Intermediate Certificate Authority Expiry impacting WF-500 WildFire Private Cloud and URL Filtering Private Cloud appliances
11867
Created On 12/22/21 20:56 PM - Last Modified 12/22/21 23:49 PM
Symptom
An intermediate CA used by PAN-OS to authenticate to the WildFire Private Cloud appliance (WF-500) and the URL Filtering Private Cloud appliances (M-500 and M-600 in Private URL Filtering Cloud mode) expires on Dec 31st 2021. Palo Alto Networks has released Emergency Content Version 8507-7146 in order to update the certificate used by PAN-OS to authenticate to these private cloud appliances.
Customers using either the WF-500 WildFire Private Cloud or URL Filtering Private Cloud appliances MUST TAKE ACTION by Dec 30, 2021, or PAN-OS devices (including hardware firewalls, VM and CN series) will be unable to connect to WF-500 and URL Filtering private cloud appliances, effectively disabling these security appliances.
Note: This is the copy of advisory posted on Live Community
Environment
Impacted products:
- URL Filtering Private Cloud appliances (M-500 and M-600 in URL Filtering Private Cloud mode)
- Private Cloud WildFire appliance (WF-500)
Cause
An intermediate CA used by PAN-OS to authenticate to the WildFire Private Cloud appliance (WF-500) and the URL Filtering Private Cloud appliances (M-500 and M-600 in Private URL Filtering Cloud mode) expires on Dec 31st 2021. This expired certificate causes the above issue.
Resolution
Upgrade to Content Version 8507-7146 or later:
Customers using the WildFire Private Cloud appliance (WF-500) or the URL Filtering Private Cloud appliance (M-500 and M-600 in Private URL Filtering Cloud mode) are impacted and must take action before Dec 30, 2021, in order to avoid service disruption of these private cloud appliances. Palo Alto Networks has released Emergency Content Version 8507-7146 in order to update the certificate used by PAN-OS to authenticate to these private cloud appliances.
PAN-OS devices configured to automatically install content updates will download this content update and address this issue with no further action required. Customers that use an alternate or manual update process will need to ensure that Emergency Content Version 8507-7146 (or later) content is installed on all PAN-OS devices using private cloud WildFire and URL Filtering appliances before Dec 30, 2021.
To confirm you are running the required content version on PAN-OS devices (Emergency Content Version 8507-7146), follow the instructions from this article: Tips for Managing Content Updates.
Customers that use an alternate or manual update process MUST TAKE ACTION to ensure that Emergency Content Version 8507-7146 (or later) is installed on all PAN-OS devices that connect to WildFire Private Cloud appliance (WF-500) or the URL Filtering Private Cloud appliances (M-500 and M-600) in Private URL Filtering Cloud mode) before Dec 30, 2021, to avoid private cloud service disruption. To manually install the required content updates on PAN-OS devices, please follow instruction from the CUSTOMER SUPPORT PORTAL (CSP) section part of the Tips for Managing Content Updates.
Additionally, customers leveraging the global cloud verdict check functionality on their WildFire Private Cloud appliance (WF-500) will have to install WildFire content update version 1902-2114, which is scheduled to be released at 4:00 a.m. PST on Dec 22, 2021. To install this content version automatically from the appliance, please follow the steps here. Customers with a WildFire appliance that does not have direct connectivity to the Palo Alto Networks Update Server can follow the steps here.
Please reach out to Customer Support if you need any support or have questions
Additional Information
Here are the Symptoms seen in Logs:
- Error message "Wildfire-auth-failed: "WildFire registration failed.Authentication or Client Certificate failure." is seen in Logs.
- Checking the Varrcvr.log using ( less mp-log varrcvr.log) displays "SSL certificate error"
- "show wildfire status channel private" displays "Global status: Server busy or error. Retry later."