Configure Appliance-to-Appliance Encryption Using Custom Certificates Centrally on Panorama

End-of-Life (EoL)

  1. Upgrade each managed WildFire appliance to PAN-OS 8.1.x. All managed appliances must be running PAN-OS 8.1 or later to enable appliance-to-appliance encryption.
  2. Verify that your WildFire appliance cluster has been properly configured and is operating in a healthy state.
  3. Review your existing WildFire secure communications configuration. If you previously configured the WildFire appliance and the firewall for secure communications using a custom certificate, you can reuse that same custom certificate for secure communications between WildFire appliances.
    1. Select Panorama > Managed WildFire Clusters > WF_cluster_name > Communication.
    2. If Customize Secure Server Communication has been enabled and you would like to use that certificate, identify the details of the custom certificate being used. Otherwise proceed to Step 5 to begin the process of installing a new custom certificate.
    3. Determine the custom certificate FQDN (DNS name) that will be used to define the firewall registration address in step 4.
      Make sure to note the custom certificate name and the associated FQDN. These are referenced several times during the configuration process.
  4. Configure the firewall registration address on Panorama.
    1. On Panorama, select Panorama > Managed WildFire Clusters > WF_cluster_name > General.
    2. In the Register Firewall To field, specify the DNS name used for authentication in the custom certificate (typically the Subject Common Name or a DNS entry in the Subject Alternative Name). For example, the default domain name is wfpc.service.mycluster.paloaltonetworks.com. The name you enter here must match the certificate exactly, otherwise firewalls cannot authenticate the cluster when they register.
  5. Configure WildFire Secure Server Communication settings on Panorama. If you already configured secure communications between the firewall and the WildFire cluster and are using the existing custom certificate, skip the profile creation in sub-step 3 and proceed to sub-step 4 (Custom Certificate Only).
    1. On Panorama, select Panorama > Managed WildFire Clusters > WF_cluster_name > Communication.
    2. Click Customize Secure Server Communication.
    3. Configure and deploy custom certificates used by the WildFire appliances and the associated firewall. The SSL/TLS service profile defines the custom certificate used by WildFire appliances to communicate with WildFire appliance peers and to the firewall. You must also configure the custom certificate settings on the firewall associated with the WildFire appliance cluster. This is configured later in step 9.
      1. Open the SSL/TLS Service Profile drop-down and click SSL/TLS Service Profile. Configure an SSL/TLS service profile with the custom certificate that you want to use. After you configure the SSL/TLS service profile, click OK and select the newly created SSL/TLS Service profile.
      2. Open the Certificate Profile drop-down and click Certificate Profile. Configure a Certificate Profile that identifies the custom certificate used to establish secure connections between the firewall and WildFire appliances, as well as between peer WildFire appliances. After you configure the Certificate Profile, click OK and select the newly created profile.
    4. Select the Custom Certificate Only check box. This allows you to use the custom certificates that you configured instead of the default preconfigured certificates.
    5. (Optional) Configure an authorization list. The authorization list checks the custom certificate Subject or Subject Alt Name; if the Subject or Subject Alt Name presented with the custom certificate does not match an identifier on the authorization list, authentication is denied.
      1. Add an Authorization List.
      2. Select the Subject or Subject Alt Name configured in the custom certificate profile as the Identifier type.
      3. Enter the Common Name if the identifier type is Subject, or an IP address, hostname, or email address if the identifier type is Subject Alt Name.
      4. Click OK.
      5. Select Check Authorization List to enforce the authorization list.
    6. Click OK.
  6. Enable Secure Cluster Communication.
  7. (Recommended) Enable HA Traffic Encryption. This optional setting encrypts the HA traffic between the HA pair and is a Palo Alto Networks recommended best practice.
    HA Traffic Encryption cannot be disabled when operating in FIPS/CC mode.
  8. Click OK to save the WildFire Cluster settings.
  9. Configure the firewall Secure Communication Settings on Panorama to associate the WildFire appliance cluster with the firewall custom certificate. This provides a secure communications channel between the firewall and WildFire appliance cluster. If you already configured secure communications between the firewall and the WildFire appliance cluster and are using the existing custom certificate, proceed to step 10.
    1. Select Device > Setup > Management > Secure Communication Settings and click the Edit icon in Secure Communication Settings to configure the firewall custom certificate settings.
    2. Select the Certificate Type, Certificate, and Certificate Profile from the respective drop-downs and configure them to use the custom certificate.
    3. Under Customize Communication, select WildFire Communication.
    4. Click OK.
  10. Commit your changes.
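Before committing, it is worth confirming offline that the custom certificate actually carries the FQDN you entered in Register Firewall To (step 4) and seeing which names an authorization list (step 5) could reference. The following script is an added example, not Palo Alto Networks code and not the appliance's own validation logic. It generates a constructed self-signed certificate that stands in for your custom certificate (the Example Corp subject, the wf-node1 SAN entry and the temporary file paths are assumptions), extracts the Subject CN and the SAN DNS names with openssl, and checks the registration FQDN against them. It assumes OpenSSL 1.1.1 or later and exact, case-insensitive matching; this page does not say how the appliance treats wildcards or non-DNS SAN types, so the script does not attempt to.

```shell
#!/bin/sh
# Added example (not Palo Alto Networks code): check a custom certificate against
# the FQDN used in "Register Firewall To" and list its authorization-list identifiers.
# Requires openssl >= 1.1.1 (for -ext and -addext).
set -eu

# Subject Common Name of a PEM certificate (RFC2253 prints "CN=...,O=...").
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed 's/^subject=//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# DNS entries of the Subject Alternative Name extension, one per line
# (empty output, exit 0, if the certificate has no SAN extension).
cert_san_dns() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
    grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://' || true
}

# Exit 0 if the FQDN equals the CN or one of the SAN DNS names.
# Assumption: exact, case-insensitive comparison; no wildcard handling.
cert_has_fqdn() {
  cert=$1
  want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  { cert_cn "$cert"; cert_san_dns "$cert"; } | tr 'A-Z' 'a-z' | grep -qx -- "$want"
}

# Constructed test certificate standing in for your custom certificate.
# Point CERT at your real PEM and REG_FQDN at your Register Firewall To value.
WORK=$(mktemp -d)
CERT="$WORK/wf-custom.pem"
REG_FQDN="wfpc.service.mycluster.paloaltonetworks.com"
openssl req -x509 -nodes -newkey rsa:2048 \
  -keyout "$WORK/wf-custom.key" -out "$CERT" -days 1 \
  -subj "/O=Example Corp/CN=$REG_FQDN" \
  -addext "subjectAltName=DNS:$REG_FQDN,DNS:wf-node1.mycluster.paloaltonetworks.com" \
  2>/dev/null

echo "Subject CN (authorization list 'Subject' identifier): $(cert_cn "$CERT")"
echo "SAN DNS names (authorization list 'Subject Alt Name' identifiers):"
cert_san_dns "$CERT" | sed 's/^/  /'
if cert_has_fqdn "$CERT" "$REG_FQDN"; then
  echo "OK: certificate covers Register Firewall To = $REG_FQDN"
else
  echo "MISMATCH: $REG_FQDN is not in the certificate; fix the name or the certificate before committing" >&2
fi
```

Run it against the certificate you loaded into the SSL/TLS service profile by replacing the constructed certificate block with your own file path; a MISMATCH means either the Register Firewall To value or the certificate's CN/SAN needs to change before step 10. The names it prints are the values to enter as authorization list identifiers if you enable Check Authorization List.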