Synopsis

Required License

Details

Correlated Alerts

Remediation

• Renew a GlobalProtect Portal certificate in Strata Cloud Manager
  Import the certificate provisioned for the custom domain portal address.
  1. Go to WorkflowsPrisma Access SetupGlobalProtectInfrastructure and edit Infrastructure Settings.
  2. Import the certificate you provisioned for your custom domain portal address.
     1. Select the format for the certificate you're importing:
        • Encrypted Private Key and Certificate (PKCS12)—The key and certificate are in a single container (Certificate File). Click Choose File and browse to the PKCS12 file to import.
        • Base64 Encoded Certificate (PEM)—If you select this option, you must import the Key File separately from the certificate. To import the PEM certificate and Key File, click Choose File.
  3. Enter the Passphrase to encrypt the key, and Confirm Passphrase. Save your changes.
• Renew a GlobalProtect Portal certificate in Panorama
  1. Go to DeviceCertificate ManagementSSL/TLS Service Profile.
  2. Click Add at the bottom of the screen.
     1. Enter a Name for the profile.
     2. Select the server Certificate.
     3. Select the minimum and maximum SSL/TLS versions for the SSL transaction between client and server.

  3. Reference this SSL/TLS profile in the portal or gateway, as needed.
• Renew an ADEM/GP Log Certificate
  Prerequisites—Users in either a Strata Cloud Manager or Panorama environment must have an AI-Powered ADEM license.
  • Renew an ADEM/GP Log Certificate in Strata Cloud Manager

    1. In Strata Cloud Manager, ensure the scope is Prisma Access.
    2. Navigate to ManageConfigurationNGFW and Prisma Access.
    3. Select ObjectsCertificate ManagementCertificates.
    4. Under Palo Alto Networks Issued Certificates, select the certificate, and click Renew.

    5. Push Config.
  • Renew an ADEM/GP Log Certificate in Panorama
  • 1. Go to Mobile_User_TemplateDeviceCertificate ManagementCertificates, and delete the globalprotect_app_log_cert certificate.
    2. Go to the Panorama tab, and select Cloud ServicesConfiguration.
    3. In the GlobalProtect App Log Collection and Autonomous DEM section, click Renew Certificate for GlobalProtect App Log Collection and Autonomous DEM to renew the certificate.
    4. Commit and Push.

• Renew an SSL Decryption Certificate
  • Renew an SSL Decryption Certificate in Strata Cloud Manager
    1. Renew a locally generated certificate
       1. Go to ManageConfiguration NGFW and Prisma Access.
       2. Click ObjectsCertificate Management.
       3. Under the Palo Alto Networks Certificate, select the certificate, and Renew.
       4. Push to Config.
    2. Generate a certificate signing request (CSR)
       1. Go to ManageConfiguration NGFW and Prisma Access.
       2. Click ObjectsCertificate Management, and select Generate.
       3. Enter the Certificate Name (be sure to note this name for later use) and the Common Name (usually the FQDN). For Signed By, select External Authority (CSR).
          Don't select Certificate Authority.
       4. Complete the remaining details, such as Country and Organization.
          Check with the Certificate Authority about their requirements for Certificate Attribute formatting and criteria.
       5. Click Generate to create the CSR.
       6. Push Config for the new certificate to take effect. The confirmation window appears when the CSR is generated.
    3. Import the signed certificate.
       1. Enter the name (this is the Certificate Name you entered previously) of the certificate to import.
       2. Click Import.
       3. Click Choose File to select the signed certificate from the Certificate Authority, and click OK.
          Don't click the Import Private Key check box, as the private key is already on the firewall.
       4. Depending on the Certificate Authority used, you may need to chain the intermediate certificate with the server certificate and import it before completing this step. For more information, see How to Install a Chained Certificate Signed by a Public CA.
       5. Click OK. The certificate now appears as valid, and the key check box is selected. Use the new third-party certificate for GlobalProtect or any other function.
  • Renew an SSL Decryption Certificate in Panorama
    1. Renew a locally generated certificate
       1. Select the certificate to be renewed under GUI: Device Certificate ManagementCertificates.
       2. Select Renew, enter the New Expiration Interval in days, and click OK. The system modifies the expiration date to reflect the change.
       3. Commit and Push your changes.
    2. Generate a CSR
       1. Go to DeviceCertificate ManagementCertificates.
       2. Click Generate at the bottom of the screen.
       3. Enter the Certificate Name (be sure to note this name for later use) and the Common Name (usually the FQDN). For Signed By, select External Authority (CSR).
          Don't select Certificate Authority.
       4. Complete the remaining details, such as Country and Organization.
          Check with the Certificate Authority about their requirements for Certificate Attribute formatting and criteria.
       5. Click Generate to create the CSR.
       6. Commit and Push again for the new certificate to take effect.
       7. You'll see the confirmation window when the CSR is generated.
    3. Import the signed certificate
       1. Enter the name (this is the Certificate Name you entered previously) of the certificate to import.
       2. Click Import at the bottom of the screen.
       3. Click Browse to select the signed certificate received from the Certificate Authority, and click OK.
          Don't click the Import Private Key check box, as the private key is already on the firewall.
       4. Depending on the Certificate Authority used, you may need to chain the intermediate certificate with the server certificate and import it before completing this step. For more information, see How to Install a Chained Certificate Signed by a Public CA.
       5. Click OK. The certificate now appears as valid, and the key check box is selected. A new third-party certificate can now be used for GlobalProtect or any other function.