: Certificate Renewal for ADEM before June 3, 2022
Focus
Focus

Certificate Renewal for ADEM before June 3, 2022

Table of Contents

Certificate Renewal for ADEM before June 3, 2022

If you are using the Strata Cloud Manager user interface, see the AI-Powered ADEM Administrator's Guide.
The certificates and the chain used for GlobalProtect App Log Collection and ADEM expire on June 3, 2022. If you are a current ADEM customer, please be sure to renew the certificates for GlobalProtect App Log Collection and ADEM,
after
April 20, 2022 but
before
June 3, 2022. The updated certificate will be available for renewal starting on April 20th, 2022.
If you renew the certificates on or before April 20, 2022, you will get the old certificates which will expire on June 3, 2022. If you do not renew the certificates before June 3, 2022, once the certificate expires, new and existing clients will not be able to connect to ADEM and the GlobalProtect App Log Collection service.
Also, if you deploy new ADEM endpoints, make sure that you are running GlobalProtect client version 5.2.11 or later in order to continue to successfully register new clients on ADEM portal. If you already have ADEM or App Log Collection rolled out on an earlier version of GlobalProtect you will be able to renew the certificate without changing the version of your current GlobalProtect clients.
What you need to do:
New ADEM customers starting April 20, 2022-
Upgrade GlobalProtect to 5.2.11 to successfully deploy ADEM.
Existing ADEM customers looking to roll out ADEM on new endpoints starting April 20, 2022-
Upgrade GlobalProtect to 5.2.11 and renew certificate to successfully deploy ADEM.
Existing ADEM customers with ADEM already deployed on their endpoints -
ADEM endpoints will automatically be upgraded once already connected to ADEM, however please renew the certificate before expiry.
The GlobalProtect 5.2.11 requirements are for ADEM functionality only for new ADEM endpoint deployments starting April 20, 2022. App Log Collection functionality doesn’t have the newer GlobalProtect client version requirement with the renewal of the certificate.
To renew the certificates follow these steps:
On Panorama:
  1. On Panorama, select
    Cloud Services
    Configuration
  2. Under the
    GlobalProtect App Log Collection and Autonomous DEM
    , section, click
    Generate Certificate for GlobalProtect App Log Collection and Autonomous DEM
    to renew the certificate.
  3. After the new certificate is generated, the administrator must push the new certificate under
    Portal
    Agent
    Configs
    Client Certificate
    . The newly generated certificate overwrites the old certificate. Hence, the certificate name (globalprotect_app_log_cert) does not change. The new certificate gets pushed to the GlobalProtect app when the portal configuration is refreshed either manually by the end user or during the default portal configuration refresh interval (which is 24 hours by default unless changed by the admin). First time ADEM endpoint deployments will be able to successfully register to ADEM service only if they upgrade to the new version of GlobalPotect 5.2.11. Existing ADEM endpoints that are already connected to ADEM Cloud Service will be auto-upgraded with the latest ADEM endpoint version and need not migrate to GlobalProtect 5.2.11.
On Cloud Managed Prisma Access:
  1. In the Prisma Access App, navigate to
    Configuration
    Objects
    Certificate Management
    Shared
    GP_Log_Certificate
  2. Once the new certificate is generated, the administrator must push the new changes by going to
    Push Config
    Push
    Mobile Users
    GlobalProtect
    and select
    Push
    . The new certificate gets pushed to the GlobalProtect app when the portal configuration is refreshed either manually (by the end user) or during the default portal configuration refresh interval (which is 24 hours by default unless changed by the admin). First time ADEM endpoint deployments will be able to successfully register to ADEM service only if they upgrade to the new version of GlobalProtect 5.2.11. Existing ADEM endpoints that are already connected to ADEM Cloud Service will be auto-upgraded with the latest ADEM endpoint version and need not migrate to GlobalProtect 5.2.11.

Recommended For You