Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
02-07-2019 07:47 PM
I have created CSR and exported that to our Server team as they would generate the cert based off of that.
PA is in active passive mode.
Do webgui cert of Active PA will syn with Passive PA?
Do I need to create separte CSR for the passive PA?
We also have PA in Active Active mode.
Does A/P Webgui Cert process is same as Active Active PA?
02-08-2019 09:26 AM - edited 02-08-2019 09:26 AM
Well it does not matter that your firewalls are set into HA.
They both still have their own management IP (unless you manage it through network interface).
Let's assume that:
PA1 mgmt IP is 10.0.0.11
PA1 mgmt interface DNS name PA1.corp.local that resolves to 10.0.0.11
PA2 mgmt IP is 10.0.0.12
PA2 mgmt interface DNS name PA2.corp.local that resolves to 10.0.0.12
Then you either need *.corp.local cert or SAN cert that has both PA1.corp.local and PA2.corp.local on it.
Management interface cert config is shared between firewalls.
02-08-2019 10:30 AM
You can't use seperate for passive firewall.
This part of the config is synced it means that same cert is used for both active and passive.
Wildcard is probably best way to go.
02-08-2019 07:48 AM
Hello,
Yes you will need a new csr and cert as certificates are not shared during a commit or config sync.
Regards,
02-08-2019 08:46 AM - edited 02-08-2019 08:50 AM
Certificates are shared in HA config and also webgui cert config (Device > Setup > Management > Authentication Settings).
So unless you use wildcard you will still get error when you log into one of them as both webgui's have their own DNS name.
Most likely SAN cert that has DNS name of both webgui's on it will work aswell but I have not tested it.
02-08-2019 09:20 AM
Can you please explain about this in more
So unless you use wildcard you will still get error when you log into one of them as both webgui's have their own DNS name.
Currently on active PA i used the common name as host name of the PA
02-08-2019 09:26 AM - edited 02-08-2019 09:26 AM
Well it does not matter that your firewalls are set into HA.
They both still have their own management IP (unless you manage it through network interface).
Let's assume that:
PA1 mgmt IP is 10.0.0.11
PA1 mgmt interface DNS name PA1.corp.local that resolves to 10.0.0.11
PA2 mgmt IP is 10.0.0.12
PA2 mgmt interface DNS name PA2.corp.local that resolves to 10.0.0.12
Then you either need *.corp.local cert or SAN cert that has both PA1.corp.local and PA2.corp.local on it.
Management interface cert config is shared between firewalls.
02-08-2019 09:34 AM
Yes i am using Web Gui cert for the Management interface of both firewalls.
So what I can do now is use this common name on both firewalls while generating the CSR ?
for example
*.NGFW
Then I do not need to create separate CSR for passive device right?
02-08-2019 10:30 AM
You can't use seperate for passive firewall.
This part of the config is synced it means that same cert is used for both active and passive.
Wildcard is probably best way to go.
02-08-2019 02:36 PM
Many Thanks Raido will give it a try.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
