Panorama - Template imports cert for management and then push to firewall - Config Management MGT SSL/TLS GUI

L4 Transporter
Hello, good afternoon. As always, thank you very much for the constant support and collaboration, and for the time you take to respond.

I have the following question regarding Panorama and certificates.

I have the following scenario/environment:
2 Firewalls in HA, one Active, the other Passive (Active-Passive)
1 Template for both firewalls in HA
1 Template Stack containing a single template (mentioned above) for the Active-Passive HA pair
PAN-OS 9.1.X Panorama and the 9.1.X Firewall pair

What is intended: I understand it is possible to upload certificates to Panorama in the corresponding template, configure their SSL/TLS profiles in the template and then push the config to each of the firewalls in HA. So far I think PANORAMA can help me; I don't see a problem, considering the scenario described above.

Now my question, doubt, appreciation and/or inconvenience is the following. As I have a single template and a single template stack to configure the SSL/TLS profiles (for example, one SSL/TLS profile for the active, with its name and private certificate, and the other for the passive, with its name and private certificate), so far so good too: that is possible in the template, uploading both certificates (one for each firewall) and pushing the config. Both firewalls would have both certificates and both SSL/TLS profiles created, still not used (not yet, nor will they be, even if used by another configuration).

Now the problem I see is the following. If I wanted to use the template/template stack to make the configuration that uses the certificate and the SSL profile for the Web GUI (Device > Setup > General Settings > SSL/TLS Service Profile) from the template in PANORAMA, here is the problem or detail: as I have a single template/template stack for HA, if I configure an SSL/TLS profile in Device > Setup > General Settings > SSL/TLS Service Profile it will appear in both firewalls and I will not be able to indicate a custom one for each... unless it can be overridden/overwritten from Panorama, so as not to make it local on the secondary passive firewall (hopefully you can continue accessing the Web GUI and not lose access due to some error in the certificate and the SSL/HTTPS Web GUI connection against the passive one, or I imagine I can enter by changing the Context from PANORAMA; well, I imagine I will not have problems... I hope so. Or the other option is to enter through the CLI and do the override locally via SSH/CLI in case of emergency.)

The other option is to configure, upload and use a multi-domain SAN certificate: a single certificate that includes both hostnames/FQDNs and both IPs of each MGT. With that I would have a single certificate and only one SSL/TLS profile, so when configuring Device > Setup > General Settings > SSL/TLS Service Profile from the template it would already be the same for both and thus could be applied, everything, from PANORAMA without having to touch anything locally.

Please tell me what you think about everything indicated: what you recommend, and what would be the best option, the best practice and/or the least complex to carry out and/or with the least impact or trouble, based on the indicated scenario and what is detailed.

1.- Do everything locally, that is, the certificate(s) and the SSL/TLS profile(s), and use the TLS profile(s) for the Web GUI HTTPS (depending on whether a certificate is used for each firewall or a single certificate for both).

2.- Just upload and create the certificates and create the SSL/TLS profiles from the PANORAMA template, and then configure the use of the SSL/TLS profiles for the firewall Web GUI management on each one locally?

3.- Just upload a single certificate, create a single SSL/TLS profile and do the configuration to use the SSL/TLS profile all from the same single template in PANORAMA for the HA pair?
 
Thank you very much for the support and collaboration.
 
Kind regards and I look forward to your comments.
High Sticker

L1 Bithead

I am in a similar scenario where my plan was to use 1 template and 1 template stack per HA pair, as opposed to 1 template per firewall in the pair, both joined to 1 template stack.

In thinking it over I ran into the same mental issue as you, in which I couldn't figure out the best way to handle the SSL/TLS Service Profile.

I am curious what decision you ended up making in the end?

Cyber Elite

Hi @Nick_Davis1639 ,

Good question. It would be nice for PANW to allow template variables to be used for certificates in SSL/TLS Service Profiles.

Since they do not, I recommend the following (in no order):

  1. Configure a wildcard certificate and push to all NGFWs.
  2. Configure the certificates for management locally.
  3. Configure one certificate with both NGFW DNS names in the SAN field.

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.
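Whichever of Tom's options 1 or 3 is chosen, the one certificate pushed from the template must cover every name and address an admin will use to reach either HA member's management interface, or the Web GUI will throw a certificate mismatch on one of them. The following is an added illustration, not code from the thread or from Palo Alto Networks: it applies the usual RFC 6125 hostname rules (a wildcard matches exactly one leftmost label, and never an IP) to a constructed SAN list and the constructed management endpoints of an HA pair, so the gap can be spotted before the template is pushed.

```python
"""Check whether one certificate's SAN list covers both HA members' MGT endpoints.
All hostnames and IPs below are constructed placeholders, not the poster's values."""
import ipaddress


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style match: case-insensitive, wildcard only as the whole leftmost
    label, and the wildcard never spans a dot (so *.example.net != a.b.example.net)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                      # ".example.net"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def uncovered_endpoints(san_entries, endpoints):
    """Return the endpoints (DNS names or IPs) that no SAN entry covers.
    san_entries: ("DNS", name) / ("IP", address) tuples as in subjectAltName.
    An IP endpoint is only covered by an IP SAN entry, never by a DNS wildcard."""
    missing = []
    for ep in endpoints:
        try:
            addr = ipaddress.ip_address(ep)
        except ValueError:
            addr = None
        if addr is not None:
            ok = any(k == "IP" and ipaddress.ip_address(v) == addr for k, v in san_entries)
        else:
            ok = any(k == "DNS" and _dns_match(v, ep) for k, v in san_entries)
        if not ok:
            missing.append(ep)
    return missing


# Constructed management endpoints of the active/passive pair (placeholders).
HA_PAIR_MGT = ["fw-primary.example.net", "fw-secondary.example.net",
               "192.0.2.11", "192.0.2.12"]

# Option 3: one certificate listing both DNS names and both MGT IPs in the SAN.
SAN_OPTION3 = [("DNS", "fw-primary.example.net"), ("DNS", "fw-secondary.example.net"),
               ("IP", "192.0.2.11"), ("IP", "192.0.2.12")]

# Option 1: wildcard certificate; covers the names but not access by IP address.
SAN_WILDCARD = [("DNS", "*.example.net")]

if __name__ == "__main__":
    print("option 3 uncovered:", uncovered_endpoints(SAN_OPTION3, HA_PAIR_MGT))
    print("wildcard uncovered:", uncovered_endpoints(SAN_WILDCARD, HA_PAIR_MGT))
```

If admins only ever browse to the FQDNs, the wildcard result is acceptable; if anyone uses https://<MGT IP>, the IP entries must be in the SAN as the original post suggested.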