Active Passive and Active Active PA and Web Gui Cert

L4 Transporter

I have created a CSR and exported it to our server team, as they will generate the cert based off of that.

PA is in active passive mode.

Does the web GUI cert of the active PA sync with the passive PA?

Do I need to create a separate CSR for the passive PA?

We also have PA in Active Active mode.

Is the A/P web GUI cert process the same as for Active/Active PA?

L7 Applicator

Re: Active Passive and Active Active PA and Web Gui Cert

Hello,

Yes, you will need a new CSR and cert, as certificates are not shared during a commit or config sync.

Regards,

L7 Applicator

Re: Active Passive and Active Active PA and Web Gui Cert

Certificates are shared in an HA config, and so is the web GUI cert config (Device > Setup > Management > Authentication Settings).

So unless you use a wildcard you will still get an error when you log into one of them, as both web GUIs have their own DNS name.

Most likely a SAN cert that has the DNS names of both web GUIs on it will work as well, but I have not tested it.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI
L4 Transporter

Re: Active Passive and Active Active PA and Web Gui Cert

Can you please explain about this in more 

"So unless you use a wildcard you will still get an error when you log into one of them, as both web GUIs have their own DNS name."

Currently on the active PA I used the common name as the hostname of the PA.

L7 Applicator

Re: Active Passive and Active Active PA and Web Gui Cert

Well, it does not matter that your firewalls are set up in HA.

They both still have their own management IP (unless you manage them through a network interface).

Let's assume that:

PA1 mgmt IP is 10.0.0.11

PA1 mgmt interface DNS name PA1.corp.local that resolves to 10.0.0.11

PA2 mgmt IP is 10.0.0.12

PA2 mgmt interface DNS name PA2.corp.local that resolves to 10.0.0.12

Then you either need a *.corp.local cert or a SAN cert that has both PA1.corp.local and PA2.corp.local on it.

The management interface cert config is shared between the firewalls.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI
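To make the point above concrete, here is a small hostname-coverage check (an added example, not code from the thread or from Palo Alto Networks). It assumes the PA1.corp.local / PA2.corp.local names from the reply and shows which of the discussed certificate options validates on both management interfaces once the single cert is synced to both firewalls.

```python
"""Check which certificate names cover both HA management hostnames.

Illustrative example written for this thread; the hostnames and the
candidate name lists are constructed from the reply above, not taken from
a real certificate.
"""


def name_matches(pattern, hostname):
    """Return True if one certificate name (CN or DNS SAN) covers hostname.

    Matching follows the usual browser rule (RFC 6125 style): comparison is
    case-insensitive, '*' is allowed only as the entire leftmost label, and it
    matches exactly one label, so '*.corp.local' covers 'pa1.corp.local' but
    not 'corp.local' or 'x.pa1.corp.local'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole leftmost label and nowhere else.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(cert_names, hostname):
    """True if any CN/SAN entry on the shared certificate covers hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


def coverage_report(cert_names, hostnames):
    """Map each management hostname to whether the synced cert validates there."""
    return {h: cert_covers(cert_names, h) for h in hostnames}


# Assumed management DNS names, taken from the reply above.
MGMT_HOSTS = ["PA1.corp.local", "PA2.corp.local"]

# Constructed name lists for the three options discussed in the thread.
CN_ONLY = ["PA1.corp.local"]                      # CSR with CN = active box only
WILDCARD = ["*.corp.local"]                       # wildcard for the mgmt domain
SAN_BOTH = ["PA1.corp.local", "PA2.corp.local"]   # SAN listing both boxes

if __name__ == "__main__":
    for label, names in (("CN only", CN_ONLY), ("wildcard", WILDCARD), ("SAN", SAN_BOTH)):
        print(label, coverage_report(names, MGMT_HOSTS))
```

A wildcard only covers names directly under the same domain, so the wildcard label must match the domain the management interfaces actually resolve under.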
L4 Transporter

Re: Active Passive and Active Active PA and Web Gui Cert

Yes, I am using the web GUI cert for the management interface of both firewalls.

So what I can do now is use this common name on both firewalls while generating the CSR?

For example:

*.NGFW

Then I do not need to create a separate CSR for the passive device, right?

L7 Applicator

Re: Active Passive and Active Active PA and Web Gui Cert

You can't use a separate one for the passive firewall.

This part of the config is synced, which means that the same cert is used for both active and passive.

A wildcard is probably the best way to go.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI
L4 Transporter

Re: Active Passive and Active Active PA and Web Gui Cert

Many thanks Raido, will give it a try.
