07-09-2022 11:17 PM
Certificate doubt for Web Management GUI-SSL/TLS - Palo Alto Firewalls HA Active-Passive
Good afternoon community,, I have an important question regarding the use of custom certificates for web-gui management.
I understand that there are configuration parameters that are not synchronized and are detailed in these two links:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/reference-ha-synchronization/what-settings-dont-sync-in-activepassive-ha
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNBFCA4
Now comes the big question of the case, to avoid a problem, therefore please your support: What is synchronized are the certificates, the certificates themselves that are uploaded, signed and imported and/or generated in "DeviceCertificate"> Management > Certificates" The certificates that you upload, generate and/or import, in the Active Firewall if they are synchronized, this is more than clear. Here is the subject and the matter that interests me. If I want to use a personalized certificate for each member of the active/passive HA, that is:
-Firewallactive.local.net (example of active hostname) and its certificate: hostname: Firewallactive.local.net - IP 192.168.1.200 (IP of the Active firewall MGT)
-Firewallpasivo.local.net (example of hostname of the passive) and its certificate: hostname: Firewallpasivo.local.net - IP 192.168.1.201 (IP of the MGT of the Passive firewall)
Each one will have their personalized certificate, associated with a certain Hostname/FQDN and IP (It will be generated with the Hostname and with the respective MGT) which at the same time points each one to the MGT IP of each of the firewalls separately.
Therefore please help, advice and support to clarify the following:
- That means that the two certificates should be uploaded to the active firewall, so that the config is then synchronized with the passive one, because the certificates are a config that is synchronized ("DeviceCertificate"> Management> Certificates") , then you have to upload the two certificates to the active one, so that the passive one already has them, after the sync of the running-config?
-This also means that the two SSL/TLS profiles must be created and configured for each certificate (one profile for the active one and the other for the passive one, even without being used, just created): Example SSL/TLS Profile "FW-active " --- that points to the particular certificate of the active firewall and an example SSL/TLS SSL/TLS profile "FW-passive" that points to the particular certificate of the passive and then this config (without even being used in any other config and system) after applying and saving the changes, it is synchronized with the passive firewall. Once I have each TLS profile, I will have to go locally to each of the firewalls, and in the active one go to "Device-Setup-General Setting-SSL/TLS Service Profile" and there select the TLS profile of the example "FW- active" and then I will have to go locally and connect to the passive firewall and go to "Device-Setup-General Setting-SSL/TLS Service Profile" and there select the TLS profile of the example "FW-passive". This is achieved in this way right? It must be done locally in each firewall (active and passive) and that configuration, from the management certificate, is not synchronized and applied locally and independently for each firewall, right?
Thanks for the support and collaboration.
Stay tuned to your comments.
07-10-2022 06:32 AM
Hi @Metgatz ,
The 1st URL that you provided states that "Certificates for Device Management", "SSL/TLS Service Profile for Device Management", and "Management Interface Settings" for "SSL/TLS Service Profile" are not synchronized between HA pairs. So, everything is done locally.
Configure the management certificate, SSL/TLS profile, and management interface settings on each firewall.
Thanks,
Tom
07-10-2022 11:59 AM
Hello, thank you for your reply.
When you create, import, generate a certificate, in a HA Active/passive environment, in the active and also create a ssl/tls profile, without using yet for any config, just created, both the certs, as these if synchronized with the passive .... What the doc says and the practice says, is that when you use it for the syslog issues or another example you assign the tls/ssl profile for the device management of the web-gui there that config is not synchronized. That's why I detail the other points and the other observations
Thank you, I remain attentive
07-15-2022 02:43 PM
Hi @Metgatz ,
I have done this many times with many NGFWs.
With regard to "That means that the two certificates should be uploaded to the active firewall?" No. Upload each certificate to each firewall. It's true that you can upload it to the active and push it before it is configured as a management certificate, but why?
With regard to "This is achieved in this way right?" No. The most straightforward way is to configure the management certificate, SSL/TLS profile, and management interface settings on each firewall locally.
Thanks,
Tom
07-15-2022 03:21 PM - edited 07-15-2022 03:23 PM
Hello @TomYoung
Thank you very much for your answer. I understand that you have configured many firewalls that is very good, therefore you are experienced and can contribute from that experience to the Live community, for my part there have also been not a few that I have implemented, but like everyone, doubts always arise and it is normal.
I am explaining the behavior based on your last answer and what is synchronized or not:
I tell you when you have an Active/Passive HA firewall and when you upload and/or generate a certificate in the active one, and then generate an ssl/tls profile, both the certificate and the ssl/tls profile (without even being assigned) are synchronized , this happens a lot in HA environments with Global Protect (ssl/tls profiles are synchronized) with externally signed certificates, but I imagine that with your vast experience you already know that... Now it is the most normal thing in the world that your firewalls are synchronizing your settings. Now the issue is as follows, when there are Panorama environments where for example if you have the HA in panorama and example with a configuration/environment with a Template Stack and a template for the HA, there the issue is different, since when you upload to panorama the certificate and then generate the certificate with its ssl/tls, then assign from the template the ssl/tls for the web-gui, if it is the same certificate/ssl/tls certificate (thinking of a multi-domain SAN certificate) everything is perfectly possible to be configuring everything, but everything from Panorama. But in case there are two custom certificates for each ha firewall, the problem is when you have a template/template stack, you can only define a single ssl/tls profile in the section/part of management device for the web-gui from the template, so the operating mode there is to load the certificates in the panorama template, create the ssl/tls profiles in the template and then locally in each firewall, both active and passive, assign the ssl/profile tls one for each HA firewall.
I reiterate, it is the most normal and practical thing that your HA is synchronizing settings... either due to changes in configs, policies, etc... so remove synchronization only because of the issue of certificates, so that in the asset and in the passive not having both created/generated/uploaded the certificates and the ssl profiles is something super impractical and doesn't make much sense. But it all depends if it is based on CSR for each firewall or the private key is outside the firewall, it all depends on that context.
Since if the certificate is not based on the CSR and the private key comes from abroad, then it is enough to upload the certificates to the active one, synchronize the passive one, and then configure each ssl/tls profile with its respective certificate for the web-gui in each one of the firewalls and that's it, since strictly speaking, below the certificates are text so there are no problems synchronizing them, total is only Base64-ASCII, it is demonstrated in the cases of the use of Global Protect, I reiterate in environments where the private key comes from outside and was not generated from the CSR of each firewall, for the web-gui device management.
Best regards.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
