{"id":494,"date":"2026-04-22T07:41:31","date_gmt":"2026-04-22T07:41:31","guid":{"rendered":"https:\/\/12p.no\/wp\/?p=494"},"modified":"2026-04-22T08:11:25","modified_gmt":"2026-04-22T08:11:25","slug":"automating-globalprotect-certificate-renewal-on-a-palo-alto-firewall","status":"publish","type":"post","link":"https:\/\/12p.no\/wp\/?p=494","title":{"rendered":"Automating GlobalProtect Certificate Renewal on a Palo Alto Firewall"},"content":{"rendered":"\n

Disclaimer: This text is highly AI generated<\/em><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Keeping SSL\/TLS certificates updated for a GlobalProtect portal is one of those tasks that sounds simple until you account for validation, firewall policy, certificate import, profile updates, and commits. This project automates that entire workflow with a single Python script.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Get it here: https:\/\/github.com\/skadevare\/PaloAlto-Letsencrypt-Certificate-Auto-Updater<\/a><\/p>\n\n\n\n

Details<\/h2>\n\n\n\n

The script is designed for Palo Alto firewalls and handles both automated Let\u2019s Encrypt renewal and manual certificate import. Its main purpose is to keep a GlobalProtect SSL\/TLS Service Profile updated with the correct certificate without requiring repeated manual work every few months.
What Problem This Solves<\/p>\n\n\n\n

<\/p>\n\n\n\n

A GlobalProtect portal needs a valid public certificate. If that certificate expires, users will see certificate warnings or lose trust in the portal entirely. Renewing the certificate manually every time is tedious and error-prone.
This script automates the full lifecycle:<\/p>\n\n\n\n

    \n
  • opening HTTP access temporarily for ACME validation<\/li>\n\n\n\n
  • running Certbot<\/li>\n\n\n\n
  • closing the temporary firewall access<\/li>\n\n\n\n
  • importing the new certificate into PAN-OS<\/li>\n\n\n\n
  • updating the SSL\/TLS Service Profile<\/li>\n\n\n\n
  • committing the configuration
    It also supports a manual mode for cases where you already have a certificate and private key and only want to push them to the firewall.
    <\/li>\n<\/ul>\n\n\n\n

    How the Automated Mode Works<\/strong><\/h2>\n\n\n\n

    In normal mode, the script performs the following steps:<\/p>\n\n\n\n

      \n
    1. It connects to the Palo Alto firewall API.<\/li>\n\n\n\n
    2. It checks the current state of a predefined NAT rule and an optional predefined security rule.<\/li>\n\n\n\n
    3. If those rules are disabled, it enables them.<\/li>\n\n\n\n
    4. It commits the firewall configuration so inbound TCP port 80 is reachable.<\/li>\n\n\n\n
    5. It runs Certbot in standalone mode.<\/li>\n\n\n\n
    6. Certbot temporarily hosts the HTTP-01 validation response on the local machine.<\/li>\n\n\n\n
    7. After validation, the script restores the original rule state and commits again.<\/li>\n\n\n\n
    8. It builds a temporary PKCS#12 bundle from the certificate and private key.<\/li>\n\n\n\n
    9. It uploads that bundle to the firewall.<\/li>\n\n\n\n
    10. It updates the configured SSL\/TLS Service Profile to use the matching certificate object.<\/li>\n\n\n\n
    11. It commits the change.
      This gives you a repeatable certificate renewal process with minimal manual intervention.
      <\/li>\n<\/ol>\n\n\n\n

      Why It Uses Existing Firewall Rules<\/strong>
      <\/h2>\n\n\n\n

      The script does not try to create NAT or security rules from scratch. Instead, it toggles rules that already exist on the firewall.
      That is intentional.
      NAT and security rules depend on details that are different in every environment, such as:<\/p>\n\n\n\n

        \n
      • interface names<\/li>\n\n\n\n
      • zones<\/li>\n\n\n\n
      • public IP addresses<\/li>\n\n\n\n
      • translated addresses<\/li>\n\n\n\n
      • existing policy structure
        Because of that, the safer design is to create the required rules once in PAN-OS, keep them disabled, and let the script enable and disable them only when needed.
        Security Rule Handling
        If a security rule is configured, the script handles it just like the NAT rule.
        That means:<\/li>\n\n\n\n
      • if the security rule is disabled, it gets enabled before Certbot validation<\/li>\n\n\n\n
      • after validation, it is disabled again<\/li>\n\n\n\n
      • if it was already enabled, the script leaves it enabled
        This makes the workflow cleaner and avoids leaving temporary access open longer than necessary.

        <\/li>\n<\/ul>\n\n\n\n
        \"\"<\/figure>\n\n\n\n
        \"\"<\/figure>\n\n\n\n
        \"\"<\/figure>\n\n\n\n

        Manual Certificate Import Mode<\/strong><\/h2>\n\n\n\n
          \n
        • The script also supports a manual import mode.<\/em><\/strong>
          This is useful when:<\/li>\n\n\n\n
        • you already received a certificate from another source<\/li>\n\n\n\n
        • you want to test certificate import without running Certbot<\/li>\n\n\n\n
        • you want to update the GlobalProtect profile directly from a certificate and key file
          Example command:
          python3 renew_globalprotect_cert.py –manual-cert –incert \/path\/to\/fullchain.pem –inkey \/path\/to\/privkey.pem
          In manual mode, the script:<\/li>\n\n\n\n
        • skips Certbot entirely<\/li>\n\n\n\n
        • does not touch NAT or security rules<\/li>\n\n\n\n
        • builds the PKCS#12 file<\/li>\n\n\n\n
        • uploads it to the firewall<\/li>\n\n\n\n
        • updates the SSL\/TLS profile<\/li>\n\n\n\n
        • commits the change<\/li>\n<\/ul>\n\n\n\n

          How Certificate Naming Works<\/h2>\n\n\n\n

          The script derives the PAN-OS certificate object name from the certificate fingerprint.
          That gives two benefits:<\/p>\n\n\n\n

          the same local certificate can be reused cleanly<\/p>\n\n\n\n

          the script can avoid creating unnecessary duplicate certificate objects
          If the firewall already has the matching certificate object and the SSL\/TLS profile already points to it, the script skips the update.<\/p>\n\n\n\n

          Scheduling<\/strong>
          <\/h2>\n\n\n\n

          Manual mode works best with real certificate files or proper Let\u2019s Encrypt paths.<\/p>\n\n\n\n

          The intended use case is periodic execution through systemd, for example every three months.
          A quarterly timer matches the original renewal idea, but in practice monthly execution is safer for 90-day Let\u2019s Encrypt certificates. Certbot usually does nothing until a renewal is actually needed, so running more often reduces the risk of missing the renewal window.
          Important Operational Notes
          A few things matter in production:<\/p>\n\n\n\n

          The script performs full PAN-OS commits.<\/p>\n\n\n\n

          If unrelated candidate changes already exist on the firewall, those should be considered before running it.<\/p>\n\n\n\n

          <\/p>\n\n\n\n

          Final Thoughts<\/strong><\/h2>\n\n\n\n

          This script turns certificate renewal for a Palo Alto GlobalProtect portal into a predictable workflow instead of a manual maintenance task. It reduces the chance of expired certificates, keeps the firewall changes temporary, and makes it easier to manage both automatic and manual certificate updates from one place.
          If you manage GlobalProtect in an environment where certificate rotation has been a recurring headache, this kind of automation can remove a lot of unnecessary operational friction<\/p>\n","protected":false},"excerpt":{"rendered":"

          Disclaimer: This text is highly AI generated Keeping SSL\/TLS certificates updated for a GlobalProtect portal is one of those tasks that sounds simple until you account for validation, firewall policy, certificate import, profile updates, and commits. This project automates that entire workflow with a single Python script. Get it here: https:\/\/github.com\/skadevare\/PaloAlto-Letsencrypt-Certificate-Auto-Updater Details The script is […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-494","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/12p.no\/wp\/index.php?rest_route=\/wp\/v2\/posts\/494","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/12p.no\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/12p.no\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/12p.no\/wp\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/12p.no\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=494"}],"version-history":[{"count":8,"href":"https:\/\/12p.no\/wp\/index.php?rest_route=\/wp\/v2\/posts\/494\/revisions"}],"predecessor-version":[{"id":507,"href":"https:\/\/12p.no\/wp\/index.php?rest_route=\/wp\/v2\/posts\/494\/revisions\/507"}],"wp:attachment":[{"href":"https:\/\/12p.no\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=494"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/12p.no\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=494"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/12p.no\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=494"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}