We are sending this notice on behalf of Palo Alto Networks because we feel that this issue requires immediate planning by customers using Panorama.
Palo Alto Networks firewalls communicate with Panorama and log collectors over a secure channel. For Panorama versions prior to PAN-OS 8.0, the signing CA certificate used to issue the server certificate on Panorama and log collectors that authenticates this communication will expire on Friday, June 16, 2017. After the signing CA expires, PAN-OS devices will no longer be able to authenticate the Panorama connection, which will cause communication with Panorama to fail. To mitigate the impact of this issue, customers should upgrade their Panorama/log collector software to the maintenance releases listed below before Friday, June 16, 2017. This will allow an update of the validity period of that root CA.
The certificate upgrade will be handled automatically when installing a maintenance release equal to or greater than the releases noted below:
- Panorama / Log Collector version 7.1.9 (available now)
- Panorama / Log Collector version 7.0.15 (Estimated release week of April 10, 2017)
- Panorama / Log Collector version 6.1.17 (Estimated release week of April 24, 2017)
NOTE: Panorama and log collectors running 8.0 are not affected by this certificate expiration issue. Firewalls, WF-500 devices, and M-500s running in PAN-DB mode are also not affected by this issue and do not require software updates.
We sincerely apologize for any inconvenience this upgrade may cause and thank you in advance for your understanding. We are actively taking steps to prevent this certificate expiration issue from recurring in the future. Should you have any questions, please don’t hesitate to reach out to your support provider or the Palo Alto Networks Support Team at https://support.paloaltonetworks.com.
- Do I need to upgrade Panorama and the log collectors, or is there a workaround?
  - At this time customers must upgrade Panorama and the log collectors to the release versions listed in the above post before Friday, June 16, 2017 in order to mitigate this issue.
- Do I need to upgrade my firewalls?
  - No, you do not need to upgrade the PAN-OS version on your firewalls; only Panorama and log collectors need to be upgraded. The Panorama version should be higher than or equal to the highest version of PAN-OS deployed in your environment. Please note: although the PA-7000 Series behaves like a log collector, it is not affected by this issue.
- Does this certificate expiration affect all types of Panorama and log collectors?
  - Yes, it impacts appliance-based (M-100 and M-500) Panorama and log collectors, as well as the virtual Panorama. Please note, M-500 appliances running in PAN-DB mode are not affected.
- What actions do I need to take?
  - Please upgrade your Panorama devices and the log collectors in your environment to the maintenance release versions listed in the above post before Friday, June 16, 2017.
- What would happen if I didn’t upgrade?
  - Without upgrading to a maintenance release where the certificate expiration issue is resolved, your firewalls will cease to communicate with Panorama and the log collectors on Friday, June 16, 2017. As a result, there will be no management of devices from Panorama, pushing of configuration from Panorama or log collection to the Panorama infrastructure. To mitigate this, please upgrade your Panorama/log collector software to the maintenance releases listed above, which have resolved this certificate expiration issue, before Friday, June 16, 2017.
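For upgrade planning, the release list and exemptions in this notice can be applied to a device inventory. The script below is an added example, not Palo Alto Networks code: the role labels, device names and sample inventory are constructed, and it assumes versions are written as `major.minor.maintenance` with an optional `-hN` hotfix suffix, which is ignored when comparing.

```python
import re

# Minimum fixed maintenance release per branch, as listed in the notice.
FIXED = {(7, 1): 9, (7, 0): 15, (6, 1): 17}
# Roles that carry the expiring certificate (role labels are assumptions).
AFFECTED_ROLES = {"panorama", "log-collector"}

def parse_version(text):
    """Parse 'major.minor.maint'; an optional '-hN' suffix is ignored."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h\d+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g) for g in m.groups())

def triage(role, version):
    """Return 'not-affected', 'ok' or 'upgrade' for one device."""
    if role not in AFFECTED_ROLES:
        return "not-affected"      # firewalls, WF-500, M-500 in PAN-DB mode
    major, minor, maint = parse_version(version)
    if major >= 8:
        return "not-affected"      # 8.0 is not affected per the notice
    floor = FIXED.get((major, minor))
    # A branch with no listed fix (e.g. 6.0) must move to a listed release.
    if floor is None or maint < floor:
        return "upgrade"
    return "ok"

def plan(inventory):
    """Return ({device: status}, lagging); lagging is True when any
    Panorama runs a lower version than the newest firewall."""
    result = {name: triage(role, ver) for name, role, ver in inventory}
    fw = [parse_version(v) for _, r, v in inventory if r == "firewall"]
    pano = [parse_version(v) for _, r, v in inventory if r == "panorama"]
    lagging = bool(fw and pano and min(pano) < max(fw))
    return result, lagging

# Constructed sample inventory: (name, role, version).
SAMPLE = [
    ("pano-1", "panorama", "7.1.8"),
    ("lc-1", "log-collector", "7.0.15"),
    ("lc-2", "log-collector", "6.0.12"),
    ("pano-2", "panorama", "8.0.1"),
    ("fw-1", "firewall", "7.1.7"),
    ("pandb-1", "m500-pandb", "7.1.5"),
]

if __name__ == "__main__":
    statuses, lagging = plan(SAMPLE)
    for name, status in statuses.items():
        print(f"{name}: {status}")
    print("Panorama older than newest firewall:", lagging)
```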