Configuring Different Certificate Profiles for Management for Primary and Secondary Panorama/Palo-Alto Firewall(HA)

2 min readApr 27, 2024

Palo Alto and Panorama - Hardening the Configuration

course.cyberbruharmy.in

2. export the CSRs and sign them on your CA

3. import issued certificates to Panorama for primary and secondary panorama

4. create SSL/TLS profile for both primary and secondary Panorama on the active Panorama

5. commit configuration to Panorama and make sure it is then synchronized

6. connect to the secondary passive Panorama and initiate failover to make it secondary passive

7. assign the SSL/TLS profile you created for secondary Panorama on the management interface and commit the configuration

8. check on the primary passive Panorama that the configuration was not synced

9. if the profiles are different, failover back to primary active

10. assign the SSL/TLS profile you created for primary Panorama on the management interface and commit the configuration

11. primary and secondary Panorama should be using different SSL/TLS profiles

Please see below the verification in the browser from my primary and secondary Panorama — you can see that the CNs are different for each.

Inspecting the Primary Panorama Certificate in the Browser

Inspecting the Secondary Panorama Certificate in the Browser

CYBER | TECH | LIFE — INFORMATION TECHNOLOGY VIDEOS Free Infosec and cybersecurity training. Blog: https://www.cyberbruharmy.in/

📱Social Media📱 & ❓Info❓ Follow me on the following platforms:

Discord: https://discord.com/invite/8Uz7ArN Email: contact@cyberbruharmy.in