Focus

Prisma Access

INC_CERTIFICATE_EXPIRY

Table of Contents

Prisma Access Incidents

INC_GP_CLIENT_VERSION_UNSUPPORTED

Learn about the INC_CERTIFICATE_EXPIRY incident.

Synopsis

The system generates the INC_CERTIFICATE_EXPIRY incident before a certificate's expiration date.

Incident Code—INC_CERTIFICATE_EXPIRY

Severity—Warning/Critical

For details about incident severity, see Incidents Distribution Over Time in Incidents and Alerts Overview.

Supported Certificates

ADEM/GP Log (also known as the ADEM certificate)
GlobalProtect Portal
SSL Decryption

The severity becomes Critical when the certificate is due to expire in seven days or less.

Required License

Prisma Access

Details

Feature	Raise Condition	Clear Condition
ADEM/GP Log	The system raises the incident 30 days before the ADEM/GP Log certificate expiration date.	The system clears the incident when the ADEM/GP Log certificate is renewed.
GlobalProtect Portal	The system raises the incident 30 days before the GlobalProtect Portal certificate expiration date.	The system clears the incident when the GlobalProtect Portal certificate is renewed.
SSL Decryption	The system raises the incident 30 days before the SSL decryption certificate expiration date.	The system clears the incident when the SSL decryption certificate is renewed.

Correlated Alerts

AL_CERTIFICATE_EXPIRY

Remediation

Renew a GlobalProtect Portal certificate

Import the certificate provisioned for the custom domain portal address.

Renew a GlobalProtect Portal certificate in Strata Cloud Manager
Import the certificate provisioned for the custom domain portal address.
1. Go to WorkflowsPrisma Access SetupGlobalProtectInfrastructure and edit Infrastructure Settings.
2. Import the certificate you provisioned for your custom domain portal address.
  1. Select the format for the certificate you're importing:
    - Encrypted Private Key and Certificate (PKCS12)—The key and certificate are in a single container (Certificate File). Click Choose File and browse to the PKCS12 file to import.
    - Base64 Encoded Certificate (PEM)—If you select this option, you must import the Key File separately from the certificate. To import the PEM certificate and Key File, click Choose File.
3. Enter the Passphrase to encrypt the key, and Confirm Passphrase. Save your changes.
Renew a GlobalProtect Portal certificate in Panorama
1. Go to DeviceCertificate ManagementSSL/TLS Service Profile.
2. Click Add at the bottom of the screen.
  1. Enter a Name for the profile.
  2. Select the server Certificate.
  3. Select the minimum and maximum SSL/TLS versions for the SSL transaction between client and server.
3. Reference this SSL/TLS profile in the portal or gateway, as needed.
Renew an ADEM/GP Log Certificate
Prerequisites—Users in either a Strata Cloud Manager or Panorama environment must have an AI-Powered ADEM license.
- Renew an ADEM/GP Log Certificate in Strata Cloud Manager
  1. In Strata Cloud Manager, ensure the scope is Prisma Access.
  2. Navigate to ManageConfigurationNGFW and Prisma Access.
  3. Select ObjectsCertificate ManagementCertificates.
  4. Under Palo Alto Networks Issued Certificates, select the certificate, and click Renew.
  5. Push Config.
- Renew an ADEM/GP Log Certificate in Panorama
- 1. Go to Mobile_User_TemplateDeviceCertificate ManagementCertificates, and delete the globalprotect_app_log_cert certificate.
  2. Go to the Panorama tab, and select Cloud ServicesConfiguration.
  3. In the GlobalProtect App Log Collection and Autonomous DEM section, click Renew Certificate for GlobalProtect App Log Collection and Autonomous DEM to renew the certificate.
  4. Commit and Push.

Renew an SSL Decryption Certificate
- Renew an SSL Decryption Certificate in Strata Cloud Manager
  1. Renew a locally generated certificate
    1. Go to ManageConfiguration NGFW and Prisma Access.
    2. Click ObjectsCertificate Management.
    3. Under the Palo Alto Networks Certificate, select the certificate, and Renew.
    4. Push to Config.
  2. Generate a certificate signing request (CSR)
    1. Go to ManageConfiguration NGFW and Prisma Access.
    2. Click ObjectsCertificate Management, and select Generate.
    3. Enter the Certificate Name (be sure to note this name for later use) and the Common Name (usually the FQDN). For Signed By, select External Authority (CSR).
      
      Don't select Certificate Authority.
    4. Complete the remaining details, such as Country and Organization.
      
      Check with the Certificate Authority about their requirements for Certificate Attribute formatting and criteria.
    5. Click Generate to create the CSR.
    6. Push Config for the new certificate to take effect. The confirmation window appears when the CSR is generated.
  3. Import the signed certificate.
    1. Enter the name (this is the Certificate Name you entered previously) of the certificate to import.
    2. Click Import.
    3. Click Choose File to select the signed certificate from the Certificate Authority, and click OK.
      
      Don't click the Import Private Key check box, as the private key is already on the firewall.
    4. Depending on the Certificate Authority used, you may need to chain the intermediate certificate with the server certificate and import it before completing this step. For more information, see How to Install a Chained Certificate Signed by a Public CA.
    5. Click OK. The certificate now appears as valid, and the key check box is selected. Use the new third-party certificate for GlobalProtect or any other function.
- Renew an SSL Decryption Certificate in Panorama
  1. Renew a locally generated certificate
    1. Select the certificate to be renewed under GUI: Device Certificate ManagementCertificates.
    2. Select Renew, enter the New Expiration Interval in days, and click OK. The system modifies the expiration date to reflect the change.
    3. Commit and Push your changes.
  2. Generate a CSR
    1. Go to DeviceCertificate ManagementCertificates.
    2. Click Generate at the bottom of the screen.
    3. Enter the Certificate Name (be sure to note this name for later use) and the Common Name (usually the FQDN). For Signed By, select External Authority (CSR).
      
      Don't select Certificate Authority.
    4. Complete the remaining details, such as Country and Organization.
      
      Check with the Certificate Authority about their requirements for Certificate Attribute formatting and criteria.
    5. Click Generate to create the CSR.
    6. Commit and Push again for the new certificate to take effect.
    7. You'll see the confirmation window when the CSR is generated.
  3. Import the signed certificate
    1. Enter the name (this is the Certificate Name you entered previously) of the certificate to import.
    2. Click Import at the bottom of the screen.
    3. Click Browse to select the signed certificate received from the Certificate Authority, and click OK.
      
      Don't click the Import Private Key check box, as the private key is already on the firewall.
    4. Depending on the Certificate Authority used, you may need to chain the intermediate certificate with the server certificate and import it before completing this step. For more information, see How to Install a Chained Certificate Signed by a Public CA.
    5. Click OK. The certificate now appears as valid, and the key check box is selected. A new third-party certificate can now be used for GlobalProtect or any other function.

Optional—For both Strata Cloud Manager and Panorama environments, you can refer to Certificate Renewal for Autonomous Digital Experience Management for additional details.

Prisma Access Incidents

INC_GP_CLIENT_VERSION_UNSUPPORTED

Prisma Access Docs

INC_CERTIFICATE_EXPIRY

Prisma Access Docs