Community Blog

Announcements
Customer Notice: Panorama Certificate Expiration on June 16 2017.  Read More >

FYI: Panorama Certificate Expiration! June 16, 2017

by 2 weeks ago - last edited 2 weeks ago (537 Views)

We interrupt this normally scheduled Discussion of the Week to bring you an important message. 

 

Just in case you have not seen the "Customer Notice" at the top of the screen, I wanted to bring your attention to the fact that the certificate that Panorama uses to communicate to PAN-OS devices and to Log Collectors is going to be expiring on June 16, 2017.  

 

When the certificate expires, PAN-OS devices will loose communication to Panorama, there will be no management of devices from Panorama, pushing of configuration from Panorama or log collection to the Panorama infrastructure.

 

Good news, we have a solution in place to prevent this from being a real problem. It does not require you to upgrade to a different version of PAN-OS, but it does require you to install a newer version of Panorama 6.1, 7.0 and 7.1.

If you are already on Panorama 8.0, PAN-OS 8.0, using WF-500 or M-500 hardware in PAN-DB mode, then you do not have to do anything, as these are not affected by this.

 

To read the full details, including an FAQ about this, please visit the link below.

 

Panorama Certificate Expiration on June 16, 2017

 

Thanks for reading. 

 

As always, we welcome all comments and feedback in the comments section below.

Don't forget to like this if it has helped you in any way.

 

Stay Secure!

Joe Delio

Comments
by enyuan.wu
yesterday

Hello jdelio,

 

what is the CLI to verify this on the Panorama?

 

This issue should have existed since years, right?  Why does it become noticed just two months before expration date?

 

Kind regard

Enyuan

 

 

by
yesterday

@enyuan.wu, I cannot comment on how long this has been like this or why it wasn't noticed until now.

But I can comment and say that the "CLI" command to verify would be to see what version that you are on now. 

You can use the following command "show system info"

> show system info

 

If you are not on PAN-OS 7.1.9, 7.0.15 or 6.1.17, then you will experience the issue.

 

by enyuan.wu
8 hours ago

Hello jedlio,

 

Are you from PAN? Why can't you comment it? Is it due to firm policy or business secret?

 

The CLI "show system info" doesn't reveal any information about the expiring internal CA? beside the release.

 

"hostname: <hostname>
ip-address: <x.x.x.x>
netmask: 255.255.255.0
default-gateway: x.x.x.x
ipv6-address: unknown
ipv6-link-local-address: fe80::160d:4fff:fe07:a140/64
ipv6-default-gateway:
mac-address: 14:0d:4f:07:a1:40
time: Tue Apr 25 10:43:45 2017
uptime: 30 days, 3:35:42
family: m
model: M-100
serial: 009201001100
sw-version: 7.1.8
app-version: 690-3977
app-release-date: 2017/04/23  20:33:28
av-version: 2223-2710
av-release-date: 2017/04/24  04:00:49
wf-private-version: 0
wf-private-release-date: unknown
url-db: brightcloud
logdb-version: 7.0.9
platform-family: m
system-mode: panorama
operational-mode: normal"

 

Thank you for your deep information as requested.

 

Kind regards

Enyuan

by
18m ago

@enyuan.wu, Let me try to address your questions.. 

"Are you from PAN? Why can't you comment it? Is it due to firm policy or business secret?"

 

Yes. I work for Palo Alto Networks.

I cannot comment because I do not have the information to comment on this. 

This certificate in question is an Internal Certificate that is used to communicate between Panorama and the Firewall devices. There is no command that I am aware of that would show this information.  

 

All I know is that this is an issue that will become a problem if you are not on the versions listed below.  It is that simple. 

The following info was from the link detailing all of this:

 

"The certificate upgrade will be handled automatically when installing a maintenance release equal to or greater than the releases noted below:

  • Panorama / Log Collector version 7.1.9 (available now)
  • Panorama / Log Collector version 7.0.15 (available now)
  • Panorama / Log Collector version 6.1.17 (Estimated release week of May 1, 2017)

NOTE: Panorama and log collectors running 8.0 are not affected by this certificate expiration issue. Firewalls, WF-500 devices, and M-500’s running in PAN-DB mode are also not affected by this issue and do not require software updates."

 

I hope this helps you understand this a little more.

Ask Questions Get Answers Join the Live Community
Announcements
Customer Notice: Panorama Certificate Expiration on June 16 2017.  Read More >