https://live.paloaltonetworks.com/t5/general-topics/certificate-setup-on-ha-pair/m-p/243313#M69581 <P>Hello,</P><P>&nbsp;</P><P>I&nbsp;wanted to use the SSL/TLS profile facility to restrcit management GUI sessions to TLSv1.2 but am having trouble with the certificates/process to follow.&nbsp; We have an Active/Passive HA Pair, i have been trying to&nbsp;setup on the passive to test but it is not working, from having a look around i susepct this may need to be setup on the Active with just the profile selection defined on the passive.&nbsp;</P><P>&nbsp;</P><P>Can anyone guide please on the correct process and what certificates / profles need to be created where, e.g. do i create the Self Signed Root CA on the Active firewall,&nbsp;generate the certiciates (signed by&nbsp;created root)&nbsp;to be used&nbsp;for both primary and active SSL/TLS profiles on the Active Firewall&nbsp;and then create both SSL/TLS profiles on the&nbsp;Active Firewall.&nbsp; Then on Actve and Passive Firewalls&nbsp;just select the correct SSL/TLS profile?</P><P>&nbsp;</P><P>Appreciate any guidance.</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P><P>Ryan</P><P>&nbsp;</P> Fri, 14 Dec 2018 11:48:40 GMT RyanJohnstone 2018-12-14T11:48:40Z https://live.paloaltonetworks.com/t5/general-topics/certificate-setup-on-ha-pair/m-p/243313#M69581 <P>Hello,</P><P>&nbsp;</P><P>I&nbsp;wanted to use the SSL/TLS profile facility to restrcit management GUI sessions to TLSv1.2 but am having trouble with the certificates/process to follow.&nbsp; We have an Active/Passive HA Pair, i have been trying to&nbsp;setup on the passive to test but it is not working, from having a look around i susepct this may need to be setup on the Active with just the profile selection defined on the passive.&nbsp;</P><P>&nbsp;</P><P>Can anyone guide please on the correct process and what certificates / profles need to be created where, e.g. do i create the Self Signed Root CA on the Active firewall,&nbsp;generate the certiciates (signed by&nbsp;created root)&nbsp;to be used&nbsp;for both primary and active SSL/TLS profiles on the Active Firewall&nbsp;and then create both SSL/TLS profiles on the&nbsp;Active Firewall.&nbsp; Then on Actve and Passive Firewalls&nbsp;just select the correct SSL/TLS profile?</P><P>&nbsp;</P><P>Appreciate any guidance.</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P><P>Ryan</P><P>&nbsp;</P> Fri, 14 Dec 2018 11:48:40 GMT https://live.paloaltonetworks.com/t5/general-topics/certificate-setup-on-ha-pair/m-p/243313#M69581 RyanJohnstone 2018-12-14T11:48:40Z https://live.paloaltonetworks.com/t5/general-topics/certificate-setup-on-ha-pair/m-p/243851#M69666 <P>Here's the specifics on what does not get synced in HA:</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/high-availability/reference-ha-synchronization/what-settings-dont-sync-in-activepassive-ha" target="_blank">https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/high-availability/reference-ha-synchronization/what-settings-dont-sync-in-activepassive-ha</A></P> <P>&nbsp;</P> <P>it specifically mentions:</P> <PRE>The configuration for the associated SSL/TLS Service profile (<STRONG>Device &gt; Certificate<BR /> Management</STRONG><STRONG> &gt; SSL/TLS Service Profile</STRONG> and the associated certificates (<STRONG>Device &gt; <BR />Certificate Management &gt; </STRONG><STRONG>Certificates</STRONG>) is synchronized. It is just the setting of <BR />which SSL/TLS Service Profile to use on the Management interface that does not sync.&nbsp;</PRE> <P>&nbsp;</P> Wed, 19 Dec 2018 14:27:12 GMT https://live.paloaltonetworks.com/t5/general-topics/certificate-setup-on-ha-pair/m-p/243851#M69666 reaper 2018-12-19T14:27:12Z