: Install the Panorama Device Certificate
Focus
Focus

Install the Panorama Device Certificate

Table of Contents

Install the Panorama Device Certificate

Install the Panorama device certificate to leverage Palo Alto Networks cloud services.
Where Can I Use This?What Do I Need?
  • NGFW (Managed by Panorama)
  • Device management license
  • Support license
  • Outbound internet access
  • Customer Support Portal (CSP) account with one of the following user roles:
    Super User, Standard User, Limited User, Threat Researcher, AutoFocus Trial Role, Group Super User, Group Standard User, Group Limited User, Group Threat Researcher, Authorized Support Center (ASC) User, and ASC Full Service User.
  • Panorama superuser role
You must install the device certificate on the Panorama™ management server to use one or more cloud services. You only need to install a device certificate once. The device certificate has a 90-day lifetime. The firewall reinstalls the device certificate 15 days before the certificate expires. In the event Panorama is unable to reinstall the device certificate on its own, you may need to manually restore an expired device certificate.
To successfully install the device certificate, Panorama must have an outbound internet connection and the following Fully Qualified Domain Names (FQDN) and ports must be allowed on your network.
FQDN
Ports
  • http://ocsp.paloaltonetworks.com
  • http://crl.paloaltonetworks.com
  • http://ocsp.godaddy.com
TCP 80
  • https://api.paloaltonetworks.com
  • http://apitrusted.paloaltonetworks.com
  • https://certificatetrusted.paloaltonetworks.com
  • https://certificate.paloaltonetworks.com
TCP 443
  • *.gpcloudservice.com
TCP 444 and TCP 443
M-300 and M-700 appliances automatically install the device certificate when they first connect to the Palo Alto Networks CSP during the initial registration process. You do not need to manually install the device certificate for these M-Series appliances.
  1. Generate the One Time Password (OTP).
    An OTP lifetime is 60 minutes and expires if not used within the 60 minute lifetime.
    Panorama may only attempt to retrieve the OTP from the CSP one time. If Panorama fails for any reason to fetch the OTP, the OTP expires and you must generate a new OTP.
    1. Log in to the Customer Support Portal with a user role that has permission to generate an OTP.
    2. Select ProductsDevice Certificates and Generate OTP.
    3. For the Device Type, select Generate OTP for Panorama and click Next.
    4. Select the Panorama Device serial number and Generate OTP.
    5. Generate OTP and copy the OTP.
  2. Log in to the Panorama Web Interface as a Superuser.
    A Panorama admin with Superuser access privileges is required to required to apply the OTP used to install the device certificate on Panorama.
  3. Configure the Network Time Protocol (NTP) server.
    An NTP server is required to validate the device certification expiration date, ensure the device certificate does not expire early or become invalid.
    1. Select PanoramaSetupServices.
    2. Select NTP and enter the hostname or IP address of the Primary NTP Server.
    3. (Optional) Enter a the hostname or IP address of the Secondary NTP Server.
    4. (Optional) To authenticate time updates from the NTP server(s), for Authentication Type, select one of the following for each server.
      • None (default)—Disables NTP authentication.
      • Symmetric Key—Firewall uses symmetric key exchange (shared secrets) to authenticate time updates.
        • Key ID—Enter the Key ID (1-65534)
        • Algorithm—Select the algorithm to use in NTP authentication (MDS or SHA1)
    5. Click OK to save your configuration changes.
    6. Select Commit and Commit to Panorama.
  4. Select PanoramaSetupManagementDevice Certificate Settings and Get certificate.
  5. Enter the One-time Password you generated and click OK.
  6. Panorama successfully retrieves and installs the certificate.