FYI: Panorama Certificate Expiration! June 16, 2017

by on ‎04-10-2017 02:23 PM - last edited 3 weeks ago

We interrupt this normally scheduled Discussion of the Week to bring you an important message. 

 

Just in case you have not seen the "Customer Notice" at the top of the screen, I wanted to bring your attention to the fact that the certificate that Panorama uses to communicate to PAN-OS devices and to Log Collectors is going to be expiring on June 16, 2017.  

 

When the certificate expires, PAN-OS devices will lose communication with Panorama: there will be no management of devices from Panorama, no pushing of configuration from Panorama, and no log collection to the Panorama infrastructure.

 

Good news: we have a solution in place to prevent this from being a real problem. It does not require you to upgrade to a different version of PAN-OS, but it does require you to install a newer version of Panorama 6.1, 7.0 or 7.1.

If you are already on Panorama 8.0, PAN-OS 8.0, using WF-500 or M-500 hardware in PAN-DB mode, then you do not have to do anything, as these are not affected by this.

 

To read the full details, including an FAQ about this, please visit the link below.

 

Panorama Certificate Expiration on June 16, 2017

 

Thanks for reading. 

 

As always, we welcome all comments and feedback in the comments section below.

Don't forget to like this if it has helped you in any way.

 

Stay Secure!

Joe Delio

Comments
by enyuan.wu
on ‎04-24-2017 04:37 AM

Hello jdelio,

 

What is the CLI to verify this on the Panorama?

 

This issue should have existed since years, right? Why does it become noticed just two months before expiration date?

 

Kind regards

Enyuan

 

 

by
on ‎04-24-2017 12:26 PM

@enyuan.wu, I cannot comment on how long this has been like this or why it wasn't noticed until now.

But I can comment and say that the "CLI" command to verify would be to see what version that you are on now. 

You can use the following command "show system info"

> show system info

 

If you are not on PAN-OS 7.1.9, 7.0.15 or 6.1.17, then you will experience the issue.

 

by enyuan.wu
on ‎04-25-2017 01:45 AM

Hello jdelio,

 

Are you from PAN? Why can't you comment it? Is it due to firm policy or business secret?

 

The CLI "show system info" doesn't reveal any information about the expiring internal CA besides the release.

 

"hostname: <hostname>
ip-address: <x.x.x.x>
netmask: 255.255.255.0
default-gateway: x.x.x.x
ipv6-address: unknown
ipv6-link-local-address: fe80::160d:4fff:fe07:a140/64
ipv6-default-gateway:
mac-address: 14:0d:4f:07:a1:40
time: Tue Apr 25 10:43:45 2017
uptime: 30 days, 3:35:42
family: m
model: M-100
serial: 009201001100
sw-version: 7.1.8
app-version: 690-3977
app-release-date: 2017/04/23  20:33:28
av-version: 2223-2710
av-release-date: 2017/04/24  04:00:49
wf-private-version: 0
wf-private-release-date: unknown
url-db: brightcloud
logdb-version: 7.0.9
platform-family: m
system-mode: panorama
operational-mode: normal"

 

Thank you for your deep information as requested.

 

Kind regards

Enyuan

by
on ‎04-25-2017 09:07 AM

@enyuan.wu, Let me try to address your questions.. 

"Are you from PAN? Why can't you comment it? Is it due to firm policy or business secret?"

 

Yes. I work for Palo Alto Networks.

I cannot comment because I do not have the information to comment on this. 

This certificate in question is an Internal Certificate that is used to communicate between Panorama and the Firewall devices. There is no command that I am aware of that would show this information.  

 

All I know is that this is an issue that will become a problem if you are not on the versions listed below.  It is that simple. 

The following info was from the link detailing all of this:

 

"The certificate upgrade will be handled automatically when installing a maintenance release equal to or greater than the releases noted below:

  • Panorama / Log Collector version 7.1.9 (available now)
  • Panorama / Log Collector version 7.0.15 (available now)
  • Panorama / Log Collector version 6.1.17 (Estimated release week of May 1, 2017)

NOTE: Panorama and log collectors running 8.0 are not affected by this certificate expiration issue. Firewalls, WF-500 devices, and M-500’s running in PAN-DB mode are also not affected by this issue and do not require software updates."

 

I hope this helps you understand this a little more.
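The version check discussed in this thread, as an added example (not part of the original posts and not Palo Alto Networks code): it parses pasted "show system info" output and compares sw-version against the fixed releases quoted above. It assumes the output comes from a Panorama or Log Collector, that any suffix after the three version numbers can be ignored, and the sample output and function names are constructed for illustration.

```python
import re

# Minimum fixed maintenance release per release train, as quoted in the notice.
FIXED = {(7, 1): 9, (7, 0): 15, (6, 1): 17}

# Constructed sample in the format shown earlier in the thread (placeholder values).
SAMPLE = '''"hostname: panorama-example
model: M-100
sw-version: 7.1.8
system-mode: panorama
operational-mode: normal"'''

def parse_system_info(text):
    """Turn the 'key: value' lines of `show system info` into a dict."""
    info = {}
    for line in text.splitlines():
        # Split on the first colon only, so values such as times stay intact.
        key, sep, value = line.strip().strip('"').partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info

def cert_status(text):
    """Classify the release in `text` against the certificate notice.

    Returns 'not-affected' (8.0 or later), 'fixed', 'upgrade-required',
    or 'unknown' (no version found, or a train the notice does not name).
    """
    info = parse_system_info(text)
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", info.get("sw-version", ""))
    if not m:
        return "unknown"
    major, minor, maint = map(int, m.groups())
    if (major, minor) >= (8, 0):
        return "not-affected"
    needed = FIXED.get((major, minor))
    if needed is None:
        return "unknown"
    # Numeric comparison: 7.1.10 is newer than 7.1.9, unlike a string compare.
    return "fixed" if maint >= needed else "upgrade-required"

if __name__ == "__main__":
    info = parse_system_info(SAMPLE)
    print(info["sw-version"], info.get("system-mode"), cert_status(SAMPLE))
```
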

by ibrahim-mds
a month ago

Hi,

 

We do not have Panorama integration but this warning is showing. What can be done to remove it?

Appreciate your feedback.

 

Regards

by
a month ago

@ibrahim-mds

Please explain, what warning are you talking about? Where are you seeing this "Warning"? 

If you are talking about on this page.. then this is a general notice to everyone, not customized for you.

 

If this is not the same message, please get a screenshot for us.

by diburaj
4 weeks ago

@jdelio when I am logging in to the Palo Alto firewall I am getting a similar error. I don't have any Panorama installed till now.

Do I need to take any action on this?

 

Has anyone else faced this issue?

 

by
4 weeks ago

To @diburaj  and others.

If you are now running/using Panorama in any sense, then you WILL NEED to upgrade to the versions listed above, otherwise you will not be able to use Panorama properly after 16 June 2017.

 

by RobinVarghese
3 weeks ago

How to disable this pop-up

by sylvia
3 weeks ago

Hello,

 

I know about a case where a customer is getting a notification message when he logs into the WebUI of his PANW Firewall - even though there is no Panorama installed.

 

When reading through the information provided in the Knowledge Base - there is nothing to do on this firewall, but why is the customer getting this information?

 

I know you can simply disable this message by checking "Do not show again" - even though it is very, very confusing for the customer...

 

Sylvia

by
3 weeks ago

@sylvia @RobinVarghese and others. 

This message was pushed through a content update, and it was decided that even if you did not have Panorama, this message would still show up to make sure that everyone was aware of this happening.

 

Of course if you do not have Panorama, then you have nothing to worry about.

by eranng
3 weeks ago

I am already at the right content 694-4000 but this form still pops up.

by
3 weeks ago

@eranng, have you tried clicking on the "Do not show again" box?

by enyuan.wu
3 weeks ago

Hi there,

It (the CA replace content) was first introduced in content update version 693-3991. It should already be installed on the Panorama on 29.04.2017 (Saturday) if it is scheduled daily. We suffered a webUI unstable issue after that, even after the reboot; the search 000 in the policy / device group will crash the configd on Panorama, as PA PS confirmed via SR.

I "guess" it has a higher correlation between the content update and the search 000 issue.

What do you think?

by Konishi
Wednesday

I upgraded Panorama and all firewalls to version 7.1.9 and I still receive the alert...
