Palo Alto Customers need to act as soon as possible:
Palo Alto Networks are currently facing an expiration issue with a Palo Alto Networks certificate set to expire on April 7th, which affects the cloud security functionality of Next-Generation Firewalls (NGFW) and Panorama MGMT. This expiration will also disrupt communication between Panorama and firewalls, affecting Panorama both as a management device and log collector. Following this update, future certificate management will be automated, eliminating the need for manual certificate renewals.
Action Required:
If you are using any of the Palo Alto Networks products listed below, you must act before April 7th 2024:
- Next-Generation Firewalls (NGFW)
- Panorama for NGFW management
- Security Services, including WildFire, DNS Security, URL Filtering, and the URL PAN-DB Private Cloud
- User-ID or Terminal Server agents
You will need to update your certificates and enroll in our certificate management process to ensure your NGFWs, Panorama, and Security Services products continue to function correctly due to the impending certificate expiration.
Please carefully review this entire article to prepare for a smooth upgrade.
Option 1 Steps: Updating Only the NGFW/Panorama Management Certificate
The instructions in this section apply only if you cannot install one of the hotfixes before 07-Apr-2024 and will update the NGFW/Panorama Management Certificate ONLY. You must still deploy Option 2 before the corresponding expiration date for all other certificates. This is a 2-step process and not the most efficient method.
1: Install a dynamic content update(8795-8489 or higher) on all your NGFWs, Panorama, and Log Collectors. For WF500/B install dynamic content update (2438-2654 or higher).
2: Restart the NGFWs, Panorama, WF500/B, and Log Collector. You will receive a system log message prompting a restart. You must then reboot the device.
Note:
- The NGFW/Panorama Management Certificate will be overwritten if you downgrade or upgrade to a PAN-OS software image that doesn’t include the updated certificate. You must re-apply the content update. Please see Table 2: NGFW and Panorama Hotfixes and Updated Agents for the list of versions that contain the updated certificates.
- If custom certificates are installed (or if you decide to install them now) on all NGFWs, Panoramas, and Log Collectors, you do not need to install the dynamic content update.
Option 2 Steps: Update your NGFW, Panorama, Log Collector, User-ID agents, WF500/B, and M-Series appliances (Recommended)
1: Deploy the hotfix listed in Table 2: NGFW and Panorama Hotfixes and Updated Agents to each NGFW, Panorama, Log Collector, WF500/B appliance, and M-Series appliance (Recommended).
Note:
For VM-Series and CN-Series, see the FAQ section below.
If custom certificates are installed (or if you decide to install them now) on all NGFWs, Panoramas, and Log Collectors, you do not need to install a hotfix update.
2: Complete the Device Certificate for CDSS onboarding steps for all affected devices:
a. For Panorama
b. For Log Collectors
c. For NGFWs
i. For standalone NGFWs
ii.For Panorama-managed NGFWs
Note:
If you have previously installed Device Certificates on your PAN-OS devices (NGFWs and Panoramas), you only need to apply the hotfix.
This hotfix improves the automated renewal of device certificates every 90 days. You can verify the onboarding status of device certificates on your PAN-OS devices (NGFWs and Panorama) using the verification steps in the FAQ below.
All devices must have a valid certificate by November 18th, 2024
3. User-ID and Terminal Server (TS) agent Self-signed Certificate
a. Install the hotfix listed in Table 2: NGFW and Panorama Hotfixes above on all NGFWs and Panoramas. It is important to perform this step before updating the agents; these two steps are in sequence. See FAQ below for further details.
b. Deploy updated User-ID and TS agents.
Table 2: NGFW and Panorama Hotfixes and Updated Agents
+ Applying the hotfix version corresponding to your current NGFW and Panoramas is recommended to mitigate the certificate expiration issue. Major version upgrades should be planned separately per your established upgrade procedures.
| Current NGFW and Panorama Versions | Target Upgrade Versions+ |
| 8.1 | 8.1.21-h3,8.1.25-h3, 8.1.26 (including future releases) |
| 9.0 | 9.0.16-h7, 9.0.17-h5 |
| 9.1 | 9.1.11-h5, 9.1.12-h7, 9.1.13-h5, 9.1.14-h8,9.1.16-h5, 9.1.17 (including future releases) |
| 10.0 | 10.0.8-h11, 10.0.11-h4, 10.0.12-h5 |
| 10.1 | 10.1.3-h3, 10.1.4-h6,10.1.5-h4, 10.1.6-h8, 10.1.7-h1, 10.1.8-h7,
10.1.9-h8, 10.1.10-h5, 10.1.11-h5, 10.1.12* (including future releases) |
| 10.2 | 10.2.0-h2, 10.2.1-h1, 10.2.2-h4, 10.2.3-h11, 10.2.4-h10, 10.2.6-h1, 10.2.7-h3, 10.2.8* (including future releases) |
| 11.0 | 11.0.0-h2, 11.0.1-h3, 11.0.2-h3, 11.0.3-h3, 11.0.4* (including future releases) |
| 11.1 | 11.1.0-h2, 11.1.1 (including future releases) |
| M-Series for PAN-DB URL Filtering private cloud | 8.1.26-h1*, 9.0.17-h5, 9.1.17-h1, 10.0.12-h5,10.1.12*, 10.2.8*, 11.0.4*, 11.1.1 (including future releases) |
| User-ID agent and
Terminal Server (TS) agent version |
9.0.6, 9.1.5, 10.0.7, 10.1.2, 10.2.2, 11.0.1 |
| WF-500 | 8.1.26-h1*, 9.0.17-h5, 9.1.17-h1, 10.0.12-h5,10.1.12*, 10.2.8*, 11.0.4*, 11.1.1 |
* will be released prior to the Panorama Management certificate expiry.
Link to view live updates regarding the hotfix and certificate renewal:
