PAN-OS root certificate expiration

What is changing:

On December 31, 2023, the root certificate and default certificate for Palo Alto Networks firewalls and devices running PAN-OS software expired. If your certificates have not been renewed before this date, your firewalls and Panorama devices will no longer be able to establish new connections to Palo Alto Networks cloud services, which can impact network traffic and potentially cause an outage when existing connections terminate and attempt to reconnect.

Certificate type   Current expiration date          Expiration date after update
root               Dec 31, 2023 at 14:47:47 GMT     01-Jan-2032 at 05:14:57 GMT
default            Dec 31, 2023 at 20:14:14 GMT     01-Jan-2032 at 07:30:33 GMT

Target update versions

The following table contains the target update versions for scenario 1a and scenario 2b.

Current version of PAN-OS   Update target version
8.1                         8.1.21-h2, 8.1.25-h1 or greater
9.0                         9.0.16-h5 or greater
9.1                         9.1.11-h4, 9.1.12-h6, 9.1.13-h4, 9.1.14-h7, 9.1.16-h3, 9.1.17 or higher
10.0                        10.0.8-h10, 10.0.11-h3, 10.0.12-h3 or greater
10.1                        10.1.3-h2, 10.1.5-h3, 10.1.6-h7, 10.1.8-h6, 10.1.9-h3, 10.1.10 or higher
10.2                        10.2.3-h9, 10.2.4 or higher
11.0                        11.0.0-h1, 11.0.1-h2, 11.0.2 or higher
11.1                        11.1.0 or higher

Hotfix versions have been released for all of the following: firewalls, Panorama, WF500/B, and PAN-DB URL Private Cloud Appliances (M Series). For WF500/B and PAN-DB URL private cloud appliances (M Series) specifically, use the following patch versions: 8.1.25-h2, 9.0.16-h6, 9.1.16-h4, 10.0.12-h4, 10.1.11-h3, 10.2.7-h1, 11.0.3-h1 and 11.1.0-h1.

Required action:

You will need to complete the appropriate actions as described in one or both of the following scenarios, depending on the services you are using. Evaluate whether these expiring certificates impact your firewalls, Panorama devices, or connected services based on the considerations below and take action where appropriate.

Scenario 1

If you are a customer using data redistribution (User ID, IP Tag, User Tag, GlobalProtect HIP, and/or Quarantine List), you will need to do one of the following: (1a) upgrade your affected firewalls and Panorama (management and log collector modes), or (1b) implement custom certificates on your affected firewalls and Panorama (management and log collector modes).


If you are a customer of a PAN-DB URL private cloud (M Series) or a WildFire private cloud appliance (WF500/B), you will need to take the following action: (1a) upgrade your affected firewalls, WF-500, M-Series and Panorama (management and log collector modes).

  • 1a) Upgrade your affected firewalls, WF-500, M-Series and Panorama
    1. If you do not have custom certificates installed, you must upgrade all of your firewalls, WF-500, M-Series, and Panoramas (management and log collector modes) that participate in data redistribution (User ID, IP Tag, User Tag, GlobalProtect HIP, and/or Quarantine List), PAN-DB URL private cloud (M Series), and/or WildFire private cloud (WF500/B) to one of the PAN-OS versions in the target update version table above.

    2. Customers need to upgrade their WF-500/B devices to the versions listed below:
      1. Released: 8.1.25-h2, 9.0.16-h6, 9.1.16-h4, 10.0.12-h4, 10.1.11-h3, 10.2.7-h1, 11.0.3-h1, 11.1.0-h1
    3. Customers must upgrade their PAN-DB URL Private Cloud Devices (M Series) to the versions listed below:
      1. Released: 8.1.25-h2, 9.0.16-h6, 9.1.16-h4, 10.0.12-h4, 10.1.11-h3, 10.2.7-h1, 11.0.3-h1, 11.1.0-h1
  • 1b) Implement custom certificates on your affected firewalls and Panorama
    • Data Redistribution (User ID, IP Tag, User Tag, GlobalProtect HIP, and Quarantine List) – If all firewalls and Panorama devices on your network are running PAN-OS version 10.0 or later and are not redistributing data from Prisma Access, you can switch to custom certificates instead of relying on the root certificates for data redistribution.
    • All firewalls and Panorama involved as clients and servers for data redistribution must receive the custom certificate.
    • All Windows User ID agents connected to firewalls and Panorama involved in data redistribution must receive the custom certificate.
    • For information about configuring custom certificates for data redistribution, see the instructions in the PAN-OS Administrator’s Guide (steps 8 and 9).

      Important:
      • Upgrade Planning: It is essential to carefully plan any upgrades after certificate expiration. An update to a redistribution agent can affect connected clients; therefore, we recommend updating all devices (clients) connected to the same agent.
      • Risks of Ongoing Sessions: After December 31, 2023, note that redistribution sessions have no timeouts that would cause them to fail on their own. All sessions established with the expired certificates will continue, but they are at risk of failing due to network outages, process restarts, commits of related configuration changes, or PAN-OS updates; therefore, we recommend that device updates be performed during a maintenance window.
      • You must switch to custom certificates on both the data redistribution agent and the client for secure communications between the server and the client.
      • You must switch to custom certificates in Windows User ID agents for secure client communications.
      • When moving to custom certificates, you will have a period where the User ID agent will not be able to communicate with the firewall or Panorama it is connected to. To minimize that time, ensure that the service account on Windows Server that runs the User ID Agent service has the appropriate permissions before migrating to custom certificates.
      • See this KB article for more information about preparation steps and how to apply custom certificates.
      • If you use data redistribution between firewalls and Prisma Access, you should also patch or update your affected firewalls because Prisma Access does not support custom certificates. You don’t need to make any changes in Prisma Access; you just need to update your firewalls to a specific update version.
  • WildFire Private Cloud (WF500/B) – Custom certificates are not an option.
  • PAN-DB URL Private Cloud (M Series) – Custom certificates are not an option.

Scenario 2

If you are a customer of WildFire public cloud, Advanced WildFire public cloud, URL Filtering, Advanced URL Filtering, DNS Security, Threat Vault or AutoFocus, you must do one of the following three actions now that the certificate has expired: (2a) install a specific content update on your affected firewalls and Panorama devices, OR (2b) upgrade your affected firewalls and Panorama devices, OR (2c) enable Device Certificate on your affected firewalls and Panorama devices.

  • 2a) Install a specific content update on your affected firewalls and Panorama devices.
    You should install the following content update version (8776-8390 or later) on your firewalls and Panorama.
    • If you have automatic content updates configured, this update will be applied automatically
    • If you update your content manually, update your content to the content version above
  • 2b) Update your affected firewalls and Panorama
    Upgrade your firewall and Panorama to one of the PAN-OS versions in the target upgrade versions mentioned above.
  • 2c) Enable Device Certificate on your affected firewalls and Panorama
    • If you have firewalls and Panorama devices running PAN-OS 8.1, PAN-OS 9.0, or PAN-OS 9.1, we do not recommend that you use this option.
    • If you have firewalls and Panorama devices running PAN-OS 10.0.5, PAN-OS 10.1.10, PAN-OS 10.2.5, or PAN-OS 11.0.2, or any later version or release, follow the instructions to enable the device certificate.

FREQUENTLY ASKED QUESTIONS:


PAN-OS 9.1 will end support on December 12, 2023. Will PAN-OS 9.1 still be supported after that date?


For customers with PAN-OS 9.1, which has an end-of-life (EoL) support date of December 13, 2023, we will extend support for all customers until March 31, 2024. This is now reflected on our End-of-Life Summary page.

Is my Prisma Access deployment affected by this emergency update?

If you use data redistribution between firewalls and Prisma Access, you must patch or upgrade the affected firewalls. No changes are required in Prisma Access; you only need to upgrade your firewalls to a specific target version, because this customer notice does not affect the Prisma Access service itself.

What will be the impact on my network if I don’t upgrade my firewalls and Panorama to one of the versions (above) by December 31, 2023?

For scenario 1:

  • If you do not upgrade your affected firewalls and Panorama devices by December 31, 2023, your firewalls and Panorama devices will no longer be able to establish new connections for data redistribution (User ID, IP Tag, User Tag, GlobalProtect HIP, or Quarantine List)
  • PAN-DB URL Private Cloud Appliances (M Series) or WildFire Private Cloud Appliances (WF-500 or WF-500-B): If your existing connections are terminated (for example, when you make network or configuration changes or experience some unforeseen network event), you will experience an outage of the affected services when they cannot reconnect due to expired certificates.

For scenario 2:

If you do not complete the recommended actions above by December 31, 2023, your WildFire public cloud, Advanced WildFire public cloud, URL Filtering, Advanced URL Filtering, DNS Security, Threat Vault and AutoFocus services will no longer be able to establish new connections after that date.

How can I check my firewalls and Panorama to make sure they have the new root certificate that expires on January 1, 2032?

There is no direct way to view the actual certificate. Based on the scenarios described above, if your firewalls and Panorama are running any of the specific PAN-OS versions listed above (or a later version), or running the required content version, then you will have the new root and default certificate installed.

Which PAN-OS version should I select in the table for Update Target Version?

We recommend that you update to the latest revision of the specific PAN-OS major/minor version you are currently running, i.e. if you are currently using 9.1.11, select 9.1.11-h4 or the next closest higher version (current: 9.1.5 to target 9.1.11-h4). It is not necessary or recommended to upgrade to a new major version just to update certificates; for example, you do not need to upgrade from 10.1.X to 10.2.Y, but rather select a 10.1.X revision.
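The target version table above and the selection rule in this answer can be applied to a whole inventory in one pass. The following Python script is an added example (not a Palo Alto Networks tool and not code from this notice): it parses PAN-OS version strings such as 10.1.9-h3, reports whether a build already carries the renewed certificates, and otherwise returns the nearest listed target in the same major/minor train. The version strings in the two tables are copied from the notice; the function names, the constructed inventory, the treatment of the WF-500/B and PAN-DB M-Series patch versions as per-train floors, and the assumption that a later hotfix of a listed maintenance release (for instance 10.2.3-h10 under the 10.2.3-h9 entry) also qualifies are this example's own.

```python
"""Audit PAN-OS versions against the target version table in the notice.

Added example, not a Palo Alto Networks tool. The version strings in the
tables are copied from the notice; the parsing, comparison rules and
function names are assumptions made for this example.
"""
import re

# Firewall / Panorama targets per major.minor train, copied from the notice.
# Entries are ascending; the last one is the "or higher" floor, the others
# are specific hotfix builds that also carry the renewed certificates.
TARGET_VERSIONS = {
    "8.1": ["8.1.21-h2", "8.1.25-h1"],
    "9.0": ["9.0.16-h5"],
    "9.1": ["9.1.11-h4", "9.1.12-h6", "9.1.13-h4", "9.1.14-h7", "9.1.16-h3", "9.1.17"],
    "10.0": ["10.0.8-h10", "10.0.11-h3", "10.0.12-h3"],
    "10.1": ["10.1.3-h2", "10.1.5-h3", "10.1.6-h7", "10.1.8-h6", "10.1.9-h3", "10.1.10"],
    "10.2": ["10.2.3-h9", "10.2.4"],
    "11.0": ["11.0.0-h1", "11.0.1-h2", "11.0.2"],
    "11.1": ["11.1.0"],
}

# WF-500/B and PAN-DB URL private cloud (M-Series) patch versions from the
# note under the table. Assumption: each is treated as the floor for its train.
PRIVATE_CLOUD_TARGETS = {
    "8.1": ["8.1.25-h2"], "9.0": ["9.0.16-h6"], "9.1": ["9.1.16-h4"],
    "10.0": ["10.0.12-h4"], "10.1": ["10.1.11-h3"], "10.2": ["10.2.7-h1"],
    "11.0": ["11.0.3-h1"], "11.1": ["11.1.0-h1"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """'10.1.9-h3' -> (10, 1, 9, 3); a build without a hotfix suffix gets hotfix 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def format_version(v):
    major, minor, maint, hotfix = v
    base = f"{major}.{minor}.{maint}"
    return f"{base}-h{hotfix}" if hotfix else base


def recommended_target(current, device="firewall"):
    """Return None when `current` already carries the renewed certificates,
    otherwise the nearest listed target in the same train (the FAQ's
    "next closest higher version"). `device` is "firewall" (also Panorama),
    "wf500" or "pandb". Raises ValueError for a train the notice omits."""
    cur = parse_version(current)
    train = f"{cur[0]}.{cur[1]}"
    table = PRIVATE_CLOUD_TARGETS if device in ("wf500", "pandb") else TARGET_VERSIONS
    if train not in table:
        raise ValueError(f"PAN-OS {train} is not covered by the notice")
    targets = [parse_version(t) for t in table[train]]
    if cur >= targets[-1]:                       # at or above the "or higher" floor
        return None
    for t in targets[:-1]:                       # a listed hotfix build of the same
        if cur[:3] == t[:3] and cur[3] >= t[3]:  # maintenance release (assumption: later
            return None                          # hotfixes of that release also qualify)
    return format_version(next(t for t in targets if t >= cur))


def audit(inventory):
    """inventory: list of (name, device, version). Returns (name, version, verdict) rows."""
    rows = []
    for name, device, version in inventory:
        try:
            target = recommended_target(version, device)
        except ValueError as exc:
            rows.append((name, version, f"unknown: {exc}"))
            continue
        rows.append((name, version, "ok" if target is None else f"upgrade to {target}"))
    return rows


if __name__ == "__main__":
    # Constructed inventory for demonstration; device names are made up.
    sample = [
        ("fw-branch-01", "firewall", "9.1.11"),
        ("fw-dc-02", "firewall", "10.1.9-h3"),
        ("panorama-01", "firewall", "10.2.3"),
        ("wf500-lab", "wf500", "10.1.10"),
        ("m600-urldb", "pandb", "11.0.3-h1"),
    ]
    for row in audit(sample):
        print("%-14s %-12s %s" % row)
```

The script stays within the current train on purpose, matching the guidance above not to jump major versions for this fix; feed it the output of your own inventory export rather than the constructed sample.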

How can I determine if my firewalls and Panoramas are configured with custom certificates?

Custom certificates for data redistribution (User ID, IP Tag, User Tag, GlobalProtect HIP, and/or Quarantine List) are supported starting with PAN-OS 10.0 and higher. You can check if you are using default/custom certificates for data redistribution using the following commands.

Redistribution Agent

admin@hostname> show redistribution service status

Redistribution info: 
        Redistribution service:                     up
        listening port:                           5007
        SSL config:                    Custom certificates
        back pressure is:                          off
        number of clients:                           2

Redistribution client

admin@hostname> show redistribution agent state all

Agent: 92-uid-Agent(vsys: vsys1) Host: 10.46.196.49(10.46.196.49):5007
        Status                                            : conn:idle
        Version                                           : 0x6
        SSL config:                                       : Custom certificates
        num of connection tried                           : 1

Custom certificates for WildFire Private Cloud (WF-500 or WF-500-B) are available starting with PAN-OS 8.1 and all later versions.

Certificate verification from PAN-OS CLI:

admin@sjc-bld-smk01-esx13-t2-pavm02> show wildfire status channel private
… 

Secure Connection: Custom Trusted CA, Custom Client Certificate

…
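The three CLI outputs quoted above are what an operator reads by hand; the following Python is an added example (not Palo Alto Networks code and not part of the original notice) that parses them and reports which links still rely on the default certificates, which is the Scenario 1 exposure. The sample outputs are constructed to mirror the quoted ones: the second client agent entry, the host 10.0.0.7 and the wording "Default certificates" are made up for the example, so the default-mode string on a real device may differ and should be checked against your own output. The function names are this example's own.

```python
"""Classify certificate mode from the PAN-OS CLI outputs quoted in the FAQ.

Added example, not Palo Alto Networks code. Sample outputs are constructed
to mirror the quoted ones; the "Default certificates" wording is assumed.
"""
import re

# Constructed sample: agent side, `show redistribution service status`.
AGENT_STATUS_CUSTOM = """\
Redistribution info:
        Redistribution service:                     up
        listening port:                           5007
        SSL config:                    Custom certificates
        back pressure is:                          off
        number of clients:                           2
"""

# Constructed sample: client side, `show redistribution agent state all`.
# The second agent entry and its "Default certificates" value are made up.
CLIENT_STATE = """\
Agent: 92-uid-Agent(vsys: vsys1) Host: 10.46.196.49(10.46.196.49):5007
        Status                                            : conn:idle
        Version                                           : 0x6
        SSL config:                                       : Custom certificates
        num of connection tried                           : 1
Agent: branch-uid-Agent(vsys: vsys1) Host: 10.0.0.7(10.0.0.7):5007
        Status                                            : conn:idle
        Version                                           : 0x6
        SSL config:                                       : Default certificates
        num of connection tried                           : 1
"""

# Constructed sample: `show wildfire status channel private` (relevant line only).
WILDFIRE_PRIVATE = "Secure Connection: Custom Trusted CA, Custom Client Certificate\n"

# "key : value" line; the optional second colon absorbs the doubled colon seen
# in the client output ("SSL config:        : Custom certificates").
_KV_RE = re.compile(r"^\s*(.+?)\s*:\s*:?\s*(.*?)\s*$")
_AGENT_RE = re.compile(r"^Agent:\s*(.+?)\(vsys:\s*([^)]+)\)\s+Host:\s*(\S+)")


def _is_custom(value):
    return "custom" in value.lower()


def redistribution_service_mode(output):
    """'custom' or 'default' from the agent's 'SSL config' line; None if absent."""
    for line in output.splitlines():
        m = _KV_RE.match(line)
        if m and m.group(1).lower() == "ssl config":
            return "custom" if _is_custom(m.group(2)) else "default"
    return None


def parse_agent_state(output):
    """One record per 'Agent:' block on the client, with a derived 'mode' key."""
    records = []
    for line in output.splitlines():
        header = _AGENT_RE.match(line)
        if header:
            records.append({"agent": header.group(1), "vsys": header.group(2),
                            "host": header.group(3)})
            continue
        m = _KV_RE.match(line)
        if m and records:
            records[-1][m.group(1).lower()] = m.group(2)
    for rec in records:
        rec["mode"] = "custom" if _is_custom(rec.get("ssl config", "")) else "default"
    return records


def wildfire_private_mode(output):
    """Flags parsed from the 'Secure Connection' line; None if the line is absent."""
    m = re.search(r"Secure Connection\s*:\s*(.+)", output)
    if not m:
        return None
    parts = {p.strip().lower() for p in m.group(1).split(",")}
    return {"custom_trusted_ca": "custom trusted ca" in parts,
            "custom_client_certificate": "custom client certificate" in parts}


def scenario1_exposure(service_output, client_output):
    """Links still on default certificates: these need the 1a upgrade or 1b custom certs."""
    exposed = []
    if redistribution_service_mode(service_output) == "default":
        exposed.append("redistribution agent")
    for rec in parse_agent_state(client_output):
        if rec["mode"] == "default":
            exposed.append(f"client link to {rec['agent']} at {rec['host']}")
    return exposed


if __name__ == "__main__":
    print("agent mode:", redistribution_service_mode(AGENT_STATUS_CUSTOM))
    print("wildfire:", wildfire_private_mode(WILDFIRE_PRIVATE))
    print("exposed:", scenario1_exposure(AGENT_STATUS_CUSTOM, CLIENT_STATE))
```

Because a device on custom certificates for redistribution can still have clients that were never migrated, the client-side parse is the one that surfaces the leftover links; run both commands on every agent and client rather than checking the agent alone.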

For data redistribution (user ID, IP tag, user tag, GlobalProtect HIP and/or quarantine list), in what order should I update?

  • Until December 31, 2023, the Redistribution Agent and Redistribution Client can run different versions and still connect and communicate correctly.
  • You do not need to update all of your firewalls and Panorama devices simultaneously, but you should start by upgrading your Panorama devices and then upgrade your firewalls.
  • On December 31, 2023, all of your firewalls and Panorama devices must be running one of the specific versions for your network to continue connecting and communicating successfully and sharing mappings and tags as expected.

Does the expiration of this certificate affect communication between firewalls and Windows Terminal Server or User ID agents or between firewalls and Panorama devices?

If you choose to remedy Scenario 1 by using custom certificates, you will need to add those custom certificates to the Windows User ID agent. This does not affect Terminal Server agents. Review option 1b of Scenario 1 for more information.

With the upgrade fix for Scenario 1 and all Scenario 2 fixes, there is no impact on the communication between the firewalls and the User-ID and Terminal Server agents.

Why am I seeing a pop-up notification even though I have taken steps to avoid this issue?

The message is broadcast to all devices regardless of version or actions taken and will continue to be displayed until you click the checkbox at the bottom left of the popup that says Do not show again (this checkbox is saved per user, not per system, so each administrator with their own credentials will have to select it for their own account).

If all corrective actions have been taken properly, it is safe to ignore the notification.


Is there a tool I can use to determine if this certificate issue affects me?

Use the Self Impact Discovery tool at https://github.com/PaloAltoNetworks/redist-check/tree/main. If you have any issues with the tool, please report them on GitHub at https://github.com/PaloAltoNetworks/redist-check/issues