2024 PAN Cert Expiration: Customer Warning

Published January 9, 2024 | Updated March 4, 2024

NOTE: This article is intended to be supplemental to PAN’s official forum post. We advise that all customers read through our high-level summary and then read the official post.

Customers using PAN-DB Private Cloud or a WildFire Private Cloud Appliance (WF-500) should read the official post for additional information.

Summary

On January 8th, 2024, Palo Alto Networks announced that five additional certificates that secure core services will soon expire. When these certificates expire, their respective services will be affected unless customer action is taken. Here is a summary of the certificates that will expire and the services that will be affected:

| Expiration Date | Certificate | Affected Services |
|---|---|---|
| 2024-04-07 | Panorama Management | Connections from devices to Panoramas |
| 2024-09-02 | URL PAN-DB Private Cloud | Connections to M-Series running PAN-DB Private Cloud |
| 2024-11-18 | Device Certificate for Cloud Delivered Security Services | All content updates except Threat Prevention / Adv. Threat Protection |
| 2024-11-18 | User-ID Agent and Terminal Server Default Certificate | Connections from devices to User-ID Agents and Terminal Servers |
| 2026-01-01 | WildFire Appliance CA Certificate | Connections to WF-500 devices |

Remediation

Since there are multiple certificates expiring, customers will need to take multiple actions to remediate. We recommend that all customers do ALL of the following:

  1. Upgrade all devices to a hotfix listed in PAN’s announcement
  2. Ensure that Device Certificates are present on ALL devices
  3. Upgrade all User-ID Agents and Terminal Servers to a hotfix listed in PAN’s announcement

Additionally, PAN has provided a fix for the Panorama management certificate expiration in content update version 8795-8489 and higher. This resolves the April 7th, 2024 Panorama certificate expiration, but customers will still need to take the actions above to remediate the other certificate expirations. Note that after this content update is installed, the device must be rebooted for the Panorama certificate issue to be resolved. Since a reboot is required anyway, we recommend that customers instead upgrade to a hotfixed version, which takes care of all the certificate expirations in the same amount of time.

Remediation Flow Chart

Here is a simplified flow chart that applies to most customers:

(Figure: Remediation Flow Chart)

Upgrading Devices

| Release Train | Fixed Versions |
|---|---|
| 8.1 | 8.1.21-h3, 8.1.25-h3, 8.1.26 (including future releases) |
| 9.0 | 9.0.16-h7, 9.0.17-h5 |
| 9.1 | 9.1.11-h5, 9.1.12-h7, 9.1.13-h5, 9.1.14-h8, 9.1.16-h5, 9.1.17 (including future releases) |
| 10.0 | 10.0.8-h11, 10.0.11-h4, 10.0.12-h5 |
| 10.1 | 10.1.3-h3, 10.1.4-h6, 10.1.5-h4, 10.1.6-h8, 10.1.7-h1, 10.1.8-h7, 10.1.9-h8, 10.1.10-h5, 10.1.11-h4, 10.1.12 (including future releases) |
| 10.2 | 10.2.0-h2, 10.2.1-h1, 10.2.2-h4, 10.2.3-h11, 10.2.4-h10, 10.2.6-h1, 10.2.7-h3, 10.2.8 (including future releases) |
| 11.0 | 11.0.0-h2, 11.0.1-h3, 11.0.2-h3, 11.0.3-h3, 11.0.4* (including future releases) |
| 11.1 | 11.1.0-h2, 11.1.1 (including future releases) |

The upgrade to the fixed versions of PAN-OS is no different than any regular PAN-OS update. Consult PAN’s official forum post for the fixed version in your release train.
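When you have more than a handful of firewalls, the practical question is "which of my devices are already on a fixed build, and what is the smallest upgrade that gets the rest there?" The script below is an added example (not code from this article or from Palo Alto Networks) that answers that from a plain inventory of hostname/version pairs. The fixed-version data is taken from the table above; the inventory format (`hostname version` per line), the hostnames, and the rule that a later hotfix on the same base version also carries the fix are assumptions of this example and are marked as such in the comments. The same functions accept a different table, so the User-ID Agent / Terminal Server versions further down can be checked the same way.

```python
import re

# Fixed PAN-OS builds from the advisory's "Upgrading Devices" table, keyed by release train.
# A trailing "+" marks the entry the table lists as "(including future releases)".
# The advisory marks 11.0.4 with an asterisk it does not explain; it is kept here as listed.
FIXED_PANOS = {
    "8.1": ["8.1.21-h3", "8.1.25-h3", "8.1.26+"],
    "9.0": ["9.0.16-h7", "9.0.17-h5"],
    "9.1": ["9.1.11-h5", "9.1.12-h7", "9.1.13-h5", "9.1.14-h8", "9.1.16-h5", "9.1.17+"],
    "10.0": ["10.0.8-h11", "10.0.11-h4", "10.0.12-h5"],
    "10.1": ["10.1.3-h3", "10.1.4-h6", "10.1.5-h4", "10.1.6-h8", "10.1.7-h1", "10.1.8-h7",
             "10.1.9-h8", "10.1.10-h5", "10.1.11-h4", "10.1.12+"],
    "10.2": ["10.2.0-h2", "10.2.1-h1", "10.2.2-h4", "10.2.3-h11", "10.2.4-h10", "10.2.6-h1",
             "10.2.7-h3", "10.2.8+"],
    "11.0": ["11.0.0-h2", "11.0.1-h3", "11.0.2-h3", "11.0.3-h3", "11.0.4+"],
    "11.1": ["11.1.0-h2", "11.1.1+"],
}

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Return (major, minor, patch, hotfix) for a PAN-OS version string such as '10.1.9-h8'.
    A version without a -hN suffix gets hotfix 0 so tuples compare in release order."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_fixed(version, table=FIXED_PANOS):
    """True if `version` carries the certificate fix according to `table`.
    Matches: an exact listed build; a later hotfix on the same base version
    (ASSUMPTION of this example: hotfixes are cumulative); or any build at or
    above the train's '+' (future releases) entry. Unknown trains are not fixed."""
    v = parse_version(version)
    train = f"{v[0]}.{v[1]}"
    for entry in table.get(train, []):
        if entry.endswith("+"):
            if v >= parse_version(entry[:-1]):
                return True
        else:
            f = parse_version(entry)
            if v[:3] == f[:3] and v[3] >= f[3]:
                return True
    return False


def recommended_upgrade(version, table=FIXED_PANOS):
    """Smallest fixed build in the same release train at or above `version`.
    Returns None if the version is already fixed or the train has no such build
    (e.g. a 9.0 build newer than 9.0.17-h5, since the table lists no 9.0 'future releases')."""
    if is_fixed(version, table):
        return None
    v = parse_version(version)
    train = f"{v[0]}.{v[1]}"
    candidates = [e.rstrip("+") for e in table.get(train, [])]
    candidates = [c for c in candidates if parse_version(c) >= v]
    return min(candidates, key=parse_version) if candidates else None


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = """\
fw-edge-01 10.1.9-h7
fw-edge-02 10.1.9-h8
fw-dc-01 10.2.5
pan-01 11.1.1
fw-lab-01 9.0.18
"""


def triage(inventory_text, table=FIXED_PANOS):
    """Parse 'hostname version' lines and return a list of (host, version, action)."""
    results = []
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, ver = line.split()
        if is_fixed(ver, table):
            results.append((host, ver, "ok"))
        else:
            target = recommended_upgrade(ver, table)
            action = (f"upgrade to {target}" if target
                      else "no fixed build in this train; move to a newer release train")
            results.append((host, ver, action))
    return results


if __name__ == "__main__":
    for host, ver, action in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {ver:12} {action}")
```

Feed it the output of whatever inventory you already keep (Panorama's managed-device list exported to two columns works); devices reported as "ok" still need the Device Certificate and User-ID Agent checks in the sections that follow, since the PAN-OS build only addresses the certificates PAN-OS itself presents.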

Before upgrading, we always recommend taking a configuration backup from the device from Device > Setup > Operations > Configuration Management > Export Named Configuration Snapshot and exporting the running-config.xml file. This will allow you to restore the device configuration if there is an issue with the new version.

As always, we recommend failing over an HA pair before performing an upgrade. This ensures that there are no latent issues with the secondary device that could cause an extended outage after the primary device reboots to perform the upgrade.

Installing Device Certificates

NOTE: This may not apply to you as newer devices ship with a Device Certificate pre-installed. We still recommend reviewing all your devices to ensure that they have device certificates present.

We have observed newer generation firewalls (PA-4XX) that do not have Device Certificates pre-installed from the factory.

See PAN’s documentation:
Installing Device Certificates on Standalone Firewalls (10.2)
Installing Device Certificates on Panorama (10.2)
Installing Device Certificates on Log Collectors (10.2)

Upgrading User-ID Agents and Terminal Servers

| Release Train | Fixed Versions |
|---|---|
| 9.0 | 9.0.6 |
| 9.1 | 9.1.5 |
| 10.0 | 10.0.7 |
| 10.1 | 10.1.2 |
| 10.2 | 10.2.2 |
| 11.0 | 11.0.1 |

Consult PAN’s official forum post for the fixed version of the User-ID Agent and/or Terminal Server. Download the appropriate version from the PAN Support Portal and install it on the User-ID Agent and/or Terminal Server.

After installation, make sure that the User-ID Agent and/or Terminal Server is running and firewalls/Panorama show it as connected.