Automating Certificates for Firewall Devices in AppViewX

This section describes end-to-end certificate automation for firewall devices in the AppViewX application. Complete the following steps to automate firewall device certificates.
  • Prerequisites
  • Device Management
  • Firewall Inventory
  • On-Demand Discovery
  • Server Inventory
  • Certificate Renewal
  • Auto Renew Job

Prerequisites

Device Management

  1. Go to (Menu) > CERT+ > ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Firewall tab.
  3. Click the (Add) icon.
  4. Enter the General information, Credentials, Secondary device information in the device details form.
    You can configure multiple device details for the same vendor.
    1. In the General Information section, select the Managed option from the Cert Sync radio buttons. The available options are:
      • Managed: Trigger certificate discovery and manage all the certificates.
      • Monitor: Discover and move certificates to inventory with a monitored status.
      • Ignored: No certificate discovery.
  5. Click Save.
  6. Once the server is added successfully, you are redirected to the device server inventory. The status of the server can be viewed in the Status column.
AppViewX can set a limit on the number of licensed certificates. If the number of certificates exceeds this limit, the additional certificates added to the inventory are moved to the Monitored status.
  • A red indicator labelled "License Limit Exceed" appears on the title bar of the page if the limit has been exceeded.
  • A pop-up message "Access denied. License count exceeded." is displayed when you click Save while adding a new server device.
  • All newly on-boarded server certificates (Server/ADC/Firewall/WAF device config sync) in the inventory are mapped to the Monitored state.

Firewall Inventory

  1. Go to (Menu) > CERT+ > ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Firewall tab.
  3. In the firewall inventory page, wait for the device status to become Managed.
  4. Once the device status has changed to Managed, navigate to On-Demand Discovery.

On-Demand Discovery

  1. Go to (Menu) > CERT+ > CERTIFICATE DISCOVERY > Discovery Status > On Demand.
    The Discovery Status : On-demand page is displayed.
  2. To create a new on-demand discovery instance:
    If this is the first on-demand discovery instance, click from the center of the page.

    OR

    Click .

  3. Enter the Discover Details, Discover By, Discovery Rules, After Discover information in the Discovery Status : On-demand : Add Discovery form.
  4. In the Discover Details section, enter/select the following details:
    Table 1. Field descriptions for the Discover Details section
    Field                      Description
    *Discovery Run Type        Select On-demand.
    Discovery Instance Name    Enter the name of the discovery instance.
    Description                Enter the required details in this field.
                               Note: Character limit: 2000 characters
    *: Mandatory fields
  5. In the Discover By section, from the Discovery From drop-down list, select Managed Firewalls as the source of the discovery.
    The remaining fields are displayed based on your selection in this field. For instructions on specifying the rest of the details.
  6. Select the configured firewall device from the list of devices.
  7. In the After Discover section, set Move Certificate to Inventory with Status to Managed. The options are:
    • Do not move: Newly discovered certificates and their objects are not moved to inventory.
    • Managed: Newly discovered certificates and their objects are moved to inventory with the status Managed.
    • Monitored: Newly discovered certificates and their objects are moved to inventory with the status Monitor.
    Note: If a discovered certificate already exists in the inventory, its objects are moved with the same status.
  8. After discovery is completed and certificates are moved to inventory, navigate to Server Inventory.

Server Inventory

  1. Go to (Menu) > CERT+ > CERTIFICATE INVENTORY > Server.
    The Server Certificate page is displayed.
  2. Search with the configured firewall device name in the search field. For example, search with PaloAlto_Firewall_Device name.
  3. Click the certificate that needs to be automatically renewed/regenerated and pushed to the firewall devices.
    You will be redirected to the Certificate Holistic View.
  4. Click the () three dots icon available in the CA connector, and then select the Edit option.
  5. In the Edit Application Connector > Push Details section, select the Push Automatically check box, and set the renewal period.
  6. Click Save.

Certificate Group

  1. Go to (Menu) > CERT+ > GROUPS & POLICIES > Groups.
    The Group inventory is displayed. CERT+ is packaged with default certificate groups Default and Certificate-Gateway.
  2. Search with the configured firewall device group name in the search field. For example, search with PaloAlto_Firewall_Device name.
  3. Click the group to be modified.
  4. Go to the Group : Modify : Certificate-Gateway > Other details section and set the toggle button to On. When this is enabled, renewed or reissued certificates in this group are automatically associated with their device.

Auto Renew Job

  1. A scheduled job runs every six hours, renewing and pushing certificates as configured.
  2. The system will manage the transition from old to new certificates automatically.
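Certificates that end up in the Monitored or Ignored state (the After Discover setting, or demotion once the license limit is reached) are not renewed by the six-hourly job, so it is worth checking the inventory for them. The following added example is not AppViewX code: it models the inventory-status and license-limit rules as the steps above describe them, and reports the certificates the auto-renew job will skip and the Managed ones that fall inside a renewal period. Certificate names, the license limit and the dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Inventory statuses named on the page.
MANAGED, MONITORED, IGNORED = "Managed", "Monitored", "Ignored"

@dataclass
class Cert:
    name: str
    not_after: datetime
    status: Optional[str] = None  # None: newly discovered, not yet in inventory

def apply_discovery(existing, discovered, after_discover, license_limit):
    """Assumed model of the After Discover and license-limit rules.

    Certificates already in inventory keep their status; new ones get the
    selected status, and once the number of Managed certificates reaches
    license_limit, further new certificates are demoted to Monitored.
    Returns the resulting inventory as {name: status}.
    """
    inventory = {c.name: c.status for c in existing}
    managed_count = sum(1 for s in inventory.values() if s == MANAGED)
    for cert in discovered:
        if cert.name in inventory or after_discover == "Do not move":
            continue
        status = MANAGED if after_discover == "Managed" else MONITORED
        if status == MANAGED and managed_count >= license_limit:
            status = MONITORED  # over the license limit: demoted
        if status == MANAGED:
            managed_count += 1
        inventory[cert.name] = status
    return inventory

def not_auto_renewed(inventory):
    """Certificates the renew job will skip (anything not Managed)."""
    return sorted(n for n, s in inventory.items() if s != MANAGED)

def due_for_renewal(certs, inventory, renewal_days, now):
    """Managed certificates whose expiry lies inside the renewal period."""
    cutoff = now + timedelta(days=renewal_days)
    return sorted(c.name for c in certs
                  if inventory.get(c.name) == MANAGED and c.not_after <= cutoff)

if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed sample data
    existing = [Cert("fw-mgmt", now + timedelta(days=200), MANAGED)]
    found = [Cert("fw-mgmt", now + timedelta(days=200)),
             Cert("fw-portal", now + timedelta(days=10)),
             Cert("fw-vpn", now + timedelta(days=300))]
    inv = apply_discovery(existing, found, "Managed", license_limit=2)
    print(inv, not_auto_renewed(inv), due_for_renewal(found, inv, 30, now))
```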

By following these steps, you can automate certificate management for firewall devices in the AppViewX platform efficiently.