How do people manage certificates for the MGMT interface at scale?


Cyber Elite

Wondering how others manage the SSL/TLS Service profile that you attach under Device > Setup > Management > General Settings at any sort of scale.

We manage quite a few firewalls via Panorama, and the intent would be for each firewall to have a unique certificate for this. Is there a way we could template this using SCEP in some way? The hope would have been to use SCEP somehow so the firewall could auto-renew itself. Or would we individually need an object for each template stack and have to manage numerous objects?

I'm able to create a SCEP profile, generate a cert, create an SSL/TLS service profile, and attach it to the management interface on the firewall itself, and this works as intended. But I wouldn't want to have to individually go to all of our firewalls and do this and have objects that aren't controlled by Panorama.

Are people taking the route of either not attaching a cert to the management interface at all or possibly throwing a wildcard cert on it? Or are people creating individual certs signed by an enterprise CA and manually rotating them every X number of days/years?

4 Replies

L1 Bithead

I push the certs out from Panorama, but I've had to set the SSL/TLS profile and select the certificate locally, along with setting the secure communications settings. I can't figure out another way of doing it either.

Cyber Elite

Hi @Claw4609,

I use a wildcard certificate and push it from Panorama. It is in my "Global" template. So, I change it once and push it to every NGFW.

The most common enterprise CA server is Microsoft. It supports SCEP. If you want unique certificates for each NGFW, you can go that route.

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.

L1 Bithead

You created a DNS record for each FW you used the wildcard cert for, or somehow used a wildcard cert for the IP address?

Cyber Elite

Hi @jeffrolc,

The wildcard cert is *.mydomain.com. This is applied to the management interface. I have DNS records for each NGFW management interface, e.g. fw01.mydomain.com, fw02.mydomain.com, etc. As long as I bring up the FQDN in the browser, it trusts the wildcard certificate.

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.
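The point in the reply above, that a wildcard cert only helps when you browse to the FQDN and never when you hit the management IP directly, is easy to verify and worth auditing across a fleet. The following is an added example, not Tom's code and not anything from PAN-OS or Panorama: it applies RFC 6125 wildcard-matching rules and an expiry check to a certificate in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns. The sample certificate, the hostnames `fw01.mydomain.com`, `10.1.1.1` and the audit timestamp are constructed; `fetch_mgmt_cert()` is a hypothetical helper you would point at your own management FQDNs.

```python
"""Audit the TLS certificate a firewall management interface presents.

Added example, not PAN-OS or Panorama code. Certificate dicts use the shape
returned by ssl.SSLSocket.getpeercert(), so audit_cert() runs unchanged on a
live certificate from fetch_mgmt_cert() or on the constructed sample below.
"""
import ipaddress
import socket
import ssl
from datetime import datetime, timezone


def is_ip_literal(name: str) -> bool:
    """True for 10.1.1.1 / ::1 style names, which no DNS-ID can cover."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' covers exactly one leftmost DNS label.

    '*.mydomain.com' matches 'fw01.mydomain.com' but not 'mydomain.com',
    not 'fw01.lab.mydomain.com', not '*.com' style patterns, and never an
    IP literal (the reason 'https://10.1.1.1' stays untrusted).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if is_ip_literal(hostname):
        return False
    p, h = pattern.split("."), hostname.split(".")
    if len(p) != len(h) or p[1:] != h[1:]:
        return False
    if p[0] == "*":
        # Require at least two fixed labels so '*.com' is never honoured.
        return len(p) >= 3 and h[0] != ""
    return p[0] == h[0]


def san_dns_names(cert: dict) -> list:
    """DNS entries from subjectAltName; browsers ignore a bare CN."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def days_until_expiry(cert: dict, now: datetime) -> int:
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc
    )
    return (expires - now).days


def audit_cert(cert: dict, hostname: str, now: datetime, warn_days: int = 30) -> list:
    """Return (code, detail) findings for this cert as seen from `hostname`."""
    findings = []
    names = san_dns_names(cert)
    if not names:
        findings.append(("NO_SAN", "no subjectAltName; a CN-only cert is not trusted by browsers"))
    if not any(name_matches(n, hostname) for n in names):
        hint = " (wildcards never cover IP literals; browse to the FQDN)" if is_ip_literal(hostname) else ""
        findings.append(("NAME_MISMATCH", f"{hostname} is not covered by {names}{hint}"))
    left = days_until_expiry(cert, now)
    if left < 0:
        findings.append(("EXPIRED", f"expired {-left} days ago"))
    elif left <= warn_days:
        findings.append(("EXPIRING", f"expires in {left} days (threshold {warn_days})"))
    return findings


def fetch_mgmt_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Hypothetical helper: fetch the peer cert from a live management FQDN.

    The default context validates the chain against the system trust store,
    so an untrusted chain raises ssl.SSLCertVerificationError, itself a finding.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() shape: the wildcard cert from the thread.
SAMPLE_WILDCARD_CERT = {
    "subject": ((("commonName", "*.mydomain.com"),),),
    "subjectAltName": (("DNS", "*.mydomain.com"),),
    "notAfter": "Jan 15 00:00:00 2030 GMT",
}

# Constructed audit time, 26 days before the sample cert expires.
AUDIT_TIME = datetime(2029, 12, 20, tzinfo=timezone.utc)

if __name__ == "__main__":
    for target in ("fw01.mydomain.com", "fw01.lab.mydomain.com", "10.1.1.1"):
        print(target, audit_cert(SAMPLE_WILDCARD_CERT, target, AUDIT_TIME))
```

Run it over your inventory of management FQDNs with `fetch_mgmt_cert()` and you get one list per firewall: a `NAME_MISMATCH` for anyone still bookmarking the IP, and an `EXPIRING` warning early enough to rotate the shared wildcard (or the per-device SCEP certs) before the deadline.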