02-05-2024 12:54 PM
Regarding the Certificate advisory for April 2024 and November 2024, if doing option 1, have content update and doing a reboot.
Is this good enough for the April 2024 deadline? How can you verify on the Panorama or NGFW that you are valid? The commands in the advisory FAQ 9 only work if you do Option 2 and upgrade to the recommended hotfix.
If there is no method for the user to verify they can safely pass the April 2024 deadline, then I would assume you would have to call TAC to go into root to confirm that your NGFW is patched to pass the April 2024 deadline; otherwise it's wishful thinking the day after April 7, 2024.
02-05-2024 02:23 PM
Hello @RussellYan - if you're taking Option 1, being the content update and reboot, there is no specific command that you can use to confirm you've completed remediation. As you've correctly identified, this new command is available after a hotfix or upgrade per Option 2.
The best advice I can give is that you should check to see that the most recent reboot time is more recent than the installation time of the content update.
02-05-2024 03:30 PM
Thank you, Iain. Am I to also assume that a TAC engineer with root access would also NOT be able to confirm, before or after a reboot (besides the Content Version number once the remediation is installed), that I have the remediation activated?
Russ
02-05-2024 06:37 PM
Hi @RussellYan - I can't confirm that, I'm afraid; I'm not aware of any commands that TAC might be able to run to validate. In turn, it would be safer to assume no such commands exist.
03-12-2024 02:26 PM
Hi Everyone,
May I know, if we haven't rebooted the Palo Alto device before 7 April, what the consequence is? What can we do to fix it after 7 April?
Thank you.
03-12-2024 03:53 PM
Hello @WilsonWu - if you haven't rebooted, you may lose Panorama management of any affected devices, and any Panorama log collectors may also cease to collect logs from affected devices. Firewalls will continue to forward traffic.
Installing the content update & rebooting after that date will remediate the issue.
03-12-2024 04:01 PM
Hi iarobertson,
So if I really haven't rebooted my Palo Alto before 7 April, can I understand that I just need to reconnect my Palo Alto to Panorama and reconnect any log collectors, and then it will resume normal operation, right?
Thank you.
03-12-2024 04:05 PM
Provided that you have remediated the expired root certificate, yes.
As a reminder, you have 3 options:
1. upgrade to the correct PAN-OS version (see link below)
2. update the content to at least 8795 and then reboot
3. install custom certificates
More details here https://live.paloaltonetworks.com/t5/customer-advisories/additional-pan-os-certificate-expirations-a...
Regards
--Richard
03-12-2024 04:07 PM
Hello @WilsonWu - you will need to take the remediation steps as described in the advisory.
That means you will need to at least apply Option 1 - content update + reboot, or alternatively Option 2 - hotfix release.
If you do not do this before April 7 you may lose Panorama and log collector connectivity. If you do not do this before April 7 you will need to take the steps described briefly above, and in more detail in the advisory, in order to reconnect.
03-15-2024 03:24 AM - edited 03-17-2024 09:52 PM
thanks for sharing.... NC Cloud
03-17-2024 07:54 PM
Dear all,
Thank you, everyone.
04-05-2024 08:29 AM
Hi @iarobertson,
I noticed that option 3 refers to a custom certificate. Is there a way to verify if the custom certificate has been successfully installed and working properly on Panorama and NGFW, aside from being 'deployed' status under panorama > manage device > summary and certificate column?
Here is the link: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wo5WCAQ
04-05-2024 08:39 AM - edited 04-05-2024 08:39 AM
04-05-2024 09:03 AM
Hi @rdumoulin ,
The commands for items 1 and 3 are working, except 'show high-availability management-connection'. It appears that this command is not supported by our device.
Appreciate this information👌.
Thank you!