Panorama - Template imports cert for management and then push to firewall - Config Management MGT SSL/TLS GUI
Hello, good afternoon. As always, thank you very much for the constant support and collaboration and for the time you take to respond.
I have the following question regarding Panorama and certificates.
I have the following scenario/environment:
2 firewalls in HA, one active and the other passive (Active-Passive)
1 template for both firewalls in HA
1 template stack containing a single template (mentioned above) for the Active-Passive HA pair
PAN-OS 9.1.X Panorama and the 9.1.X firewall pair
What I intend: I understand that it is possible to upload certificates to Panorama, into the corresponding template, configure their SSL/TLS profiles in the template and then push the config to each of the firewalls in HA. So far I think Panorama can help me; I don't see a problem, considering the scenario described above.

Now my question, doubt, observation and/or inconvenience is the following. Since I have a single template and a single template stack in which to configure the SSL/TLS profiles, for example one SSL/TLS profile for the active (with its name and private certificate) and another for the passive (with its name and private certificate), so far so good too: that is possible in the template, uploading both certificates (one per firewall) and pushing the config. Both firewalls would have both certificates and both SSL/TLS profiles created, still not used, not yet, nor will they be, even being used by another configuration.

Now the problem I see is the following. If I wanted to use the template/template stack to configure the use of the certificate and the SSL profile for the Web GUI ("Device > Setup > General Settings > SSL/TLS Service Profile") from the template in Panorama, here is the problem or detail: as I have a single template/template stack for the HA pair, if I configure an SSL/TLS profile in "Device > Setup > General Settings > SSL/TLS Service Profile" it will appear on both firewalls and I will not be able to indicate a custom one for each... unless it can be overridden/overwritten from Panorama, this in order not to have to set it locally on the secondary passive firewall (hopefully you can keep accessing the Web GUI and not lose access due to some error in the certificate and the SSL/HTTPS Web GUI connection to the passive one, or I imagine that I can get in by changing the context from Panorama; well, I imagine I will not have problems...
I hope so; or the other option is to enter through the CLI and do the override locally, via SSH/CLI, in case of emergency). The other option is to configure, upload and use a multi-domain SAN certificate, a single certificate that includes both hostnames/FQDNs and both IPs of each MGT interface, and with that have a single certificate and only one SSL/TLS profile; thus, when configuring "Device > Setup > General Settings > SSL/TLS Service Profile" from the template, it would already be the same for both and could be applied, absolutely everything, from Panorama without having to touch anything locally.
Please tell me what you think about everything indicated, what you recommend, and what you think about what has been proposed: what would be the best option, the best practice and/or the least complex to carry out and/or with the least impact and/or the least trouble, based on the indicated scenario and what is detailed?
1.- Do everything locally, that is, the certificate(s) and the SSL/TLS profile(s), and use the TLS profile(s) for the Web GUI HTTPS (depending on whether a certificate is used for each firewall or a single certificate for both)?
2.- Only upload/create the certificates and create the SSL/TLS profiles from the Panorama template, and then configure the use of the SSL/TLS profiles for the firewall Web GUI management on each one locally?
3.- Only upload a single certificate, create a single SSL/TLS profile and configure the use of the SSL/TLS profile, all from the same single template in Panorama for the HA pair?
Thank you very much for the support and collaboration.
Kind regards and I look forward to your comments.
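As an added illustration of option 3 above (this is example code, not part of the original post): a POSIX shell script that generates a private key and a self-signed certificate whose Subject Alternative Name lists both peers' management FQDNs and both MGT IP addresses, then checks the SAN entries before the PEM key and certificate are imported into the Panorama template. The fw1-mgt/fw2-mgt hostnames and the 192.0.2.x addresses are constructed placeholders. A production certificate would be issued by your CA from a CSR, but the SAN section is the same, and the IP entries matter: an https://192.0.2.12 login to the passive peer only matches an `IP:` SAN entry, never the CN or a `DNS:` entry.

```shell
#!/bin/sh
# Added example, not from the original post: build one SAN certificate that covers
# both HA peers' management interfaces, so a single SSL/TLS service profile can be
# pushed from a single Panorama template. All names and addresses are constructed.
set -e

FW1_FQDN=fw1-mgt.example.com
FW2_FQDN=fw2-mgt.example.com
FW1_IP=192.0.2.11
FW2_IP=192.0.2.12
WORKDIR="${TMPDIR:-/tmp}/mgt-san-cert"

# Write an OpenSSL config whose SAN lists both FQDNs and both MGT IPs.
# Browsers ignore the CN for name matching, so the IPs must be IP: SAN entries.
write_openssl_cnf() {
  mkdir -p "$WORKDIR"
  cat > "$WORKDIR/san.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_mgt
prompt             = no
[ dn ]
CN = $FW1_FQDN
[ v3_mgt ]
subjectAltName   = DNS:$FW1_FQDN, DNS:$FW2_FQDN, IP:$FW1_IP, IP:$FW2_IP
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Generate key + self-signed certificate in PEM (what PAN-OS imports).
# For a CA-issued certificate replace -x509 with -new to produce a CSR instead.
gen_san_cert() {
  write_openssl_cnf
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORKDIR/mgt.key" -out "$WORKDIR/mgt.crt" \
    -config "$WORKDIR/san.cnf" >/dev/null 2>&1
}

# Print the SAN line of the generated certificate, e.g.
# "DNS:fw1-mgt.example.com, DNS:fw2-mgt.example.com, IP Address:192.0.2.11, ..."
san_of_cert() {
  openssl x509 -in "$WORKDIR/mgt.crt" -noout -text \
    | awk '/Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# Return 0 if the given SAN entry (e.g. "IP Address:192.0.2.12") is present.
cert_covers() {
  san_of_cert | grep -Fq "$1"
}

# Post-push check: print the SAN of the certificate a peer's MGT interface really
# serves. Needs network, so it is not run here. Usage:
#   served_san 192.0.2.12 fw2-mgt.example.com
served_san() {
  openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null \
    | openssl x509 -noout -text \
    | awk '/Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}
```

Run `gen_san_cert` and then `cert_covers "IP Address:192.0.2.12"` for each name and address you expect before importing `mgt.crt` and `mgt.key` into the template; after the push, `served_san` against each peer's MGT address confirms that the profile actually took effect on both boxes.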
4. Use a stack per firewall, so you can configure unique attributes per firewall (IP, hostname, SSL/TLS profile, HA parameters, ...), and a shared template for everything else. This way nothing needs to be done locally.
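Worked out in Panorama CLI form, as an added illustration of this per-firewall-stack layout (not from the original post or from the reply): two device-specific templates carry the attributes that differ between the peers (hostname, MGT address, and the SSL/TLS service profile bound to that peer's own certificate), one shared template carries everything common, and each stack lists its specific template first so it wins on precedence. Template names, serial numbers, hostnames and addresses are placeholders; the certificates fw1-mgt and fw2-mgt are assumed to have already been imported into each device-specific template through Device > Certificate Management. The command syntax is written from memory of the PAN-OS 9.1 Panorama CLI, so confirm each path with `?` completion before committing; lines starting with `#` are annotations, not CLI input.

```text
configure

# Peer-specific template for the active firewall
set template fw1-specific config deviceconfig system hostname fw1
set template fw1-specific config deviceconfig system ip-address 192.0.2.11 netmask 255.255.255.0 default-gateway 192.0.2.1
set template fw1-specific config shared ssl-tls-service-profile fw1-mgt-tls certificate fw1-mgt
set template fw1-specific config shared ssl-tls-service-profile fw1-mgt-tls protocol-settings min-version tls1-2
set template fw1-specific config deviceconfig setting management ssl-tls-service-profile fw1-mgt-tls

# Peer-specific template for the passive firewall
set template fw2-specific config deviceconfig system hostname fw2
set template fw2-specific config deviceconfig system ip-address 192.0.2.12 netmask 255.255.255.0 default-gateway 192.0.2.1
set template fw2-specific config shared ssl-tls-service-profile fw2-mgt-tls certificate fw2-mgt
set template fw2-specific config shared ssl-tls-service-profile fw2-mgt-tls protocol-settings min-version tls1-2
set template fw2-specific config deviceconfig setting management ssl-tls-service-profile fw2-mgt-tls

# Shared template: everything identical on both peers (DNS, NTP, admin roles, ...)
set template ha-shared config deviceconfig system dns-setting servers primary 192.0.2.53

# One stack per firewall; the first template listed has the highest priority
set template-stack fw1-stack templates [ fw1-specific ha-shared ]
set template-stack fw1-stack devices 001122334455
set template-stack fw2-stack templates [ fw2-specific ha-shared ]
set template-stack fw2-stack devices 001122334466

commit
```

Two things to check before pushing the stacks. First, a value set locally on a firewall takes precedence over the template value, so if the passive peer already has a locally configured SSL/TLS service profile for its Web GUI, the pushed fw2-mgt-tls will not take effect until that local override is removed or the push is done with Force Template Values. Second, a bad certificate only breaks HTTPS to that peer's MGT interface, not SSH or the console, so access from the Panorama context switch or an SSH session remains available to back the change out.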