How to identify and re-onboard Dedicated Log Collectors that are using legacy certificates prior to 11.1 upgrade

Created On 06/05/25 14:58 PM - Last Modified 07/11/25 19:54 PM


Objective


To identify Dedicated Log Collectors that are using legacy certificates for Panorama communication and re-onboard them. 

This is a pre-requisite for upgrading Panorama and Log Collectors to PAN-OS 11.1 and above.

  1. Identify Dedicated log collectors that were onboarded to Panorama on 10.0 or earlier and are currently using legacy certificates for Panorama communication.
  2. Re-onboard affected Dedicated Log Collectors using an Auth Key to migrate to current certificates.
  3. Verify re-onboarding is successful.


Environment


  • Panorama
    • 11.0 or lower
    • Planning upgrade to 11.1 or higher
  • Log Collector
    • 11.0 or lower 
    • Onboarded to Panorama on 10.0 or lower

Procedure


  1. Identify the Log Collectors using legacy certificates for securing Panorama communication 
    1. On Panorama CLI, issue the command:
      > show log-collector all
    2. Under each Log Collector entry, check the "Certificate subject Name" for one of three possible formats:
      • Serial number of LC
        • Format: Decimal number XXXXXXXXXXXX
        • Example output:
          012345678901 2 log-collector1 yes In Sync 10.2.10-h9 10.1.1.1 - unknown
          Certificate subject Name: 012345678910
          Result: Legacy certificate in use. Must re-onboard.
      • UUID
        • Format: Hexadecimal number XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
        • Example output:
          012345678901 2 log-collector1 yes In Sync 10.2.10-h9 10.1.1.1 - unknown
          Certificate subject Name: 01234567-89ab-cdef-0123-456789abcdef
          Result: New certificate in use.  No action required.
      • Blank
        • Example output:
          012345678901 2 log-collector1  yes In Sync 10.2.10-h9 10.1.1.1 - unknown
          Certificate subject Name:
          Result: This is the local log collector.  No action required.
  2. Re-onboard Log Collectors that have been identified as using legacy certificate
    1. On Panorama generate a new Auth Key
      1. Navigate to: Panorama -> Device Registration Auth Key
      2. Click Add
        1. Enter a name
        2. Set the "Lifetime" to a value greater than the default of 1 minute, e.g. 1 day
        3. Set the "Count" to the number of Log Collectors to re-onboard
        4. Set the "Device Type" to Log Collector
        5. Enter the serial numbers of the Log Collectors to re-onboard
        6. Click OK
      3. Click Copy Auth Key
    2. On each Log Collector to be re-onboarded:
      1. Set the new Auth Key
        > request authkey set <authkey>
      2. Restart the Management Server
        > debug software restart process management-server
  3. Verify that Log Collectors have re-onboarded successfully
    1. For each log collector that has been re-onboarded, on Panorama issue the command:
      > show log-collector <serial_number_of_log_collector>
    2. Check the "Certificate subject Name" is now in UUID format
      • Format: Hexadecimal number XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
      • Example output:
        012345678901 2 log-collector1 yes In Sync 10.2.10-h9 10.1.1.1 - unknown
        Certificate subject Name: 01234567-89ab-cdef-0123-456789abcdef
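
The classification in steps 1 and 3 can be done against the CLI output pasted into a file rather than by eye. The Python script below is an added example, not part of this knowledge base article and not PAN-OS or Panorama code. It assumes the column layout shown in the example output above (serial, CID, hostname, then the remaining columns) and the three "Certificate subject Name" formats the article lists; the sample output it parses is constructed for the example, not captured from a real Panorama.

```python
import re
from typing import List, Optional

# Subject-name formats from step 1 of the article.
UUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
DECIMAL_RE = re.compile(r"^[0-9]+$")
# First line of each entry: serial, CID, hostname, then the remaining columns.
# Column layout is assumed from the article's example output lines.
ENTRY_RE = re.compile(r"^(?P<serial>\d{6,})\s+\d+\s+(?P<hostname>\S+)\s+")
SUBJECT_RE = re.compile(r"^\s*Certificate subject Name:\s*(?P<subject>\S*)\s*$")

# Constructed sample of `show log-collector all` output (not captured from a
# real Panorama): one entry per subject-name format named in the article.
SAMPLE_BEFORE = """\
012345678901 2 log-collector1 yes In Sync 10.2.10-h9 10.1.1.1 - unknown
Certificate subject Name: 012345678901
012345678902 3 log-collector2 yes In Sync 10.2.10-h9 10.1.1.2 - unknown
Certificate subject Name: 01234567-89ab-cdef-0123-456789abcdef
012345678903 1 panorama-local yes In Sync 10.2.10-h9 10.1.1.3 - unknown
Certificate subject Name:
"""

# Constructed `show log-collector 012345678901` output after re-onboarding.
SAMPLE_AFTER = """\
012345678901 2 log-collector1 yes In Sync 10.2.10-h9 10.1.1.1 - unknown
Certificate subject Name: fedcba98-7654-3210-fedc-ba9876543210
"""


def classify_subject(subject: str) -> str:
    """Map a Certificate subject Name value to the article's three outcomes."""
    if subject == "":
        return "local"       # blank: the local log collector, no action required
    if UUID_RE.match(subject):
        return "current"     # UUID: new certificate already in use
    if DECIMAL_RE.match(subject):
        return "legacy"      # decimal serial: legacy certificate, must re-onboard
    return "unknown"         # not one of the documented formats: inspect by hand


def parse_log_collectors(text: str) -> List[dict]:
    """Pair each Log Collector entry line with its Certificate subject Name."""
    entries: List[dict] = []
    current: Optional[dict] = None
    for line in text.splitlines():
        entry = ENTRY_RE.match(line)
        if entry:
            current = {"serial": entry["serial"], "hostname": entry["hostname"],
                       "subject": None, "status": "unknown"}
            entries.append(current)
            continue
        subj = SUBJECT_RE.match(line)
        if subj and current is not None and current["subject"] is None:
            current["subject"] = subj["subject"]
            current["status"] = classify_subject(subj["subject"])
    return entries


def collectors_needing_reonboard(text: str) -> List[str]:
    """Serials to re-onboard (step 2); its length is the Auth Key 'Count'."""
    return [e["serial"] for e in parse_log_collectors(text) if e["status"] == "legacy"]


def verify_reonboarded(text: str, serial: str) -> bool:
    """Step 3 check: the named collector now reports a UUID-format subject name."""
    return any(e["serial"] == serial and e["status"] == "current"
               for e in parse_log_collectors(text))


if __name__ == "__main__":
    for e in parse_log_collectors(SAMPLE_BEFORE):
        print(f"{e['serial']} {e['hostname']:<16} subject={e['subject']!r:<40} {e['status']}")
    print("re-onboard:", collectors_needing_reonboard(SAMPLE_BEFORE))
    print("012345678901 re-onboarded:", verify_reonboarded(SAMPLE_AFTER, "012345678901"))
```

Feed the script the saved output of `show log-collector all` before step 2 to get the list of serials (and the "Count") for the Auth Key, and the output of `show log-collector <serial>` after step 2 to confirm each collector now carries a UUID subject name. An entry that classifies as "unknown" is not one of the three formats the article documents and should be reviewed manually rather than assumed safe.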


Additional Information


This procedure is a pre-requisite for upgrading Panorama and Log Collectors to 11.1 as per the Upgrade/Downgrade Considerations document.
