Panorama Certificate Expiration on June 16 2017

Community Team Member

Dear valued Palo Alto Networks customers,

Palo Alto Networks firewalls communicate with Panorama managers and Panorama log collectors over a secure channel. For Panorama versions prior to PAN-OS 8.0, the signing CA certificate will expire on Friday, June 16, 2017. This certificate is used to issue the server certificate on Panorama and log collectors and to authenticate communication between the firewalls and Panorama. After the signing CA certificate expires, the firewalls will no longer be able to authenticate the connection with Panorama, and communication with Panorama will fail.

To mitigate this issue, one of the following actions must be taken before Friday, June 16, 2017:

Option 1: Upgrade software on Panorama and all log collectors to one of the maintenance releases listed below:

  • Panorama / log collector version 7.1.9
  • Panorama / log collector version 7.0.15
  • Panorama / log collector version 6.1.17

Option 2: Update the content on Panorama and all log collectors to content version 700 or later:

The content update will need to be applied to the Panorama management server and all Panorama log collectors before the June 16, 2017 expiration date. The Panorama server and the log collectors will then have to be rebooted for the certificate to take effect. Upon successfully installing the content update, a critical severity system log will be generated indicating that the Panorama server certificate has been extended.

Palo Alto Networks firewalls, WF-500 devices, and M-500 appliances running in PAN-DB mode are not affected by this issue and do not require software or content updates.

IMPORTANT NOTE: Please do not install software versions 7.1.9, 8.0.0 or 8.0.1 on Panorama or log collectors after Friday, June 16, 2017. Doing so will replace the CA certificate on your Panorama or log collectors, causing firewall communications to fail. We plan to remove these releases (PAN-OS 7.1.9, 8.0.0 or 8.0.1 for Panorama) from our update server during the week of May 29, 2017. For more details, please see the FAQ below.

Thank you in advance for your understanding. We sincerely apologize for any inconvenience this may cause. We have taken steps, including implementing additional oversight measures, to prevent this issue from recurring. Should you have any questions, please don’t hesitate to reach out to your support provider or the Palo Alto Networks Support Team at https://support.paloaltonetworks.com.

Thank you,

Palo Alto Networks

************************************************************************************

FAQ

Q: What is the exact time of the certificate expiration?

  • Saturday, June 17, 2017 at 19:48:41 GMT
  • Saturday, June 17, 2017 at 12:48 p.m. PDT (daylight saving time observed)
  • Sunday, June 18, 2017 at 3:48 a.m. SST
  • Sunday, June 18, 2017 at 4:48 a.m. JST
  • Saturday, June 17, 2017 at 21:48:41 CEST (daylight saving time observed)

Q: Do I need to upgrade or update content on my firewalls?

  • No, you do not need to upgrade the software version or update the content version on your firewalls; the software upgrade or content update only needs to be applied to your Panorama and log collectors. Please ensure that the Panorama software version is equal to or higher than the highest version of PAN-OS deployed in your environment. Please note: although the PA-7000 Series behaves like a log collector, it is not affected by this certificate expiration.

Q: Does this certificate expiration affect all instances of Panorama managers and log collectors?

  • Yes, it impacts appliance-based (M-100 and M-500) Panorama and log collectors, as well as the Panorama virtual appliances. Please note: M-500 appliances running in PAN-DB mode are not affected by the certificate expiration.

Q: What would happen if I didn’t upgrade software or update content on my Panorama by Friday, June 16, 2017?

  • If you do not complete option 1 or option 2 above by Friday, June 16, 2017, your firewalls will cease to communicate with Panorama and the log collectors as soon as the connection is reset on or after Friday, June 16, 2017. As a result, there will be no management of devices from Panorama, no pushing of configuration from Panorama, and no log collection to the Panorama infrastructure. To mitigate this, please update your Panorama/log collector content to version 700 or later and reboot the affected device(s).

Q: What is the difference between the content-based fix and the software-based fix?

  • The content-based fix extends the validity period of the existing Panorama CA certificate to the year 2027. The software-based fix generates a new server certificate based on a new Panorama CA certificate; that new Panorama CA certificate expires in 2024. We’re offering two options to mitigate this issue so you can choose the one that is most convenient for your software and content update qualification processes.

  • For customers who have already upgraded Panorama and the log collectors to software releases that include the fix (7.1.9, 8.0.0, or 8.0.1), no action is required, as the certificates have already been extended.

Q: When should I use the software upgrade vs. the content-based fix to resolve the issue?

  • If you do not have a planned maintenance window and cannot qualify a newer maintenance release on your current software version, we recommend the content update option.

  • If you can accommodate a new maintenance release upgrade in your maintenance window, we recommend that you deploy the software upgrade-based solution.

  • If you are transitioning off older releases that are end-of-life or will be end-of-life by June 16, 2017 (Panorama versions 5.0, 5.1, 6.0), we recommend utilizing the content-based fix.

Q: How do I check whether the Panorama server certificate has been successfully extended or upgraded?

  • You may use one of the following methods to check the validity period of the CA certificate:

    • Use OpenSSL (on Linux) with the following command to print the validity dates of the CA certificate presented on port 3978:
      echo | openssl s_client -showcerts -connect <FQDN or IP address of Panorama or log collector>:3978 | sed -nr '/BEGIN CERTIFICATE/H;//,/^done/G;s/\n(\n[^\n]*){2}$//p' | openssl x509 -noout -dates

    • If the certificate was updated using the content-based solution, a critical System Log will be generated showing the expiration date of the currently installed Panorama CA certificate.

    • You may also capture the SSL communication to Panorama on port 3978 and look at the server certificate validity in a packet capture tool such as Wireshark.

    • Lastly, using a web browser such as Chrome, Safari, Firefox or Internet Explorer, you may take the following steps:

      • Connect to the Panorama server on port 3978 (https://<FQDN or IP address of Panorama or log collector>:3978), check the certificate chain and look for the validity of the CA certificate.

      • For Firefox: Add Exception > Get Certificate > View Certificate > Details > Certificate at the root of the tree. Under “Certificate Fields”, check the “Validity” > “Not After” field.

      • For Chrome: Click on Developer Tools > Security > View Certificate > Certification Path. Click “View Certificate” for the certificate at the top of the tree and look at the “Valid” field.
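As an added example (not Palo Alto Networks code), the following Python script runs the same two OpenSSL commands as the check above against a list of Panoramas and log collectors, selects the CA certificate in Python rather than with the sed expression, and reports whether the CA's Not After date still matches the original June 2017 expiry, the April 2027 content-based extension, or the 2024 CA installed by the software-based fix. The host names are placeholders; it assumes the openssl CLI is installed and Python 3.7 or later.

```python
import re
import subprocess
from datetime import datetime, timezone

PANORAMA_PORT = 3978  # firewall-to-Panorama channel named in the advisory
# Expiry of the original signing CA as stated in the FAQ: June 17, 2017, 19:48:41 GMT.
OLD_CA_EXPIRY = datetime(2017, 6, 17, 19, 48, 41, tzinfo=timezone.utc)
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def ca_cert_pem(s_client_output: str) -> str:
    """Return the last PEM block of `openssl s_client -showcerts` output.
    Panorama presents its server certificate first and the signing CA last,
    so the last block is the certificate the advisory asks you to check."""
    blocks = PEM_BLOCK.findall(s_client_output)
    if not blocks:
        raise ValueError("no certificate found in s_client output")
    return blocks[-1]

def parse_not_after(dates_output: str) -> datetime:
    """Parse the notAfter line of `openssl x509 -noout -dates` (e.g. 'Jun 17 19:48:41 2017 GMT')."""
    match = re.search(r"^notAfter=(.+)$", dates_output, re.M)
    if not match:
        raise ValueError("notAfter line missing from x509 -dates output")
    parsed = datetime.strptime(match.group(1).strip(), "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)

def classify(not_after: datetime) -> str:
    """Map the CA certificate's notAfter onto the states described in the advisory."""
    if not_after <= OLD_CA_EXPIRY:
        return "NOT FIXED: original CA in use; firewalls lose connectivity at expiry"
    if not_after.year == 2027:  # content-based fix extends the existing CA to April 2027
        return "FIXED: CA extended via content update (reboot required if not yet done)"
    if not_after.year == 2024:  # software-based fix installs a new CA expiring in 2024
        return "FIXED: new CA installed by software upgrade"
    return "FIXED: CA does not expire in 2017, but validity is unexpected; verify manually"

def check_host(host: str) -> str:
    """Query one Panorama or log collector; needs network access and the openssl CLI."""
    chain = subprocess.run(
        ["openssl", "s_client", "-showcerts", "-connect", f"{host}:{PANORAMA_PORT}"],
        input="", capture_output=True, text=True, check=False)
    dates = subprocess.run(["openssl", "x509", "-noout", "-dates"],
                           input=ca_cert_pem(chain.stdout), capture_output=True, text=True, check=True)
    return f"{host}: {classify(parse_not_after(dates.stdout))}"

if __name__ == "__main__":
    for target in ["panorama.example.internal", "logcollector1.example.internal"]:  # placeholder hosts
        print(check_host(target))
```

Running it against every Panorama and collector in the collector group gives the per-device status the FAQ below recommends confirming, including HA peers, which hold separate certificates.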

 

Q: What does a sample system log look like?

The log is a critical severity log that is generated after the installation of the content, when the extension of the CA certificate is done. This log will be generated for each log collector that is forwarding logs to Panorama and for the Panorama appliance itself. Check the “Device Name” column for the source of the system log. The text of the log is:

“Panorama CA certificate extended until April 2027 via content. Please reboot Panorama/log collector for the certificate to be used. Without reboot of Panorama/log collector, firewalls will not connect after June 16, 2017. Additional information in content release notes.”

[Screenshot: PAN-OS_screenshot.png, showing the sample system log entry]

Q: Can I have a mix of the Panorama server with the software upgrade and the log collectors with the content fix?

  • Yes, two different server certificates are used across Panorama and log collector connections to the same firewall.

  • It is best practice to have the same content version installed across the log collectors, firewalls and Panorama so that the threat IDs and applications are uniformly identified in logs across the deployment.

Q: Do I need to re-install content if I upgrade or downgrade to another version of Panorama?

  • If the software version you are moving to does not replace the Panorama CA certificate (that is, a release earlier than 7.1.9, 7.0.15 or 6.1.17), you will need to install content version 700 or later.

  • If you installed the latest content before the upgrade, you may need to revert to the previous version of content you were using prior to the upgrade and then reinstall the latest version of content again for the certificate to be extended. This will also ensure you’re on the same content version you were using before the upgrade. In the long term, to avoid installing content after every software upgrade, you may want to consider moving to a software version that has the certificate expiration fix.

  • If you are moving to a software version that replaces the Panorama CA certificate (viz. 7.1.9, 7.0.15, 6.1.17 or above) prior to June 16, 2017, you do not need to install new content for the certificate fix. In fact, the content update will not make any change to the certificates on a Panorama that already has the new certificates loaded on it.

Q: After the June 16 expiration date, what happens when a cold spare or new device connects to Panorama?

  • If new or cold spare devices have never connected to a Panorama server or log collector before, they will not have a client certificate and therefore will be able to connect to the Panorama or log collectors after June 16, 2017 as they normally would.

  • In circumstances where the firewalls present a certificate signed by a past root CA that has expired, the connection to Panorama will fail for Panorama versions 7.1.9, 8.0.0 and 8.0.1. If this occurs, please contact the Palo Alto Networks Support Team for assistance.

Q: I have multiple log collectors in a log collector group. What are the best practices associated with preventing CA certificate-related communication failures on my log collection infrastructure after June 16, 2017?

  • If you plan to apply the content update to mitigate the signing CA certificate expiration, please apply the content version to all log collectors in the collector group.

  • If you are upgrading to the software versions 7.1.9, 8.0.0 or 8.0.1 to mitigate the signing CA certificate expiration, please make sure that all the log collectors in the log collector group are upgraded to one of these versions before June 16, 2017.

Q: I am running an HA pair of Panoramas. Do I need to apply the fix to both Panorama servers?

  • Yes, you will need to apply either the content-based or software-based fix to both Panorama servers, as client certificates on the firewalls are maintained separately for the active and passive Panorama servers.

Q: I tried to apply the content-based fix but had to revert to a previous version of content. When I rebooted my Panorama/log collector, I noticed that the new certificate had been applied. Is this expected?

  • Yes, the content installs the certificate in a boot-up directory that remains unchanged when the content is reverted. Hence, on reboot, the new certificate is installed.

Q: If I am running Panorama version 6.0, 5.1, or 5.0 with my firewalls running PAN-OS version 5.0 or 6.0, is there a different procedure I need to follow to mitigate the issue?

  • Yes, please take one of the following actions:

    • For Panorama and log collectors running Panorama versions 6.0 and earlier, maintenance release-based upgrades are not available. Please upgrade the software version on your Panorama and log collectors to 6.1 or later to mitigate the issue.

    • Install content version 700 on your organization’s Panorama, log collectors and firewalls. After installation, please reboot your Panorama and log collectors and restart the management server daemon on your organization’s firewalls using the following CLI command:
      debug software restart management-server