate CA as part of the certificate profile, you must also include the root CA.
  4. Configure the certificate profile for secure client communication. You can configure this profile on each client Log Collector individually or you can push the configuration from Panorama™ to managed Log Collectors.
    If you are using SCEP for the client certificate, configure a SCEP profile instead of a certificate profile.
    1. Select Panorama > Certificate Management > Certificate Profile.
  5. Configure an SSL/TLS service profile.
    1. Select Panorama > Certificate Management > SSL/TLS Service Profile.
    2. Configure an SSL/TLS service profile to define the certificate and protocol that the Log Collectors use for SSL/TLS services.
  6. After deploying custom certificates on all Log Collectors, enforce custom-certificate authentication.
    1. Select Panorama > Collector Groups and select the Collector Group.
    2. On the General tab, Enable secure inter LC Communication.
      If you enable secure inter LC communication and your Collector Group includes a local Log Collector, a link appears stating that the Log Collector on the local Panorama is using the secure client configuration from Panorama > Secure Communication Settings. You can click this link to open the Secure Communication Settings dialog and configure the secure server and secure client settings for the local Log Collector from there.
    3. Click OK.
    4. Commit your changes.
  7. Configure secure server communication on each Log Collector.
    1. Select Panorama > Managed Collectors for Dedicated Log Collectors, or Panorama > Setup > Management and Edit the Secure Communication Settings for a Local Log Collector.
    2. For Dedicated Log Collectors, click the Log Collector and select Communications.
    3. Enable the Customize Secure Server Communication feature.
    4. Select the SSL/TLS service profile from the SSL/TLS Service Profile drop-down. This SSL/TLS service profile applies to all SSL connections between Log Collectors.
    5. Select the Certificate Profile from the drop-down.
    6. Verify that Custom Certificates Only is disabled (cleared). This allows inter Log Collector communication to continue with the predefined certificate while you are migrating to custom certificates.
    7. Set the disconnect wait time—the number of minutes Log Collectors wait before breaking and reestablishing the connection with other Log Collectors. This field is empty by default (range is 0 to 44,640).
    8. (Optional) Configure an authorization list. The authorization list adds an additional layer of security beyond certificate authentication. The authorization list checks the client certificate Subject or Subject Alt Name. If the Subject or Subject Alt Name presented with the client certificate does not match an identifier in the authorization list, authentication is denied.
      1. Add an Authorization List.
      2. Select the Subject or Subject Alt Name configured in the certificate profile as the Identifier type.
      3. Enter the Common Name if the identifier type is Subject, or an IP address, hostname, or email address if the identifier type is Subject Alt Name.
      4. Click OK.
      5. Enable the Check Authorization List option to configure Panorama to enforce the authorization list.
    9. Click OK.
    10. Commit your changes.
    After committing these changes, the disconnect wait time countdown begins. When the wait time ends, Log Collectors in the Collector Group cannot connect without the configured certificates.
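The authorization list described in step 8 above is an allow-list applied after the client certificate has already been validated against the certificate profile: the presented Subject Common Name or a Subject Alt Name entry must match a configured identifier, otherwise authentication is denied. The following Python is an added illustration of that matching logic, not Panorama's own code. It assumes the identifier types are exactly "Subject" and "Subject Alt Name", that a Subject entry is compared with the Common Name and a Subject Alt Name entry with a DNS name, IP address, or email address, and it represents the peer certificate in the dictionary shape returned by Python's ssl.SSLSocket.getpeercert() so the check could sit behind a real mutually authenticated TLS socket. The sample certificates are constructed, not real.

```python
"""Authorization-list check for inter-Log-Collector mutual TLS (added example).

Assumed semantics: Subject entries match the certificate Common Name exactly;
Subject Alt Name entries match a DNS, IP Address or email SAN (hostnames and
emails case-insensitively, IP addresses after normalisation). The check runs
only after the peer certificate chain has been validated; a certificate issued
by the same CA for a host that is not on the list is still denied.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEntry:
    identifier: str  # "Subject" or "Subject Alt Name" (the two identifier types)
    value: str       # Common Name for Subject; IP, hostname or email for SAN


def subject_common_names(peercert):
    """Collect commonName values from a getpeercert()-style subject tuple."""
    names = []
    for rdn in peercert.get("subject", ()):
        for attr, val in rdn:
            if attr == "commonName":
                names.append(val)
    return names


def subject_alt_names(peercert):
    """Return SAN entries as (type, value) pairs, e.g. ("DNS", "lc1.example")."""
    return list(peercert.get("subjectAltName", ()))


def _san_matches(entry_value, san_type, san_value):
    # Compare the authorization-list value with one SAN entry of the certificate.
    if san_type == "IP Address":
        try:
            return ipaddress.ip_address(entry_value) == ipaddress.ip_address(san_value)
        except ValueError:
            return False  # entry is not an IP address, so it cannot match this SAN
    if san_type in ("DNS", "email"):
        return entry_value.lower() == san_value.lower()
    return False  # other SAN types (URI, othername, ...) are not identifiers here


def is_authorized(peercert, auth_list, check_authorization_list=True):
    """Return (allowed, reason).

    With the Check Authorization List option disabled, every certificate that
    passed chain validation is accepted; with it enabled, at least one entry
    must match the presented Subject CN or a Subject Alt Name.
    """
    if not check_authorization_list:
        return True, "authorization list not enforced"
    cns = subject_common_names(peercert)
    sans = subject_alt_names(peercert)
    for entry in auth_list:
        if entry.identifier == "Subject" and entry.value in cns:
            return True, f"Subject CN matched '{entry.value}'"
        if entry.identifier == "Subject Alt Name":
            for san_type, san_value in sans:
                if _san_matches(entry.value, san_type, san_value):
                    return True, f"SAN {san_type} matched '{entry.value}'"
    return False, "no authorization list identifier matched; authentication denied"


# Constructed sample peer certificates in getpeercert() form (not real certificates).
LC1_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "lc1"),)),
    "subjectAltName": (("DNS", "lc1.corp.example"), ("IP Address", "10.0.0.11")),
}
LC2_CERT = {
    "subject": ((("commonName", "lc2"),),),
    "subjectAltName": (("IP Address", "10.0.0.12"),),
}
# Valid chain, but not a member of the Collector Group.
OTHER_CERT = {
    "subject": ((("commonName", "build-server"),),),
    "subjectAltName": (("DNS", "build.corp.example"),),
}
# Constructed authorization list: one Subject entry and one Subject Alt Name entry.
AUTH_LIST = [
    AuthEntry("Subject", "lc1"),
    AuthEntry("Subject Alt Name", "10.0.0.12"),
]

if __name__ == "__main__":
    for name, cert in (("lc1", LC1_CERT), ("lc2", LC2_CERT), ("other", OTHER_CERT)):
        print(name, is_authorized(cert, AUTH_LIST))
```

Because a Subject entry only ever compares against the Common Name, a Log Collector whose certificate identifies it solely through a Subject Alt Name (as LC2 above) needs a Subject Alt Name entry in the list, which is why step 8 ties the identifier type to what the certificate profile was configured to check.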
  8. Configure secure client communication on each Log Collector.
    1. Select Panorama > Managed Collectors for Dedicated Log Collectors, or Panorama > Setup > Management and Edit the Secure Communication Settings for a Local Log Collector.
    2. For Dedicated Log Collectors, click the Log Collector and select Communications.
    3. Under Secure Client Communications, select the Certificate Type, Certificate, and Certificate Profile from the respective drop-downs.
    4. Click OK.
    5. Commit your changes.