如何在 11.1 升级之前识别并重新加入使用旧证书的专用日志收集器

如何在 11.1 升级之前识别并重新加入使用旧证书的专用日志收集器

3151
Created On 06/05/25 14:58 PM - Last Modified 07/11/25 19:54 PM


Objective


识别使用旧版证书进行 Panorama 通信的专用日志收集器并重新登录它们。这是将 Panorama 和日志收集器升级到 PAN OS 11.1 及更高版本的先决条件。

  1. 识别在 10.0 或更早版本中加入 Panorama 且当前正在使用旧证书进行 Panorama 通信的专用日志收集器。
  2. 使用授权密钥重新加入受影响的专用日志收集器以迁移到当前证书。
  3. 验证重新入职是否成功。

Environment


  • 全景
    • 11.0 或更低版本
    • 计划升级到 11.1 或更高版本
  • 日志收集器
    • 11.0 或更低版本
    • 在 10.0 或更低版本上加入 Panorama

Procedure


  1. Identify the Log Collectors using legacy certificates for securing Panorama communication
    1. On Panorama, issue the command:
      > show log-collector all
    2. Under each Log Collector entry, check the "Certificate subject Name" for one of three possible formats:
      • Serial number of LC
        • Format: Decimal number XXXXXXXXXXXX
        • Example output:
          012345678901 2 log-collector1 yes In Sync 10.2.10-h9 10.1.1.1 - unknown
Certificate subject Name: 012345678910
          Result: Legacy certificate in use. 必須重新登機。
      • UUID
        • Format: Hexadecimal number XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
        • Example output:
          012345678901 2 log-collector1 yes In Sync 10.2.10-h9 10.1.1.1 - unknown
Certificate subject Name: 01234567-89ab-cdef-0123-456789abcdef
          Result: New certificate in use. 无需采取任何行动。
      • Blank
        • Example output:
          012345678901 2 log-collector1  yes In Sync 10.2.10-h9 10.1.1.1 - unknown
Certificate subject Name:
          Result: This is the local log collector. 无需采取任何行动。
  2. Re-onboard Log Collectors that have been identified as using legacy certificate
    1. 在 Panorama 上生成新的 Auth Key
      1. 导航至:Panorama -> 设备注册授权密钥
      2. 单击“添加”
        1. 输入名称
        2. 将“生命周期”设置为大于默认1 分钟的值。例如 1 天
        3. 将“计数”设置为要重新加入的日志收集器的数量
        4. 将“设备类型”设置为日志收集器
        5. 输入要重新登录的日志收集器的序列号
        6. 单击“OK”
      3. 点击复制授权密钥
    2. On each Log Collector to re-onboarded
      1. Set the new Auth Key
        > request authkey set <authkey>
      2. Restart the Management Server
        > debug software restart process management-server
  3. Verify that Log Collectors have re-onboarded successfully
    1. For each log collector that has been re-onboarded, on Panorama issue the command:
      > show log-collector <serial_number_of_log_collector>
    2. Check the "Certificate subject Name" is now in UUID format
      • Format: Hexadecimal number XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
      • Example output:
        012345678901 2 log-collector1 yes In Sync 10.2.10-h9 10.1.1.1 - unknown
Certificate subject Name: 01234567-89ab-cdef-0123-456789abcdef



              
Additional Information

根据升级/降级注意事项文档,此过程是将 Panorama 和日志收集器升级到 11.1 的先决条件。




        
       
      





      

        
        
        

    

    

    

      

        
Other users also viewed:

        

             

               
              

        

    

        

        
        

          
Actions

          
    
           
            
            
            
  • 
                Print
            
    • 
            
  • 
            
    • 
            
  • 
              Copy Link
                
                
    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA1Ki000000k9oMKAQ&lang=zh_CN&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail
    
            
    • 
          

        
 

        

         
        

          

            
Choose Language