Install a Device Certificate
Focus
Focus

Install a Device Certificate

Table of Contents

Install a Device Certificate

Install a device certificate from the firewall.
Where Can I Use This?What Do I Need?
  • NGFW (Managed by PAN-OS or Panorama)
  • Support license
  • Outbound internet access
  • Customer Support Portal (CSP) account with one of the following user roles:
    Super User, Standard User, Limited User, Threat Researcher, AutoFocus Trial Role, Group Super User, Group Standard User, Group Limited User, Group Threat Researcher, Authorized Support Center (ASC) User, and ASC Full Service User.
  • Superuser privileges to the firewall
You must install the device certificate on your Next-Generation Firewall to use one or more cloud services. You only need to install a device certificate once. The device certificate has a 90-day lifetime. The firewall re-installs the device certificate 15 days before the certificate expires.
To successfully install the device certificate on a firewall, the firewall must have outbound internet access and the following Fully Qualified Domain Names (FQDN) and ports must be allowed on your network in order to reach to the CSP.
For Panorama-managed firewalls, you can install the device certificate for managed firewalls from the Panorama management server. This allows you to install the device certificate for multiple managed firewalls at once.
FQDN
Ports
  • http://ocsp.paloaltonetworks.com
  • http://crl.paloaltonetworks.com
  • http://ocsp.godaddy.com
TCP 80
  • https://api.paloaltonetworks.com
  • https://apitrusted.paloaltonetworks.com
  • https://certificatetrusted.paloaltonetworks.com
  • https://certificate.paloaltonetworks.com
TCP 443
  • *.gpcloudservice.com
TCP 444 and TCP 443
The following Palo Alto Networks Next-Generation firewall models install the device certificate when they first connect to the CSP during the initial registration process. You do not need to manually install the device certificate for these firewall models.
  • PA-400 Series firewalls
  • PA-1400 Series firewalls
  • PA-3400 Series firewalls
  • PA-5400 Series firewalls
  • PA-5450 firewall
  • PA-7500 Series firewalls
  1. Generate the One Time Password (OTP).
    An OTP lifetime is 60 minutes and expires if not used within the 60 minute lifetime.
    Firewall may only attempt to retrieve the OTP from the CSP one time. If the firewall fails for any reason to fetch the OTP, the OTP expires and you must generate a new OTP.
    1. Log in to the Customer Support Portal with a user role that has permission to generate an OTP.
    2. Select ProductsDevice Certificates and Generate OTP.
    3. For the Device Type, select Generate OTP for Next-Gen Firewall and click Next.
    4. Select your PAN OS Device serial number and Generate OTP.
    5. Download OTP or Copy to Clipboard.
  2. Log in to the firewall web interface as a Superuser.
    An admin with Superuser access privileges is required to apply the OTP used to install the device certificate.
  3. Configure the Network Time Protocol (NTP) server.
    An NTP server is required to validate the device certification expiration date, ensure the device certificate does not expire early or become invalid.
    1. Select DeviceSetupServices and edit the Services section.
    2. Select NTP and enter the hostname or IP address of the Primary NTP Server.
    3. (Optional) Enter a the hostname or IP address of the Secondary NTP Server.
    4. (Optional) To authenticate time updates from the NTP server(s), for Authentication Type, select one of the following for each server.
      • None (default)—Disables NTP authentication.
      • Symmetric Key—Firewall uses symmetric key exchange (shared secrets) to authenticate time updates.
        • Key ID—Enter the Key ID (1-65534)
        • Algorithm—Select the algorithm to use in NTP authentication (MDS or SHA1)
    5. Click OK to save your configuration changes.
    6. Commit.
  4. Select DeviceSetupManagementDevice Certificate and Get certificate.
    You can also install the device certificate from the firewall CLI using the command:
    admin>request certificate fetch otp <otp_value>
  5. Paste the One-time Password you generated and click OK.
  6. Your next-generation firewall successfully retrieves and installs the certificate.
    You may need to refresh the page to verify that device certificate installation was successful.
  7. (WildFire and Advanced WildFire) Log in to the firewall CLI and refresh the firewall settings to establish a connection to the Advanced WildFire cloud with the updated device certificate.
    admin>request wildfire registration channel public