08-22-2019 05:01 AM
We have a Panorama running 8.1.9 and we're looking to utilize almost every setting possible in Panorama to deploy to our managed firewalls. One of the settings we are looking to standardize on is the SSL/TLS profile. I see you can set this via Panorama but it requires you to specify a certificate.
Does this feature deploy the actual certificate or just the "named" certificate, as long as we deploy the certificate individually to firewalls?
The reason I ask is we're looking to apply this to our GLOBAL TEMPLATE and if it deploys the certificate I am not sure it will work. Our organization does not permit WILDCARD certificates.
08-22-2019 02:54 PM
Hello
Confirmed that a cert, created in a template with Panorama, does indeed get pushed down to a FW.
I am not sure why you need to push down a wildcard cert, and if you do, why your company would not let you push down the cert.
It would be easier than creating on the local FW(s). Again, not sure how many FWs need to have this cert on it.
But I did answer your question, so mark it as a solution. 😛
Thanks
08-27-2019 11:52 AM
Actually, Chrome uses the certificate repository store from the OS.
So, if you import a self-signed cert from the FW into IE, the same repository is used from Chrome.
As a PANW instructor for the past 7 years, I routinely import our lab/self-signed certs into Chrome without issue.
Would be glad to assist if you continue to need help.
thanks
Steve
08-27-2019 01:45 PM
@S.Cantwell wrote:Actually, Chrome uses the certificate repository store from the OS.
So, if you import a self-signed cert from the FW into IE, the same repository is used from Chrome.
As a PANW instructor for the past 7 years, I routinely import our lab/self-signed certs into Chrome without issue.
Would be glad to assist if you continue to need help.
thanks
Steve
I will give it another try. My last attempt resulted in support telling me about the certificate issue. That would make things much more simple if it worked as you say.
08-29-2019 01:37 PM
Still no luck. I created the cert in Panorama, applied and downloaded it, and installed it on my local PC as a trusted root. Outlook immediately gets a certificate error and all Chrome content is unreachable.
08-29-2019 02:00 PM
Interesting....
I have a PAN220 for 2 years (more or less) and I decrypt 100% of my traffic (on my home network)
No problems with Outlook or Chrome.
My only logical thought is that the cert, although created by Panorama, may not have the correct CN or subject line (or something else)
For my self-signed certs, I actually created 2 certs.
One is a self-signed with a CN of the Mgmt IP of my FW. (call this one Cantwell Enterprises :P)
I make sure that the Fwd Trust Certificate flag (checkbox) is checked, when I modify my Cantwell Enterprises Cert.
The second is signed by Cantwell Enterprises (the FW) and the common name is the IP of my inside interface on my FW.
I have made sure that my Cantwell Enterprise trust CA is loaded into my Trusted CA store in IE (takes care of Chrome) and I also use Mozilla, so I load the cert into Firefox as well.
My decryption policy is
Trust, with src address of (my computer) with destination of (any) for any (url category) = Decrypt with ssl-forward-proxy, and a decryption profile.
Do you have the same thing?
08-30-2019 11:08 AM
So I noticed today that the error is referencing a different cert with an old IP from a firewall we upgraded. I looked through all the Pano configs and do not see that cert and it is not in my root cert folder on my PC. Is there a cache on the PA side or a place I am missing?
08-30-2019 11:19 AM
@Millette wrote:So I noticed today that the error is referencing a different cert with an old IP from a firewall we upgraded. I looked through all the Pano configs and do not see that cert and it is not in my root cert folder on my PC. Is there a cache on the PA side or a place I am missing?
Disregard. I was trying to create and apply the SSL cert from Panorama, not the local firewall, and it will not pass the trust and untrust. Once I created the cert on the local device and applied it, I am up and running.
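For anyone hitting the same "browser names a cert I can't find anywhere" symptom, here is an added set of PAN-OS operational CLI commands (not from the thread, not Steve's or Millette's config) that show which Forward Trust certificate the dataplane is actually using and the cache of proxy-minted certificates Millette asked about. Command names assume the PAN-OS 8.1 operational CLI on the firewall itself, not Panorama; output is not reproduced.

```console
# Added example, not from the thread. Run on the firewall's operational CLI
# (not on Panorama). Command names assumed from the PAN-OS 8.1 CLI.

# Which certificates the dataplane currently holds as Forward Trust /
# Forward Untrust. If the "Forward Trust Certificate" box was never ticked
# on the cert that came down from the template, nothing useful shows here.
> show system setting ssl-decrypt certificate

# Per-site certificates the firewall has already minted for ssl-forward-proxy.
# An entry signed by an old CA (e.g. one whose CN is a retired IP) explains a
# browser error naming a cert that is no longer in Panorama or in the PC's
# Trusted Root store.
> show system setting ssl-decrypt certificate-cache

# Flush that cache after changing the Forward Trust cert, so new sessions get
# certificates signed by the current CA instead of stale cached ones.
> clear system setting ssl-decrypt certificate-cache

# Current decryption settings, including which certificates are selected.
> show system setting ssl-decrypt setting
```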