topic Re: How check NGFW valid for April 2024 Cert Advisory in Next-Generation Firewall Discussions

How check NGFW valid for April 2024 Cert Advisory

RussellYan — Mon, 05 Feb 2024 20:54:41 GMT

Regarding the Certificate advisory for April 2024 and November 2024, if doing option 1, have content update and doing a reboot.

This being good enough for the April 2024 deadline. How can you verify on the Panorama or NGFW that you are valid? The commands in the advisory FAQ 9, only work if you do Option 2 and upgrade to the recommended hotfix.

If there is no method for the user to verify they can safely pass the April 2024 deadline, then i would assume you would have to call TAC to go into root to confirm that your NGFW is patched to pass the April 2024 deadline, otherwise its wishful thinking the day after April 7, 2024

Re: How check NGFW valid for April 2024 Cert Advisory

iarobertson — Mon, 05 Feb 2024 22:23:40 GMT

Hello @RussellYan - if you're taking Option 1, being the content update and reboot, there is no specific command that you can use to confirm you've completed remediation. As you've correctly identified, this new command is available after a hotfix or upgrade per Option 2.

The best advice I can give is that you should check to see that the most recent reboot time is more recent than the installation time of the content update.

Re: How check NGFW valid for April 2024 Cert Advisory

RussellYan — Mon, 05 Feb 2024 23:30:19 GMT

Thank you lain. Am i to also assume, a TAC engineer with root access would also NOT be able to confirm before (remediation is installed besides the Content Version number) or after a reboot, that i have the remediation activated?

Russ

Re: How check NGFW valid for April 2024 Cert Advisory

iarobertson — Tue, 06 Feb 2024 02:37:17 GMT

Hi @RussellYan - I can't confirm that I'm afraid, I'm not aware of any commands that TAC might be able to run to validate. In turn it would be safer to assume there exists no such commands.

Re: How check NGFW valid for April 2024 Cert Advisory

WilsonWu — Tue, 12 Mar 2024 21:26:51 GMT

Hi Everyone,

May I know if we haven’t reboot Palo Alto device before 7 April, what is the consequence? What can we do to fix it after 7 April?

Thank you.

Re: How check NGFW valid for April 2024 Cert Advisory

iarobertson — Tue, 12 Mar 2024 22:53:34 GMT

Hello @WilsonWu - if you haven't rebooted, you may lose Panorama management of any affected devices, and any Panorama log collectors may also cease to collect logs from affected devices. Firewalls will continue to forward traffic.

Installing the content update & rebooting after that date will remediate the issue.

Re: How check NGFW valid for April 2024 Cert Advisory

WilsonWu — Tue, 12 Mar 2024 23:01:07 GMT

Hi Larobertson,

So if I really haven’t reboot my Palo Alto before 7 April. Can I understand that I just need to reconnect my Palo Alto to panorama and reconnect any log collectors then it will be resume normal right?

Thank you.

Re: How check NGFW valid for April 2024 Cert Advisory

rdumoulin — Tue, 12 Mar 2024 23:05:27 GMT

Provided that you have remediated the expired root certificate, yes.

As a reminder, you have 3 options:

1. upgrade to the correct PAN-OS version (see link below)

2. update the content to at least 8795 and then reboot

3. install custom certificates

More details here https://live.paloaltonetworks.com/t5/customer-advisories/additional-pan-os-certificate-expirations-and-new-comprehensive/ta-p/572158

Regards

--Richard

Re: How check NGFW valid for April 2024 Cert Advisory

iarobertson — Tue, 12 Mar 2024 23:07:46 GMT

Hello @WilsonWu - you will need to take the remediation steps as described in the advisory.

That means you will need to at least apply Option 1 - content update + reboot, or alternatively Option 2 - hotfix release.

If you do not do this before April 7 you may lose Panorama and log collector connectivity. If you do not do this before April 7 you will need to take the steps described briefly above, and in more detail in the advisory, in order to reconnect.

Re: How check NGFW valid for April 2024 Cert Advisory

Sanchez78 — Mon, 18 Mar 2024 04:52:05 GMT

thanks for sharing.... NC Cloud

Re: How check NGFW valid for April 2024 Cert Advisory

WilsonWu — Mon, 18 Mar 2024 02:54:56 GMT

Dear all,

Thank you for everyone.

Re: How check NGFW valid for April 2024 Cert Advisory

JPatrickMillado — Fri, 05 Apr 2024 15:29:58 GMT

Hi @iarobertson,

I noticed that option 3 refers to a custom certificate. Is there a way to verify if the custom certificate has been successfully installed and working properly on Panorama and NGFW, aside from being 'deployed' status under panorama > manage device > summary and certificate column?

Here is the link: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wo5WCAQ

Re: How check NGFW valid for April 2024 Cert Advisory

rdumoulin — Fri, 05 Apr 2024 15:39:54 GMT

@JPatrickMillado

from Panorama:

show devices connected | match yes\|Custom\|Certificate

2. show high-availability management-connection
3. show log-collector all

1st commands is going to tell us if the Pano <-> FWs connections are using custom cert.... !get this output from Panorama and LCs
2nd command is to confirm the Pano HA (Pano <-> Pano) is using the Custom Certs.
3rd Command will tell us if the Pano <-> LCs connections are using the Custom Certs.

Regards

--Richard

Re: How check NGFW valid for April 2024 Cert Advisory

JPatrickMillado — Fri, 05 Apr 2024 16:03:21 GMT

Hi @rdumoulin ,

Item 1 and 3 commands are working, except 'show high-availability management-connection. It appears that this command is not supported by our device.

Appreciate this information👌.

Thank you!