Certificate doubt for Web Management GUI-SSL/TLS - Palo Alto Firewalls HA Active-Passive
Good afternoon community, I have an important question regarding the use of custom certificates for the web GUI management interface.
I understand that there are configuration parameters that are not synchronized in HA; they are detailed in this link:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNBFCA4
Now comes the big question of the case, and I want to avoid a problem, so I ask for your support. What is synchronized are the certificates themselves: the certificates that are uploaded, signed, imported and/or generated under Device > Certificate Management > Certificates. That the certificates you upload, generate and/or import on the active firewall are synchronized is more than clear. Here is the subject and the matter that interests me. I want to use a personalized certificate for each member of the active/passive HA pair, that is:
- Firewallactive.local.net (example hostname of the active member) and its certificate: hostname Firewallactive.local.net, IP 192.168.1.200 (IP of the active firewall's MGT)
- Firewallpasivo.local.net (example hostname of the passive member) and its certificate: hostname Firewallpasivo.local.net, IP 192.168.1.201 (IP of the passive firewall's MGT)
Each one will have its own personalized certificate, associated with a specific hostname/FQDN and IP (it will be generated with the hostname and the respective MGT IP), each pointing separately to the MGT IP of its own firewall.
Therefore, please help me clarify the following:
- Does this mean that both certificates should be uploaded to the active firewall, so that the config is then synchronized to the passive one? Because certificates are a config that is synchronized (Device > Certificate Management > Certificates), you have to upload both certificates to the active one so that the passive one already has them after the running-config sync, right?
- Does this also mean that two SSL/TLS service profiles must be created and configured, one for each certificate (one profile for the active member and the other for the passive member, even if not used yet, just created)? Example: an SSL/TLS profile "FW-active" that points to the active firewall's particular certificate, and an SSL/TLS profile "FW-passive" that points to the passive firewall's particular certificate. After applying and saving the changes, this config (even without being used anywhere else in the system) is synchronized to the passive firewall. Once I have each TLS profile, I will have to go locally to each of the firewalls: on the active one go to Device > Setup > General Settings > SSL/TLS Service Profile and select the example profile "FW-active", then connect locally to the passive firewall, go to Device > Setup > General Settings > SSL/TLS Service Profile and select the example profile "FW-passive". Is this the right way to achieve it? It must be done locally on each firewall (active and passive), and that setting, the management certificate selection, is not synchronized but applied locally and independently on each firewall, right?
Thanks for the support and collaboration.
I look forward to your comments.
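The following is an added example, not code from the thread or from Palo Alto Networks. It shows how the per-member certificate the question describes can be generated so that each one carries its own member's FQDN and MGT IP in the Subject Alternative Name, and how to check a certificate names the member it will be bound to before the SSL/TLS service profile is selected locally on that member. The hostnames and IPs are the question's examples; the certificates are self-signed purely for illustration, where a real deployment would send the CSR to the internal CA and import the signed result together with the key. It assumes OpenSSL 1.1.1 or newer (for `-addext` and `-ext`).

```shell
#!/bin/sh
# Added example: one management certificate per HA member, each with that
# member's own FQDN and MGT IP in the SAN. Values are the question's
# examples; self-signed here for illustration only (assumption).

# make_member_cert NAME FQDN IP OUTDIR
# Writes OUTDIR/NAME.key and OUTDIR/NAME.crt and prints the cert path.
make_member_cert() {
  name="$1"; fqdn="$2"; ip="$3"; outdir="$4"
  mkdir -p "$outdir"
  # CN alone is not enough for browsers; the SAN must carry DNS and IP.
  openssl req -x509 -newkey rsa:2048 -nodes -days 825 \
    -keyout "$outdir/$name.key" -out "$outdir/$name.crt" \
    -subj "/CN=$fqdn" \
    -addext "subjectAltName=DNS:$fqdn,IP:$ip" \
    -addext "extendedKeyUsage=serverAuth" >/dev/null 2>&1
  echo "$outdir/$name.crt"
}

# san_of CERT: print the SAN entries of a certificate on one line.
san_of() {
  openssl x509 -in "$1" -noout -ext subjectAltName | tail -n 1 | sed 's/^ *//'
}

# check_member_cert CERT FQDN IP
# Returns 0 only if the SAN names exactly this member's FQDN and MGT IP;
# run it on each peer before binding the profile locally, so the active
# member is never bound to the passive member's certificate (or vice versa).
check_member_cert() {
  san=$(san_of "$1")
  case "$san" in
    *"DNS:$2"*"IP Address:$3"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Demo: both certificates are generated, then imported on the ACTIVE peer
# (certificate objects sync); each member selects its own profile locally.
if [ "${1:-}" = "demo" ]; then
  dir=$(mktemp -d)
  a=$(make_member_cert fw-active  Firewallactive.local.net 192.168.1.200 "$dir")
  p=$(make_member_cert fw-passive Firewallpasivo.local.net 192.168.1.201 "$dir")
  echo "active : $(san_of "$a")"
  echo "passive: $(san_of "$p")"
  check_member_cert "$a" Firewallactive.local.net 192.168.1.200 && echo "active cert OK"
  check_member_cert "$p" Firewallpasivo.local.net 192.168.1.201 && echo "passive cert OK"
fi
```

Run it with `sh script.sh demo`. The point of `check_member_cert` is the last step in the question: since the SSL/TLS service profile selection is made locally on each peer, a quick SAN check on that peer's certificate is the cheapest guard against binding the wrong one.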
Yes, that is how it works.