<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Panorama Certificate question in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/panorama-certificate-question/m-p/181505#M56057</link>
    <description>&lt;P&gt;In Panorama&amp;nbsp;I created a default template with basic configuration settings for all firewalls and then created a site specific template and put them both in a template stack to apply the stack to each firewall. This way the default settings apply to all firewalls for consistency and we can apply site specific settings like individual rules. This works great so far.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;One of the default settings we pushed out is a wildcard cert and an SSL/TLS service profile so that we can use our domain to secure communication to the management web sites over SSL. This works great.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Later I set up GlobalProtect VPN for remote clients to connect. I am doing this on only 1 location currently so I made these changes to the site specific template and not the default template. When I go to add the cert and the TLS profile in the site specific template it doesn't see the cert or SSL/TLS service profile pushed out with the default template even though it's the same wildcard cert. I installed the cert in the site specific template and created a new service profile and GlobalProtect works fine.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The issue is every time I commit to this firewall group now I get an error saying duplicate certificate subject found.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;What is the best way to fix this? I thought maybe I had to make the change on the stack rather than the individual certs but everything is read only when I go to modify the stack.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Everything is working fine but my OCD finds it really annoying that the commit comes back with succeeded with warnings.&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Thu, 12 Oct 2017 14:39:38 GMT</pubDate>
    <dc:creator>dstjames</dc:creator>
    <dc:date>2017-10-12T14:39:38Z</dc:date>
    <item>
      <title>Panorama Certificate question</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/panorama-certificate-question/m-p/181505#M56057</link>
      <description>&lt;P&gt;In Panorama&amp;nbsp;I created a default template with basic configuration settings for all firewalls and then created a site specific template and put them both in a template stack to apply the stack to each firewall. This way the default settings apply to all firewalls for consistency and we can apply site specific settings like individual rules. This works great so far.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;One of the default settings we pushed out is a wildcard cert and an SSL/TLS service profile so that we can use our domain to secure communication to the management web sites over SSL. This works great.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Later I set up GlobalProtect VPN for remote clients to connect. I am doing this on only 1 location currently so I made these changes to the site specific template and not the default template. When I go to add the cert and the TLS profile in the site specific template it doesn't see the cert or SSL/TLS service profile pushed out with the default template even though it's the same wildcard cert. I installed the cert in the site specific template and created a new service profile and GlobalProtect works fine.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The issue is every time I commit to this firewall group now I get an error saying duplicate certificate subject found.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;What is the best way to fix this? I thought maybe I had to make the change on the stack rather than the individual certs but everything is read only when I go to modify the stack.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Everything is working fine but my OCD finds it really annoying that the commit comes back with succeeded with warnings.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 12 Oct 2017 14:39:38 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/panorama-certificate-question/m-p/181505#M56057</guid>
      <dc:creator>dstjames</dc:creator>
      <dc:date>2017-10-12T14:39:38Z</dc:date>
    </item>
    <item>
      <title>Re: Panorama Certificate question</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/panorama-certificate-question/m-p/181649#M56066</link>
      <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/45395"&gt;@dstjames&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Yes, that is how it would work; you can't reference template values across in a stack.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Have you kept the same name while importing the certificates (Display Name) in both the templates?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If you&amp;nbsp;keep the same name (&lt;STRONG&gt;try rename&lt;/STRONG&gt;) in both the templates then the default template should supersede and only one certificate should get imported, which should take care of your warning.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The old certificate should ideally be deleted with the Panorama push and only one certificate should reflect in the firewall.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 13 Oct 2017 04:08:42 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/panorama-certificate-question/m-p/181649#M56066</guid>
      <dc:creator>hpunjabi</dc:creator>
      <dc:date>2017-10-13T04:08:42Z</dc:date>
    </item>
    <item>
      <title>Re: Panorama Certificate question</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/panorama-certificate-question/m-p/181744#M56073</link>
      <description>&lt;P&gt;Thanks for the reply.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Yeah, I put them in as different names.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If I go to the firewall directly rather than through Panorama I do see that it installed both certs and both TLS service profiles. Since these are technically both the same cert, that's why when I commit it's telling me I have a duplicate subject name.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Just not sure what the best practice is to use the same cert in both scenarios? I guess I could remove it from the default template and put all the cert settings in the site specific template. I was just hoping there was a better way.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 13 Oct 2017 13:59:56 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/panorama-certificate-question/m-p/181744#M56073</guid>
      <dc:creator>dstjames</dc:creator>
      <dc:date>2017-10-13T13:59:56Z</dc:date>
    </item>
    <item>
      <title>Re: Panorama Certificate question</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/panorama-certificate-question/m-p/181889#M56097</link>
      <description>&lt;P&gt;Yes, usually as best practice it is recommended to use different certificates.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Using it in individual templates rather than the default in the stack will also solve this problem, or the other way is to keep the same display name for the certificate in the default template and the nested template; this way you can still deploy the certificates through the default template to other firewalls.&lt;/P&gt;</description>
      <pubDate>Sat, 14 Oct 2017 12:25:31 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/panorama-certificate-question/m-p/181889#M56097</guid>
      <dc:creator>hpunjabi</dc:creator>
      <dc:date>2017-10-14T12:25:31Z</dc:date>
    </item>
  </channel>
</rss>

