Adding Application Connectors for Firewalls

AppViewX supports creating an application connector for the following Firewall device vendors:
  • CheckPoint
  • Cisco
  • Fortinet
  • PaloAlto
  1. Enter the General Information for the connector.
    *Category
      From the dropdown list, select Firewall.
      If the certificate being pushed was enrolled with CSR generation at the endpoint, this field is auto-populated with the category selected at the time of certificate enrollment.
    *Vendor
      From the dropdown list, select the required firewall vendor.
      If the certificate being pushed was enrolled with CSR generation at the endpoint, this field is auto-populated with the vendor selected at the time of certificate enrollment.
    *Connector Name
      Enter a name for this connector so that you can identify it later.
      AppViewX recommends naming connectors according to their use cases so they are easily distinguishable.
    Description
      Enter any additional details you want to record for this connector.
    Based on the information entered here, the Profile Selection section is populated with the list of devices of the specified vendor that are already onboarded in AppViewX.
  2. Under Profile Selection, select the device(s) to which the certificate will be pushed:
    1. For the CheckPoint vendor, to filter the available profiles, select one of the following values from the Available profiles dropdown menu:
      • Admin Portal
      • HTTPS Inspection
    2. For the PaloAlto vendor, to filter the available profiles, select one of the following values from the Available profiles dropdown menu:
      • PaloAlto Firewall
        • Shared location
        • SSL/TLS Service profile
        • IKE Gateways
        • SSL Inbound Inspection Profiles
        • Authentication Profiles
      • Panorama
        • Shared location
        • SSL/TLS Service profile
        • IKE Gateways
        • SSL Inbound Inspection Profiles
        • Authentication Profiles
    3. From the list of Available Devices displayed, select the target device(s) for pushing the certificate.
    The Selected devices list is updated automatically.
  3. Enter the Certificate Details.
    Table 1. Field descriptions for the Certificate Details
    *Certificate Type
      From the dropdown list, select the file type of the certificate to be pushed.
    *Certificate File Name
      Enter the file name of the certificate to be pushed. The file extension is auto-populated based on the selected Certificate Type.
    *Trust Point Name
      A trustpoint configuration is an element that groups the details related to a certificate, such as the certificate file, the private key file, the CA certificate, and other certificate-related settings.
      Enter the name of the trustpoint configured on the target system to which the certificate will be pushed.
    Alias Name
      Enter the certificate alias assigned in the CSR generated for requesting/enrolling the certificate.
    Password
      Enter the password required to access the certificate file/trust store.
    Private Key Passphrase
      Enter the password required to access the private key file associated with the certificate.
    Push to Firewall
      Select this checkbox to push the certificate directly to the firewall when it is updated.
    Trust Type
      Important: Trust type is applicable only for server certificates that have a private key and are issued by a private CA using a customized template that issues certificates to the PaloAlto device with Key Usage set to Certificate Signing.
      Trust Type defines how the firewall handles SSL/TLS traffic depending on whether the server certificate is trusted or untrusted.
      Select one of the following values:
      • Forward Trust
        Select this option to establish the firewall as a trusted third party (proxy) in the session between the client and the server.
        With Trust Type = Forward Trust, if the server's certificate is valid and signed by a known, trusted CA (like VeriSign, DigiCert, etc.), the firewall decrypts the traffic, inspects it, and re-encrypts it using its own certificate, which the client trusts because the signing CA is configured on the client.
      • Forward Untrust
        Select this option so that the firewall notifies clients when the server certificate is signed by a CA that the firewall does not trust.
        With Trust Type = Forward Untrust, if the server's certificate is self-signed or issued by an unknown CA, the firewall may re-encrypt the traffic using an untrusted certificate, causing the client to see a warning that the connection is not secure.
      Note: If the certificate trust type was already specified when the certificate was configured on the device, then upon discovery in AppViewX the Trust Type field reflects the value configured on the device port.
  4. Enter the Push Details.
    Table 2. Field descriptions for the Push Details
    *Script Location
      Script files are commonly used to perform tasks that must be completed before and/or after a certificate is pushed to the target system. The script run before the certificate is pushed is called a pre-push script, and the script run after the push is called a post-push script.
      From the following options, select the location of the script file(s):
      • In AppViewX
      • In Device
    Pre-Push Script File Name
      Enter the file name of the pre-push script.
      Important: Read the pre-push and post-push script usage instructions here.
    Pre-Push Script File Path
      This field is displayed when Script Location = In Device.
      Enter the location on your local system where the pre-push script file is stored.
      Important: Read the pre-push and post-push script usage instructions here.
    Post-Push Script File Name
      Enter the file name of the post-push script.
      Important: Read the pre-push and post-push script usage instructions here.
    Post-Push Script File Path
      This field is displayed when Script Location = In Device.
      Enter the location on your local system where the post-push script file is stored.
      Important: Read the pre-push and post-push script usage instructions here.
    Overwrite
      The Overwrite option specifies whether existing certificates on the target system are overwritten by the certificate being pushed.
      If this option is enabled, the certificate being pushed overwrites any existing certificate with the same identifier on the target system, which also ensures that only the latest version of the certificate is available on the target system.
      If it is disabled, the push operation fails if the certificate conflicts with certificates already on the target system.
    Push Automatically
      Enable this checkbox to automatically push the certificate to the target system after it is renewed/reissued.
      Note: The auto push feature for a certificate works only if it is enabled for both the certificate application connector and the associated certificate group. To enable this feature at the certificate group level, refer to the instructions here.
  5. Click Save.
    The connector is displayed on the certificate holistic view.
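The pre-push and post-push scripts named in the Push Details table are site-specific, so the documentation does not show one. As an added example that is not AppViewX's own code, the two POSIX shell functions below perform the kind of checks such scripts typically carry out: before the push, confirm the certificate is still valid and matches the private key it will be installed with; after the push, confirm the file that landed on the target has the same SHA-256 fingerprint as the one that was sent. It assumes the openssl CLI is present and that file paths are passed as arguments.

```shell
#!/bin/sh
# Added example, not an AppViewX script. Requires the openssl CLI.
# All paths are passed in by the caller; none of them are AppViewX defaults.

# Pre-push check: return 0 only if the certificate has not expired and its
# public key is the one derived from the private key being pushed with it.
pre_push_check() {
    cert="$1"; key="$2"
    # -checkend 0 succeeds only while the certificate is still within its notAfter date.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 1
    # Compare the SubjectPublicKeyInfo from the certificate with the one
    # derived from the private key; a mismatch means the wrong key file.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Post-push check: return 0 only if the certificate now installed on the target
# (copied back or read locally) has the same SHA-256 fingerprint as the pushed one.
post_push_check() {
    pushed="$1"; installed="$2"
    f1=$(openssl x509 -in "$pushed" -noout -fingerprint -sha256 2>/dev/null) || return 1
    f2=$(openssl x509 -in "$installed" -noout -fingerprint -sha256 2>/dev/null) || return 1
    [ "$f1" = "$f2" ]
}
```

Wire each function into the corresponding script so that a non-zero exit stops the push or flags the failed deployment.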