Certificate Setup on HA Pair

L2 Linker

Hello,

 

I wanted to use the SSL/TLS profile facility to restrict management GUI sessions to TLSv1.2 but am having trouble with the certificates/process to follow. We have an Active/Passive HA Pair. I have been trying to set this up on the passive to test but it is not working; from having a look around I suspect this may need to be set up on the Active with just the profile selection defined on the passive.

 

Can anyone guide please on the correct process and what certificates / profiles need to be created where, e.g. do I create the Self Signed Root CA on the Active firewall, generate the certificates (signed by created root) to be used for both primary and active SSL/TLS profiles on the Active Firewall and then create both SSL/TLS profiles on the Active Firewall. Then on Active and Passive Firewalls just select the correct SSL/TLS profile?

 

Appreciate any guidance.

 

Thanks

 

Ryan

 

L7 Applicator

Here's the specifics on what does not get synced in HA:

https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/high-availability/reference-ha-synchroniza...

 

It specifically mentions:

The configuration for the associated SSL/TLS Service profile (Device > Certificate Management > SSL/TLS Service Profile) and the associated certificates (Device > Certificate Management > Certificates) is synchronized. It is just the setting of which SSL/TLS Service Profile to use on the Management interface that does not sync.

 

reaper - PANgurus.com
Find my book at https://www.amazon.com/dp/1789956374
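
Because the profile selection on the Management interface is the one setting that does not sync, each HA peer has to be checked on its own after the change. The following is an added example, not part of the original posts: a Python probe that offers one TLS version at a time to each peer's management address and reports anything other than TLSv1.2-only. The peer addresses are constructed placeholders, and the names `probe` and `audit` are assumptions of this example.

```python
import socket
import ssl

# Versions offered one at a time; only TLSv1.2 should complete a handshake.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}
EXPECTED = {"TLSv1.2"}

def probe(host, version, port=443, timeout=5):
    """True if the host completes a handshake pinned to exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # management cert is often self-signed;
    ctx.verify_mode = ssl.CERT_NONE   # this tests protocol support, not trust
    # Recent OpenSSL builds refuse to offer TLS 1.0/1.1 at the default security
    # level, which would look like the firewall rejecting them.
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    ctx.minimum_version = version
    ctx.maximum_version = version
    sock = socket.create_connection((host, port), timeout=timeout)  # raises if unreachable
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return True
    except OSError:                   # ssl.SSLError and resets are OSError
        sock.close()
        return False

def audit(peers, probe_fn=probe):
    """Return {peer: [problems]}; an empty list means the peer is TLSv1.2-only."""
    findings = {}
    for host in peers:
        accepted = {name for name, ver in VERSIONS.items() if probe_fn(host, ver)}
        problems = [f"accepts {name}" for name in sorted(accepted - EXPECTED)]
        problems += [f"refuses {name}" for name in sorted(EXPECTED - accepted)]
        findings[host] = problems
    return findings

if __name__ == "__main__":
    # Constructed placeholder management IPs for the active and passive peer.
    for peer, problems in audit(["192.0.2.10", "192.0.2.11"]).items():
        print(peer, "OK" if not problems else "; ".join(problems))
```

An unreachable peer raises from `socket.create_connection` rather than being reported as "refuses", so a routing or ACL problem is not mistaken for a hardened interface.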