Cluster FW Active-Pasive syncronize certificate profile 10.1.9-h1

Alpalo — Thu, 23 Nov 2023 15:06:40 GMT

Hello team

I am deploying web auth with certificate

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-certificate-based-administrator-authentication-to-the-web-interface

in an active - passive cluster, the problem is that the certificate profile is synchronized when I commit, which generates that I can only use one and so I can only access one of the nodes, any idea? it seems a bug but I have not found anything.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/high-availability/reference-ha-synchronization/what-settings-dont-sync-in-activepassive-ha

Regards

Re: Cluster FW Active-Pasive syncronize certificate profile 10.1.9-h1

aleksandar.astardzhiev — Thu, 23 Nov 2023 18:24:31 GMT

Hi @Alpalo ,

Similar questions were asked before, please check the following post - https://live.paloaltonetworks.com/t5/next-generation-firewall/how-to-use-certificate-for-secure-web-gui-access-ha-pair/m-p/566112

TL;DR - certificate is not synchronized so you need to import it separately on both members. However you must use the same name (no cert CN, but name for the cert when importing it to the config). You can choose to use separate certificates with different CNs for each member, or single cert using SAN or wildcard.

topic Cluster FW Active-Pasive syncronize certificate profile 10.1.9-h1 in General Topics

Cluster FW Active-Pasive syncronize certificate profile 10.1.9-h1

Re: Cluster FW Active-Pasive syncronize certificate profile 10.1.9-h1