Upgrade Panorama and Managed Devices in FIPS-CC Mode

Upgrade Panorama and managed firewalls, Log Collectors, and WildFire appliances in FIPS-CC mode.
On successful upgrade to PAN-OS 11.0, all managed devices in FIPS-CC mode and any managed device added to Panorama when the device was running a PAN-OS 10.0 release must be re-onboarded to Panorama management. This requires you to reset the secure connection status for Panorama in FIPS-CC mode and for any managed devices in FIPS-CC mode. After resetting the secure connection status, you must add back to Panorama management each firewall, Log Collector, and WildFire appliance that was added to Panorama using the device registration authentication key. This procedure is not required for and does not impact managed devices added to Panorama while running a PAN-OS 10.0 or earlier release. This procedure is required for all supported Panorama models and Next-Generation firewall hardware and VM-Series models in FIPS-CC mode.
  1. Create a list of your managed devices in FIPS-CC mode and any managed device added to Panorama using the device registration authentication key. This list helps you focus your efforts later when you re-onboard your managed devices to Panorama management.
  2. Upgrade Panorama and managed devices to PAN-OS 11.0.
  3. After successful upgrade to PAN-OS 11.0, review the system logs on Panorama to identify which managed devices in FIPS-CC mode are unable to connect to Panorama.
  4. Reset the secure connection state on Panorama.
    This step resets connectivity for any managed device added to Panorama management while running a PAN-OS 11.0 release and is irreversible. This step has no impact on the connectivity status of firewalls that were added when running a PAN-OS 10.0 or earlier release and are upgraded to PAN-OS 11.0.
    1. Log in to the Panorama CLI.
    2. Reset the secure connection status.
      admin> request sc3 reset
    3. Restart the management server on Panorama.
      admin> debug software restart process management-server
    4. (HA only) Repeat this step for each peer in the high availability (HA) configuration.
  5. Reset the secure connection state on the managed device in FIPS-CC mode.
    This step resets the managed device connection and is irreversible.
    1. Log in to the managed device CLI.
    2. Reset the secure connection state.
      admin> request sc3 reset
    3. Restart the management server on the managed device.
      admin> debug software restart process management-server
  6. Add the impacted managed devices back to Panorama.
  7. Regenerate or re-import all certificates to adhere to OpenSSL Security Level 2.
    On upgrade to PAN-OS 11.0, all certificates must meet the following minimum requirements:
    • RSA 2048 bits or greater, or ECDSA 256 bits or greater
    • Digest of SHA256 or greater
    See the PAN-OS Administrator's Guide or Panorama Administrator's Guide for more information on regenerating or re-importing your certificates.
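
One way to pre-check certificates against the two minimums in step 7 before you upgrade, as an added example (not Palo Alto Networks code). It parses the text printed by `openssl x509 -noout -text`; the certificate names and sample excerpts are constructed, and it checks only key type, key size, and signature digest.

```python
import re

# Minimums this page states for certificates after the upgrade to PAN-OS 11.0.
MIN_KEY_BITS = {"rsaEncryption": ("RSA", 2048), "id-ecPublicKey": ("ECDSA", 256)}
# SHA256 or greater; the lookahead rejects truncated variants such as sha512-224.
OK_DIGEST = re.compile(r"sha(256|384|512)(?![-_]?\d)", re.IGNORECASE)

def check_cert_text(text):
    """Return findings for one `openssl x509 -noout -text` dump; [] means compliant."""
    findings = []
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    alg = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    # Fails closed: MD5, SHA-1 and any unrecognised digest name are reported.
    if not sig or not OK_DIGEST.search(sig.group(1)):
        findings.append(f"digest in {sig.group(1) if sig else 'unknown'} is not SHA256 or greater")
    if not alg or alg.group(1) not in MIN_KEY_BITS:
        findings.append(f"key type {alg.group(1) if alg else 'unknown'} is not RSA or ECDSA")
    elif not bits:
        findings.append("public key size not found")
    else:
        name, minimum = MIN_KEY_BITS[alg.group(1)]
        if int(bits.group(1)) < minimum:
            findings.append(f"{name} key is {bits.group(1)} bits, below {minimum}")
    return findings

# Constructed excerpts of `openssl x509 -noout -text` output (hypothetical names).
SAMPLES = {
    "panorama-mgmt": """Signature Algorithm: sha256WithRSAEncryption
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)""",
    "old-fw-cert": """Signature Algorithm: sha1WithRSAEncryption
        Public Key Algorithm: rsaEncryption
            RSA Public-Key: (1024 bit)""",
    "collector-ec": """Signature Algorithm: ecdsa-with-SHA384
        Public Key Algorithm: id-ecPublicKey
            Public-Key: (256 bit)""",
}

def audit(samples):
    """Return {name: findings} for the certificates that need regenerating."""
    return {n: f for n, t in samples.items() if (f := check_cert_text(t))}

if __name__ == "__main__":
    for name, findings in audit(SAMPLES).items():
        print(name, "->", "; ".join(findings))
```

RSA-PSS signatures carry their digest in separate parameters rather than in the algorithm name, so this check reports them for manual review instead of passing them.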