https://live.paloaltonetworks.com/t5/general-topics/web-auth-fw-with-ha/m-p/558824#M113353 <P>Hello,</P> <P>I am configuring Webauth with certificate on my FW cluster and currently the access to the active FW is correct.</P> <P>I have created CA and client certificate correctly, the problem I am facing to access the passive node,</P> <P>is it necessary to create another CA also for the Passive FW?</P> <P>Is there any way to have a single CA for the cluster?</P> <P>Can anybody helps me?</P> <P>Greetings.</P> Wed, 20 Sep 2023 14:36:25 GMT Alpalo 2023-09-20T14:36:25Z https://live.paloaltonetworks.com/t5/general-topics/web-auth-fw-with-ha/m-p/558824#M113353 <P>Hello,</P> <P>I am configuring Webauth with certificate on my FW cluster and currently the access to the active FW is correct.</P> <P>I have created CA and client certificate correctly, the problem I am facing to access the passive node,</P> <P>is it necessary to create another CA also for the Passive FW?</P> <P>Is there any way to have a single CA for the cluster?</P> <P>Can anybody helps me?</P> <P>Greetings.</P> Wed, 20 Sep 2023 14:36:25 GMT https://live.paloaltonetworks.com/t5/general-topics/web-auth-fw-with-ha/m-p/558824#M113353 Alpalo 2023-09-20T14:36:25Z https://live.paloaltonetworks.com/t5/general-topics/web-auth-fw-with-ha/m-p/558877#M113362 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/192671">@Alpalo</a></P> <P>&nbsp;</P> <P>thanks for post!</P> <P>&nbsp;</P> <P>You will have to import the certificate to passive Firewall and then create SSL/TLS profile. These configurations are not synchronized between Active / Passive Firewalls:&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/reference-ha-synchronization/what-settings-dont-sync-in-activepassive-ha" target="_self">what-settings-dont-sync-in-activepassive-ha</A>:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PavelK_0-1695247276180.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/53892iDFDEAFE483C21FFA/image-size/large?v=v2&amp;px=999" role="button" title="PavelK_0-1695247276180.png" alt="PavelK_0-1695247276180.png" /></span></P> <P>Kind Regards</P> <P>Pavel</P> Wed, 20 Sep 2023 22:01:50 GMT https://live.paloaltonetworks.com/t5/general-topics/web-auth-fw-with-ha/m-p/558877#M113362 PavelK 2023-09-20T22:01:50Z https://live.paloaltonetworks.com/t5/general-topics/web-auth-fw-with-ha/m-p/560003#M113551 <P>Hi team,</P> <P>&nbsp;</P> <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/192693">@PavelK</a>&nbsp;i tried with your recommendation but problem still continues, I followed the procedure :&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcCCAS" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcCCAS</A>&nbsp;adn Web auth with certificate works fine with Active node, but I cannot access to the passive node <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> Any idea?</P> <P>&nbsp;</P> <P>Regards</P> Fri, 29 Sep 2023 06:48:14 GMT https://live.paloaltonetworks.com/t5/general-topics/web-auth-fw-with-ha/m-p/560003#M113551 Alpalo 2023-09-29T06:48:14Z https://live.paloaltonetworks.com/t5/general-topics/web-auth-fw-with-ha/m-p/560029#M113554 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/192671">@Alpalo</a></P> <P>&nbsp;</P> <P>thank you for reply.</P> <P>&nbsp;</P> <P>Could you confirm that passive Firewall has all required certificate / certificate chain used in certificate profile?</P> <P>Could you check what authentication logs say in passive Firewall when authentication fails:&nbsp;tail follow yes mp-log authd.log?</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> Fri, 29 Sep 2023 13:04:40 GMT https://live.paloaltonetworks.com/t5/general-topics/web-auth-fw-with-ha/m-p/560029#M113554 PavelK 2023-09-29T13:04:40Z