Have you seen the following popup when accessing your Palo Alto Networks hardware? It is a notice of a highly important Panorama certificate update that may be needed to prevent any performance interruptions on your Palo Alto investments.
Palo Alto Networks firewalls communicate with Panorama and log collectors over a secure channel. For Panorama versions prior to PAN-OS 8.0, the signing CA certificate used to issue the server certificate on Panorama and log collectors that authenticates this communication will expire on Friday, June 16, 2017. After the signing CA expires, PAN-OS devices will no longer be able to authenticate the Panorama connection, which will cause communication with Panorama to fail. To mitigate the impact of this issue, customers should upgrade their Panorama/log collector software to the maintenance releases listed below before Friday, June 16, 2017. This will allow an update of the validity period of that root CA.
- Do I need to upgrade Panorama and the log collectors, or is there a workaround?
- Customers must upgrade Panorama and the log collectors to the release versions listed in the above post before Friday, June 16, 2017 in order to mitigate this issue.
- Do I need to upgrade my firewalls?
- No, you do not need to upgrade the PAN-OS version on your firewalls; only Panorama and log collectors need to be upgraded. The Panorama version should be higher than or equal to the highest version of PAN-OS deployed in your environment. Please note: although the PA-7000 Series behaves like a log collector, it is not affected by this issue.
- Does this certificate expiration affect all types of Panorama and log collectors?
- Yes, it impacts appliance-based (M-100 and M-500) Panorama and log collectors, as well as the virtual Panorama. Please note, M-500 appliances running in PAN-DB mode are not affected.
- What actions do I need to take?
- Please upgrade your Panorama devices and the log collectors in your environment to the maintenance release versions listed in the above post before Friday, June 16, 2017.
- Can CentraComm handle this for me?
- As a Palo Alto CPSP (Certified Professional Services Provider), we have the engineering talent necessary to handle these upgrades for you. Please click here to contact us and learn more.
- What would happen if I didn’t upgrade?
- Without upgrading to a maintenance release where the certificate expiration issue is resolved, your firewalls will cease to communicate with Panorama and the log collectors on Friday, June 16, 2017. As a result, there will be no management of devices from Panorama, no pushing of configuration from Panorama, and no log collection to the Panorama infrastructure. To mitigate this, please upgrade your Panorama/log collector software to the maintenance releases listed above, which have resolved this certificate expiration issue, before Friday, June 16, 2017.