topic Certificates duplicated from Primary to Secondary firewall in Palo alto in Next-Generation Firewall Discussions

Certificates duplicated from Primary to Secondary firewall in Palo alto

Sai14091990 — Tue, 29 Nov 2022 04:09:12 GMT

Hi All,

We have 2 Palo alto firewalls in HA mode (Active-standby).

Palo alto mode: PA-3220

OS Version: 10.1.6-h3

We create Unique certificates (for management, interdevice) in each firewall with hostname. After some time, the certificates in secondary firewall gets removed and the certificates from primary firewall are copied into secondary firewall..

For example: Primary firewall hostname and certificates: Hostname:PrimaryFW Certificate name: PrimaryFW

Secondary firewall hostname: SecondaryFW; Certificate name: SecondaryFW

After some time,, the seconday firewall certificates are deleted, and the primary firewall certificates are visible in the secondary firewall.. is it a bug? @aleksandar.astardzhiev @Jafar_Hussain @DelvinC

Re: Certificates duplicated from Primary to Secondary firewall in Palo alto

aleksandar.astardzhiev — Tue, 29 Nov 2022 07:17:14 GMT

Hi @Sai14091990 ,

According to documentations certificates are not synced between Active/Passive HA member - What Settings Don’t Sync in Active/Passive HA? (paloaltonetworks.com)

There is very important note mentioned on that link

So what you experience shouldn't be normal, and I suspect that you are using different certificate names. Don't confuse Common Name (CN) with name - latter is the name of the certificate object you put when importing/generating the certificate.

Try to import the certificate for secondary member again and set exactly the same name as the mgmt certificate on the primary member and see if this will help.