Active Passive and Active Active PA and Web Gui Cert

Cyber Elite

I have created CSR and exported that to our Server team as they would generate the cert based off of that.

PA is in active passive mode.


Will the web GUI cert of the active PA sync to the passive PA?

Do I need to create a separate CSR for the passive PA?

We also have PAs in Active/Active mode.

Is the A/P web GUI cert process the same as for Active/Active PAs?

MP


All Replies
Cyber Elite

Hello,

Yes, you will need a new CSR and cert, as certificates are not shared during a commit or config sync.

Regards,

L7 Applicator

Certificates are shared in an HA config, and so is the web GUI cert config (Device > Setup > Management > Authentication Settings).

So unless you use a wildcard, you will still get an error when you log into one of them, as both web GUIs have their own DNS name.

Most likely a SAN cert that has the DNS names of both web GUIs on it will work as well, but I have not tested it.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI
Cyber Elite

Can you please explain about this in more 

So unless you use a wildcard, you will still get an error when you log into one of them, as both web GUIs have their own DNS name.

Currently, on the active PA, I used the host name of the PA as the common name.

MP
L7 Applicator

Well, it does not matter that your firewalls are set up in HA.

They both still have their own management IP (unless you manage them through a network interface).

Let's assume that:

PA1 mgmt IP is 10.0.0.11

PA1 mgmt interface DNS name PA1.corp.local resolves to 10.0.0.11

PA2 mgmt IP is 10.0.0.12

PA2 mgmt interface DNS name PA2.corp.local resolves to 10.0.0.12

Then you either need a *.corp.local cert or a SAN cert that has both PA1.corp.local and PA2.corp.local on it.

The management interface cert config is shared between the firewalls.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI

Cyber Elite

Yes, I am using the web GUI cert for the management interface of both firewalls.

So what I can do now is use this common name on both firewalls while generating the CSR?

For example:

*.NGFW

Then I do not need to create a separate CSR for the passive device, right?

MP
L7 Applicator

You can't use a separate one for the passive firewall.

This part of the config is synced, which means that the same cert is used for both active and passive.

A wildcard is probably the best way to go.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI
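Both the accepted answer (one cert for PA1.corp.local and PA2.corp.local) and the "*.NGFW" question above come down to which names a browser will accept from the single certificate that HA syncs to both peers. The following is an added example, not code from this thread or from Palo Alto Networks: a stdlib-only Python model of browser hostname matching (RFC 6125 section 6.4.3 rules, simplified) run against the two management hostnames assumed in the answer. It compares a CN-only CSR made on the active peer, the proposed "*.NGFW" name, the "*.corp.local" wildcard, and a SAN cert listing both peers. Browsers match against the certificate's SAN dNSName entries (Chrome ignores the CN entirely), so whichever option is chosen, the names belong in the SAN of the one CSR.

```python
"""Hostname matching for an HA pair that shares one management-interface cert.

Constructed example for the thread above; the hostnames PA1.corp.local and
PA2.corp.local are the ones assumed in the accepted answer, "*.NGFW" is the
name proposed by the asker.
"""
from typing import Dict, Iterable, List


def dns_name_matches(presented: str, reference: str) -> bool:
    """Return True if a presented certificate name covers the reference hostname.

    Simplified RFC 6125 / browser behaviour:
    - comparison is case-insensitive;
    - a wildcard is honoured only as the entire leftmost label ("*.corp.local");
    - a wildcard matches exactly one label, so "*.corp.local" covers neither
      "corp.local" itself nor "a.b.corp.local";
    - wildcards are refused for two-label names ("*.local"), as browsers do.
    """
    presented = presented.lower().rstrip(".")
    reference = reference.lower().rstrip(".")
    if "*" not in presented:
        return presented == reference
    p_labels = presented.split(".")
    r_labels = reference.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # partial ("pa*") or non-leftmost wildcards are not accepted
    if len(p_labels) < 3 or len(p_labels) != len(r_labels):
        return False  # one label per wildcard, and no "*.tld"-style wildcards
    return p_labels[1:] == r_labels[1:]


def cert_covers_host(san_dns_names: Iterable[str], hostname: str) -> bool:
    """True if any dNSName in the certificate's SAN covers the hostname."""
    return any(dns_name_matches(name, hostname) for name in san_dns_names)


def ha_pair_coverage(san_dns_names: List[str], hostnames: List[str]) -> Dict[str, bool]:
    """Map each peer's management hostname to whether the shared cert covers it."""
    return {host: cert_covers_host(san_dns_names, host) for host in hostnames}


# Management hostnames of the two HA peers (assumed, as in the accepted answer).
HA_MGMT_HOSTS = ["PA1.corp.local", "PA2.corp.local"]

# Four ways to fill the SAN of the one CSR that HA will sync to both peers.
CN_ONLY_ACTIVE = ["PA1.corp.local"]               # CSR made on the active peer only
ASKER_WILDCARD = ["*.NGFW"]                       # the "*.NGFW" idea from the thread
WILDCARD = ["*.corp.local"]                       # answer option 1: wildcard cert
SAN_BOTH = ["PA1.corp.local", "PA2.corp.local"]   # answer option 2: SAN with both names


if __name__ == "__main__":
    options = [
        ("CN-only, active peer", CN_ONLY_ACTIVE),
        ("*.NGFW", ASKER_WILDCARD),
        ("*.corp.local wildcard", WILDCARD),
        ("SAN with both peers", SAN_BOTH),
    ]
    for label, names in options:
        print(f"{label:24s} {ha_pair_coverage(names, HA_MGMT_HOSTS)}")
```

Only the wildcard and the two-name SAN cover both peers; the CN-only cert from the active box fails on PA2's login page (the error described in the thread), and "*.NGFW" fails on both because a wildcard must cover the whole DNS name, not just the device name.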

Cyber Elite

Many thanks Raido, will give it a try.

MP