Palo Alto Networks
SecTrail CM enables automatic deployment and renewal of SSL certificates by establishing agentless connections to Palo Alto Networks firewall devices.
Connection Requirements
| Requirement | Detail | Description |
|---|---|---|
| Protocol | XML API (HTTPS) | Palo Alto's native XML API is used |
| Port | 443 | Standard HTTPS port or custom management port |
| Authentication | Username and Password | Authentication via Username and Password |
| User Permission | Admin or Certificate Manager role | Certificate upload and configuration permission |
Automated Operations
SecTrail CM automatically performs the following operations on the Palo Alto Networks firewall:
- Certificate and Key Upload: Secure transfer of SSL certificate and private key
- Certificate Import: Importing certificate and key to the device
- SSL Profile Update: Updating SSL decryption profiles
- Configuration Commit: Committing and making configuration persistent
Configuration Steps
1. Creating the Palo Alto User
Navigate to Automation > Device Users and create a user for Palo Alto.
2. Adding the Palo Alto Device to SecTrail CM
Click Automation > Devices > Add New Device button and enter the following information:

- Name: Provide a descriptive name for the device
- Device Users: Select the user created in Step 1
- IP: Enter the management IP address of the Palo Alto device
- Device Type: Select Palo Alto Firewall from the dropdown menu
- Deployment Type: Select the deployment type
  - Append: Adds the new certificate to the existing decryption rule (existing certificates are preserved)
  - Override: Replaces the existing certificate with the new one (the old certificate is deleted)
- Cert Upload Only: Should only the certificate be uploaded? (Disabled/Enabled)
- Force Sync: Should changes be committed automatically? (Disabled/Enabled)
- Wait For Completion: Should SecTrail CM wait for the commit operation to finish? (Disabled/Enabled)
After the Palo Alto device is added to SecTrail CM, all certificates defined on the device are included in discovery and scanned at the regular discovery interval. Alarms are created automatically for certificates that are about to expire or have issues.
3. Viewing Device Information
After the device is added, it will be displayed in the Automation > Devices list. Click on the row to view device details:

- Name: Certificate names defined on the device
- Destination: Certificate usage area (any, tunnel-ip, etc.)
- Subject: Certificate subject information
- Fingerprints: Certificate fingerprint
- NotAfter: Certificate expiration date
- Deploy: Starts certificate deployment for that entry
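The discovery scan described above is easiest to understand as a pass over the device's certificate inventory. The following is an added example, not SecTrail CM's own code: it takes inventory rows with the columns listed in the device details (Name, Destination, Subject, Fingerprints, NotAfter), classifies each certificate by time to expiry, and raises an "issue" alarm when the same fingerprint is installed under more than one name. The inventory data, the scan reference time, the threshold values (30 and 7 days) and the assumption that NotAfter is available as a UTC timestamp are all constructed for the example.

```python
"""Added example (not SecTrail CM code): expiry and duplicate checks over a
constructed device certificate inventory. Thresholds and data are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List


@dataclass(frozen=True)
class DeviceCert:
    """One row of the device certificate list (columns as shown in device details)."""
    name: str
    destination: str
    subject: str
    fingerprint: str
    not_after: datetime


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample inventory for one firewall; not real device data.
INVENTORY: List[DeviceCert] = [
    DeviceCert("fwd-trust-ca", "any", "CN=Forward Trust CA", "sha256:11aa", utc(2026, 6, 30)),
    DeviceCert("gp-portal", "tunnel-ip", "CN=vpn.example.test", "sha256:22bb", utc(2026, 1, 5)),
    DeviceCert("mgmt-ui", "any", "CN=fw-mgmt.example.test", "sha256:33cc", utc(2026, 1, 20)),
    DeviceCert("gp-portal-old", "tunnel-ip", "CN=vpn.example.test", "sha256:44dd", utc(2025, 12, 15)),
    DeviceCert("gp-portal-copy", "any", "CN=vpn.example.test", "sha256:22bb", utc(2026, 1, 5)),
]

# Fixed scan time so the sample run is reproducible (assumption for the example).
NOW = utc(2026, 1, 1)


def days_until_expiry(cert: DeviceCert, now: datetime) -> int:
    """Whole days left before NotAfter; negative once the certificate has expired."""
    return (cert.not_after - now).days


def classify(cert: DeviceCert, now: datetime, warn_days: int = 30, crit_days: int = 7) -> str:
    """Severity bucket for one certificate: expired / critical / warning / ok."""
    if cert.not_after <= now:
        return "expired"
    days = days_until_expiry(cert, now)
    if days <= crit_days:
        return "critical"
    if days <= warn_days:
        return "warning"
    return "ok"


def scan(inventory: List[DeviceCert], now: datetime,
         warn_days: int = 30, crit_days: int = 7) -> List[Dict[str, str]]:
    """Build alarm records: one per certificate that is not 'ok', plus one
    'duplicate' alarm per fingerprint that is installed under several names."""
    alarms: List[Dict[str, str]] = []
    names_by_fingerprint: Dict[str, List[str]] = {}
    for cert in inventory:
        level = classify(cert, now, warn_days, crit_days)
        if level != "ok":
            alarms.append({
                "level": level,
                "name": cert.name,
                "detail": f"{cert.destination} / {cert.subject}: "
                          f"{days_until_expiry(cert, now)} days to NotAfter",
            })
        names_by_fingerprint.setdefault(cert.fingerprint, []).append(cert.name)
    for fingerprint, names in names_by_fingerprint.items():
        if len(names) > 1:
            # Same key material under two names usually means a stale copy that
            # will be missed when the live entry is renewed.
            alarms.append({"level": "duplicate", "name": ", ".join(names),
                           "detail": f"fingerprint {fingerprint} installed {len(names)} times"})
    return alarms


def alarm_levels(inventory: List[DeviceCert], now: datetime) -> Dict[str, str]:
    """Convenience view: alarm name -> level."""
    return {a["name"]: a["level"] for a in scan(inventory, now)}


if __name__ == "__main__":
    for alarm in scan(INVENTORY, NOW):
        print(f"{alarm['level']:<9} {alarm['name']:<28} {alarm['detail']}")
```

Against the constructed inventory the scan reports gp-portal and gp-portal-copy as critical, mgmt-ui as warning, gp-portal-old as expired, and one duplicate alarm for the shared fingerprint; fwd-trust-ca produces nothing.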
Certificate Deployment
Step 1: Virtual Server and Certificate Selection
- Select your Palo Alto device from Automation > Devices
- In the device details, find the Virtual Server where you want to deploy the certificate
- Click the Deploy button on the relevant row
- In the Deploy Certificate window that opens:
  - Virtual Servers: Target Virtual Server information is displayed (Name/Destination/Subject format)
  - Certificate: Select the certificate you want to deploy from the dropdown menu

Step 2: Starting the Deployment Process
Click the Deploy button to start the certificate deployment process.
Step 3: Process Tracking
The deployment process can be tracked from Automation > Processes.

Operation Details
The following steps are performed during deployment:
| Step | Operation Description |
|---|---|
| 1 | Certificate is successfully updated |
| 2 | Decryption rules are configured |
| 3 | Configuration is committed |
| 4 | Configuration is successfully completed |
SecTrail CM automatically commits configuration changes after deployment and makes them persistent.
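The automated operations listed earlier (certificate and key upload, import, rule update, commit) and the deployment steps in the table above all run over the PAN-OS XML API mentioned in the connection requirements. The following is an added example, not SecTrail CM's or Palo Alto Networks' code, showing those exchanges as request builders plus response parsing so the flow can be exercised offline: an import request for the certificate and for the private key, a commit request, and the polling loop that the Wait For Completion option implies. It assumes the API is served at /api/ on the management port, that imports use type=import with category "certificate" or "private-key" and the PEM file as a multipart field, that the API key may be passed in the X-PAN-KEY header, and that a commit returns a job id polled through show jobs. The XML responses are constructed to mirror the documented response shape, not captured from a device.

```python
"""Added example (not SecTrail CM or Palo Alto Networks code): PAN-OS XML API
request parameters and response parsing for certificate import, commit, and
commit-job polling. Endpoint, parameter names and XML samples are assumptions."""
from typing import Callable, Dict, Optional
from urllib.parse import urlencode
import xml.etree.ElementTree as ET


class PanApiError(Exception):
    """The firewall answered with status="error" or a commit job did not end OK."""


def api_url(host: str, port: int = 443) -> str:
    # Management traffic is HTTPS only; callers must verify the management certificate.
    return f"https://{host}:{port}/api/"


def auth_headers(api_key: str) -> Dict[str, str]:
    # Sending the key as a header keeps it out of URL logs on proxies and the device.
    return {"X-PAN-KEY": api_key}


def import_params(category: str, cert_name: str, passphrase: Optional[str] = None) -> Dict[str, str]:
    """Query parameters for uploading a PEM certificate or private key.
    The PEM itself travels in the multipart body under the field name 'file'."""
    if category not in ("certificate", "private-key"):
        raise ValueError(f"unsupported import category: {category}")
    params = {"type": "import", "category": category,
              "certificate-name": cert_name, "format": "pem"}
    if category == "private-key":
        # Assumed: the key is uploaded encrypted and the passphrase unlocks it.
        if not passphrase:
            raise ValueError("private-key import needs the key passphrase")
        params["passphrase"] = passphrase
    return params


def commit_params(description: str) -> Dict[str, str]:
    return {"type": "commit", "cmd": f"<commit><description>{description}</description></commit>"}


def job_status_params(job_id: str) -> Dict[str, str]:
    return {"type": "op", "cmd": f"<show><jobs><id>{job_id}</id></jobs></show>"}


def response_error(xml_text: str) -> Optional[str]:
    """Return an error string for a status='error' response, or None when successful."""
    root = ET.fromstring(xml_text)
    if root.get("status") == "success":
        return None
    msg = root.findtext(".//msg") or root.findtext(".//line") or "unknown error"
    return f"code={root.get('code')}: {msg}"


def parse_response(xml_text: str) -> ET.Element:
    error = response_error(xml_text)
    if error:
        raise PanApiError(error)
    return ET.fromstring(xml_text)


def commit_job_id(xml_text: str) -> str:
    job = parse_response(xml_text).findtext("./result/job")
    if not job:
        raise PanApiError("commit response carried no job id")
    return job


def job_state(xml_text: str) -> Dict[str, object]:
    job = parse_response(xml_text).find("./result/job")
    if job is None:
        raise PanApiError("job status response carried no job element")
    return {"status": job.findtext("status"), "result": job.findtext("result"),
            "progress": int(job.findtext("progress") or 0)}


def wait_for_job(poll: Callable[[str], str], job_id: str, max_polls: int = 60) -> Dict[str, object]:
    """Wait For Completion behaviour: poll until status FIN; fail unless result is OK."""
    for _ in range(max_polls):
        state = job_state(poll(job_id))
        if state["status"] == "FIN":
            if state["result"] != "OK":
                raise PanApiError(f"commit job {job_id} finished with result {state['result']}")
            return state
    raise TimeoutError(f"commit job {job_id} did not finish after {max_polls} polls")


# Constructed sample responses (shape only, not captured from a device).
COMMIT_OK = ('<response status="success" code="19"><result>'
             '<msg><line>Commit job enqueued with jobid 42</line></msg><job>42</job></result></response>')
JOB_ACTIVE = ('<response status="success"><result><job><id>42</id><type>Commit</type>'
              '<status>ACT</status><result>PEND</result><progress>55</progress></job></result></response>')
JOB_DONE = ('<response status="success"><result><job><id>42</id><type>Commit</type>'
            '<status>FIN</status><result>OK</result><progress>100</progress>'
            '<details><line>Configuration committed successfully</line></details></job></result></response>')
AUTH_ERROR = '<response status="error" code="403"><result><msg>Invalid Credential</msg></result></response>'


def demo() -> Dict[str, object]:
    """Commit-and-wait against the constructed responses; returns the final job state."""
    print(api_url("fw-mgmt.example.test") + "?" + urlencode(import_params("certificate", "sectrail-2026")))
    replies = iter([JOB_ACTIVE, JOB_DONE])  # first poll sees ACT, second sees FIN
    return wait_for_job(lambda _job_id: next(replies), commit_job_id(COMMIT_OK))


if __name__ == "__main__":
    print(demo())
```

The poller is injected so the same loop works against a real HTTP client; when Wait For Completion is disabled the caller would simply stop after commit_job_id and let the device finish the job on its own.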
Rollback Operation
The Manual Rollback feature can be used in case of issues after certificate deployment.
If an error occurs at any step during the deployment process, the system automatically performs a rollback and all changes are reverted.
Rollback Steps
- Navigate to Automation > Processes
- Find the operation you want to roll back
- Use the Manual-Rollback option in the Status column
- Confirm the rollback
Operations During Rollback
| Step | Operation |
|---|---|
| 1 | Newly uploaded certificate is deleted |
| 2 | Previous configuration is restored |
| 3 | Decryption rules are reverted to their previous state |
| 4 | Rollback operation is successfully completed |