topic Re: How do people manage certificates for the MGMT interface at scale? in General Topics

How do people manage certificates for the MGMT interface at scale?

Claw4609 — Wed, 08 Nov 2023 17:22:31 GMT

Wondering how other manage the SSL/TLS Service profile that you attach under Device>Setup>Management>General Settings at any sort of scale.

We manage quite a few firewall, via panorama, and the intent would be for each firewall to have a unique certificate for this? Is there a way we can template this would using SCEP in some way? The hope would have been to use SCEP in someway so the firewall could auto renew itself. Or would we individually need an object for each template stack and have to manage numerous objects?

Im able to create a scep profile, generate a cert, create an ssl/tls service profile, at attach it to the management interface on the firewall itself and this works as intended. But I wouldnt want to have to individually go to all of our firewall and do this and have objects that arent controller by panorama.

Are people taking the route of either not attaching a cert to the management interface at all or possibly throwing a wildcard cert on it? Or are people creating individual certs signed by an enterprise CA and manually rotating them every X number of days/years?

Re: How do people manage certificates for the MGMT interface at scale?

GLSparks — Thu, 16 Nov 2023 09:30:01 GMT

I push the certs out from panorama but i've had to set the SSL-TLS-Profile and select the certificate locally along with setting the secure communications settings. I can't figure another way of doing it either.

Re: How do people manage certificates for the MGMT interface at scale?

TomYoung — Thu, 16 Nov 2023 10:34:58 GMT

Hi @Claw4609 ,

I use a wildcard certificate and push it from Panorama. It is in my "Global" template. So, I change it once and push it to every NGFW.

The most common enterprise CA server is Microsoft. It supports SCEP. If you want unique certificates for each NGFW, you can go that route.

Thanks,

Tom

Re: How do people manage certificates for the MGMT interface at scale?

jeffrolc — Sun, 30 Jun 2024 18:40:15 GMT

you created a DNS record for each FW you used the wildcard cert for or somehow used a wildcard cert for the ip address?

Re: How do people manage certificates for the MGMT interface at scale?

TomYoung — Sun, 30 Jun 2024 21:28:35 GMT

Hi @jeffrolc ,

The wildcard cert is *.mydomain.com. The is applied to the management interface. I have DNS records for each NGFW management interface, e.g. fw01.mydomain.com, fw02.mydomain.com, etc. As long as I bring up the FQDN in the browser, it trusts the wildcard certificate.

Thanks,

Tom