PAN-OS Root and Default Certificate are going to expire on December 31, 2023 which will make Firewalls and Panorama to lose connectivity to Palo Alto Networks cloud services.
This will potentially cause outages and impact network traffic.
If you are using on of the following features on your firewall:
- Data redistribution (User-ID, IP-tag, User-tag, GlobalProtect HIP, and/or quarantine list)
- URL PAN-DB private cloud (M-Series)
- WildFire private cloud appliance (WF500/B)
then you have to update to one of the following versions until end of this year to fix the issue:
| Current PAN-OS Version | Upgrade Target Version |
| 8.1 | 8.1.21-h1 8.1.25-h1 or greater |
| 9.0 | 9.0.16-h5 or greater |
| 9.1 | 9.1.11-h4 9.1.12-h6 9.1.13-h4 9.1.14-h7 9.1.16-h3 9.1.17 or greater |
| 10.0 | 10.0.8-h10 10.0.11-h3 10.0.12-h3 or greater |
| 10.1 | 10.1.3-h2 10.1.5-h3 10.1.6-h9 10.1.8-h6 10.1.9-h3 10.1.10 or greater |
| 10.2 | 10.2.3-h9 10.2.4 or greater |
| 11.0 | 11.0.0-h1 11.0.1-h2 11.0.2 or greater |
| 11.1 | 11.1.0 or greater |
If you are using one of these features:
- WildFire/Advanced WildFire Public Cloud
- URL/Advanced URL Filtering
- DNS Security
- ThreatVault
- Auto Focus
then an firmware update is not absolutely necessary. A content update to version 8776-8390 or later is sufficient to resolve the issue.
Detailed instructions are available at Palo Alto Networks:
