: Install the Device Certificate for a Dedicated Log Collector
Focus
Focus

Install the Device Certificate for a Dedicated Log Collector

Table of Contents

Install the Device Certificate for a Dedicated Log Collector

Install the device certificate on a Dedicated Log Collector to leverage Palo Alto Networks cloud services.
Where Can I Use This?What Do I Need?
  • NGFW (Managed by Panorama)
  • Device management license
  • Support license
  • Outbound internet access
  • Customer Support Portal (CSP) account with one of the following user roles:
    Super User, Standard User, Limited User, Threat Researcher, AutoFocus Trial Role, Group Super User, Group Standard User, Group Limited User, Group Threat Researcher, Authorized Support Center (ASC) User, and ASC Full Service User.
  • Panorama superuser role
You must install the device certificate on the Dedicated Log Collector to use Device Telemetry. You only need to install a device certificate once. The device certificate has a 90-day lifetime. The Dedicated Log Collector reinstalls the device certificate 15 days before the certificate expires. In the event the Dedicated Log Collector is unable to reinstall the device certificate on its own, you may need to manually restore an expired device certificate.
To successfully install the device certificate, the Dedicated Log Collector must have an outbound internet connection and the following Fully Qualified Domain Names (FQDN) and ports must be allowed on your network.
You must manually install the device certificate on each Dedicated Log Collector individually. Installing the device certificate from the Panorama™ management server is not supported.
FQDN
Ports
  • http://ocsp.paloaltonetworks.com
  • http://crl.paloaltonetworks.com
  • http://ocsp.godaddy.com
TCP 80
  • https://api.paloaltonetworks.com
  • http://apitrusted.paloaltonetworks.com
  • https://certificatetrusted.paloaltonetworks.com
  • https://certificate.paloaltonetworks.com
TCP 443
  • *.gpcloudservice.com
TCP 444 and TCP 443
M-300 and M-700 appliances automatically install the device certificate when they first connect to the Palo Alto Networks CSP during the initial registration process. You do not need to manually install the device certificate for these M-Series appliances.
  1. Log in to the Dedicated Log Collector CLI as a Superuser.
    An admin with Superuser access privileges is required to required to apply the OTP used to install the device certificate on Panorama.
  2. View the current device certificate status on the Dedicated Log Collector.
    admin>show device-certificate status
    The Dedicated Log Collector displays one of the following responses:
    • Device certificate was never installedNo device certificate found
    • Device certificate expiredCurrent device certificate status: Expired
      The response also displays the lifetime of the previous device certificate and the date and time the last device certificate fetch was attempted.
    • Device certificate fetch failed—Response displays the last time the device certificate fetch was attempted.
  3. Generate the One Time Password (OTP).
    An OTP lifetime is 60 minutes and expires if not used within the 60 minute lifetime.
    The Dedicated Log Collector may only attempt to retrieve the OTP from the CSP one time. If the Dedicated Log Collector fails for any reason to fetch the OTP, the OTP expires and you must generate a new OTP.
    1. Log in to the Customer Support Portal with a user role that has permission to generate an OTP.
    2. Select ProductsDevice Certificates and Generate OTP.
    3. For the Device Type, select Generate OTP for Panorama and click Next.
    4. Select the Panorama Device serial number and Generate OTP.
    5. Generate OTP and copy the OTP.
  4. Configure the Network Time Protocol (NTP) server.
    An NTP server is required to validate the device certification expiration date, ensure the device certificate does not expire early or become invalid.
    1. Log in to the Dedicated Log Collector CLI as a Superuser.
      An admin with Superuser access privileges is required to required to apply the OTP used to install the device certificate on Panorama.
    2. configure the NTP server.
      admin>configure
      admin#set deviceconfig system ntp-servers primary-ntp-server ntp-server-address <ip_address>
      admin#set deviceconfig system ntp-servers secondary-ntp-server ntp-server-address <ip_address>
      admin>commit
      admin>exit
  5. Install the device certificate.
    admin>request certificate fetch otp <otp_value>
  6. Verify the device certificate successfully installed.
    admin> show device-certificate status
    A successful device certificate installation displays the following response:
    Device Certificate information: Current device certificate status: Valid Not valid before: 2022/11/30 15:17:47 PST Not valid after: 2023/02/28 15:17:47 PST Last fetched timestamp: 2022/11/30 15:29:42 PST Last fetched status: success Last fetched info: Successfully fetched Device Certificate