Active Passive and Active Active PA and Web Gui Cert

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Active Passive and Active Active PA and Web Gui Cert

Cyber Elite
Cyber Elite

 

I have created CSR and exported that to our Server team as they would generate the cert based off of that.

PA is in active passive mode.

 

Do webgui cert of Active PA will syn with Passive PA?

Do I need to create separte CSR for the passive PA?

 

We also have PA in Active Active mode.

Does A/P Webgui Cert process is same as Active Active PA?

MP

Help the community: Like helpful comments and mark solutions.
2 accepted solutions

Accepted Solutions

Well it does not matter that your firewalls are set into HA.

They both still have their own management IP (unless you manage it through network interface).

 

Let's assume that:

PA1 mgmt IP is 10.0.0.11

PA1 mgmt interface DNS name PA1.corp.local that resolves to 10.0.0.11

 

PA2 mgmt IP is 10.0.0.12

PA2 mgmt interface DNS name PA2.corp.local that resolves to 10.0.0.12

 

Then you either need *.corp.local cert or SAN cert that has both PA1.corp.local and PA2.corp.local on it.

Management interface cert config is shared between firewalls.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

View solution in original post

You can't use seperate for passive firewall.

This part of the config is synced it means that same cert is used for both active and passive.

Wildcard is probably best way to go.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

View solution in original post

7 REPLIES 7

Cyber Elite
Cyber Elite

Hello,

Yes you will need a new csr and cert as certificates are not shared during a commit or config sync.

 

Regards,

Certificates are shared in HA config and also webgui cert config (Device > Setup > Management > Authentication Settings).

So unless you use wildcard you will still get error when you log into one of them as both webgui's have their own DNS name.

 

Most likely SAN cert that has DNS name of both webgui's on it will work aswell but I have not tested it.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Can you please explain about this in more 

 

So unless you use wildcard you will still get error when you log into one of them as both webgui's have their own DNS name.

 

Currently on active PA i used the common name as host name of the PA

MP

Help the community: Like helpful comments and mark solutions.

Well it does not matter that your firewalls are set into HA.

They both still have their own management IP (unless you manage it through network interface).

 

Let's assume that:

PA1 mgmt IP is 10.0.0.11

PA1 mgmt interface DNS name PA1.corp.local that resolves to 10.0.0.11

 

PA2 mgmt IP is 10.0.0.12

PA2 mgmt interface DNS name PA2.corp.local that resolves to 10.0.0.12

 

Then you either need *.corp.local cert or SAN cert that has both PA1.corp.local and PA2.corp.local on it.

Management interface cert config is shared between firewalls.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Yes i am using Web Gui cert for the Management interface of both firewalls.

So what I can do now is use this common name on both firewalls while generating the CSR ?

for example

 

*.NGFW

 

Then I do not need to create separate CSR for passive device right?

MP

Help the community: Like helpful comments and mark solutions.

You can't use seperate for passive firewall.

This part of the config is synced it means that same cert is used for both active and passive.

Wildcard is probably best way to go.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Many Thanks Raido will give it a  try.

MP

Help the community: Like helpful comments and mark solutions.
  • 2 accepted solutions
  • 4054 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!