Renew WEC Certificates

Renewing your WEC certificates in Cortex XDR includes renewing your Windows Event Forwarding (WEF) client certificate and your WEC server certificate.

Renewing your WEC certificates in Cortex XDR includes renewing your Windows Event Forwarding (WEF) client certificate and your WEC server certificate. You must install the WEF certificate on every Windows server, whether a Domain Controller (DC) or not, for the WEFs that are supposed to forward logs to the Windows Event Collector applet on the broker VM.

Cortex XDR displays a notification for any tenant with an active WEC applet containing a Certificate Authority (CA) certificate that expires in less than 90 days. You will see these notifications in the following places until the WEC certificates are replaced.

After you receive a notification for renewing your WEC CA certificate, we recommend that you do not add any new WEF clients until the WEC certification renewal process is complete. Events from these WEF clients that are added afterwards will not be collected by the server until the WEC certificates are renewed.

In the

Broker VMs

page, the health status of the Windows Event Collector applet is yellow. When your mouse hovers over the health status, a warning message is displayed indicating that

Your Windows Event Collector server certificate expires in X days

Until you renew your broker VM WEC server certificate, a warning message is displayed in the

Windows Event Forwarder Configurations

window.

A new notification entitled

WEC Certificate Authority Expiration

is displayed in the notification area until the certificates are renewed.

In addition, Cortex XDR manages the renewal of your WEC certificates by implementing the following time limits.

The WEC CA certificate is increased for an extended period of time for a maximum of 20 years.

The broker VM applet includes an automatic renewal mechanism for a WEC server certificate, which has a lifespan of 12 months.

The WEC client certificate after the renewal is issued with a lifespan of 5 years.

To renew your WEC certificates:

Renew your WEF client certificate in Cortex XDR.

In Cortex XDR, select

Settings

Configurations

Data Broker

Broker VMs

, and locate your broker VM.

Right-click and select

Windows Event Collector

Configure Forwarder

In the

Windows Event Forwarder Configuration

window:

(copy) the

Subscription Manage URL

. This will be used when you configure the subscription manager in the GPO (Global Policy Object) on your domain controller.

Define Client Certificate Export Password

used to secure the downloaded WEF certificate used to establish the connection between your DC/WEF and the WEC. You will need this password when the certificate is imported to the events forwarder.

Download

the WEF certificate in a PFX format to your local machine.

Install your WEF Certificate on the WEF to establish connection.

You must install the WEF certificate on every Windows Server, whether DC or not, for the WEFs that are supposed to forward logs to the Windows Event Collector applet on the broker VM.

Locate the PFX file you downloaded from the Cortex XDR console and double-click to open the

Certificate Import Wizard

In the

Certificate Import Wizard

Select

Local Machine

followed by

Verify the

File name

field displays the PFX certificate file you downloaded and select

In the

Passwords

field, enter the Client Certificate Export Password you defined in the Cortex XDR console followed by

Select

Automatically select the certificate store based on the type of certificate

followed by

and

Finish

From a command prompt, run

certlm.msc

In the file explorer, navigate to

Certificates

and verify the following for each of the folders:

In the

Personal

Certificates

folder, ensure the certificate

forwarder.wec.paloaltonetworks.com

appears.

In the

Trusted Root Certification Authorities

Certificates

folder, ensure the CA

ca.wec.paloaltonetworks.com

appears.

You can see more than one

ca.wec.paloaltonetworks.com

and

forwarder.wec.paloaltonetworks.com

file from a previous installation in the directory, so select the file with the most extended

Expiration Date

. You can verify that you are using the correct certificate:

To verify the client certificate in the

Personal

Certificates

folder is related to the CA, you can select your

forwarder.wec.paloaltonetworks.com

file and from the

Certification Path

tab, double-click

ca.wec.paloaltonetworks.com

. In the

Details

tab,

Show: Properties only

, and verify the

Thumbprint

matches the

ca.wec.paloaltonetworks.com

file

Thumbprint

For the Trusted Root Certificate (i.e. CA certificate), you can verify the

Thumbprint

of your

ca.wec.paloaltonetworks.com

file matches the Subscription Manage URL by double-clicking the file and from the

Details

tab verifying the

Thumbprint

Navigate to

Certificates

Personal

Certificates

Right-click the certificate and navigate to

All tasks

Manage Private Keys

In the

Permissions

window, select

Add

and in the

Enter the object name

section, enter

NETWORK SERVICE

followed by

Check Names

to verify the object name. The object name is displayed with an underline when valid. and then

Select

, verify the

Group or user names

appear, and then

Apply

Permissions for privet keys

Configure the subscription manager.

Navigate to

Computer Configuration

Policies

Administrative Templates: Policy definitions

Windows Components

Event Forwarding

, right-click

Configure target Subscription Manager

and select

Edit

In the

Configure target Subscription Manager

window:

Mark

Configure target Subscription Manager

Enabled

In the

Options

section, select

Show

, and in the

Show Contents

window, paste the Subscription Manage URL that you copied from the Cortex XDR console followed by

Select

Apply

and

to save your changes.

Complete the WEF Client certificate renewal.

On every WEF DC, perform the following from a command prompt.

Run

gpupdate /force

to update the group policy.

Restart-Service WinRM

to apply the configurations.

Renew your WEC server certificate in Cortex XDR.

You should only perform this step under the following conditions.

You have completed the WEF certification renewal process for ALL clients in your environment. Otherwise, events from the WEFs that you did not install the new client certificate will not be collected by the WEC.

You are approaching the WEC server CA certificate expiration date, which is 2 years after the

Windows Event Collector

applet activation, and receive a notification in the Cortex XDR console.

In Cortex XDR, select

Settings

Configurations

Data Broker

Broker VMs

, and locate your broker VM.

Right-click and select

Windows Event Collector

Renew WEC Server Certificate

Click

Renew

Once Cortex XDR renews the WEC server certificate, the status of the

Windows Event Collector

on the

Broker VMs

machine is

Active, Connected

indicating the applet is running. In addition, the health status of the Windows Event Collector applet is now green instead of yellow and the warning message that appeared when you hovered over the health status no longer appears. Your WEC server certificate is issued with a lifespan of 12 months.

We also suggest that in XQL Search that you run the following query to verify that your event logs are being captured.

dataset = XDR_data 
| filter _product = "Windows" 
| fields _vendor,_product,action_evtlog_level,action_evtlog_event_id 
| sort desc _time | limit 20

If this query does not display results with a timestamp from after the renewal process, it could indicate that the renewal process is not complete, so wait a few minutes before running another query. If you are still having a problem, contact Technical Support.

Document:Cortex® XDR Pro Administrator’s Guide

Renew WEC Certificates

Renew WEC Certificates

Recommended For You

Document:Cortex® XDR Pro Administrator’s Guide

Renew WEC Certificates

Renew WEC Certificates

Recommended For You

Recommended Videos