09-20-2023 07:36 AM
Hello,
I am configuring Webauth with certificate on my FW cluster and currently the access to the active FW is correct.
I have created CA and client certificate correctly, the problem I am facing to access the passive node,
is it necessary to create another CA also for the Passive FW?
Is there any way to have a single CA for the cluster?
Can anybody helps me?
Greetings.
09-20-2023 03:01 PM
Hello @Alpalo
thanks for post!
You will have to import the certificate to passive Firewall and then create SSL/TLS profile. These configurations are not synchronized between Active / Passive Firewalls: what-settings-dont-sync-in-activepassive-ha:
Kind Regards
Pavel
09-28-2023 11:48 PM
Hi team,
@PavelK i tried with your recommendation but problem still continues, I followed the procedure : https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcCCAS adn Web auth with certificate works fine with Active node, but I cannot access to the passive node 😞 Any idea?
Regards
09-29-2023 06:04 AM
Hello @Alpalo
thank you for reply.
Could you confirm that passive Firewall has all required certificate / certificate chain used in certificate profile?
Could you check what authentication logs say in passive Firewall when authentication fails: tail follow yes mp-log authd.log?
Kind Regards
Pavel
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
