How to manage 140+ Firewalls with their certificates...


L2 Linker

Hello Community,

 

I was wondering how in a "larger scale" environment (140+ branch offices) people are generally managing their certificates?

  • Take the scenario of Panorama managing those 140+ PA firewalls with their corresponding 140+ templates...
  • Then you either import the company's Root CA / generate a Sub-CA on every single one of the 140+ firewalls (in our case AD CS), or create 140+ Sub-CA certs from AD CS for each branch location and export CSR / import CER etc.
  • Then from each firewall create the required certificates... let's say one for the HTTP management access and one for the SSL Decryption... maybe more to come.
  • By default on PA, the certificate duration is 1 year. I understand one can renew it right away to 5, 10 or even 20 years. But for argument / security sake, let's keep it to its default 1 year.

How do you guys manage all those certificates? Within a year, you would have to at best renew 280 certificates manually... Are you generating them on longer terms? Is this just a yearly "job" that has to be done? 

 

Thanks for your kind input.



Cyber Elite

Hello,

That can be a daunting task for sure. What we try to do is: internal certificates are generated with the highest level of encryption possible, and we generate them for 2+ years depending on their function. External certs are only renewed for 1 year since external services can change, but we still go for the highest level of encryption the provider can give us.

 

Hope that helps.

Thanks Otakar.Klier for the answer.

 

For internal certificates, I was thinking of using our AD CS PKI to generate 5 year Sub CA certificates (Default template) for each firewall... and then create 2 other 5 year certificates for GUI and SSL Decryption.

Pretty simple, but after 5 years, I'll have to manually renew all those certificates for 140+ templates in Panorama... So I was just hoping for other solutions 🙂

Yeah, sorry I don't have a better answer. Maybe reach out to your SE and put in a suggestion for Panorama to somehow manage this, and hopefully in less than 5 years there will be a solution?

 

Just a thought.

L4 Transporter

With that many certificates to manage, look into third-party certificate management software; they will typically interface with AD CS and some third-party external providers to track certificate expiry and send e-mail alerts as certificates near expiry.

 

The last one I dealt with (unfortunately I have forgotten its name) could also use API calls to renew certificates with AD, and from there I would think it would not be too difficult to use API calls to push them into Panorama or directly to firewalls.

 

Regarding the volume of certificates... While each firewall should have a unique certificate for their HTTP interface, why not use the same certificate for SSL decrypt on all firewalls? That would nearly halve the number of certificates to manage...

I looked it up; the product I used previously was from Venafi. It made tracking easy for management, as well as delegation for engineers and self-service for system administrators.
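The accepted answer's core recommendation is expiry tracking with alerts, and the original question is about the renewal workload that 140+ devices create. The script below is an added example (not code from this thread, from Palo Alto Networks, or from Venafi) showing the minimal version of that tracking over a constructed inventory: it takes one record per certificate with its `notAfter` date in the format Python's `ssl` module uses, classifies each certificate against alert thresholds, and tallies how many renewals land in each month so the "yearly job" can be seen as a schedule rather than a surprise. The device names, purposes, dates and thresholds are all assumptions for illustration; in practice the inventory would come from an export of the certificate stores in Panorama or the firewalls.

```python
"""Expiry tracking for a fleet of firewall certificates (stdlib only)."""
import ssl
from collections import Counter
from datetime import datetime, timezone

# Alert thresholds in days, checked from most to least urgent (assumed values).
THRESHOLDS_DAYS = (("critical", 14), ("warning", 30), ("notice", 90))

# Constructed inventory: one record per certificate. The notAfter strings use
# the "%b %d %H:%M:%S %Y GMT" layout that ssl.SSLSocket.getpeercert() returns.
INVENTORY = [
    {"device": "branch-001-fw", "purpose": "mgmt-https",  "notAfter": "Mar  1 10:00:00 2025 GMT"},
    {"device": "branch-001-fw", "purpose": "ssl-decrypt", "notAfter": "Aug 20 10:00:00 2025 GMT"},
    {"device": "branch-002-fw", "purpose": "mgmt-https",  "notAfter": "Feb 10 10:00:00 2025 GMT"},
    {"device": "branch-002-fw", "purpose": "ssl-decrypt", "notAfter": "Aug 20 10:00:00 2025 GMT"},
    {"device": "branch-003-fw", "purpose": "mgmt-https",  "notAfter": "Jan 20 10:00:00 2025 GMT"},
]


def days_until_expiry(not_after, now):
    """Days (fractional, negative if already expired) from `now` to notAfter."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).total_seconds() / 86400


def classify(days_left):
    """Map remaining lifetime to an alert level."""
    if days_left < 0:
        return "expired"
    for label, limit in THRESHOLDS_DAYS:
        if days_left <= limit:
            return label
    return "ok"


def expiry_report(inventory, now):
    """Return the inventory annotated with days_left and severity, most urgent first."""
    report = []
    for rec in inventory:
        days = days_until_expiry(rec["notAfter"], now)
        report.append({**rec, "days_left": int(days), "severity": classify(days)})
    report.sort(key=lambda r: r["days_left"])
    return report


def renewals_by_month(inventory):
    """Count how many certificates expire in each YYYY-MM bucket."""
    months = Counter()
    for rec in inventory:
        expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(rec["notAfter"]), tz=timezone.utc)
        months[expires.strftime("%Y-%m")] += 1
    return dict(sorted(months.items()))


if __name__ == "__main__":
    now = datetime.now(tz=timezone.utc)
    for row in expiry_report(INVENTORY, now):
        print(f'{row["severity"]:8} {row["days_left"]:5d}d  {row["device"]}  {row["purpose"]}')
    print("renewals per month:", renewals_by_month(INVENTORY))
```

Feeding the report into an e-mail or ticketing step is the part a commercial tool adds on top; the point of the example is that the data needed for the alert is just the `notAfter` field of each certificate. If, as the answer suggests, a single SSL decrypt certificate is deployed fleet-wide, it appears once in the inventory, which is what shrinks the renewal count.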
