FYI: Panorama Certificate Expiration! June 16, 2017

by 04-10-2017 02:23 PM - edited 05-11-2017 07:36 AM

We interrupt this normally scheduled Discussion of the Week to bring you an important message.

Just in case you have not seen the "Customer Notice" at the top of the screen, I wanted to bring your attention to the fact that the certificate that Panorama uses to communicate with PAN-OS devices and with Log Collectors is going to expire on June 16, 2017.

When the certificate expires, PAN-OS devices will lose communication with Panorama: there will be no management of devices from Panorama, no pushing of configuration from Panorama, and no log collection to the Panorama infrastructure.

Good news: we have a solution in place to prevent this from being a real problem. It does not require you to upgrade to a different version of PAN-OS, but it does require you to install a newer maintenance release of Panorama 6.1, 7.0 or 7.1.

If you are already on Panorama 8.0 or PAN-OS 8.0, or are using WF-500 or M-500 hardware in PAN-DB mode, then you do not have to do anything, as these are not affected by this.

To read the full details, including an FAQ about this, please visit the link below.

Panorama Certificate Expiration on June 16, 2017

Thanks for reading.

As always, we welcome all comments and feedback in the comments section below.

Don't forget to like this if it has helped you in any way.

Stay Secure!

Joe Delio

Comments
by enyuan.wu
on ‎04-24-2017 04:37 AM

Hello jdelio,

What is the CLI command to verify this on the Panorama?

This issue should have existed for years, right? Why has it only been noticed two months before the expiration date?

Kind regards

Enyuan

by
on ‎04-24-2017 12:26 PM

@enyuan.wu, I cannot comment on how long this has been like this or why it wasn't noticed until now.

But I can comment and say that the "CLI" command to verify would be to see what version you are on now.

You can use the following command, "show system info":

> show system info

If you are not on PAN-OS 7.1.9, 7.0.15 or 6.1.17, then you will experience the issue.

by enyuan.wu
on ‎04-25-2017 01:45 AM

Hello jdelio,

Are you from PAN? Why can't you comment on it? Is it due to firm policy or a business secret?

The CLI "show system info" doesn't reveal any information about the expiring internal CA, besides the release.

"hostname: <hostname>
ip-address: <x.x.x.x>
netmask: 255.255.255.0
default-gateway: x.x.x.x
ipv6-address: unknown
ipv6-link-local-address: fe80::160d:4fff:fe07:a140/64
ipv6-default-gateway:
mac-address: 14:0d:4f:07:a1:40
time: Tue Apr 25 10:43:45 2017
uptime: 30 days, 3:35:42
family: m
model: M-100
serial: 009201001100
sw-version: 7.1.8
app-version: 690-3977
app-release-date: 2017/04/23  20:33:28
av-version: 2223-2710
av-release-date: 2017/04/24  04:00:49
wf-private-version: 0
wf-private-release-date: unknown
url-db: brightcloud
logdb-version: 7.0.9
platform-family: m
system-mode: panorama
operational-mode: normal"

Thank you for your deep information as requested.

Kind regards

Enyuan

by
on ‎04-25-2017 09:07 AM

@enyuan.wu, let me try to address your questions.

"Are you from PAN? Why can't you comment it? Is it due to firm policy or business secret?"

Yes. I work for Palo Alto Networks.

I cannot comment because I do not have the information to comment on this.

The certificate in question is an internal certificate that is used to communicate between Panorama and the firewall devices. There is no command that I am aware of that would show this information.

All I know is that this is an issue that will become a problem if you are not on the versions listed below. It is that simple.

The following info was from the link detailing all of this:

"The certificate upgrade will be handled automatically when installing a maintenance release equal to or greater than the releases noted below:

  • Panorama / Log Collector version 7.1.9 (available now)
  • Panorama / Log Collector version 7.0.15 (available now)
  • Panorama / Log Collector version 6.1.17 (Estimated release week of May 1, 2017)

NOTE: Panorama and log collectors running 8.0 are not affected by this certificate expiration issue. Firewalls, WF-500 devices, and M-500s running in PAN-DB mode are also not affected by this issue and do not require software updates."

I hope this helps you understand this a little more.

by ibrahim-mds
on ‎05-01-2017 06:06 AM

Hi,

We do not have Panorama integration, but this warning is showing. What can be done to remove it?

Appreciate your feedback.

Regards

by
on ‎05-01-2017 10:27 AM

@ibrahim-mds

Please explain: what warning are you talking about? Where are you seeing this "Warning"?

If you are talking about the one on this page, then this is a general notice to everyone, not customized for you.

If this is not the same message, please get a screenshot for us.

by diburaj
on ‎05-03-2017 06:12 AM

@jdelio, when I am logging in to the Palo Alto firewall I am getting a similar error. I don't have any Panorama installed so far.

Do I need to take any action on this?

Has anyone else faced this issue?

by
on ‎05-03-2017 01:53 PM

To @diburaj and others.

If you are now running/using Panorama in any sense, then you WILL NEED to upgrade to the versions listed above, otherwise you will not be able to use Panorama properly after 16 June 2017.

by RobinVarghese
on ‎05-07-2017 04:11 AM

How do I disable this pop-up?

by sylvia
on ‎05-08-2017 06:59 AM

Hello,

I know about a case where a customer is getting a notification message when he logs into the WebUI of his PANW firewall, even though there is no Panorama installed. (attachment: 2017-05-04_09h46_05[1].png)

When reading through the information provided in the Knowledge Base, there is nothing to do on this firewall, but why is the customer getting this information?

I know you can simply disable this message by checking "Do not show again", even though it is very, very confusing for the customer...

Sylvia

by
on ‎05-08-2017 01:35 PM

@sylvia @RobinVarghese and others.

This message was pushed through a content update, and it was decided that even if you did not have Panorama, this message would still show up to make sure that everyone was aware of this happening.

Of course if you do not have Panorama, then you have nothing to worry about.

by eranng
on ‎05-10-2017 02:24 AM

I am already on the right content version, 694-4000, but this form still pops up.

by
on ‎05-10-2017 12:14 PM

@eranng, have you tried clicking on the "Do not show again" box?

by enyuan.wu
on ‎05-11-2017 01:22 PM

Hi there,

It (the CA replacement content) was first introduced in content update version 693-3991. It should already have been installed on the Panorama on 29.04.2017 (Saturday) if it is scheduled daily. We suffered a WebUI instability issue after that, even after the reboot; searching "000" in the policy/device group will crash configd on Panorama, as PA PS confirmed via SR.

I "guess" there is a high correlation between the content update and the search-000 issue.

What do you think?

by Konishi
on ‎05-24-2017 05:02 AM

I upgraded Panorama and all firewalls to version 7.1.9 and I still receive the alert...

by
on ‎05-30-2017 03:37 PM

To @Konishi and everyone else.

This was a blanket message that went out to everyone.

If you upgrade, we do not know, and that is why you continued to get the notification.

Sorry for the confusion.

by John.Petrucci
on ‎05-31-2017 08:04 AM

"If you upgrade, we do not know"

What? The message doesn't check your version? Newer versions can't suppress the message?

by zsmithtek
on ‎06-06-2017 07:24 AM

Is there a procedure listed for option 2 - updating the content?

by
on ‎06-06-2017 09:55 AM

@John.Petrucci, the message that is sent out is a general broadcast message sent out to everyone, as we wanted everyone to know. That is why it doesn't check your version. If you choose not to display the message by selecting "Do not show again", and it still shows up, then that is different.

@zsmithtek, as far as updating the content, it explains it briefly:

"The content update will need to be applied to the Panorama management server and all Panorama log collectors before the June 16, 2017 expiration date. The Panorama server and the log collectors will then have to be rebooted for the certificate to take effect. Upon successfully installing the content update, a critical severity system log will be generated and indicate that the Panorama server certificate has been extended."

In short, you just need to ensure that the Dynamic Update that is pushed from Panorama to the Panorama Log Collectors is past 700. Then it stated that both Panorama and the Log Collectors need to be rebooted, and then inside of the system logs it will show that the "Panorama server certificate has been extended". If you perform this and reboot, and you do not see this message inside your system logs, then you will need to contact support.
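The two checks discussed in this thread, the "show system info" version check against the fixed releases jdelio lists earlier (7.1.9, 7.0.15, 6.1.17) and the content-update path with its system-log confirmation from the reply above, as an added Python example that is not from the original post and not Palo Alto Networks code. It assumes the "past 700" content threshold exactly as the reply words it, assumes "logger" as the Log Collector's system-mode string (only "panorama" appears on the page), and runs on constructed sample data rather than a live device; every function and variable name is the example's own.

```python
"""Added example, not code from the original post or from Palo Alto Networks:
a small compliance check for the June 16, 2017 Panorama certificate expiry.
It takes the text of `show system info`, the two thresholds quoted in the
thread, and a list of system-log lines, and reports whether a Panorama or
Log Collector still needs action.  All sample data below is constructed."""
import re

# Minimum fixed maintenance releases per train, as listed in the thread.
FIXED_RELEASES = {(7, 1): (7, 1, 9), (7, 0): (7, 0, 15), (6, 1): (6, 1, 17)}
# Content threshold from the last reply ("past 700"); treated here as an assumption.
MIN_CONTENT_VERSION = 700
# System-log text the thread says appears once the certificate is extended.
EXTENDED_MSG = "Panorama server certificate has been extended"
# "panorama" is shown on the page; "logger" (Log Collector mode) is assumed.
PANORAMA_MODES = {"panorama", "logger"}


def parse_system_info(text):
    """Turn the 'key: value' lines of `show system info` into a dict.
    Splits on the first colon only, so IPv6 addresses and timestamps survive."""
    info = {}
    for line in text.strip().strip('"').splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


def parse_version(ver):
    """'7.1.8' or '7.1.8-h1' -> (7, 1, 8); a hotfix suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", ver)
    if not m:
        raise ValueError("unrecognised sw-version: %r" % ver)
    return tuple(int(p) for p in m.groups())


def software_status(info):
    """'not_applicable' (firewall or 8.0+), 'fixed', 'affected' or 'unknown_train'."""
    if info.get("system-mode") not in PANORAMA_MODES:
        return "not_applicable"          # firewalls are not affected
    ver = parse_version(info["sw-version"])
    if ver >= (8, 0, 0):
        return "not_applicable"          # 8.0 is not affected
    fixed = FIXED_RELEASES.get(ver[:2])
    if fixed is None:
        return "unknown_train"
    return "fixed" if ver >= fixed else "affected"


def content_version(info):
    """'690-3977' -> 690 (the content version number before the dash)."""
    return int(info["app-version"].split("-", 1)[0])


def certificate_extended(log_lines):
    """True if any system-log line carries the confirmation message."""
    return any(EXTENDED_MSG in line for line in log_lines)


def assess(info_text, log_lines):
    """Combine the two remediation paths: a fixed release, or a content update
    past the threshold whose effect is confirmed in the system log."""
    info = parse_system_info(info_text)
    sw = software_status(info)
    cv = content_version(info)
    content_path_done = cv > MIN_CONTENT_VERSION and certificate_extended(log_lines)
    return {
        "sw-version": info.get("sw-version"),
        "software": sw,
        "content-version": cv,
        "content_path_done": content_path_done,
        "action_needed": sw == "affected" and not content_path_done,
    }


# Constructed sample input modelled on the output posted in the thread.
SAMPLE_INFO_OLD = """hostname: panorama-lab
sw-version: 7.1.8
app-version: 690-3977
logdb-version: 7.0.9
system-mode: panorama
"""
SAMPLE_INFO_CONTENT = SAMPLE_INFO_OLD.replace("690-3977", "702-4050")  # constructed
# Constructed log lines; only the message text is taken from the thread.
SAMPLE_LOG_BEFORE = ["2017/05/02 10:01:12 medium general Content update installed"]
SAMPLE_LOG_AFTER = SAMPLE_LOG_BEFORE + [
    "2017/05/02 10:05:44 critical general " + EXTENDED_MSG]

if __name__ == "__main__":
    for label, text, logs in (("old release, no log", SAMPLE_INFO_OLD, SAMPLE_LOG_BEFORE),
                              ("content path done", SAMPLE_INFO_CONTENT, SAMPLE_LOG_AFTER)):
        print(label, assess(text, logs))
```

Feed it the pasted output of "show system info" and an export of the system log; a device that is on an older train still reports "action_needed" until either a fixed release is installed or both the content version is past the threshold and the confirmation line has been logged, which matches the "contact support if you do not see the message" advice above.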
