How To Check the Root Certificate Used for User-id Agent (without custom certificates in use)

Created On 09/25/24 16:32 PM - Last Modified 12/07/24 01:56 AM


Objective


  • These steps allow TAC to verify the root certificate the firewall uses to communicate with the User-ID Agent. They apply to the default User-ID configuration, without custom certificates in use.
  • The default User-ID Agent certificate is self-signed and is updated when Palo Alto Networks includes a new certificate in the User-ID Agent software installed on the Windows server.
  • An example of this is upgrading the User-ID Agent to a version listed in this document below under the column 'Minimum Target Upgrade Versions for NGFWs, Panorama' within 'Table 1: PAN-OS Hotfixes and Updated Agents'.
  • Prior to upgrading the User-ID Agent to one of these 'Minimum Target Upgrade Versions', the expiration date of the User-ID Agent certificate is 18-Nov-2024 18:50:33 UTC, as seen in the Wireshark capture below, taken from a non-patched User-ID Agent on the Windows domain server running the agent:

  • After upgrading the User-ID Agent to one of these 'Minimum Target Upgrade Versions', the expiration date of the User-ID Agent certificate is 01-Jan-2032 04:00:00 UTC.
  • Refer to the Procedure section below for what the updated User-ID certificate looks like and for the steps to verify it.

 



Environment


  • Palo Alto Networks firewalls
  • PAN-OS 10.1 and above
  • User-ID Agent


Procedure


STEP 1

On the Windows server itself, set up a Wireshark capture using the filter 'host <IP>', where <IP> is the address of the firewall interface used to communicate with the User-ID Agent. In this example the firewall interface IP is 10.22.3.5, so the Wireshark filter is 'host 10.22.3.5':



STEP 2

This step forces a new TLS handshake so that the certificate is captured in Wireshark as the User-ID Agent connects back to the firewall.

NOTE:  Restart of the User ID agent service may cause a brief interruption. If required, perform the action during a maintenance window.

Next, restart the User-ID Agent to force a new connection to the firewall so that the certificate is captured in the TLS/SSL handshake. First click 'Stop', then click 'Start' (while the Wireshark capture is running):


STEP 3

To display the User-ID Agent certificate details for one of the 'Minimum Target Upgrade Versions' in Wireshark: after restarting the User-ID Agent (Step 2 above), you will be able to locate and display the certificate details as seen below and verify that the User-ID Agent certificate has been updated:

 

NOTE: 

  • Notice the Common Name of the new certificate is now 'User-ID Agent 1'.
  • Notice the expiration date has also been updated, as seen next to the red arrow above.
  • During the Wireshark capture there will be other certificates in the flow. An easy way to find all of the certificates in the capture is to use the Wireshark display filter tls.handshake.type == 11.
  • This shows multiple lines with certificates. You'll need to check each one of them to find the User-ID Agent 1 certificate:

In the output above we can now verify that the validity period of the User-ID root certificate is in fact:

Not Before: Sep 1 05:14:57 2022 GMT
Not After : Jan 1 05:14:57 2032 GMT <<<<< New Expiration Date <<<<<<

NOTE: For reference, the certificate can be exported from Wireshark by right-clicking the certificate item in the Packet Details pane as seen below, clicking Export Packet Bytes, and saving the file as a .CER.

The certificate can now be displayed by opening the file in the Windows file manager:
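Rather than reading the fields by eye, the exported .CER can also be checked from a shell with openssl. The script below is an added example, not part of this article or of Palo Alto Networks' tooling; it assumes openssl is on the PATH, and the two self-signed certificates it builds for the demo are constructed stand-ins, not real agent certificates.

```shell
#!/bin/sh
# Added example (not from the Palo Alto Networks article): check an exported User-ID Agent
# certificate (the .CER saved with "Export Packet Bytes") from the command line instead of
# reading the fields by eye in Wireshark. Assumes openssl is on PATH.

# Print "<Common Name>|<notAfter>" for a certificate file.
# $1 = path, $2 = DER (default; what Wireshark exports) or PEM. Returns 2 if unreadable.
cert_cn_and_expiry() {
  f=$1; form=${2:-DER}
  info=$(openssl x509 -in "$f" -inform "$form" -noout -subject -enddate -nameopt RFC2253 2>/dev/null) || return 2
  cn=$(printf '%s\n' "$info" | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
  end=$(printf '%s\n' "$info" | sed -n 's/^notAfter=//p')
  printf '%s|%s\n' "$cn" "$end"
}

# Apply the article's check: the updated agent certificate has CN "User-ID Agent 1" and a
# notAfter in 2032 or later; an earlier expiry means the pre-upgrade certificate is still in use.
userid_cert_verdict() {
  info=$(cert_cn_and_expiry "$1" "${2:-DER}") || { echo unreadable; return 2; }
  cn=${info%%|*}; end=${info#*|}
  year=$(printf '%s\n' "$end" | awk '{print $4}')   # "Jan  1 05:14:57 2032 GMT" -> 2032
  if [ "$cn" = "User-ID Agent 1" ] && [ "${year:-0}" -ge 2032 ]; then
    echo updated
  else
    echo not-updated
  fi
}

# Constructed, throwaway self-signed certificate so the check can be exercised offline.
# $1 = output PEM path, $2 = CN, $3 = validity in days (the private key is written next to it).
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -subj "/CN=$2" -days "$3" >/dev/null 2>&1
}

case "${1:-}" in
  --demo)  # build a "new" and an "old" demo certificate and classify both
    d=$(mktemp -d)
    make_demo_cert "$d/new.pem" "User-ID Agent 1" 3650
    openssl x509 -in "$d/new.pem" -outform DER -out "$d/new.cer"   # same form as the exported .CER
    make_demo_cert "$d/old.pem" "demo-old-agent" 30
    echo "new.cer: $(cert_cn_and_expiry "$d/new.cer") -> $(userid_cert_verdict "$d/new.cer")"
    echo "old.pem: $(cert_cn_and_expiry "$d/old.pem" PEM) -> $(userid_cert_verdict "$d/old.pem" PEM)"
    rm -rf "$d" ;;
  "") ;;                                       # no arguments: define the functions only
  *) userid_cert_verdict "$1" "${2:-DER}" ;;   # e.g. ./check_userid_cert.sh agent.cer
esac
```

Run it as `./check_userid_cert.sh agent.cer` against the file exported from Wireshark, or with `--demo` to see both outcomes on the constructed certificates.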

 


