Renew WEC Certificates

Renewing your WEC certificates in Cortex® XDR™ includes renewing your Windows Event Forwarding (WEF) client certificate and your WEC server certificate. You must install the WEF certificate on every Windows server, whether a Domain Controller (DC) or not, for the WEFs that are supposed to forward logs to the Windows Event Collector applet on the broker VM.
Cortex XDR displays a notification for any tenant with an active WEC applet containing a Certificate Authority (CA) certificate that expires in less than 90 days. You will see these notifications in the following places until the WEC certificates are replaced.
  • In the Broker VMs page, the health status of the Windows Event Collector applet is yellow. When you hover over the health status, a warning message is displayed: Your Windows Event Collector server certificate expires in X days.
  • Until you renew your broker VM WEC server certificate, a warning message is displayed in the Windows Event Forwarder Configurations window.
  • A new notification entitled WEC Certificate Authority Expiration is displayed in the notification area until the certificates are renewed.
After you receive a notification for renewing your WEC CA certificate, we recommend that you do not add any new WEF clients until the WEC certificate renewal process is complete. Events from WEF clients added in the meantime will not be collected by the server until the WEC certificates are renewed.
In addition, Cortex XDR manages the renewal of your WEC certificates by applying the following validity periods.
  • The WEC CA certificate validity is extended to a maximum of 20 years.
  • The broker VM applet includes an automatic renewal mechanism for the WEC server certificate, which has a lifespan of 12 months.
  • The renewed WEC client certificate is issued with a lifespan of 5 years.
To renew your WEC certificates:
  1. Renew your WEF client certificate in Cortex XDR.
    1. In Cortex XDR, select Settings > Configurations > Broker VM, and locate your broker VM.
    2. Right-click and select Windows Event Collector > Configure Forwarder.
    3. In the Windows Event Forwarder Configuration window:
      1. Copy the Subscription Manage URL. You will need it when you configure the subscription manager in the GPO (Group Policy Object) on your domain controller.
      2. Define a Client Certificate Export Password, used to secure the downloaded WEF certificate that establishes the connection between your DC/WEF and the WEC. You will need this password when the certificate is imported on the event forwarder.
      3. Download the WEF certificate in PFX format to your local machine.
    4. Install your WEF certificate on the WEF to establish the connection.
      You must install the WEF certificate on every Windows Server, whether DC or not, for the WEFs that are supposed to forward logs to the Windows Event Collector applet on the broker VM.
      1. Locate the PFX file you downloaded from the Cortex XDR console and double-click it to open the Certificate Import Wizard.
      2. In the Certificate Import Wizard:
        1. Select Local Machine followed by Next.
        2. Verify that the File name field displays the PFX certificate file you downloaded and select Next.
        3. In the Password field, enter the Client Certificate Export Password you defined in the Cortex XDR console followed by Next.
        4. Select Automatically select the certificate store based on the type of certificate followed by Next and Finish.
      3. From a command prompt, run certlm.msc.
      4. In the certificate console, navigate to Certificates and verify the following for each of the folders:
        • In the Personal > Certificates folder, ensure the certificate forwarder.wec.paloaltonetworks.com appears.
        • In the Trusted Root Certification Authorities > Certificates folder, ensure the CA ca.wec.paloaltonetworks.com appears.
        You may see more than one ca.wec.paloaltonetworks.com and forwarder.wec.paloaltonetworks.com certificate left over from a previous installation, so select the one with the latest Expiration Date. You can verify that you are using the correct certificate as follows:
        • To verify that the client certificate in the Personal > Certificates folder is related to the CA, select your forwarder.wec.paloaltonetworks.com certificate and, from the Certification Path tab, double-click ca.wec.paloaltonetworks.com. In the Details tab, set Show to Properties only and verify that the Thumbprint matches the Thumbprint of the ca.wec.paloaltonetworks.com certificate.
        • For the Trusted Root certificate (the CA certificate), verify that the Thumbprint of your ca.wec.paloaltonetworks.com certificate matches the Subscription Manage URL: double-click the certificate and, from the Details tab, check the Thumbprint.
      5. Navigate to Certificates > Personal > Certificates.
      6. Right-click the certificate and navigate to All Tasks > Manage Private Keys.
      7. In the Permissions window, select Add, and in the Enter the object name section, enter NETWORK SERVICE followed by Check Names to verify the object name. The object name is displayed with an underline when valid. Then select OK.
      8. Select OK, verify that the Group or user names appear, and then Apply the Permissions for private keys.
    5. Configure the subscription manager.
      Navigate to Computer Configuration > Policies > Administrative Templates: Policy definitions > Windows Components > Event Forwarding, right-click Configure target Subscription Manager and select Edit.
      In the Configure target Subscription Manager window:
      1. Mark Configure target Subscription Manager as Enabled.
      2. In the Options section, select Show, and in the Show Contents window, paste the Subscription Manage URL that you copied from the Cortex XDR console followed by OK.
      3. Select Apply and OK to save your changes.
    6. Complete the WEF client certificate renewal.
      On every WEF DC, perform the following from a command prompt.
      1. Run gpupdate /force to update the group policy.
      2. Run Restart-Service WinRM to apply the configuration.
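After the policy has been refreshed, a forwarder can confirm that the subscription manager setting actually landed and that it points at the CA just installed. The following is an added example and not Palo Alto Networks code: it reads the entries that the Configure target Subscription Manager policy writes to the registry, parses each one, checks that its IssuerCA thumbprint matches the ca.wec.paloaltonetworks.com certificate in Trusted Root (the thumbprint comparison from step 4), confirms WinRM is running, and lists the latest events from the forwarding plugin log. It assumes the Subscription Manage URL uses the standard WEF form Server=...,Refresh=...,IssuerCA=<thumbprint>.

```powershell
# Added example (not Palo Alto Networks code): post-gpupdate verification on a WEF client.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$CaName    = 'ca.wec.paloaltonetworks.com'

function Get-SubscriptionManagerEntries {
    if (-not (Test-Path $PolicyKey)) {
        throw "Policy key $PolicyKey is missing: the GPO has not applied to this host yet"
    }
    # The policy stores each subscription manager as a REG_SZ value named 1, 2, 3, ...
    (Get-ItemProperty -Path $PolicyKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
}

function ConvertFrom-SubscriptionManagerEntry([string]$Entry) {
    # Assumed format: Server=https://host:port/wsman/SubscriptionManager/WEC,Refresh=60,IssuerCA=<thumbprint>
    $fields = @{}
    foreach ($part in ($Entry -split ',')) {
        $kv = $part -split '=', 2
        if ($kv.Count -eq 2) { $fields[$kv[0].Trim()] = $kv[1].Trim() }
    }
    [pscustomobject]@{
        Server   = $fields['Server']
        Refresh  = $fields['Refresh']
        IssuerCA = $fields['IssuerCA']
    }
}

# Newest CA in Trusted Root, matching the manual "latest Expiration Date" rule.
$ca = Get-ChildItem Cert:\LocalMachine\Root |
      Where-Object { $_.Subject -like "*CN=$CaName*" } |
      Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $ca) { throw "$CaName not found in Trusted Root Certification Authorities" }

foreach ($entry in Get-SubscriptionManagerEntries) {
    $sm    = ConvertFrom-SubscriptionManagerEntry $entry
    $match = [bool]$sm.IssuerCA -and ($sm.IssuerCA -ieq $ca.Thumbprint)
    '{0}  IssuerCA={1}  matches Trusted Root CA: {2}' -f $sm.Server, $sm.IssuerCA, $match
    if (-not $match) {
        Write-Warning "IssuerCA in policy does not match installed CA $($ca.Thumbprint); re-check the pasted URL or the imported PFX"
    }
}

# WinRM carries the forwarding traffic; the client cannot register a subscription without it.
"WinRM service: $((Get-Service WinRM).Status)"

# Recent forwarding-plugin events show whether the client reached the collector after the restart.
try {
    Get-WinEvent -LogName 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational' -MaxEvents 10 |
        Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
} catch {
    Write-Warning "No forwarding-plugin events yet: $($_.Exception.Message)"
}
```

A thumbprint mismatch here is the usual reason a forwarder stays silent after renewal: the policy still carries the previous CA, or the PFX on this host predates the renewal.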
  2. Renew your WEC server certificate in Cortex XDR.
    Perform this step only under the following conditions.
    • You have completed the WEF certificate renewal process for ALL clients in your environment. Otherwise, events from the WEFs on which you did not install the new client certificate will not be collected by the WEC.
    • You are approaching the WEC server CA certificate expiration date, which is 2 years after the Windows Event Collector applet activation, and you have received a notification in the Cortex XDR console.
    1. In Cortex XDR, select Settings > Configurations > Broker VM, and locate your broker VM.
    2. Right-click and select Windows Event Collector > Renew WEC Server Certificate.
    3. Click Renew.
      Once Cortex XDR renews the WEC server certificate, the status of the Windows Event Collector on the Broker VMs page is Active, Connected, indicating the applet is running. In addition, the health status of the Windows Event Collector applet is now green instead of yellow, and the warning message that appeared when you hovered over the health status no longer appears. Your WEC server certificate is issued with a lifespan of 12 months.
      We also suggest that you run the following query in XQL Search to verify that your event logs are being captured.
      dataset = xdr_data | filter _product = "Windows" | fields _vendor,_product,action_evtlog_level,action_evtlog_event_id | sort desc _time | limit 20
      If this query does not display results with a timestamp from after the renewal process, the renewal process may not be complete, so wait a few minutes before running the query again. If you still have a problem, contact Technical Support.
