11-08-2023 09:07 AM - edited 11-08-2023 09:22 AM
Wondering how others manage the SSL/TLS Service Profile that you attach under Device>Setup>Management>General Settings at any sort of scale.
We manage quite a few firewalls via Panorama, and the intent would be for each firewall to have a unique certificate for this. Is there a way we can template this using SCEP in some way? The hope would have been to use SCEP in some way so the firewall could auto-renew itself. Or would we individually need an object for each template stack and have to manage numerous objects?
I'm able to create a SCEP profile, generate a cert, create an SSL/TLS service profile, and attach it to the management interface on the firewall itself, and this works as intended. But I wouldn't want to have to individually go to all of our firewalls and do this and have objects that aren't controlled by Panorama.
Are people taking the route of either not attaching a cert to the management interface at all or possibly throwing a wildcard cert on it? Or are people creating individual certs signed by an enterprise CA and manually rotating them every X number of days/years?
11-16-2023 01:30 AM
I push the certs out from Panorama, but I've had to set the SSL/TLS Service Profile and select the certificate locally, along with setting the secure communications settings. I can't figure out another way of doing it either.
11-16-2023 02:34 AM
Hi @Claw4609 ,
I use a wildcard certificate and push it from Panorama. It is in my "Global" template. So, I change it once and push it to every NGFW.
The most common enterprise CA server is Microsoft. It supports SCEP. If you want unique certificates for each NGFW, you can go that route.
Thanks,
Tom
06-30-2024 02:28 PM
Hi @jeffrolc ,
The wildcard cert is *.mydomain.com. This is applied to the management interface. I have DNS records for each NGFW management interface, e.g. fw01.mydomain.com, fw02.mydomain.com, etc. As long as I bring up the FQDN in the browser, it trusts the wildcard certificate.
Thanks,
Tom
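As an added example (not from this thread, Palo Alto Networks or Panorama), here is a small Python check for the wildcard approach described above: it applies the single-label wildcard matching rule to each NGFW management FQDN in an inventory and flags which ones a `*.mydomain.com` cert does not cover, plus how many days remain before the cert needs rotating. The inventory, SAN list and dates are constructed sample data; `rotate_within` is an assumed threshold.

```python
"""Audit which NGFW management FQDNs a wildcard (or per-device) certificate
covers, and how close it is to its rotation deadline.
Added example; the inventory and certificate data below are constructed."""
from datetime import datetime, timezone


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' may only stand for the whole leftmost label
    and never spans a dot, so *.mydomain.com covers fw01.mydomain.com but not
    fw03.lab.mydomain.com, mydomain.com itself, or a bare IP address."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject wildcards that are not the leftmost label, or that would match
    # a whole public suffix such as *.com, or a different label count.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(san_names, hostname: str) -> bool:
    return any(san_matches(p, hostname) for p in san_names)


def days_left(not_after: datetime, now: datetime) -> int:
    return (not_after - now).days


def audit(inventory, san_names, not_after, now, rotate_within=30):
    """Return {fqdn: 'ok' | 'name-mismatch' | 'rotate'} for every device."""
    remaining = days_left(not_after, now)
    report = {}
    for fqdn in inventory:
        if not cert_covers(san_names, fqdn):
            report[fqdn] = "name-mismatch"   # browser will not trust this name
        elif remaining <= rotate_within:
            report[fqdn] = "rotate"          # cert expires within the window
        else:
            report[fqdn] = "ok"
    return report


# Constructed sample: one wildcard cert pushed from a Panorama template.
SAMPLE_SAN = ["*.mydomain.com"]
SAMPLE_NOT_AFTER = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE_NOW = datetime(2024, 10, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = ["fw01.mydomain.com", "fw02.mydomain.com",
                    "fw03.lab.mydomain.com", "10.0.0.5"]

if __name__ == "__main__":
    for fqdn, status in audit(SAMPLE_INVENTORY, SAMPLE_SAN,
                              SAMPLE_NOT_AFTER, SAMPLE_NOW).items():
        print(f"{fqdn}: {status}")
```

Devices reported as `name-mismatch` (a sub-subdomain or an IP-only management address) are the ones that would still need a per-device cert, for example via the SCEP route mentioned earlier in the thread.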