How to mitigate Panorama certificate expiry post-April 7th for non-HA firewalls managed by HA Panorama
Created On 03/28/24 01:04 AM - Last Modified 03/28/24 01:58 AM
Objective
This article provides a step-by-step procedure to mitigate the Panorama certificate expiry on April 7, 2024 for non-HA firewalls that are managed by a Panorama High Availability pair.
Environment
- Panorama in High Availability
- Non-HA Firewalls.
- PAN-OS 9.1 or above
Procedure
- Confirm that the firewall is connected to both Panorama HA peers by running the following command from the firewall CLI (both peers must show Connected : yes):
admin@PA-VM(active)> show panorama-status
Panorama Server 1 : 10.124.158.175
Connected : yes
HA state : Active
Panorama Server 2 : 10.124.158.160
Connected : yes
HA state : Passive
- If the latest content is already downloaded and installed on both Panorama HA peers, skip the download and install steps below and proceed directly to disabling preemption.
- Download the latest content on the Primary-Active Panorama under Panorama > Dynamic Updates. If 'Sync to HA' is selected during the download, the content is also downloaded to the Secondary-Passive Panorama.
- Install the content on the Primary-Active Panorama under Panorama > Dynamic Updates. If 'Sync to HA' is selected during the installation, the content is also installed on the Secondary-Passive Panorama.
- On both Panorama HA peers, go to Panorama > High Availability and disable the preemptive election setting. This ensures that when the Primary-Active peer is rebooted it comes back as Primary-Passive instead of taking the active role back from the Secondary, so the Secondary stays active while it pushes content to the firewalls.
- Reboot Primary-Active Panorama.
- On the Secondary-Active Panorama, go to Panorama > Device Deployment > Dynamic Updates and download the latest content.
- On the Secondary-Active Panorama, go to Panorama > Device Deployment > Dynamic Updates and install the latest content, selecting the managed firewalls.
- Once the content is successfully installed on all the non-HA firewalls, reboot them from the Secondary-Active Panorama CLI, passing the serial numbers of the managed firewalls:
admin@panorama-ha2(secondary-active)> request batch reboot devices 007099000021287,012001076865
All devices rebooted
007099000021287
PA-VM
Successfully rebooted
012001076865
PA-820
Successfully rebooted
admin@panorama-ha2(secondary-active)>
- Once the Primary Panorama (now Primary-Passive, since preemption is disabled) is back online, validate from its CLI that the certificate has been extended:
admin@panorama-ha1(primary-active)> show log system direction equal backward | match "Panorama"
00:05:32 info general general 0 MGMTPANHA1 Panorama certificate for Managing NGFW and log collectors has been successfully extended until 19-Nov-2033
- Once all the firewalls are back online, validate the certificate on each firewall; the system log should show the extension:
admin@PA-VM> show log system direction equal backward receive_time in last-15-minutes | match "Panorama"
01:39:14 info general general 0 Panorama certificate for Managing NGFW and log collectors has been successfully extended until 19-Nov-2033.
- Check the connections between the Primary-Passive Panorama and all the firewalls to ensure the connection state is established (on each firewall, show panorama-status should report Connected : yes for both Panorama servers).
- Now proceed to reboot the Secondary-Active Panorama.
- Once the Secondary-Passive Panorama is back online, ensure the certificates are updated with the CLI command below.
admin@panorama-ha2(secondary-passive)> show log system direction equal backward | match "Panorama"
00:43:30 info general general 0 MGMTPANHA2 Panorama certificate for Managing NGFW and log collectors has been successfully extended until 19-Nov-2033.
- Check the connections between the Secondary-Passive Panorama and all the firewalls to ensure the connection state is established (on each firewall, show panorama-status should again report Connected : yes for both Panorama servers). If preemption was enabled before you disabled it in the step above, restore the original setting on both peers once both are back online.
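When many firewalls are managed by the pair, the two CLI checks above (both Panorama peers connected, and the "extended until" entry present in the system log) are tedious to eyeball one firewall at a time. The following is an added verification helper written for this article; it is not Palo Alto Networks code. It parses the text of `show panorama-status` and of the filtered `show log system` output exactly as they appear above, and flags a firewall that still has a disconnected peer or no certificate-extension log entry. The sample outputs are constructed from the article's own examples, and the function names and the `CERT_EXPIRY` constant are this example's own.

```python
"""Post-procedure verification for a firewall managed by an HA Panorama pair.

Added example, not Palo Alto Networks code. Parses the text output of the
two PAN-OS CLI commands used in the procedure above:

    show panorama-status
    show log system direction equal backward receive_time in last-15-minutes | match "Panorama"

and reports whether (a) both Panorama HA peers are connected and (b) the
firewall logged the certificate extension with a date beyond the April 7,
2024 expiry. Sample outputs below are constructed from the article's examples.
"""
import re
from datetime import date, datetime
from typing import Dict, List, Optional

# Constructed sample: mirrors the article's `show panorama-status` output.
SAMPLE_STATUS = """\
Panorama Server 1 : 10.124.158.175
Connected : yes
HA state : Active
Panorama Server 2 : 10.124.158.160
Connected : yes
HA state : Passive
"""

# Constructed sample: same firewall while the second peer is still rebooting.
SAMPLE_STATUS_DEGRADED = SAMPLE_STATUS.replace(
    "Connected : yes\nHA state : Passive", "Connected : no\nHA state : Passive"
)

# Constructed sample: the firewall's system log line from the article.
SAMPLE_LOG = """\
01:39:14 info general general 0 Panorama certificate for Managing NGFW and log collectors has been successfully extended until 19-Nov-2033.
"""

# Expiry date of the original Panorama certificate (assumption named in the lead-in).
CERT_EXPIRY = date(2024, 4, 7)

_SERVER_RE = re.compile(r"^\s*Panorama Server\s+(\d+)\s*:\s*(\S+)")
_CONNECTED_RE = re.compile(r"^\s*Connected\s*:\s*(\w+)")
_HA_STATE_RE = re.compile(r"^\s*HA state\s*:\s*(\S+)")
_EXTENDED_RE = re.compile(r"extended until\s+(\d{1,2}-[A-Za-z]{3}-\d{4})")


def parse_panorama_status(text: str) -> List[Dict[str, object]]:
    """Return one record per Panorama peer listed in `show panorama-status`."""
    peers: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = _SERVER_RE.match(line)
        if m:
            peers.append({"server": int(m.group(1)), "ip": m.group(2),
                          "connected": False, "ha_state": None})
            continue
        if not peers:
            continue  # any header text before the first peer block
        m = _CONNECTED_RE.match(line)
        if m:
            peers[-1]["connected"] = m.group(1).lower() == "yes"
            continue
        m = _HA_STATE_RE.match(line)
        if m:
            peers[-1]["ha_state"] = m.group(1)
    return peers


def parse_cert_extension(log_text: str) -> Optional[date]:
    """Return the 'extended until' date from the system log, or None if absent."""
    for line in log_text.splitlines():
        m = _EXTENDED_RE.search(line)
        if m:
            return datetime.strptime(m.group(1), "%d-%b-%Y").date()
    return None


def verify_firewall(status_text: str, log_text: str) -> Dict[str, object]:
    """Combine both checks; `ok` is True only when nothing needs attention."""
    problems: List[str] = []
    peers = parse_panorama_status(status_text)
    if len(peers) != 2:
        problems.append(f"expected 2 Panorama peers, found {len(peers)}")
    for p in peers:
        if not p["connected"]:
            problems.append(f"Panorama Server {p['server']} ({p['ip']}) not connected")
    valid_until = parse_cert_extension(log_text)
    if valid_until is None:
        problems.append("no 'Panorama certificate ... extended until' entry in system log")
    elif valid_until <= CERT_EXPIRY:
        problems.append(f"certificate only valid until {valid_until}")
    return {"ok": not problems, "peers": peers,
            "valid_until": valid_until, "problems": problems}


if __name__ == "__main__":
    for label, status in (("healthy", SAMPLE_STATUS), ("degraded", SAMPLE_STATUS_DEGRADED)):
        r = verify_firewall(status, SAMPLE_LOG)
        print(label, "OK" if r["ok"] else "PROBLEMS: " + "; ".join(r["problems"]))
```

In practice you would feed `verify_firewall` the two command outputs captured from each firewall (for example over SSH) and only revisit the firewalls whose `problems` list is non-empty; the degraded sample shows the kind of result to expect while one Panorama peer is still rebooting.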