- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Wondering how other manage the SSL/TLS Service profile that you attach under Device>Setup>Management>General Settings at any sort of scale.
We manage quite a few firewall, via panorama, and the intent would be for each firewall to have a unique certificate for this? Is there a way we can template this would using SCEP in some way? The hope would have been to use SCEP in someway so the firewall could auto renew itself. Or would we individually need an object for each template stack and have to manage numerous objects?
Im able to create a scep profile, generate a cert, create an ssl/tls service profile, at attach it to the management interface on the firewall itself and this works as intended. But I wouldnt want to have to individually go to all of our firewall and do this and have objects that arent controller by panorama.
Are people taking the route of either not attaching a cert to the management interface at all or possibly throwing a wildcard cert on it? Or are people creating individual certs signed by an enterprise CA and manually rotating them every X number of days/years?
I push the certs out from panorama but i've had to set the SSL-TLS-Profile and select the certificate locally along with setting the secure communications settings. I can't figure another way of doing it either.
Hi @Claw4609 ,
I use a wildcard certificate and push it from Panorama. It is in my "Global" template. So, I change it once and push it to every NGFW.
The most common enterprise CA server is Microsoft. It supports SCEP. If you want unique certificates for each NGFW, you can go that route.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!