What's Changing?
On December 31, 2023, the root certificate and the default certificate for Palo Alto Networks firewalls and devices running PAN-OS expired. If your certificates were not renewed before this date, your firewalls and Panorama devices will no longer be able to establish new connections to Palo Alto Networks cloud services, which may impact network traffic and potentially cause disruptions when existing connections end and attempt to reconnect.

| Certificate Type | Current Expiration Date | Expiration Date After Update |
|---|---|---|
| Root | Dec 31, 2023 14:47:47 GMT | Jan 1, 2032 05:14:57 GMT |
| Default | Dec 31, 2023 20:14:14 GMT | Jan 1, 2032 07:30:33 GMT |
Target Update Versions
The following table contains the target update versions for Scenario 1a and Scenario 2b.
| Current PAN-OS Version | Update to Target Version |
|---|---|
| 8.1 | 8.1.21-h2, 8.1.25-h1 or later |
| 9.0 | 9.0.16-h5 or later |
| 9.1 | 9.1.11-h4, 9.1.12-h6, 9.1.13-h4, 9.1.14-h7, 9.1.16-h3, 9.1.17 or later |
| 10.0 | 10.0.8-h10, 10.0.11-h3, 10.0.12-h3 or later |
| 10.1 | 10.1.3-h2, 10.1.5-h3, 10.1.6-h7, 10.1.8-h6, 10.1.9-h3, 10.1.10 or later |
| 10.2 | 10.2.3-h9, 10.2.4 or later |
| 11.0 | 11.0.0-h1, 11.0.1-h2, 11.0.2 or later |
| 11.1 | 11.1.0 or later |
All maintenance release versions have been published for Private Cloud (M-Series) firewalls, Panorama, WF-500/B, and URL PAN-DB. For Private Cloud (M-Series) WF-500/B and URL PAN-DB devices specifically, use the following maintenance release versions: 8.1.25-h2, 9.0.16-h6, 9.1.16-h4, 10.0.12-h4, 10.1.11-h3, 10.2.7-h1, 11.0.3-h1, and 11.1.0-h1.
Required Action:
You must complete the appropriate actions as described in one or both of the following scenarios, depending on the services you are using. Assess whether these expiring certificates affect your firewalls, Panorama devices, or connected services based on the considerations below, and take the necessary actions as applicable.
Scenario 1
If you are a customer with data redistribution (User-ID, IP tag, user tag, GlobalProtect HIP, and/or quarantine list), you must perform one of the following two actions: (1a) update your affected firewalls and Panorama (management and log collector modes), OR (1b) deploy custom certificates on the affected firewalls and Panorama (management and log collector modes).
If you are a Private Cloud URL PAN-DB (M-Series) customer or have a Private Cloud WildFire (WF-500/B) device, you must take the following action: (1a) update your affected firewalls, WF-500, M-Series, and Panorama (management and log collector modes).
- 1a) Update your affected firewalls, WF-500, M-Series, and Panorama
- If you do not have custom certificates installed, you must update all your firewalls, WF-500, M-Series, and Panoramas (management and log collector modes) that participate in data redistribution (User-ID, IP tag, user tag, GlobalProtect HIP, and/or quarantine list), Private Cloud PAN-DB URL (M-Series), and/or Private Cloud WildFire (WF-500/B) to one of the PAN-OS versions in the target update version table above.
- Customers must update their WF-500/B devices to one of the following published versions: 8.1.25-h2, 9.0.16-h6, 9.1.16-h4, 10.0.12-h4, 10.1.11-h3, 10.2.7-h1, 11.0.3-h1, 11.1.0-h1
- Customers must update their Private Cloud PAN-DB URL (M-Series) devices to one of the following published versions: 8.1.25-h2, 9.0.16-h6, 9.1.16-h4, 10.0.12-h4, 10.1.11-h3, 10.2.7-h1, 11.0.3-h1, 11.1.0-h1
- 1b) Deploy Custom Certificates on your affected firewalls and Panorama
- Data redistribution (User-ID, IP tag, user tag, GlobalProtect HIP, and quarantine list) : if all the firewalls and Panorama devices in your network are running PAN-OS version 10.0 or later and do not redistribute data from Prisma Access, you can switch to custom certificates instead of using root certificates for data redistribution.
- All firewalls and Panorama devices involved as clients and servers for data redistribution must be provisioned with the custom certificate.
- All Windows User-ID agents connected to the firewalls and Panorama devices involved in data redistribution must be provisioned with the custom certificate.
- For information on configuring custom certificates for data redistribution, see the instructions in the PAN-OS Administrator’s Guide (steps 8 and 9).
Important:
- Upgrade Planning: it is essential to carefully plan any update after the certificate expiration. An update to a redistribution agent may affect its connected clients; therefore, we recommend updating all devices (clients) connected to the same agent.
- Ongoing Session Risks: after December 31, 2023, note that redistribution sessions have no timeout that would by itself cause them to fail. Sessions established with the now-expired certificates continue to run, but they are at risk of failing on a network interruption, a process restart, a committed configuration change that affects them, or a PAN-OS upgrade, since a reconnection with the expired certificates will not succeed; therefore, we recommend performing device updates during a maintenance window.
- You must switch to custom certificates on both the data redistribution agent and the client for secure communications between the server and the client.
- You must switch to custom certificates on Windows User-ID agents for secure communications with the client.
- When switching to custom certificates, there will be a period during which the User-ID agent will not be able to communicate with the connected firewall or Panorama. To minimize this downtime, ensure that the service account on the Windows Server running the User-ID agent service has the appropriate permissions before migrating to custom certificates.
- Follow this KB article for more information on the preparation steps and how to apply custom certificates.
- If you use data redistribution between firewalls and Prisma Access, you must also apply a maintenance release or upgrade your affected firewalls, as Prisma Access does not support custom certificates. You do not need to make any changes to Prisma Access; you only need to update your firewalls to a specific target release version.
- Private Cloud WildFire (WF500/B) : custom certificates are not an option.
- Private Cloud PAN-DB URL (M-Series) : custom certificates are not an option.
Scenario 2
If you are a customer of Public Cloud WildFire, Public Cloud Advanced WildFire, URL Filtering, Advanced URL Filtering, DNS Security, Threat Vault, or AutoFocus, you must take one of the following three actions now that the certificate has expired: (2a) install a specific content update on your affected firewalls and Panorama devices, OR (2b) upgrade your affected firewalls and Panorama devices, OR (2c) enable device certificates on your affected firewalls and Panorama devices.
- 2a) Install a specific content update on your affected firewalls and Panorama devices.
- You must install content update version 8776-8390 or later on your firewalls and Panorama.
- If you have automatic content updates configured, this update is applied automatically.
- If you update your content manually, update to the content version above (or later).
- 2b) Upgrade your affected firewalls and Panorama
Upgrade your firewall and Panorama to one of the PAN-OS versions listed in the previously mentioned target update versions.
- 2c) Enable the Device Certificate on your affected firewalls and Panorama.
- If you have firewalls and Panorama devices running PAN-OS 8.1, PAN-OS 9.0, or PAN-OS 9.1, this option is not recommended.
- If you have firewalls and Panorama devices running PAN-OS 10.0.5, PAN-OS 10.1.10, PAN-OS 10.2.5, or PAN-OS 11.0.2, or any later version or release, follow the instructions to enable the device certificate.
PAN-OS 9.1 will reach end-of-support on December 13, 2023. Will PAN-OS 9.1 still be supported after that date?
For customers on PAN-OS 9.1, which has an end-of-life (EoL) support date of December 13, 2023, we will extend support for all customers until March 31, 2024. This is now reflected in our End-of-Life Summary page.
Is my Prisma Access deployment affected by this emergency update?
If you use data redistribution between firewalls and Prisma Access, you must apply a maintenance release or upgrade the affected firewalls. No changes are required on Prisma Access; you only need to update your firewalls to a specific target release version because this customer advisory does not impact the Prisma Access service.
What will be the impact on my network if I do not upgrade my firewalls and Panorama to one of the versions listed above before December 31, 2023?
For Scenario 1:
- If you do not upgrade your affected firewalls and Panorama devices before December 31, 2023, they will no longer be able to establish new connections for data redistribution (User-ID, IP tag, user tag, GlobalProtect HIP, or quarantine list), Private Cloud PAN-DB URL devices (M-Series), or Private Cloud WildFire devices (WF-500 or WF-500-B).
- If your existing connections end (for example, when you make network or configuration changes or experience an unexpected network event), you will experience a disruption of the affected services, because they cannot reconnect with the expired certificates.
For Scenario 2:
If you do not complete the recommended actions above before December 31, 2023, your Public Cloud WildFire, Public Cloud Advanced WildFire, URL Filtering, Advanced URL Filtering, DNS Security, Threat Vault, and AutoFocus services will no longer be able to establish new connections after that date.
How can I check my firewalls and Panorama to ensure they have the new root certificate that expires on January 1, 2032?
There is no direct way to view the actual certificate. According to the scenarios described above, if your firewalls and Panorama are running any of the specific PAN-OS versions listed above (or a later version), or are running the required content version, then the new root and default certificate will be installed.
Which PAN-OS version should I select in the table for the Target Update Version?
We recommend that you upgrade to the latest maintenance release for the specific major/minor PAN-OS version you are currently running. For example, if you are currently on 9.1.11, select 9.1.11-h4 or the next closest higher target version (likewise, from 9.1.5 the next closest target is 9.1.11-h4). It is neither necessary nor recommended to upgrade to a new major version just to update certificates; for instance, you do not need to upgrade from 10.1.X to 10.2.Y, but should select a 10.1.X maintenance release.
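The following script is an added example and is not part of this advisory or a Palo Alto Networks tool. It encodes the target update version table above and the rule in this answer (stay in the same major/minor train, pick the next closest listed target), plus the Scenario 2a content version threshold (8776-8390), so an inventory of PAN-OS and content versions can be checked in bulk. The table entries are copied from the advisory; the reading that a later hotfix of a listed maintenance release (for example 8.1.21-h3 for the 8.1.21-h2 entry) also carries the fix is this example's assumption, as are the function names and the sample inventory.

```python
"""Added example (not from the advisory or Palo Alto Networks): check a PAN-OS
version against the target update table above, suggest the next target in the
same train, and apply the Scenario 2a content-version check."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, maintenance, hotfix)

# Target versions from the table above, per major.minor train. Every entry but
# the last names a specific maintenance release with a minimum hotfix; the
# last entry is the "or later" threshold for the whole train.
TARGET_VERSIONS: Dict[str, List[str]] = {
    "8.1": ["8.1.21-h2", "8.1.25-h1"],
    "9.0": ["9.0.16-h5"],
    "9.1": ["9.1.11-h4", "9.1.12-h6", "9.1.13-h4", "9.1.14-h7", "9.1.16-h3", "9.1.17"],
    "10.0": ["10.0.8-h10", "10.0.11-h3", "10.0.12-h3"],
    "10.1": ["10.1.3-h2", "10.1.5-h3", "10.1.6-h7", "10.1.8-h6", "10.1.9-h3", "10.1.10"],
    "10.2": ["10.2.3-h9", "10.2.4"],
    "11.0": ["11.0.0-h1", "11.0.1-h2", "11.0.2"],
    "11.1": ["11.1.0"],
}

# Scenario 2a: content release 8776-8390 or later carries the new certificates.
MIN_CONTENT_VERSION = (8776, 8390)

_PANOS_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")
_CONTENT_RE = re.compile(r"^(\d+)-(\d+)$")


def parse_version(text: str) -> Version:
    """'10.1.9-h3' -> (10, 1, 9, 3); a release without a hotfix gets hotfix 0."""
    m = _PANOS_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def train_of(v: Version) -> str:
    return f"{v[0]}.{v[1]}"


def is_remediated(version: str) -> bool:
    """True if this PAN-OS release already ships the renewed certificates."""
    cur = parse_version(version)
    targets = TARGET_VERSIONS.get(train_of(cur))
    if targets is None:
        return False  # train not in the table: treat as not remediated
    *fixed, threshold = (parse_version(t) for t in targets)
    # "X.Y.Z-hN" entries: that maintenance release at hotfix N or higher.
    # Assumption of this example: hotfixes on a maintenance release are cumulative.
    for t in fixed:
        if cur[2] == t[2] and cur[3] >= t[3]:
            return True
    # "... or later": the threshold release or anything above it in the train.
    return cur >= threshold


def next_target(version: str) -> Optional[str]:
    """Closest listed target at or above the current version in the same train
    (the FAQ's "next closest higher version"); None if already remediated or the
    train is not in the table. Never crosses into another major/minor train."""
    if is_remediated(version):
        return None
    cur = parse_version(version)
    for t in TARGET_VERSIONS.get(train_of(cur), []):
        if parse_version(t) >= cur:
            return t
    return None


def is_content_remediated(content_version: str) -> bool:
    """Scenario 2a: content release 'NNNN-NNNN' at or above 8776-8390."""
    m = _CONTENT_RE.match(content_version.strip())
    if not m:
        raise ValueError(f"unrecognized content version: {content_version!r}")
    return (int(m.group(1)), int(m.group(2))) >= MIN_CONTENT_VERSION


def assess(panos_version: str, content_version: Optional[str] = None) -> Dict[str, object]:
    """One row of a fleet report: Scenario 1 needs a target PAN-OS release;
    Scenario 2 is satisfied by a target release or by the content update."""
    panos_ok = is_remediated(panos_version)
    content_ok = bool(content_version) and is_content_remediated(content_version)
    return {
        "panos": panos_version,
        "scenario1_ok": panos_ok,
        "scenario2_ok": panos_ok or content_ok,
        "next_target": next_target(panos_version),
    }


if __name__ == "__main__":
    # Constructed inventory for the demo, not real devices.
    fleet = [("fw-a", "9.1.5", "8770-8300"), ("fw-b", "10.1.9-h3", None),
             ("pan-1", "10.2.3", "8776-8390"), ("fw-c", "8.1.22", "8780-8400")]
    for name, pv, cv in fleet:
        print(name, assess(pv, cv))
```

A device whose train is missing from the table (for instance an unsupported release) is reported as not remediated and gets no target, which is the safe default for an inventory sweep.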
How can I determine if my firewalls and Panorama devices are configured with custom certificates?
Custom certificates for data redistribution (User-ID, IP tag, user tag, GlobalProtect HIP, and/or quarantine list) are supported starting with PAN-OS 10.0 and later versions. You can check whether you are using default or custom certificates for data redistribution using the following commands.
Redistribution Agent
admin@10.0-New-AFW> show redistribution service status
Redistribution info:
Redistribution service: up
listening port: 5007
SSL config: Custom certificates
back pressure is: off
number of clients: 2
Redistribution Client
admin@10.0-New-CFW> show redistribution agent state all
Agent: 92-uid-Agent(vsys: vsys1) Host: 10.46.196.49(10.46.196.49):5007
Status : conn:idle
Version : 0x6
SSL config: : Custom certificates
num of connection tried : 1
Custom certificates for Private Cloud WildFire (WF-500 or WF-500-B) are available starting with PAN-OS 8.1 and all later versions.
Certificate Verification from PAN-OS CLI:
admin@sjc-bld-smk01-esx13-t2-pavm02> show wildfire status channel private
…
Secure Connection: Custom Trusted CA, Custom Client Certificate
…
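To run the three checks above across many captured outputs rather than reading each by hand, here is an added example (not from the advisory or from Palo Alto Networks) that parses the `show redistribution service status`, `show redistribution agent state all`, and `show wildfire status channel private` output formats shown above and flags every peer that is not reporting custom certificates. The sample outputs are constructed from the snippets on this page; the second agent and its "Default certificates" value are invented for the demo (the page only shows the custom-certificate form), so the check treats any value that does not begin with "Custom" as the built-in certificates.

```python
"""Added example (not from the advisory or Palo Alto Networks): parse the PAN-OS
CLI outputs shown above and flag peers still on the built-in certificates."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample outputs modelled on the snippets above. The second agent
# and its "Default certificates" value are invented for the demo.
SERVICE_STATUS = """\
Redistribution info:
    Redistribution service: up
    listening port:         5007
    SSL config:             Custom certificates
    back pressure is:       off
    number of clients:      2
"""

AGENT_STATE = """\
Agent: 92-uid-Agent(vsys: vsys1) Host: 10.46.196.49(10.46.196.49):5007
    Status                : conn:idle
    Version               : 0x6
    SSL config:           : Custom certificates
    num of connection tried : 1
Agent: legacy-Agent(vsys: vsys1) Host: 10.0.0.9(10.0.0.9):5007
    Status                : conn:idle
    Version               : 0x6
    SSL config:           : Default certificates
    num of connection tried : 1
"""

WILDFIRE_PRIVATE = """\
Secure Connection: Custom Trusted CA, Custom Client Certificate
"""

# "Agent: <name>(vsys: <vsys>) Host: <host>(<ip>):<port>"
_AGENT_RE = re.compile(
    r"^Agent:\s*(?P<name>.+?)\(vsys:\s*(?P<vsys>[^)]+)\)\s+Host:\s*"
    r"(?P<host>[^(]+)\((?P<ip>[^)]+)\):(?P<port>\d+)\s*$"
)


def _kv(line: str) -> Optional[Tuple[str, str]]:
    """Split 'key : value' on the first colon; tolerates 'SSL config: : value'."""
    key, sep, value = line.partition(":")
    if not sep:
        return None
    return key.strip().lower(), value.strip().lstrip(":").strip()


def parse_service_status(output: str) -> Dict[str, str]:
    """'show redistribution service status' (agent side) -> flat dict."""
    info: Dict[str, str] = {}
    for line in output.splitlines():
        kv = _kv(line.strip())
        if kv and kv[1]:
            info[kv[0]] = kv[1]
    return info


def parse_agent_state(output: str) -> List[Dict[str, str]]:
    """'show redistribution agent state all' (client side) -> one dict per agent."""
    agents: List[Dict[str, str]] = []
    for raw in output.splitlines():
        line = raw.strip()
        m = _AGENT_RE.match(line)
        if m:
            agents.append({k: v.strip() for k, v in m.groupdict().items()})
            continue
        kv = _kv(line)
        if kv and agents:  # indented fields belong to the most recent agent
            agents[-1][kv[0]] = kv[1]
    return agents


def parse_wildfire_channel(output: str) -> str:
    """'show wildfire status channel private' -> the 'Secure Connection' value."""
    for line in output.splitlines():
        kv = _kv(line.strip())
        if kv and kv[0] == "secure connection":
            return kv[1]
    return ""


def uses_custom_certs(value: str) -> bool:
    """True when an SSL config / Secure Connection field reports custom material."""
    return value.lower().startswith("custom")


def devices_needing_attention(service: str, agents: str, wildfire: str) -> List[str]:
    """Names of redistribution peers (and 'wildfire') not using custom certificates."""
    flagged: List[str] = []
    if not uses_custom_certs(parse_service_status(service).get("ssl config", "")):
        flagged.append("redistribution-service")
    for a in parse_agent_state(agents):
        if not uses_custom_certs(a.get("ssl config", "")):
            flagged.append(a["name"])
    if not uses_custom_certs(parse_wildfire_channel(wildfire)):
        flagged.append("wildfire")
    return flagged


if __name__ == "__main__":
    print(devices_needing_attention(SERVICE_STATUS, AGENT_STATE, WILDFIRE_PRIVATE))
```

Feed it the text captured from each device (for example via a scripted SSH session) and anything listed in the result still depends on the expired built-in certificates and needs either the target PAN-OS release (1a) or the custom-certificate migration (1b).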
For data redistribution (User-ID, IP tag, user tag, GlobalProtect HIP, and/or quarantine list), in what order should I perform the updates?
- Until December 31, 2023, the redistribution agent and redistribution client can run different versions and still connect and communicate properly.
- You do not need to update all your firewalls and Panorama devices simultaneously, but you should start with updating your Panorama devices and then proceed to update your firewalls.
- By December 31, 2023, all your firewalls and Panorama devices must be running one of the specified versions for your network to continue connecting and communicating successfully, and to share assignments and tags as expected.
Does the expiration of this certificate affect communication between firewalls and Windows User-ID or Terminal Server agents, or between firewalls and Panorama devices?
If you choose to remediate Scenario 1 by using custom certificates, you must add those custom certificates to the Windows User-ID agent. This does not affect Terminal Server agents. See Scenario 1, Solution b for more information.
With remediation 1a (upgrade) for Scenario 1 and with all remediations for Scenario 2, there is no impact on communication between the firewalls and the User-ID and Terminal Server agents.
Why am I seeing a pop-up notification even though I have taken the necessary steps to prevent this issue?
The message is sent to all devices regardless of version or actions taken and will continue to appear until you click the checkbox in the lower-left corner of the pop-up window that says Don't show again (This checkbox is saved per user, not per system, so each administrator must select it for their own account using their own credentials).
If all corrective actions have been properly taken, it is safe to ignore the notification.
Is there a tool I can use to determine if this certificate issue affects me?
Use the Self Impact Discovery tool at: https://github.com/PaloAltoNetworks/redist-check/tree/main If you encounter any issues with the tool, report them on GitHub at: https://github.com/PaloAltoNetworks/redist-check/issues