Issue on updating cert on Palo Alto FW pair

L2 Linker

I have an issue updating a cert on a PA pair.

The issue is very similar to what is described under

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CldECAS

I imported the new cert to both PA FW units and changed the config to use the new cert. However, it comes with a config out-of-sync issue, and somehow the new cert on the passive unit is removed after committing the config.

Any fix for the issue?

L4 Transporter

Re: Issue on updating cert on Palo Alto FW pair

This is what I would do (thinking out of the box).

If HA firewalls....

Export the configuration from the active FW.

Import the configuration in the passive FW.

Now, both FWs have 100% the exact config.

On the passive FW, change the config to modify/update the config to use the original mgmt IP.

On the passive FW, because it has the exact HA configuration as the active FW, modify it so that it has the original HA settings that the standby FW would have.

Commit on the standby.

Now, you have the cert on both FWs.
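One way to confirm the outcome of the steps above, as an added example that is not part of the original thread or any Palo Alto Networks code: export the configuration from both units and compare their certificate entries. The `certificate/entry` and `public-key` XML layout, the entry names and the PEM bodies are assumptions constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Assumed layout of an exported config: <certificate><entry name="..."> with a
# <public-key> child holding the PEM text. Adjust CERT_PATH if your export differs.
CERT_PATH = ".//certificate/entry"

# Constructed sample exports (not real firewall configs or real certificates).
ACTIVE_XML = """<config><shared><certificate>
  <entry name="web-old"><public-key>-----BEGIN CERTIFICATE-----
AAAA
-----END CERTIFICATE-----</public-key></entry>
  <entry name="web-new"><public-key>-----BEGIN CERTIFICATE-----
BBBB
-----END CERTIFICATE-----</public-key></entry>
  <entry name="mgmt"><public-key>-----BEGIN CERTIFICATE-----
CCCC
-----END CERTIFICATE-----</public-key></entry>
</certificate></shared></config>"""

PASSIVE_XML = """<config><shared><certificate>
  <entry name="web-old"><public-key>-----BEGIN CERTIFICATE----- AAAA -----END CERTIFICATE-----</public-key></entry>
  <entry name="mgmt"><public-key>-----BEGIN CERTIFICATE----- DDDD -----END CERTIFICATE-----</public-key></entry>
</certificate></shared></config>"""

def cert_fingerprints(xml_text):
    """Map certificate entry name -> SHA-256 of its whitespace-stripped PEM text."""
    prints = {}
    for entry in ET.fromstring(xml_text).iterfind(CERT_PATH):
        pem = "".join((entry.findtext("public-key") or "").split())
        prints[entry.get("name")] = hashlib.sha256(pem.encode()).hexdigest()
    return prints

def compare_peers(active_xml, passive_xml):
    """Report certificate differences that would leave the HA pair out of sync."""
    active, passive = cert_fingerprints(active_xml), cert_fingerprints(passive_xml)
    return {
        "missing_on_passive": sorted(active.keys() - passive.keys()),
        "missing_on_active": sorted(passive.keys() - active.keys()),
        "different_content": sorted(
            n for n in active.keys() & passive.keys() if active[n] != passive[n]),
    }

if __name__ == "__main__":
    for problem, names in compare_peers(ACTIVE_XML, PASSIVE_XML).items():
        print(f"{problem}: {', '.join(names) or 'none'}")
```

Running it again on exports taken after the commit on the standby shows whether the new cert was removed from the passive unit.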
