Certificate Renewal for ADEM before June 3, 2022
The certificates and the chain used for
GlobalProtect App Log Collection and ADEM expire on June 3, 2022.
If you are a current ADEM customer, please be sure to renew the
certificates for GlobalProtect App Log Collection and ADEM, after April
20, 2022 but before June 3, 2022. The updated certificate
will be available for renewal starting on April 20th, 2022.
If you renew the certificates on or before April 20, 2022, you
will get the old certificates which will expire on June 3, 2022.
If you do not renew the certificates before June 3, 2022, once the
certificate expires, new and existing clients will not be able to
connect to ADEM and the GlobalProtect App Log Collection service.
Also, if you deploy new ADEM endpoints, make sure that you are
running GlobalProtect client version 5.2.11 or later in order to
continue to successfully register new clients on ADEM portal. If
you already have ADEM or App Log Collection rolled out on an earlier
version of GlobalProtect you will be able to renew the certificate
without changing the version of your current GlobalProtect clients.
What you need to do:
New ADEM customers starting April 20, 2022- Upgrade GlobalProtect
to 5.2.11 to successfully deploy ADEM.
Existing ADEM customers looking to roll out ADEM on new endpoints
starting April 20, 2022- Upgrade GlobalProtect to 5.2.11 and
renew certificate to successfully deploy ADEM.
Existing ADEM customers with ADEM already deployed on their
endpoints - ADEM endpoints will automatically be upgraded once
already connected to ADEM, however please renew the certificate
before expiry.
The GlobalProtect 5.2.11 requirements are for ADEM functionality
only for new ADEM endpoint deployments starting April 20, 2022.
App Log Collection functionality doesn’t have the newer GlobalProtect
client version requirement with the renewal of the certificate.
To renew the certificates follow these steps:
On Panorama:
On Panorama, select
Under the GlobalProtect App Log Collection and
Autonomous DEM, section, click Generate Certificate
for GlobalProtect App Log Collection and Autonomous DEM to
renew the certificate.
After the new certificate is generated, the administrator
must push the new certificate under . The newly generated certificate
overwrites the old certificate. Hence, the certificate name (globalprotect_app_log_cert)
does not change. The new certificate gets pushed to the GlobalProtect
app when the portal configuration is refreshed either manually by
the end user or during the default portal configuration refresh
interval (which is 24 hours by default unless changed by the admin).
First time ADEM endpoint deployments will be able to successfully
register to ADEM service only if they upgrade to the new version
of GlobalPotect 5.2.11. Existing ADEM endpoints that are already
connected to ADEM Cloud Service will be auto-upgraded with the latest
ADEM endpoint version and need not migrate to GlobalProtect 5.2.11.
On Cloud Managed Prisma Access:
In the Prisma Access App, navigate to
Once the new certificate is generated, the administrator
must push the new changes by going to and select Push.
The new certificate gets pushed to the GlobalProtect app when the
portal configuration is refreshed either manually (by the end user)
or during the default portal configuration refresh interval (which is
24 hours by default unless changed by the admin). First time ADEM
endpoint deployments will be able to successfully register to ADEM
service only if they upgrade to the new version of GlobalProtect
5.2.11. Existing ADEM endpoints that are already connected to ADEM
Cloud Service will be auto-upgraded with the latest ADEM endpoint
version and need not migrate to GlobalProtect 5.2.11.