How to mitigate Panorama certificate expiry post-April 7th for Firewall in HA managed by Panorama in HA
Created On 03/28/24 00:21 AM - Last Modified 03/28/24 02:02 AM
Objective
This article provides a step-by-step procedure to mitigate the Panorama certificate expiry post-April 7th for HA firewalls managed by Panorama in HA.
Environment
- Panorama in High Availability
- NGFW Firewalls in High Availability.
- PAN-OS 9.1 or above
Procedure
- Confirm that the firewall is connected to both Panorama HA Peers.
- To verify this, execute the following command from the firewall CLI:
admin@PA-VM(active)> show panorama-status
Panorama Server 1 : 10.124.158.175
Connected : yes
HA state : Active
Panorama Server 2 : 10.124.158.160
Connected : yes
HA state : Passive
- If the latest content is already downloaded and installed on the Panorama HA pair, skip the download and install steps and go directly to disabling preemptive election (step 5).
- Download the latest content on the Primary-Active Panorama under Panorama > Dynamic Updates. If 'sync to HA' is chosen during the download, this action also downloads the content on the Secondary-Passive Panorama.
- Install the content on the Primary-Active Panorama under Panorama > Dynamic Updates. If you select 'sync to HA' during the installation, it will also be installed on the Secondary-Passive Panorama.
- On both Panorama HA peers, go to Panorama > High Availability and disable the preemptive election setting on each of them. This ensures that when the Primary-Active Panorama is rebooted, it does not return as Primary-Active.
- Reboot the Primary-Active Panorama.
- On the Secondary-Active Panorama, go to Panorama > Device Deployment > Dynamic Updates and download the latest content.
- On the Secondary-Active Panorama, go to Panorama > Device Deployment > Dynamic Updates and select the content to be installed. All managed firewalls, including the ones in HA, are listed here; the HA firewalls can be selected via "Group HA Peers" at the bottom. Both HA peers (Active and Passive) must be explicitly selected when installing the content. Once the installation is over, the following message is seen.
- Reboot the Passive firewalls from the Secondary-Active Panorama.
- Once the Primary-Active Panorama is back online as Primary-Passive, validate from the CLI, via the system log, that the certificate has been updated:
admin@panorama-ha1(primary-active)> show log system direction equal backward | match "Panorama"
00:05:32 info general general 0 MGMTPANHA1 Panorama certificate for Managing NGFW and log collectors has been successfully extended until 19-Nov-2033
- Once all managed Passive firewalls are back online, the certificate on each Passive firewall is updated. To validate it, use the CLI command below:
admin@PA-VM> show log system direction equal backward receive_time in last-15-minutes | match "Panorama"
01:39:14 info general general 0 Panorama certificate for Managing NGFW and log collectors has been successfully extended until 19-Nov-2033.
- Also validate that the connection between the Passive firewalls and the Primary-Passive Panorama is established.
- Note: If the firewalls do not establish the connection back to Panorama, they need to be investigated locally.
- Reboot the Active firewalls from the Secondary-Active Panorama. When the Active firewalls reboot, the Passive firewall in each pair takes over as Active.
- Once the Active firewalls are back online, the certificate on all of them is updated; validate from the CLI, via the system log, that the certificate has been updated.
- Also validate that the connection between the Active firewalls and the Primary-Passive Panorama is in the established state and that the firewall HA pairs are in sync.
- Note: If the firewalls don’t connect back to the Panorama, they need to be investigated locally.
- Reboot the Secondary-Active Panorama.
- Once the Secondary-Passive Panorama is back online, validate the certificate in the system log:
admin@panorama-ha2(secondary-passive)> show log system direction equal backward | match "Panorama"
00:43:30 info general general 0 MGMTPANHA2 Panorama certificate for Managing NGFW and log collectors has been successfully extended until 19-Nov-2033.
- Verify the connection between the Secondary-Passive Panorama and all managed firewalls; they should be in the "established" state.
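As an added example (not part of the original article), the following Python script checks the two CLI outputs the procedure relies on: it parses the text of `show panorama-status` to confirm that a firewall sees both Panorama peers as connected (the first step), and parses the system-log success message to confirm the certificate was extended beyond the April 7, 2024 expiry. The sample status output and log line are constructed to match the article; feed it the real CLI text captured from your devices.

```python
# Added example (not from the article): offline checks for the procedure above.
# Parses the text of `show panorama-status` and the system-log success line as
# shown in the article. The inputs below are constructed samples.
import re
from datetime import datetime, date

SAMPLE_STATUS = """\
Panorama Server 1 : 10.124.158.175
    Connected : yes
    HA state : Active
Panorama Server 2 : 10.124.158.160
    Connected : yes
    HA state : Passive
"""
SAMPLE_LOG = ("01:39:14 info general general 0 Panorama certificate for Managing NGFW "
              "and log collectors has been successfully extended until 19-Nov-2033.")
# Date the original Panorama-issued certificate expires, taken from the article title.
EXPIRY_CUTOFF = date(2024, 4, 7)

def parse_panorama_status(text):
    """Return {server_ip: {"connected": bool, "ha_state": str}} from the CLI output."""
    peers, current = {}, None
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key.startswith("Panorama Server"):
            current = value
            peers[current] = {"connected": False, "ha_state": "unknown"}
        elif current and key == "Connected":
            peers[current]["connected"] = value.lower() == "yes"
        elif current and key == "HA state":
            peers[current]["ha_state"] = value
    return peers

def both_peers_connected(text):
    """Pre-check from the first step: two Panorama peers, both connected."""
    peers = parse_panorama_status(text)
    return len(peers) == 2 and all(p["connected"] for p in peers.values())

def certificate_extended_until(log_line):
    """New expiry date from the success message, or None if the line is not a success."""
    m = re.search(r"successfully extended until (\d{2}-[A-Za-z]{3}-\d{4})", log_line)
    return datetime.strptime(m.group(1), "%d-%b-%Y").date() if m else None

def certificate_ok(log_line):
    """True only when an extension was logged and the new date is past the cutoff."""
    new_expiry = certificate_extended_until(log_line)
    return new_expiry is not None and new_expiry > EXPIRY_CUTOFF
```

Run `both_peers_connected` on the firewall's status output before starting, and `certificate_ok` on the matching system-log line from each Panorama and firewall after its reboot; a `False` from either is the cue to investigate that device locally, as the notes above say.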