Updates on Certificates for GlobalProtect App Log Collection Feature

Audit
Last Reviewed: 08-10-2023 06:29 AM
Audited By: kiwi
L4 Transporter

The certificates and the chain used for GlobalProtect App Log Collection and ADEM expire on June 3, 2022. Be sure to update the certificates for GlobalProtect App Log Collection and ADEM after April 20, 2022 and before June 3, 2022, when the certificate expires. Follow the steps below to renew the certificate used for GlobalProtect App Log Collection and ADEM.

Steps to renew the certificate used for GlobalProtect App Log Collection and ADEM:

 

If you are using Panorama to manage Prisma Access and/or NGFW, perform the following steps:

    • Click on Panorama -> Cloud Services -> Configuration.
    • Under the “GlobalProtect App Log Collection and Autonomous DEM” section, click on “Renew Certificate for GlobalProtect App Log Collection and Autonomous DEM” to renew the certificate.
    • Once the new certificate is generated, the administrator has to push the new certificate under Portal -> Agent -> Configs -> Client Certificate.
    • Once the new certificate is generated, it overwrites the old certificate and the certificate name remains the same, i.e. globalprotect_app_log_cert.
    • The new certificate will be pushed to the GlobalProtect app upon portal configuration refresh, either manually by the end user or at the portal configuration refresh interval, which is 24 hours by default unless changed by the admin.
    • First-time ADEM endpoint deployments will be able to successfully register to the ADEM service only if they upgrade to the new version of GP 5.2.11. Existing ADEM endpoints already connected to the ADEM Cloud Service will be auto-upgraded with the latest ADEM endpoint version and need not migrate to GlobalProtect 5.2.11.

If you are using Cloud Managed Prisma Access, perform the following steps:

    • Navigate to Configuration -> Objects -> Certificate Management -> Shared -> GP_Log_Certificate.
    • Administrators have to manually update the certificate by performing the below steps:
    • Once the new certificate is generated, the administrator has to push the new changes by clicking on Push Config -> Push -> Mobile Users - GlobalProtect and selecting “Push”.
    • The new certificate will be pushed to the GlobalProtect app upon portal configuration refresh, either manually by the end user or at the portal configuration refresh interval, which is 24 hours by default unless changed by the admin.
    • First-time ADEM endpoint deployments will be able to successfully register to the ADEM service only if they upgrade to the new version of GP 5.2.11. Existing ADEM endpoints already connected to the ADEM Cloud Service will be auto-upgraded with the latest ADEM endpoint version and need not migrate to GlobalProtect 5.2.11.

Note: Customers are advised to renew the certificate only after April 20, 2022 and before June 3, 2022, when the certificate expires. If certificate renewal is performed before April 20, 2022, you will still get the old certificate, which is due to expire on June 3, 2022.
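
A post-renewal check, added here as an example and not part of the original article or of any Palo Alto Networks tooling: it reads the `notAfter=` line that `openssl x509 -noout -enddate` prints for an exported copy of the certificate and reports whether the certificate is still the one expiring on June 3, 2022. The function names, the one-day tolerance and the constructed sample line are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Expiry date taken from the article; the one-day tolerance is an assumption
# that absorbs time-zone differences in how the expiry date is displayed.
OLD_CERT_EXPIRY = datetime(2022, 6, 3, tzinfo=timezone.utc)
TOLERANCE = timedelta(days=1)

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def parse_not_after(line):
    """Parse one line of `openssl x509 -noout -enddate` output into UTC."""
    value = line.strip()
    if value.startswith("notAfter="):
        value = value[len("notAfter="):]
    parts = value.split()  # split() also absorbs the padded day in "Jun  3"
    if len(parts) != 5 or parts[0] not in MONTHS or parts[4] != "GMT":
        raise ValueError(f"unrecognised notAfter value: {line!r}")
    hour, minute, second = (int(x) for x in parts[2].split(":"))
    return datetime(int(parts[3]), MONTHS[parts[0]], int(parts[1]),
                    hour, minute, second, tzinfo=timezone.utc)


def assess(line, now):
    """Return (status, whole days until expiry) for an exported certificate."""
    not_after = parse_not_after(line)
    days_left = (not_after - now).days
    if not_after <= now:
        return "expired", days_left
    # Anything expiring by the end of June 3 (plus tolerance) is the old cert.
    if not_after < OLD_CERT_EXPIRY + timedelta(days=1) + TOLERANCE:
        return "old-cert", days_left
    return "renewed", days_left


if __name__ == "__main__":
    now = datetime(2022, 5, 10, tzinfo=timezone.utc)  # constructed check date
    samples = [
        "notAfter=Jun  3 12:00:00 2022 GMT",  # constructed: old certificate
        "notAfter=May 31 15:15:10 2023 GMT",  # renewed expiry from the comments
    ]
    for line in samples:
        print(line, "->", assess(line, now))
```

An "old-cert" result after a renewal means the certificate being pushed to the portal agent configs is still the one that expires on June 3, 2022.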

Comments
L2 Linker

You say "If you are using Panorama to manage Prisma Access and NGFW"

So it makes me think it applies to me because I manage my NGFWs with Panorama; however, I do not use Prisma Access. You should state in BOLD if you are not using Prisma Access this does not apply to your organization.

Please correct me if I am wrong.

L0 Member

Hello,

Similar situation to Jasonwald's question above... We do not use Panorama or Prisma with our firewalls, so does this not apply to us at all? We do use GlobalProtect, but I'm not seeing any certs related to that in the system.

Thank you!

 

Is this related to only those that are pointing their GlobalProtect clients to the Prisma ADEM service? https://www.paloaltonetworks.com/sase/adem

 

 

L0 Member

Palo support... please clarify if this does NOT apply to those users that have deployed GlobalProtect but are NOT using Panorama or Prisma.

L1 Bithead

Please clarify if this applies only to those users that are using Panorama or Prisma?

 

 

L2 Linker

Exactly - what about clients that have deployed GlobalProtect on physical or VM FWs but are not using Panorama or Prisma?

 

 
L2 Linker

Lurking here to get confirmation this is not an issue for physical firewalls....


L0 Member

Same, I need clarification as well

 


L3 Networker

Hello everyone,

The GlobalProtect App Log Collection feature is available for both NGFW GP Subscription and Prisma Access Customers. 

 

NGFW GP Subscription-based customers require Panorama with the Cloud Plug-in and a CDL License to use this feature. More details are available in the tech docs at: https://docs.paloaltonetworks.com/globalprotect/5-2/globalprotect-app-new-features/new-features-rele...

 

If your customer does not use the GP App Log Collection feature or ADEM, this article will not be applicable to them. 

 

L2 Linker

Thank you. Also learned something new that I was aware of, NGFW GP Logging to Cortex DL.

L0 Member
L1 Bithead

It's not clear. Please, could you be more clear, because more than one customer has asked me about this announcement since they use the GP client for NGFW. Thanks.

L2 Linker

My rep told me that this only applies to those using ADEM.

L2 Linker

Hi All,

 

We don't have the option to renew but only have the option "Generate Certificate for GlobalProtect App Log Collection and Autonomous DEM".

 

Should we generate a new one or just ignore it?

 

 

L1 Bithead

Hello,

After clicking "Renew Certificate for GlobalProtect App Log Collection and Autonomous DEM" I get a message saying that the cert was successfully renewed. However, after I click OK, I can see that the ADEM cert is still slated to expire on 6/4/2022.

L0 Member

@Brooks_Hassinger 

 

I was having this issue as well.

 

Today, I modified all my portal configs, removing this cert, then exported the cert with private key, just in case.

 

Next, I deleted the cert. After deleting, I performed a commit-push. After the push completed, I clicked the option "Renew Certificate...." from the Cloud Services plugin. This time, it generated a new cert with an expiration of:

May 31 15:15:10 2023 GMT

 

Now I am reconfiguring my portal agent configs to push that cert.

 

Hope this helps!

L1 Bithead

@jgreen1280 Thanks, that did the trick! 

Last Updated:
‎07-11-2022 11:31 PM