How check NGFW valid for April 2024 Cert Advisory

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

How check NGFW valid for April 2024 Cert Advisory

L0 Member

Regarding the Certificate advisory for April 2024 and November 2024, if doing option 1, have content update and doing a reboot.

This being good enough for the April 2024 deadline. How can you verify on the Panorama or NGFW that you are valid?  The commands in the advisory FAQ 9, only work if you do Option 2 and upgrade to the recommended hotfix.

If there is no method for the user to verify they can safely pass the April 2024 deadline, then i would assume you would have to call TAC to go into root to confirm that your NGFW is patched to pass the April 2024 deadline, otherwise its wishful thinking the day after April 7, 2024

4 accepted solutions

Accepted Solutions

L4 Transporter

Hello @RussellYan - if you're taking Option 1, being the content update and reboot, there is no specific command that you can use to confirm you've completed remediation.  As you've correctly identified, this new command is available after a hotfix or upgrade per Option 2. 

 

The best advice I can give is that you should check to see that the most recent reboot time is more recent than the installation time of the content update.  

Iain Robertson
Senior Customer Success Engineer, NGFW, Palo Alto Networks

View solution in original post

Hello @WilsonWu - if you haven't rebooted, you may lose Panorama management of any affected devices, and any Panorama log collectors may also cease to collect logs from affected devices.  Firewalls will continue to forward traffic.

Installing the content update & rebooting after that date will remediate the issue.  

Iain Robertson
Senior Customer Success Engineer, NGFW, Palo Alto Networks

View solution in original post

Hello @WilsonWu - you will need to take the remediation steps as described in the advisory.

 

That means you will need to at least apply Option 1 - content update + reboot, or alternatively Option 2 - hotfix release.  

 

If you do not do this before April 7 you may lose Panorama and log collector connectivity.  If you do not do this before April 7 you will need to take the steps described briefly above, and in more detail in the advisory, in order to reconnect. 

Iain Robertson
Senior Customer Success Engineer, NGFW, Palo Alto Networks

View solution in original post

@JPatrickMillado 

 

from Panorama:
  1. show devices connected | match yes\|Custom\|Certificate    
     2.  show high-availability management-connection
     3.  show log-collector all
 
1st commands is going to tell us if the Pano <-> FWs connections are using custom cert.... !get this output from Panorama and LCs
2nd command is to confirm the Pano HA (Pano <-> Pano) is using the Custom Certs.
3rd Command  will tell us if the Pano <-> LCs connections are using  the Custom Certs.
 
Regards
 
--Richard

View solution in original post

13 REPLIES 13

L4 Transporter

Hello @RussellYan - if you're taking Option 1, being the content update and reboot, there is no specific command that you can use to confirm you've completed remediation.  As you've correctly identified, this new command is available after a hotfix or upgrade per Option 2. 

 

The best advice I can give is that you should check to see that the most recent reboot time is more recent than the installation time of the content update.  

Iain Robertson
Senior Customer Success Engineer, NGFW, Palo Alto Networks

L0 Member

Thank you lain. Am i to also assume, a TAC engineer with root access would also NOT be able to confirm before (remediation is installed besides the Content Version number) or after a reboot, that i have the remediation activated?

Russ

Hi @RussellYan - I can't confirm that I'm afraid, I'm not aware of any commands that TAC might be able to run to validate.  In turn it would be safer to assume there exists no such commands. 

Iain Robertson
Senior Customer Success Engineer, NGFW, Palo Alto Networks

L1 Bithead

Hi Everyone, 

 

May I know if we haven’t reboot Palo Alto device before 7 April, what is the consequence? What can we do to fix it after 7 April?

 

Thank you.

Hello @WilsonWu - if you haven't rebooted, you may lose Panorama management of any affected devices, and any Panorama log collectors may also cease to collect logs from affected devices.  Firewalls will continue to forward traffic.

Installing the content update & rebooting after that date will remediate the issue.  

Iain Robertson
Senior Customer Success Engineer, NGFW, Palo Alto Networks

Hi Larobertson,

 

So if I really haven’t reboot my Palo Alto before 7 April. Can I understand that I just need to reconnect my Palo Alto to panorama and reconnect any log collectors then it will be resume normal right?

 

Thank you.

Provided that you have remediated the expired root certificate, yes. 

As a reminder, you have 3 options:

1. upgrade to the correct PAN-OS version (see link below)

2. update the content to at least 8795 and then reboot

3. install custom certificates

 

More details here https://live.paloaltonetworks.com/t5/customer-advisories/additional-pan-os-certificate-expirations-a...

 

Regards

 

--Richard

Hello @WilsonWu - you will need to take the remediation steps as described in the advisory.

 

That means you will need to at least apply Option 1 - content update + reboot, or alternatively Option 2 - hotfix release.  

 

If you do not do this before April 7 you may lose Panorama and log collector connectivity.  If you do not do this before April 7 you will need to take the steps described briefly above, and in more detail in the advisory, in order to reconnect. 

Iain Robertson
Senior Customer Success Engineer, NGFW, Palo Alto Networks

L1 Bithead

thanks for sharing.... NC Cloud

L1 Bithead

Dear all,

 

Thank you for everyone.

Hi @iarobertson,

 

I noticed that option 3 refers to a custom certificate. Is there a way to verify if the custom certificate has been successfully installed and working properly on Panorama and NGFW, aside from being 'deployed' status under panorama > manage device > summary and certificate column?

 

Here is the link: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wo5WCAQ

@JPatrickMillado 

 

from Panorama:
  1. show devices connected | match yes\|Custom\|Certificate    
     2.  show high-availability management-connection
     3.  show log-collector all
 
1st commands is going to tell us if the Pano <-> FWs connections are using custom cert.... !get this output from Panorama and LCs
2nd command is to confirm the Pano HA (Pano <-> Pano) is using the Custom Certs.
3rd Command  will tell us if the Pano <-> LCs connections are using  the Custom Certs.
 
Regards
 
--Richard

Hi @rdumoulin ,

 

Item 1 and 3 commands are working, except 'show high-availability management-connection. It appears that this command is not supported by our device.

 

Appreciate this information👌.

 

Thank you!

  • 4 accepted solutions
  • 8120 Views
  • 13 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!