https://live.paloaltonetworks.com/t5/panorama-discussions/service-certificate-push-from-panorama-to-managed-firewalls-eg/m-p/1238958#M2981 <P>Hi Pavel,</P> <P>&nbsp;</P> <P>Thank you for the response.</P> <P>Presently the panorama is provisioned to managed 4 pairs of firewall, each pair is in A-P. What i found is that for each firewall let say FW01-Active has a individual Template and Template stack similarly for FW02-passive has individual T and TS.</P> <P>Now with regards to s2s vpn cert based authenticate, i want to know if i generate a csr from each firewall template with similar CN: contoso.abc.com and import it into each firewall Template and Push.</P> <P>Will the VPN will work after failover is trigerred? when old passive FW02 becomes new active? Assuming that similar CN will suffice for th tunnel to get establish with no issues.</P> <P>&nbsp;</P> Sun, 28 Sep 2025 09:55:21 GMT zaidshaikh 2025-09-28T09:55:21Z https://live.paloaltonetworks.com/t5/panorama-discussions/service-certificate-push-from-panorama-to-managed-firewalls-eg/m-p/1238667#M2979 <P>Hi folks,</P> <P>&nbsp;</P> <P>We have panorama and few pairs to managed firewalls being managed by panorama,</P> <P>Under the Templates, created CSR and imported the signed CA and pushed it to specific template firewall(say FW01-active), the managed firewall local configurations displays the new certificate, however, on the FW02-passive one the certificate did not sync.</P> <P>Do we need to separately push to FW02 template, by creating csr and same procedure? since its the vpn service certificate, it should sync from the active-FW01.</P> <P>Note: Templates care configured for each firewall separate (eg: FW01-Template ; FW02 Template so on)</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 24 Sep 2025 14:08:53 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/service-certificate-push-from-panorama-to-managed-firewalls-eg/m-p/1238667#M2979 zaidshaikh 2025-09-24T14:08:53Z https://live.paloaltonetworks.com/t5/panorama-discussions/service-certificate-push-from-panorama-to-managed-firewalls-eg/m-p/1238676#M2980 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/128470">@zaidshaikh</a></P> <P>&nbsp;</P> <P>thanks for post.</P> <P>&nbsp;</P> <P>Based on documentation:&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/high-availability/reference-ha-synchronization" target="_self">What Doesn't Sync in Active/Passive HA?</A>&nbsp;most of the certificates and certificate related configuration does not sync in HA deployment. It specifically does not call out a certificate used for VPN, however personally I believe it is a root cause. I would add the certificate to the Template associated with FW02.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> Wed, 24 Sep 2025 21:51:37 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/service-certificate-push-from-panorama-to-managed-firewalls-eg/m-p/1238676#M2980 PavelK 2025-09-24T21:51:37Z https://live.paloaltonetworks.com/t5/panorama-discussions/service-certificate-push-from-panorama-to-managed-firewalls-eg/m-p/1238958#M2981 <P>Hi Pavel,</P> <P>&nbsp;</P> <P>Thank you for the response.</P> <P>Presently the panorama is provisioned to managed 4 pairs of firewall, each pair is in A-P. What i found is that for each firewall let say FW01-Active has a individual Template and Template stack similarly for FW02-passive has individual T and TS.</P> <P>Now with regards to s2s vpn cert based authenticate, i want to know if i generate a csr from each firewall template with similar CN: contoso.abc.com and import it into each firewall Template and Push.</P> <P>Will the VPN will work after failover is trigerred? when old passive FW02 becomes new active? Assuming that similar CN will suffice for th tunnel to get establish with no issues.</P> <P>&nbsp;</P> Sun, 28 Sep 2025 09:55:21 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/service-certificate-push-from-panorama-to-managed-firewalls-eg/m-p/1238958#M2981 zaidshaikh 2025-09-28T09:55:21Z https://live.paloaltonetworks.com/t5/panorama-discussions/service-certificate-push-from-panorama-to-managed-firewalls-eg/m-p/1239127#M2984 <P>Hi Pavel,</P> <P>I was able to get the answer from TAC after testing it in LAB:</P> <P>Each FW template can have separate csr should be generated with the same Common Name in order for the service certificates to work properly during failover. Hence, the peer auth happens based on CN name which is identical in both FW01 and FW02.</P> <P>&nbsp;</P> Tue, 30 Sep 2025 18:53:45 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/service-certificate-push-from-panorama-to-managed-firewalls-eg/m-p/1239127#M2984 zaidshaikh 2025-09-30T18:53:45Z