{"id":511,"date":"2024-02-23T15:02:55","date_gmt":"2024-02-23T15:02:55","guid":{"rendered":"https:\/\/ngeek.net\/?p=511"},"modified":"2024-03-18T17:24:48","modified_gmt":"2024-03-18T17:24:48","slug":"caducidad-del-certificado-raiz-de-pan-os","status":"publish","type":"post","link":"https:\/\/ngeek.net\/en\/2024\/02\/caducidad-del-certificado-raiz-de-pan-os\/","title":{"rendered":"PAN-OS Root Certificate Expiration"},"content":{"rendered":"<h3 class=\"wp-block-heading\" id=\"toc-hId-1539621373\">\u00bf<strong>What\u2019s Changing<\/strong>?<\/h3>\n\n\n\n<p>On December 31, 2023, the root certificate and the default certificate for Palo Alto Networks firewalls and devices running PAN-OS expired. If your certificates were not renewed before this date, your firewalls and Panorama devices will no longer be able to establish new connections to Palo Alto Networks cloud services, which may impact network traffic and potentially cause disruptions when existing connections end and attempt to reconnect.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"750\" height=\"500\" src=\"https:\/\/ngeek.net\/wp-content\/uploads\/2024\/03\/advertencia-con-firewall.webp\" alt=\"\" class=\"wp-image-692\" srcset=\"https:\/\/ngeek.net\/wp-content\/uploads\/2024\/03\/advertencia-con-firewall.webp 750w, https:\/\/ngeek.net\/wp-content\/uploads\/2024\/03\/advertencia-con-firewall-300x200.webp 300w\" sizes=\"(max-width: 750px) 100vw, 750px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>Certificate Type<\/td><td>Current Expiration Date<\/td><td>Expiration Date After Update<\/td><\/tr><tr><td>Root<\/td><td>31-dic-2023 a las 14:47:47 2023 GMT<\/td><td>01-ene-2032 a las 05:14:57 2032 GMT<\/td><\/tr><tr><td>Default<\/td><td>31-dic-2023 a las 20:14:14 2023 GMT<\/td><td>01-ene-2032 a las 07:30:33 2032 GMT<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"toc-hId--1012535588\"><strong><br>Target Update Versions<\/strong><\/h3>\n\n\n\n<p>The following table contains the target update versions for Scenario 1a and Scenario 2b.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Current PAN-OS Version<\/strong><\/td><td><strong>Update to Target Version<\/strong><\/td><\/tr><tr><td>8.1<\/td><td>8.1.21-h28.1.25-h1 o mayor<\/td><\/tr><tr><td>9.0<\/td><td>9.0.16-h5 o mayor<\/td><\/tr><tr><td>9.1<\/td><td>9.1.11-h49.1.12-h69.1.13-h49.1.14-h79.1.16-h3&nbsp;9.1.17 o superior<\/td><\/tr><tr><td>10.0<\/td><td>10.0.8-h1010.0.11-h310.0.12-h3 o mayor<\/td><\/tr><tr><td>10.1<\/td><td>10.1.3-h210.1.5-h310.1.6-h710.1.8-h610.1.9-h310.1.10 o superior<\/td><\/tr><tr><td>10.2<\/td><td>10.2.3-h910.2.4 o superior<\/td><\/tr><tr><td>11.0<\/td><td>11.0.0-h111.0.1-h211.0.2 o superior<\/td><\/tr><tr><td>11.1<\/td><td>11.1.0 o superior<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>All maintenance release versions have been published for Private Cloud (M-Series) Firewalls, Panorama, WF500\/B, and URL Pan-DB. For Private Cloud (M-Series) WF500\/B and URL Pan-DB devices specifically, use the following maintenance release versions:&nbsp;&nbsp;<strong>8.1.25-h2, 9.0.16-h6, 9.1.16-h4, 10.0.12-h4, 10.1.11-h3, 10.2.7-h1, 11.0.3-h1 y 11.1.0-h1<br><\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"toc-hId-730274747\"><strong>Required Action:<\/strong><\/h3>\n\n\n\n<p>You must complete the appropriate actions as described in one or both of the following scenarios, depending on the services you are using. Assess whether these expiring certificates affect your firewalls, Panorama devices, or connected services based on the considerations below, and take the necessary actions as applicable.<br><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"toc-hId--1821882214\">Scenario 1<\/h3>\n\n\n\n<p>If you are a customer with&nbsp;<a href=\"https:\/\/docs.paloaltonetworks.com\/pan-os\/10-1\/pan-os-admin\/user-id\/deploy-user-id-in-a-large-scale-network\/redistribute-user-mappings-and-authentication-timestamps\/configure-user-id-redistribution\" target=\"_blank\" rel=\"noreferrer noopener\">data redistribution<\/a>&nbsp;(User-ID, IP tag, user tag, GlobalProtect HIP, and\/or quarantine list), you must perform one of the following two actions: (1a) update your affected firewalls and Panorama (management&nbsp;<a href=\"https:\/\/docs.paloaltonetworks.com\/panorama\/9-1\/panorama-admin\/manage-firewalls\" target=\"_blank\" rel=\"noreferrer noopener\">modes<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/docs.paloaltonetworks.com\/panorama\/9-1\/panorama-admin\/manage-log-collection\/configure-a-managed-collector\" target=\"_blank\" rel=\"noreferrer noopener\">log collector<\/a>&nbsp;Deploy&nbsp;<a href=\"https:\/\/docs.paloaltonetworks.com\/panorama\/11-1\/panorama-admin\/set-up-panorama\/set-up-authentication-using-custom-certificates\" target=\"_blank\" rel=\"noreferrer noopener\">Custom Certificates<\/a>&nbsp;on the affected firewalls and Panorama (management&nbsp;<a href=\"https:\/\/docs.paloaltonetworks.com\/panorama\/9-1\/panorama-admin\/manage-firewalls\" target=\"_blank\" rel=\"noreferrer noopener\">modes<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/docs.paloaltonetworks.com\/panorama\/9-1\/panorama-admin\/manage-log-collection\/configure-a-managed-collector\" target=\"_blank\" rel=\"noreferrer noopener\">log collector<\/a>&nbsp;).<a href=\"https:\/\/docs.paloaltonetworks.com\/pan-os\/10-1\/pan-os-admin\/user-id\/deploy-user-id-in-a-large-scale-network\/redistribute-user-mappings-and-authentication-timestamps\/configure-user-id-redistribution\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><a href=\"https:\/\/docs.paloaltonetworks.com\/panorama\/9-1\/panorama-admin\/manage-firewalls\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><a href=\"https:\/\/docs.paloaltonetworks.com\/panorama\/9-1\/panorama-admin\/manage-log-collection\/configure-a-managed-collector\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><a href=\"https:\/\/docs.paloaltonetworks.com\/panorama\/11-1\/panorama-admin\/set-up-panorama\/set-up-authentication-using-custom-certificates\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><a href=\"https:\/\/docs.paloaltonetworks.com\/panorama\/9-1\/panorama-admin\/manage-firewalls\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><a href=\"https:\/\/docs.paloaltonetworks.com\/panorama\/9-1\/panorama-admin\/manage-log-collection\/configure-a-managed-collector\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n\n\n\n<p><br>If you are a&nbsp;<a href=\"https:\/\/docs.paloaltonetworks.com\/advanced-url-filtering\/administration\/pan-db-private-cloud-overview\" target=\"_blank\" rel=\"noreferrer noopener\">Private Cloud URL PAN-DB (M-Series) customer<\/a>&nbsp;or&nbsp;<a href=\"https:\/\/www.paloaltonetworks.com\/products\/secure-the-network\/subscriptions\/wf-500-wildfire-appliance\" target=\"_blank\" rel=\"noreferrer noopener\">a Private Cloud WildFire (WF500\/B) device<\/a>&nbsp;, you must take the following action: (1a) update your affected firewalls, WF-500, M-Series, and Panorama (management&nbsp;<a href=\"https:\/\/docs.paloaltonetworks.com\/panorama\/9-1\/panorama-admin\/manage-firewalls\" target=\"_blank\" rel=\"noreferrer noopener\">modes<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/docs.paloaltonetworks.com\/panorama\/9-1\/panorama-admin\/manage-log-collection\/configure-a-managed-collector\" target=\"_blank\" rel=\"noreferrer noopener\">log collector<\/a>&nbsp;).<br><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>1a) Update your affected firewalls, WF-500, M-Series, and Panorama<br>\n<ol class=\"wp-block-list\">\n<li>If you do not have custom certificates installed, you must update all your firewalls, WF-500, M-Series, and Panoramas (management&nbsp;<a href=\"https:\/\/docs.paloaltonetworks.com\/panorama\/9-1\/panorama-admin\/manage-firewalls\" target=\"_blank\" rel=\"noreferrer noopener\">modes<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/docs.paloaltonetworks.com\/panorama\/9-1\/panorama-admin\/manage-log-collection\/configure-a-managed-collector\" target=\"_blank\" rel=\"noreferrer noopener\">log collector<\/a>&nbsp;) that participate in data redistribution (User-ID, IP tag, tag, GlobalProtect HIP, and\/or quarantine list), Private Cloud PAN-DB URL (M-Series), and\/or Private Cloud WildFire (WF500\/B) to one of the PAN-OS versions in the previous target update version table.<br><\/li>\n\n\n\n<li>Customers must update their WF-500\/B device to the versions listed below:\n<ol class=\"wp-block-list\">\n<li><strong>Published<\/strong>: 8.1.25-h2, 9.0.16-h6, 9.1.16-h4, 10.0.12-h4, 10.1.11-h3, 10.2.7-h1, 11.0.3-h1, 11.1.0-h1<br><\/li>\n<\/ol>\n<\/li>\n\n\n\n<li>Customers must update their Private Cloud PAN-DB URL (M-Series) devices to the versions listed below:\n<ol class=\"wp-block-list\">\n<li><strong>Published<\/strong>: 8.1.25-h2, 9.0.16-h6, 9.1.16-h4, 10.0.12-h4, 10.1.11-h3, 10.2.7-h1, 11.0.3-h1, 11.1.0-h1<br><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/li>\n\n\n\n<li>1b) Deploy&nbsp;<a href=\"https:\/\/docs.paloaltonetworks.com\/panorama\/11-1\/panorama-admin\/set-up-panorama\/set-up-authentication-using-custom-certificates\" target=\"_blank\" rel=\"noreferrer noopener\">Custom Certificates<\/a>&nbsp;on your affected firewalls and Panorama<br>\n<ul class=\"wp-block-list\">\n<li><strong>Data redistribution (User-ID, IP tag, user tag, GlobalProtect HIP, and quarantine list)&nbsp;<\/strong>: if all the firewalls and Panorama devices in your network are running PAN-OS version 10.0 or later and do not redistribute data from Prisma Access, you can switch to custom certificates instead of using root certificates for data redistribution.&nbsp;<br><\/li>\n\n\n\n<li>All firewalls and Panorama devices involved as clients and servers for data redistribution must be provisioned with the custom certificate.<br><\/li>\n\n\n\n<li>All Windows User-ID agents connected to the firewalls and Panorama devices involved in data redistribution must be provisioned with the custom certificate.<br><\/li>\n\n\n\n<li>For information on configuring custom certificates for data redistribution, see the&nbsp;<a href=\"https:\/\/docs.paloaltonetworks.com\/pan-os\/10-0\/pan-os-admin\/user-id\/deploy-user-id-in-a-large-scale-network\/redistribute-user-mappings-and-authentication-timestamps\/configure-user-id-redistribution\" target=\"_blank\" rel=\"noreferrer noopener\">instructions in the PAN-OS Administrator\u2019s Guide<\/a>&nbsp;(steps 8 and 9).<strong><em><br><br>Important<\/em><\/strong><em>&nbsp;:<\/em>\n<ul class=\"wp-block-list\">\n<li><strong>Upgrade Planning:<\/strong>&nbsp;it is essential to carefully plan any update after the certificate expiration. An update to a redistribution agent may affect connected clients; therefore, we recommend updating all devices (clients) connected to the same agent.<\/li>\n\n\n\n<li><strong>Ongoing Session Risks:<\/strong>&nbsp;after December 31, 2023, it is important to note that there are no timeouts in redistribution sessions that could cause them to fail. All sessions running with expired certificates will continue but are at risk of failing due to network interruptions, process restarts, related configuration changes that are committed, or PAN-OS upgrades; therefore, we recommend performing device updates during a maintenance window.<\/li>\n\n\n\n<li>You must switch to custom certificates on both the data redistribution agent and the client for secure communications between the server and the client.<\/li>\n\n\n\n<li>You must switch to custom certificates on Windows User-ID agents for secure communications with the client.<\/li>\n\n\n\n<li>When switching to custom certificates, there will be a period during which the User-ID agent will not be able to communicate with the connected firewall or Panorama. To minimize this downtime, ensure that the service account on the Windows Server running the User-ID agent service has the appropriate permissions before migrating to custom certificates.<\/li>\n\n\n\n<li>Follow&nbsp;<a href=\"https:\/\/knowledgebase.paloaltonetworks.com\/KCSArticleDetail?id=kA14u0000008WCYCA2\" target=\"_blank\" rel=\"noreferrer noopener\">this KB article<\/a>&nbsp;for more information on the preparation steps and how to apply custom certificates.<\/li>\n\n\n\n<li>If you use data redistribution between firewalls and Prisma Access, you must also apply a maintenance release or upgrade your affected firewalls, as Prisma Access does not support custom certificates. You do not need to make any changes to Prisma Access; you only need to update your firewalls to a specific target release version.<br><em><\/em><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Private Cloud WildFire (WF500\/B)<\/strong>&nbsp;: custom certificates are not an option.<br><\/li>\n\n\n\n<li><strong>Private Cloud PAN-DB URL (M-Series)<\/strong>&nbsp;: custom certificates are not an option.<br><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"toc-hId--79071879\">Scenario 2<\/h3>\n\n\n\n<p>If you are a Public Cloud WildFire customer,&nbsp;<a href=\"https:\/\/docs.paloaltonetworks.com\/advanced-wildfire\/administration\/advanced-wildfire-overview\/advanced-wildfire-deployments\/advanced-wildfire-global-cloud\" target=\"_blank\" rel=\"noreferrer noopener\">the Public Cloud Advanced WildFire<\/a>&nbsp;, URL Filtering,&nbsp;<a href=\"https:\/\/docs.paloaltonetworks.com\/pan-os\/10-1\/pan-os-new-features\/url-filtering-features\/advanced-url-filtering\" target=\"_blank\" rel=\"noreferrer noopener\">Advanced URL Filtering<\/a>&nbsp;,&nbsp;<a href=\"https:\/\/www.paloaltonetworks.com\/network-security\/dns-security\" target=\"_blank\" rel=\"noreferrer noopener\">DNS Security<\/a>&nbsp;,&nbsp;<a href=\"https:\/\/threatvault.paloaltonetworks.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Vault<\/a>&nbsp;or&nbsp;<a href=\"https:\/\/docs.paloaltonetworks.com\/autofocus\" target=\"_blank\" rel=\"noreferrer noopener\">AutoFocus<\/a>&nbsp;, you must take one of the following three actions now that the certificate has expired: (2a) install a specific content update on your affected firewalls and Panorama devices, OR (2b) upgrade your affected firewalls and Panorama devices, OR (2c) enable device certificates on your affected firewalls and Panorama devices.<br><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>2a) Install a specific content update on your affected firewalls and Panorama devices<\/strong>&nbsp;.<br>You must<a href=\"https:\/\/docs.paloaltonetworks.com\/pan-os\/9-1\/pan-os-admin\/software-and-content-updates\/install-content-and-software-updates\" target=\"_blank\" rel=\"noreferrer noopener\">&nbsp;install the following&nbsp;<\/a>content update version (8776-8390 or later) on your firewalls and Panorama.\n<ul class=\"wp-block-list\">\n<li>If you have automatic content configured, this update will be applied automatically.<\/li>\n\n\n\n<li>If you update your content manually, update it to the previous content version.<br><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>2b) Upgrade your affected firewalls and Panorama<\/strong><br>Upgrade your firewall and Panorama to one of the PAN-OS versions listed in the previously mentioned target update versions.<br>&nbsp;<\/li>\n\n\n\n<li><strong>2c) Enable the Device Certificate on your affected firewalls and Panorama.<\/strong>\n<ul class=\"wp-block-list\">\n<li>If you have firewalls and Panorama devices running PAN-OS 8.1, PAN-OS 9.0, or PAN-OS 9.1, this option is not recommended.<\/li>\n\n\n\n<li>If you have firewalls and Panorama devices running PAN-OS 10.0.5, PAN-OS 10.1.10, PAN-OS 10.2.5, or PAN-OS 11.0.2\u2014or any later version or release\u2014follow the&nbsp;<a href=\"https:\/\/docs.paloaltonetworks.com\/pan-os\/10-2\/pan-os-admin\/certificate-management\/obtain-certificates\/device-certificate\" target=\"_blank\" rel=\"noreferrer noopener\">instructions to enable the device. Certificate.<\/a>&nbsp;.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p><strong><br>PAN-OS 9.1 will reach end-of-support on December 12, 2023. Will PAN-OS still be supported after that date?<\/strong><br>For customers with PAN-OS 9.1, which has an end-of-life (EoL) support date of December 13, 2023, we will extend support for all customers until March 31, 2024. This is now reflected in our end-of-life schedule.&nbsp;<a href=\"https:\/\/www.paloaltonetworks.com\/services\/support\/end-of-life-announcements\/end-of-life-summary#pan-os-panorama\">Summary Page.<\/a>&nbsp;.<\/p>\n\n\n\n<p><strong>ChatGPT dijo:\nIs my Prisma Access deployment affected by this emergency update?<\/strong><br>If you use data redistribution between firewalls and Prisma Access, you must apply a maintenance release or upgrade the affected firewalls. No changes are required on Prisma Access; you only need to update your firewalls to a specific target release version because this customer advisory does not impact the Prisma Access service.<\/p>\n\n\n\n<p><strong>What will be the impact on my network if I do not upgrade my firewalls and Panorama to one of the versions listed above before December 31, 2023?<\/strong><\/p>\n\n\n\n<p>For Scenario 1:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If you do not upgrade your affected firewalls and Panorama devices before December 31, 2023, your firewalls and Panorama devices will no longer be able to establish new connections for data redistribution (User-ID, IP tag, user tag, GlobalProtect HIP, or quarantine list),<\/li>\n\n\n\n<li><a href=\"https:\/\/docs.paloaltonetworks.com\/advanced-url-filtering\/administration\/pan-db-private-cloud-overview\" target=\"_blank\" rel=\"noreferrer noopener\">Private Cloud PAN-DB URL Devices (M-Series)<\/a>&nbsp;or&nbsp;<a href=\"https:\/\/www.paloaltonetworks.com\/products\/secure-the-network\/subscriptions\/wf-500-wildfire-appliance\" target=\"_blank\" rel=\"noreferrer noopener\">Private Cloud WildFire Devices (WF-500 or WF-500-B)<\/a>&nbsp;: if your existing connections end (for example, when you make network or configuration changes or experience an unexpected network event), you will experience a disruption of the affected services if they cannot reconnect due to expired certificates.<\/li>\n<\/ul>\n\n\n\n<p>For Scenario 2:<\/p>\n\n\n\n<p>If you do not complete the recommended actions above before December 31, 2023, your Public Cloud WildFire services,&nbsp;<a href=\"https:\/\/docs.paloaltonetworks.com\/advanced-wildfire\/administration\/advanced-wildfire-overview\/advanced-wildfire-deployments\/advanced-wildfire-global-cloud\" target=\"_blank\" rel=\"noreferrer noopener\">Public Cloud Advanced WildFire<\/a>&nbsp;, URL Filtering,&nbsp;<a href=\"https:\/\/docs.paloaltonetworks.com\/pan-os\/10-1\/pan-os-new-features\/url-filtering-features\/advanced-url-filtering\" target=\"_blank\" rel=\"noreferrer noopener\">Advanced URL Filgering<\/a>&nbsp;,&nbsp;<a href=\"https:\/\/www.paloaltonetworks.com\/network-security\/dns-security\" target=\"_blank\" rel=\"noreferrer noopener\">DNS Security<\/a>&nbsp;,&nbsp;<a href=\"https:\/\/threatvault.paloaltonetworks.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Vault<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/docs.paloaltonetworks.com\/autofocus\" target=\"_blank\" rel=\"noreferrer noopener\">AutoFocus<\/a>&nbsp;will no longer be able to establish new connections after that date.<\/p>\n\n\n\n<p><strong>How can I check my firewalls and Panorama to ensure they have the new root certificate that expires on January 1, 2032?<\/strong><br>There is no direct way to view the actual certificate. According to the scenarios described above, if your firewalls and Panorama are running any of the specific PAN-OS versions listed above (or a later version), or are running the required content version, then the new root and default certificate will be installed.<\/p>\n\n\n\n<p><strong>Which PAN-OS version should I select in the table for the Target Update Version?<br><\/strong>We recommend that you upgrade to the latest maintenance release for the specific major\/minor PAN-OS version you are currently running. For example, if you are currently using 9.1.11, select 9.1.11-h4 or the next closest higher version (current: 9.1.5 to target 9.1.11-h4). It is neither necessary nor recommended to upgrade to a new major version just to update certificates; for instance, you do not need to upgrade from 10.1.X to 10.2.Y, but should select a 10.1.X maintenance release.<\/p>\n\n\n\n<p><strong>How can I determine if my firewalls and Panorama devices are configured with custom certificates?<\/strong><br>Custom certificates for data redistribution (User-ID, IP tag, user tag, GlobalProtect HIP, and\/or quarantine list) are supported starting with PAN-OS 10.0 and later versions. You can check whether you are using default or custom certificates for data redistribution using the following commands.<\/p>\n\n\n\n<p><strong>Redistribution Agent<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>admin@10.0-New-AFW&gt; show redistribution service status\n\nRedistribution info: \n        Redistribution service:                     up\n        listening port:                           5007\n        SSL config:                    Custom certificates\n        back pressure is:                          off\n        number of clients:                           2\n<\/code><\/pre>\n\n\n\n<p><strong>Redistribution Client<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>admin@10.0-New-CFW&gt; show redistribution agent state all\n\nAgent: 92-uid-Agent(vsys: vsys1) Host: 10.46.196.49(10.46.196.49):5007\n        Status                                            : conn:idle\n        Version                                           : 0x6\n        SSL config:                                       : Custom certificates\n        num of connection tried                           : 1<\/code><\/pre>\n\n\n\n<p>Custom certificates for Private Cloud WildFire (WF-500 or WF-500-B) are available starting with PAN-OS 8.1 and all later versions.<\/p>\n\n\n\n<p>Certificate Verification from PAN-OS CLI:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>dmin@sjc-bld-smk01-esx13-t2-pavm02&gt; show wildfire status channel private\n\u2026 \n\nSecure Connection: Custom Trusted CA, Custom Client Certificate\n\n\u2026<\/code><\/pre>\n\n\n\n<p><strong>For data redistribution (User-ID, IP tag, user tag, GlobalProtect HIP, and\/or quarantine list), in what order should I perform the updates?<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Until December 31, 2023, the redistribution agent and redistribution client can run different versions and still connect and communicate properly.&nbsp;<\/li>\n\n\n\n<li>You do not need to update all your firewalls and Panorama devices simultaneously, but you should start with updating your Panorama devices and then proceed to update your firewalls.&nbsp;&nbsp;<\/li>\n\n\n\n<li>By December 31, 2023, all your firewalls and Panorama devices must be running one of the specified versions for your network to continue connecting and communicating successfully, and to share assignments and tags as expected.<\/li>\n<\/ul>\n\n\n\n<p><strong>Does the expiration of this certificate affect communication between firewalls and Windows User-ID or Terminal Server agents, or between firewalls and Panorama devices?<\/strong><br>If you choose to remediate Scenario 1 by using custom certificates, you must add those custom certificates to the Windows User-ID agent. This does not affect Terminal Server agents. See Scenario 1, Solution b for more information.<\/p>\n\n\n\n<p>In the remediation for Scenario 1 and in all remediations for Scenario 2, there is no impact on communication between the firewalls and the User-ID and Terminal Server agents.<\/p>\n\n\n\n<p><strong>Why am I seeing a pop-up notification even though I have taken the necessary steps to prevent this issue?<\/strong><br>The message is sent to all devices regardless of version or actions taken and will continue to appear until you click the checkbox in the lower-left corner of the pop-up window that says&nbsp;&nbsp;<strong>Don't show again<\/strong>&nbsp;&nbsp;(This checkbox is saved per user, not per system, so each administrator must select it for their own account using their own credentials).&nbsp;<\/p>\n\n\n\n<p>If all corrective actions have been properly taken, it is safe to ignore the notification.<\/p>\n\n\n\n<p><strong><br>Is there a tool I can use to determine if this certificate issue affects me?<\/strong><br>Use the Self Impact Discovery tool at:&nbsp;<a href=\"https:\/\/github.com\/PaloAltoNetworks\/redist-check\/tree\/main\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/github.com\/PaloAltoNetworks\/redist-check\/tree\/main<\/a>&nbsp;&nbsp;If you encounter any issues with the tool, report them on GitHub here:&nbsp;&nbsp;<a href=\"https:\/\/github.com\/PaloAltoNetworks\/redist-check\/issues\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/github.com\/PaloAltoNetworks\/ redist-check\/problemas<\/a>&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"750\" height=\"196\" src=\"https:\/\/ngeek.net\/wp-content\/uploads\/2024\/03\/logo-ngeek-y-palo-alto.webp\" alt=\"\" class=\"wp-image-696\" srcset=\"https:\/\/ngeek.net\/wp-content\/uploads\/2024\/03\/logo-ngeek-y-palo-alto.webp 750w, https:\/\/ngeek.net\/wp-content\/uploads\/2024\/03\/logo-ngeek-y-palo-alto-300x78.webp 300w\" sizes=\"(max-width: 750px) 100vw, 750px\" \/><\/figure>","protected":false},"excerpt":{"rendered":"<p>\u00bfQu\u00e9 est\u00e1 cambiando? El 31 de diciembre de 2023, el certificado ra\u00edz y el certificado predeterminado para los firewalls y [&hellip;]<\/p>\n","protected":false},"author":135490468664,"featured_media":603,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[16,17],"tags":[],"post_folder":[13],"class_list":["post-511","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-es","category-palo-alto"],"_links":{"self":[{"href":"https:\/\/ngeek.net\/en\/wp-json\/wp\/v2\/posts\/511","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ngeek.net\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ngeek.net\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ngeek.net\/en\/wp-json\/wp\/v2\/users\/135490468664"}],"replies":[{"embeddable":true,"href":"https:\/\/ngeek.net\/en\/wp-json\/wp\/v2\/comments?post=511"}],"version-history":[{"count":7,"href":"https:\/\/ngeek.net\/en\/wp-json\/wp\/v2\/posts\/511\/revisions"}],"predecessor-version":[{"id":698,"href":"https:\/\/ngeek.net\/en\/wp-json\/wp\/v2\/posts\/511\/revisions\/698"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ngeek.net\/en\/wp-json\/wp\/v2\/media\/603"}],"wp:attachment":[{"href":"https:\/\/ngeek.net\/en\/wp-json\/wp\/v2\/media?parent=511"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ngeek.net\/en\/wp-json\/wp\/v2\/categories?post=511"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ngeek.net\/en\/wp-json\/wp\/v2\/tags?post=511"},{"taxonomy":"post_folder","embeddable":true,"href":"https:\/\/ngeek.net\/en\/wp-json\/wp\/v2\/post_folder?post=511"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}