https://live.paloaltonetworks.com/t5/cloud-ngfw-for-azure-articles/cngfw-plugin-vm-auth-key-faqs/ta-p/996111 <DIV class="lia-message-template-content-zone"> <P><STRONG>Overview:</STRONG></P> <P>&nbsp;</P> <P><SPAN>Today, Cloud NGFW deployed in Azure requires validation when being managed by Panorama. This is done through VM Auth-key. The Auth-key has an expiration date of maximum up to 1 year. Up until now, Customers were required to make sure the auth-key is not expired. However, Cloud NGFW being a Service, we would like to take care of the auth-key renewal also. Hence for the customers who have VM Auth-key expired, we need one time help to get it regenerated. Post which this will no longer be a requirement for the customers. The following FAQ can clarify more on this topic and what needs to be done in order to take advantage of this improvement.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><STRONG>FAQ:</STRONG></P> <P>&nbsp;</P> <OL> <LI><STRONG>Why is the customer authkey showing either expired or not matching?</STRONG></LI> </OL> <P><SPAN>The original vm-auth-key created for azure CNGFW is of maximum possible lifetime which is 365 days. Once this time elapses that specific key gets expired. And thus shows expired. Before the azure-5.2.0 plugin, SRE had to manually update the backend with a new auth-key that was generated. Additionally, before the azure-5.2.0 plugin implementation, a new registration key was getting generated on clicking the ‘generate’ button. Hence every time a new auth-key was generated, the customer would have not known that this key has to be manually updated in our backend. Hence the mismatch status.</SPAN></P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><SPAN>2.&nbsp;</SPAN><STRONG>What is the consequence of not updating the auth-key?</STRONG></P> <P>&nbsp;</P> <P><SPAN>VM-auth-key is used only once during FW boot-up. Once the firewall is up and running, even if the auth-key expires, there is no harm for existing FWs. But for new scale-out instances, this will be a problem as registration to Panorama will fail due to VM-auth-key expiry. (Scale out happens when there can be more traffic on the customer end, this can also occur during upgrades/rolling upgrades initiated by our SRE).&nbsp;</SPAN></P> <P>&nbsp;</P> <OL start="3"> <LI><STRONG> Since the auth-key generated under panorama is not perpetual, is this considered on-going issue for customers with the lower Azure plugin version?</STRONG></LI> </OL> <P><SPAN>Yes for VM-auth key auto-remediation, we need panorama Azure plugin 5.2.0 or above. Also instances should be running with PanOS 10.2.7-c51 and above. The recommended panorama version is 11.1.0 and above. This is the ideal combination for VM-auth-key auto-remediation to take place else manual intervention is required.</SPAN></P> <P>&nbsp;</P> <OL start="4"> <LI><STRONG> What will upgrading Azure plugin 5.2.1 do with respect to expiry/renewal issues?</STRONG></LI> </OL> <P><SPAN>With the new Azure 5.2.0/5.2.1 plugin, there is a proactive check done by the plugin to see whether there is a valid VM-auth-key present. If not, it regenerates the VM-auth-key. Newly scaled-out instances will pick up the new VM-auth-key. If the key is due for expiry, the plugin will generate a new VM-auth-key before 7 days of its expiry. Azure plugin 5.2.0/5.2.1 would not be able to help environments in which the key has already expired. That would still need manual intervention.</SPAN></P> <P>&nbsp;</P> <OL start="5"> <LI><STRONG> Do customers still have to provide a new auth-key even after the 5.2.1 upgrade? If yes, why?</STRONG></LI> </OL> <P><SPAN>No, if they are running on 10.2.7-c51. Panorama version should be 11.1.0 and above</SPAN></P> <P><BR /><BR /></P> </DIV> Wed, 04 Dec 2024 19:57:13 GMT ssyed 2024-12-04T19:57:13Z https://live.paloaltonetworks.com/t5/cloud-ngfw-for-azure-articles/cngfw-plugin-vm-auth-key-faqs/ta-p/996111 <DIV class="lia-message-template-content-zone"> <P><STRONG>Overview:</STRONG></P> <P>&nbsp;</P> <P><SPAN>Today, Cloud NGFW deployed in Azure requires validation when being managed by Panorama. This is done through VM Auth-key. The Auth-key has an expiration date of maximum up to 1 year. Up until now, Customers were required to make sure the auth-key is not expired. However, Cloud NGFW being a Service, we would like to take care of the auth-key renewal also. Hence for the customers who have VM Auth-key expired, we need one time help to get it regenerated. Post which this will no longer be a requirement for the customers. The following FAQ can clarify more on this topic and what needs to be done in order to take advantage of this improvement.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><STRONG>FAQ:</STRONG></P> <P>&nbsp;</P> <OL> <LI><STRONG>Why is the customer authkey showing either expired or not matching?</STRONG></LI> </OL> <P><SPAN>The original vm-auth-key created for azure CNGFW is of maximum possible lifetime which is 365 days. Once this time elapses that specific key gets expired. And thus shows expired. Before the azure-5.2.0 plugin, SRE had to manually update the backend with a new auth-key that was generated. Additionally, before the azure-5.2.0 plugin implementation, a new registration key was getting generated on clicking the ‘generate’ button. Hence every time a new auth-key was generated, the customer would have not known that this key has to be manually updated in our backend. Hence the mismatch status.</SPAN></P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><SPAN>2.&nbsp;</SPAN><STRONG>What is the consequence of not updating the auth-key?</STRONG></P> <P>&nbsp;</P> <P><SPAN>VM-auth-key is used only once during FW boot-up. Once the firewall is up and running, even if the auth-key expires, there is no harm for existing FWs. But for new scale-out instances, this will be a problem as registration to Panorama will fail due to VM-auth-key expiry. (Scale out happens when there can be more traffic on the customer end, this can also occur during upgrades/rolling upgrades initiated by our SRE).&nbsp;</SPAN></P> <P>&nbsp;</P> <OL start="3"> <LI><STRONG> Since the auth-key generated under panorama is not perpetual, is this considered on-going issue for customers with the lower Azure plugin version?</STRONG></LI> </OL> <P><SPAN>Yes for VM-auth key auto-remediation, we need panorama Azure plugin 5.2.0 or above. Also instances should be running with PanOS 10.2.7-c51 and above. The recommended panorama version is 11.1.0 and above. This is the ideal combination for VM-auth-key auto-remediation to take place else manual intervention is required.</SPAN></P> <P>&nbsp;</P> <OL start="4"> <LI><STRONG> What will upgrading Azure plugin 5.2.1 do with respect to expiry/renewal issues?</STRONG></LI> </OL> <P><SPAN>With the new Azure 5.2.0/5.2.1 plugin, there is a proactive check done by the plugin to see whether there is a valid VM-auth-key present. If not, it regenerates the VM-auth-key. Newly scaled-out instances will pick up the new VM-auth-key. If the key is due for expiry, the plugin will generate a new VM-auth-key before 7 days of its expiry. Azure plugin 5.2.0/5.2.1 would not be able to help environments in which the key has already expired. That would still need manual intervention.</SPAN></P> <P>&nbsp;</P> <OL start="5"> <LI><STRONG> Do customers still have to provide a new auth-key even after the 5.2.1 upgrade? If yes, why?</STRONG></LI> </OL> <P><SPAN>No, if they are running on 10.2.7-c51. Panorama version should be 11.1.0 and above</SPAN></P> <P><BR /><BR /></P> </DIV> Wed, 04 Dec 2024 19:57:13 GMT https://live.paloaltonetworks.com/t5/cloud-ngfw-for-azure-articles/cngfw-plugin-vm-auth-key-faqs/ta-p/996111 ssyed 2024-12-04T19:57:13Z