This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Updates on Certificates for GlobalProtect App Log Collection Feature

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Audit
Last Reviewed: 08-10-2023 06:29 AM
Audited By: kiwi

Updates on Certificates for GlobalProtect App Log Collection Feature

vathreya
L4 Transporter

on ‎03-09-2022 09:16 AM - edited on ‎07-11-2022 11:31 PM by

0% helpful (0/2)

certificates-globalprotect-log_livecommunity.jpg

 

The certificates and the chain used for GlobalProtect App Log Collection and ADEM are expiring as of June 3, 2022. Please be sure to update the certificates for GlobalProtect App Log Collection and ADEM after April 20, 2022 and before June 3, 2022, when the certificate expires. Read the steps below to renew the certificate used for GlobalProtect App Log Collection and ADEM now. 

Steps to renew the certificate used for GlobalProtect App Log Collection and ADEM:

 

If you are using Panorama to manage Prisma Access and/or NGFW performing the following steps:

    • Click on Panorama -> Cloud Services -> Configuration
    • Under “GlobalProtect App Log Collection and Autonomous DEM” section Click on “Renew Certificate for GlobalProtect App Log Collection and Autonomous DEM” to renew the certificate
    • Once the new certificate is generated, administrator has to push the new certificate under Portal ->  Agent -> Configs -> Client Certificate
    • Once the new certificate is generated, it overwrites the old certificate and the certificate name remains the same i.e. globalprotect_app_log_cert.
    • The new certificate will be pushed to the GlobalProtect app upon portal configuration refresh either manually by the end user or at default portal configuration refresh interval, which is 24 hours by default unless changed by the admin.
    • First time ADEM endpoint deployments will be able to successfully register to ADEM service only if they upgrade to the new version of GP 5.2.11 . Existing ADEM endpoints already connected to ADEM Cloud Service will be auto-upgraded with latest ADEM endpoint version and need not migrate to GlobalProtect 5.2.11 

If you are using Cloud Managed Prisma Access performing the following steps:

  • Navigate to Configuration -> Objects -> Certificate Management -> Shared -> GP_Log_Certificate
    • Administrators have to manually update the certificate by performing the below steps:
    • Once the new certificate is generated, administrator has to push the new changes by clicking on Push Config -> Push -> Mobile Users - GlobalProtect and select “Push”
    • The new certificate will be pushed to the GlobalProtect app upon portal configuration refresh either manually by the end user or at default portal configuration refresh interval, which is 24 hours by default unless changed by the admin.
    • First time ADEM endpoint deployments will be able to successfully register to ADEM service only if they upgrade to the new version of GP 5.2.11 . Existing ADEM endpoints already connected to ADEM Cloud Service will be auto-upgraded with latest ADEM endpoint version and need not migrate to GlobalProtect 5.2.11 

Note: Customers are advised to renew the certificate only after April 20 2022 and before June 3 2022 when the certificate expires. If certificate renewal is performed before April 20 2022 then you will still get the old certificate which is due to expire on June 3 2022.

Rate this article:
Comments
jasonwald
L2 Linker
‎03-16-2022 12:55 PM

You say "If you are using Panorama to manage Prisma Access and NGFW"

So it makes me think it applies to me because I manage my NGFW's with Panorama however I do not use Prisma Access. You should state in BOLD if you are not using Prisma Access this does not apply to your organization.

Please correct me if I am wrong.

FranCote
L0 Member
‎03-16-2022 01:29 PM

Hello,

Similar situation to Jasonwald's question above... We do not use Panorama or Prisma with our firewalls, so does this not apply to us at all? We do use GlobalProtect, but I'm not seeing any certs related to that in the system.

Thank you!

 

Steven.Villanueva
L0 Member
‎03-16-2022 03:08 PM

Is this related to only those that are pointing their global protect clients to Prima ADEM service?  https://www.paloaltonetworks.com/sase/adem

 

 

CoAAdmin
L0 Member
‎03-16-2022 10:44 PM

Palo support... please clarify if this does NOT apply to those users that have deployed Global Protect but are not using NOT Panorama or Prisma.

aabozaid
L1 Bithead
‎03-17-2022 12:56 AM

please clarify if this apply to only those users that are using Panorama or Prisma ? 

 

 

T_Wojtasinski
L2 Linker
‎03-17-2022 02:40 AM

Exactly - what about clients  that have deployed Global Protect on physical or VM FW's but are not using Panorama or Prisma.

 

 
JKoss
L2 Linker
‎03-17-2022 10:44 AM

Lurking here to get confirmation this is not an issue for physical firewalls....

GlobalProtect

GlobalProtect
Thumbnail of GlobalProtect
Palo Alto Networks
GlobalProtect
Network Security
View on Product Page
jonwest1
L0 Member
‎03-18-2022 08:43 AM

Same, I need clarification as well

 

GlobalProtect 

GlobalProtect
Thumbnail of GlobalProtect
Palo Alto Networks
GlobalProtect
Network Security
View on Product Page
sarao
L3 Networker
‎03-18-2022 11:31 AM

Hello everyone,

The GlobalProtect App Log Collection feature is available for both NGFW GP Subscription and Prisma Access Customers. 

 

NGFW GP Subscription based customer require Panorama with the Cloud Plug-in and a CDL License to use this feature. More details are available in the tech docs at: https://docs.paloaltonetworks.com/globalprotect/5-2/globalprotect-app-new-features/new-features-rele...

 

If your customer does not use the GP App Log Collection feature or ADEM, this article will not be applicable to them. 

 

jasonwald
L2 Linker
‎03-18-2022 11:44 AM

Thank you. Also learned something new that I was aware of, NGFW GP Logging to Cortex DL.

matt-sarich
L0 Member
‎03-18-2022 01:49 PM

This seems to be a PAN OS 10 related feature. 

 

https://docs.paloaltonetworks.com/globalprotect/10-0/globalprotect-admin/globalprotect-app-log-colle...

 

apazmino
L1 Bithead
‎04-13-2022 02:51 PM

Its not clear.. Please, could you be more clear, due to more than one customer ask to me for this announcement because they use GP client for NGFW.  tks

Brett.Hoshaw
L2 Linker
‎04-25-2022 12:18 PM

My rep told me that this only applies to those using ADEM.

Oblagonte
L2 Linker
‎05-29-2022 09:49 PM

Hi All,

 

We don't have option to renew but only have option "Generate Certificate for GlobalProtect App Log Collection and Autonomous DEM".

 

Should we generate new one or just ignored it.

 

 

Brooks_Hassinger
L1 Bithead
‎05-31-2022 06:10 AM

Hello,

After clicking "Renew Certificate for GlobalProtect App Log Collection and Autonomous DEM" I get a message saying that the cert was successfully renewed. However, after I click OK, I can see that the ADEM cert is still slated to expire on 6/4/2022.

jgreen1280
L0 Member
‎05-31-2022 08:32 AM

@Brooks_Hassinger 

 

I was having this issue as well.

 

Today, I modified all my portal configs, removing this cert, then exported the cert with private key, just incase. 

 

Next, I deleted the cert. After deleting I performed a commit-push, after push completed, I clicked the option "Renew Certificate...." from the Cloud Services plugin. This time, it generated a new cert with an expiration of:

May 31 15:15:10 2023 GMT

 

Now I am reconfiguring my portal agent configs to push that cert.

 

Hope this heps!

Brooks_Hassinger
L1 Bithead
‎05-31-2022 08:44 AM

@jgreen1280 Thanks, that did the trick! 

  • 40249 Views
  • 17 comments
  • 1 Likes
Register or Sign-in
Article Dashboard
Version history
Last Updated:
‎07-11-2022 11:31 PM
Updated by:
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks