topic Re: How to manage 140+ Firewalls with their certificates... in General Topics

How to manage 140+ Firewalls with their certificates...

Rievax — Thu, 22 Mar 2018 13:37:02 GMT

Hello Community,

I was wondering how in a "larger scale" environement (140+ branche offices) people are generally managing their certificates?

Take the scenario of Panorama managing thoses 140+ PA firewalls with their corresponding 140+ templates...
Then you either import the compagny's Root CA / generate a Sub-Ca to every single 140+ firewall (in our case AD CS) or create 140+ Sub-CA certs from AD-CS for each branch locations and export CRS / import CER etc.
Then from each firewall create the required certificates... let's say one for the HTTP management access and one for the SLL Decryption... maybe more to come.
By default on PA, the certificate duration is 1 year. I understand one can renew it right away to 5, 10 or even 20 years. But for argument / security sake, let's keep it to its default 1 year.

How do you guys manage all those certificates? Within a year, you would have to at best renew 280 certificates manually... Are you generating them on longer terms? Is this just a yearly "job" that has to be done?

Thanks for your kind input.

Re: How to manage 140+ Firewalls with their certificates...

OtakarKlier — Thu, 22 Mar 2018 15:19:17 GMT

Hello,

That can be a daunting task for sure. What we try to do is internal certificates are generated with the highest level of encryption possible and we generate then for 2+ years depending on their function. External certs are only renewed for 1 year since external service can change but we still go for the highest level of encryption the provier can give us.

Hope that helps.

Re: How to manage 140+ Firewalls with their certificates...

Rievax — Thu, 22 Mar 2018 16:10:08 GMT

Thanks Otakar.Klier for the answer.

For internal certificates, I was thinking of using our AD CS PKI to generate 5 year Sub CA certificates (Default template) for each firewall... and then create 2 other 5 year certificates for GUI and SSL Decryption.

Pretty simple, but after 5 years, I'll have to manually renew all those certificates for 140+ templates in Panorama... So I was just hoping for other solutions 🙂

Re: How to manage 140+ Firewalls with their certificates...

OtakarKlier — Thu, 22 Mar 2018 16:12:56 GMT

Yeah sorry I dont have a better answer. Maybe reach out to your SE and put in a suggestion for Panorama to somehow manage this and hopefully in less than 5 years there will be a solution?

Just a thought.

Re: How to manage 140+ Firewalls with their certificates...

JoeAndreini — Thu, 22 Mar 2018 16:44:00 GMT

With that many certificcates to manage, look into third-party Certificate management software, they will typically interface with AD CS and some third party external providers to track certificate expiry and send e-mail alerts as certificates near expiry.

The last one I dealt with (unfortunately I have forgotten it's name) coudl also use API calls to renew certificates with AD and from there I would think it would not be too difficult to use API calls to push them into panorama or directly to firewalls.

Regarding the volume of certificates... While each firewall should have a unique certificate for their HTTP interface, why not use the same certificate for SSL decrypt on all firewalls? that would nearly halve the number of certificates to manage...

Re: How to manage 140+ Firewalls with their certificates...

JoeAndreini — Thu, 22 Mar 2018 16:47:20 GMT

I looked it up, the product I used previously was from Venafi - It made tracking easy for management, as well as delegation for engineers and self-service for system administrators