Certificate Setup on HA Pair

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Certificate Setup on HA Pair

L2 Linker

Hello,

 

I wanted to use the SSL/TLS profile facility to restrcit management GUI sessions to TLSv1.2 but am having trouble with the certificates/process to follow.  We have an Active/Passive HA Pair, i have been trying to setup on the passive to test but it is not working, from having a look around i susepct this may need to be setup on the Active with just the profile selection defined on the passive. 

 

Can anyone guide please on the correct process and what certificates / profles need to be created where, e.g. do i create the Self Signed Root CA on the Active firewall, generate the certiciates (signed by created root) to be used for both primary and active SSL/TLS profiles on the Active Firewall and then create both SSL/TLS profiles on the Active Firewall.  Then on Actve and Passive Firewalls just select the correct SSL/TLS profile?

 

Appreciate any guidance.

 

Thanks

 

Ryan

 

1 REPLY 1

Cyber Elite
Cyber Elite

Here's the specifics on what does not get synced in HA:

https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/high-availability/reference-ha-synchroniza...

 

it specifically mentions:

The configuration for the associated SSL/TLS Service profile (Device > Certificate
Management
> SSL/TLS Service Profile and the associated certificates (Device >
Certificate Management >
Certificates) is synchronized. It is just the setting of
which SSL/TLS Service Profile to use on the Management interface that does not sync. 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 6297 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!