Secure communication certificate between Palo Alto firewall and Panorama expiring in 3 months
Created On 05/17/24 03:20 AM - Last Modified 07/11/25 19:58 PM
Question
After successfully onboarding a Palo Alto firewall to Panorama using the Authentication Key, the secure communication certificate issued to the firewall is seen to be valid for only 3 months.
Will the connection be dropped after 3 months?
Panorama > show devices connected
Serial Hostname IPv4 IPv6 Connected
--------------------------------------------------------------------------
969856780331 PA-820 1.2.3.4 unknown yes
Wildfire Real-time Stream Disabled VPN Disable Mode: no
Operational Mode: normal
HA Cluster State: cluster-unknown
Certificate Status:
Certificate subject Name: 2dd89c4a-54c2-43cb-869e-2dd89c4aafe
Certificate expiry at: 2024/08/05 08:12:14 <-- certificate valid for 3 months
Connected at: 2024/05/04 17:12:45
Custom certificate Used: no
Virtual Systems:
vsys1(vsys1) shared policy md5sum:()
shared policy version:
Last masterkey push status: Unknown
Last masterkey push timestamp: none
Express mode: no
Device cert present : None
Device cert expiry date : N/A
Total Connected Devices: 1
Environment
PAN-OS 10.1
Answer
The secure communication certificate is valid for 3 months, and this is expected behaviour.
About 2 weeks prior to expiry, the firewall generates a new CSR and sends it to Panorama for signing, which renews the certificate without operator intervention; the firewall does not need to be re-onboarded with a new Authentication Key.
Sample firewall log (configd.log) showing the renewal, with the new device certificate taken into use on the last line:
2024-07-20 04:02:02.025 +0530 SC3: Certificate change notification (0->1)
2024-07-20 04:02:02.512 +0530 Warning: _cex_panos(sc3_utils.c:436): SC3: Device CSR set to '7a2f80b3-5706-4a4f-1234-e71b1b128baf'
2024-07-20 04:02:02.954 +0530 SC3: Device: '969856780331' will use SNI: '888d715d-1234-4e1b-aa54-1serf3e72ccae'
2024-07-20 04:02:02.955 +0530 Warning: sc3_processCerts(sc3_register.c:611): SC3: clearing CC
2024-07-20 04:02:03.112 +0530 SC3: Using new device cert: '7a2f80b3-5706-4a4f-1234-e71b1b128baf'
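The following is an added example, not code from the KB article or from Palo Alto Networks. It parses the `show devices connected` output and the configd.log excerpt shown above (both embedded below as constructed samples copied from this page) and reports, per serial, whether the certificate is fine, inside the 2-week renewal window, overdue for renewal, or expired. The 7-day "overdue" threshold and the timestamps used for "now" are assumptions chosen for the demonstration; the 2-week renewal window comes from the answer above.

```python
"""Check SC3 (secure communication) certificate expiry reported by Panorama.

Added example, not part of the KB article. Parses `show devices connected`
text and configd.log lines; the alert threshold is an assumption.
"""
import re
from datetime import datetime, timedelta

# Per the KB answer the firewall starts renewal about 2 weeks before expiry.
RENEWAL_WINDOW = timedelta(days=14)
# Assumption: with fewer than 7 days left and no renewal seen, the new cert
# should already be in use, so treat the renewal as failed and alert.
ALERT_THRESHOLD = timedelta(days=7)

# Constructed sample, copied from the article's `show devices connected` output.
SAMPLE_OUTPUT = """\
Serial Hostname IPv4 IPv6 Connected
--------------------------------------------------------------------------
969856780331 PA-820 1.2.3.4 unknown yes
Operational Mode: normal
Certificate Status:
Certificate subject Name: 2dd89c4a-54c2-43cb-869e-2dd89c4aafe
Certificate expiry at: 2024/08/05 08:12:14
Connected at: 2024/05/04 17:12:45
Custom certificate Used: no
Total Connected Devices: 1
"""

# Constructed sample, copied from the article's configd.log excerpt.
SAMPLE_LOG = """\
2024-07-20 04:02:02.025 +0530 SC3: Certificate change notification (0->1)
2024-07-20 04:02:02.512 +0530 Warning: _cex_panos(sc3_utils.c:436): SC3: Device CSR set to '7a2f80b3-5706-4a4f-1234-e71b1b128baf'
2024-07-20 04:02:02.954 +0530 SC3: Device: '969856780331' will use SNI: '888d715d-1234-4e1b-aa54-1serf3e72ccae'
2024-07-20 04:02:02.955 +0530 Warning: sc3_processCerts(sc3_register.c:611): SC3: clearing CC
2024-07-20 04:02:03.112 +0530 SC3: Using new device cert: '7a2f80b3-5706-4a4f-1234-e71b1b128baf'
"""

CLI_TS = "%Y/%m/%d %H:%M:%S"
DEVICE_RE = re.compile(r"^(\d{12})\s+(\S+)\s+(\S+)\s+(\S+)\s+(yes|no)$")
EXPIRY_RE = re.compile(r"^Certificate expiry at:\s+(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")
# Timestamp, timezone offset, then the SC3 message that confirms the new cert.
NEW_CERT_RE = re.compile(r"^(\S+ \S+) \S+ SC3: Using new device cert: '([0-9a-f-]+)'")


def parse_devices(text):
    """Return {serial: {"hostname", "connected", "expiry"}} from CLI output."""
    devices, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = DEVICE_RE.match(line)
        if m:  # a device row starts a new per-device section
            current = {"hostname": m.group(2), "connected": m.group(5) == "yes", "expiry": None}
            devices[m.group(1)] = current
            continue
        m = EXPIRY_RE.match(line)
        if m and current is not None:
            current["expiry"] = datetime.strptime(m.group(1), CLI_TS)
    return devices


def classify(expiry, now):
    """ok / renewal-window / renewal-overdue / expired relative to `now`."""
    if expiry is None:
        return "unknown"
    remaining = expiry - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining <= ALERT_THRESHOLD:
        return "renewal-overdue"
    if remaining <= RENEWAL_WINDOW:
        return "renewal-window"
    return "ok"


def check(cli_text, now_str):
    """Status per serial; `now_str` uses the same naive format as the CLI."""
    now = datetime.strptime(now_str, CLI_TS)
    return {serial: classify(d["expiry"], now) for serial, d in parse_devices(cli_text).items()}


def renewal_events(log_text):
    """Extract (timestamp, cert-id) for each 'Using new device cert' line."""
    return [(m.group(1), m.group(2)) for line in log_text.splitlines()
            if (m := NEW_CERT_RE.match(line.strip()))]


if __name__ == "__main__":
    for when in ("2024/05/17 03:20:00", "2024/07/25 00:00:00", "2024/08/01 00:00:00", "2024/08/06 00:00:00"):
        print(when, check(SAMPLE_OUTPUT, when))
    print(renewal_events(SAMPLE_LOG))
```

Note that in the article's own log the new certificate is taken into use on 2024-07-20, about 16 days before the 2024-08-05 expiry, so the "2 weeks" figure is approximate; a monitoring job should therefore alert on the absence of a `Using new device cert` line once the expiry is close, rather than on the exact day the window opens.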