The option for provide a Device Certificate appears in a new section on the Device > Setup > Management page.
This option is part of an enhancement to the telemetry system and will be documented in the next major release of the software. As of today (2020 June 17), you need to be part of the 9.2 beta program to find this documented in the "New Features Guide". Since the feature does appear in the already released 9.1.2, I want to explain what it is here.
By default, all telemetry data is collected and stored locally on your device for a limited period of time. Going forward, this data can not be shared with Palo Alto Networks unless your organization has a Cortex Data Lake license or a device certificate is configured for your firewall.
So, why suddenly is there a Device Certificate option in PAN-OS 9.1.2? Ans: To support connections back to Palo Alto Networks to transfer telemetry data to the Data Lake.
Is a Device Certificate required? Will the operation of my firewall change if I do not supply one? Ans: The Device Certificate is required only to send telemetry data and if you are not already running Panorama and sending logs to the Cortex Data Lake.
Telemetry options are configured on the Device > Setup > Telemetry page.
Hope this helps!
Thank you the explanation.
Is there any ramifications when we enter OTP into the configuration page (eg, will we have to reboot the FW / will there be any downtime, etc)?
After you enter the OTP, the task may take a minute or two to complete. You can/should monitor it in the Task Manager (click Tasks in the bottom right of the web interface). Download and installation of the certificate does not even require a commit. You should see no interruption of services or data flow.
I still don't completely understand this.
We upgraded to 9.1.4 and now we're required to allow telemetry data to PA?
Or accept a constant high alert in the system logs: no valid device certificate found.
Why not allow customers to opt-in to this kind of functionality or at least explain this in a popup screen like a reminder:
"you need to configure this post-upgrade, etc. or opt-out see: "explanation here and here"
You are not required to allow telemetry.
You can turn it all off on the Device > Setup > Telemetry page.
Telemetry does provide some significant security benefits to individual organizations, and collectively back to the community as a whole.
One use case: In the escalating arms race of automation on the attacker side of the equation and as we, in turn, continue to work on the practical applications of automation and AI, your telemetry data can, for example, enable us, the vendor, to initiate immediate, focused, and direct outreach in the event of corner-case configurations that are discovered to be uniquely vulnerable and/or actively in the spotlight of bad actors. Without individual and community-wide participation, certain kinds of detections, assessments, and mitigations, of course, become impossible to make. Hand in hand, the ability to process, store, and apply intelligence to such telemetry data requires data-lake-scale solutions, but not at the expense of assurances of the integrity of the connections to that resource and the integrity and context of the data itself. Thus, the additional requirement for connecting to the data-lake service with the added certificate.
I hope this makes some sense.
I understand I am not required to allow telemetry. That is not my concern in this.
After the upgrade to 9.1.2+ a high/red alert is repeatedly shown in the system logs that telemetry is simply not configured and cannot be used until, according to the procedure, the certificates are in place.
If anyone is not required to allow telemetry why didn't they choose to:
- Make enabling telemetry participation an opt-in feature, or
- Add a more intuitive notification AND alert (informational): "Telemetry is not configured. Please see manual how to enable it."
Just adding a high alert to the system logs, because a new feature is not configured is unnecessary and created some confusion.
Missing/faulty/expired certificates is typically a bad thing and often does need immediate attention. In this case it does not.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!