Install the Device Certificate for a Managed Firewall
End-of-Life (EoL)

Install the device certificate for managed firewalls from the Panorama™ management server.
In PAN-OS 10.0 and later releases, you must install the device certificate for a managed firewall from the Panorama management server. The managed firewall must have internet access to successfully install the device certificate.
  1. Register Panorama and managed firewalls with the Palo Alto Networks Customer Support Portal (CSP).
  2. Log in to the Panorama Web Interface as an admin user.
  3. Configure the Network Time Protocol (NTP) server.
    An NTP server is required to validate the device certificate expiration date and to ensure the device certificate does not expire early or become invalid.
    1. Select Device > Setup > Services and select the Template.
    2. Select one of the following depending on your platform:
      • For multi-virtual system platforms, select Global and edit the Services section.
      • For single virtual system platforms, edit the Services section.
    3. Select NTP and enter the hostname pool.ntp.org as the Primary NTP Server or enter the IP address of your primary NTP server.
    4. (Optional) Enter a Secondary NTP Server address.
    5. (Optional) To authenticate time updates from the NTP server(s), for Authentication Type, select one of the following for each server.
      • None (default)—Disables NTP authentication.
      • Symmetric Key—Firewall uses symmetric key exchange (shared secrets) to authenticate time updates.
        • Key ID—Enter the Key ID (1-65534)
        • Algorithm—Select the algorithm to use in NTP authentication (MD5 or SHA1)
    6. Click OK to save your configuration changes.
    7. Select Commit and Commit and Push your configuration changes to your managed firewalls.
  4. Select Panorama > Managed Devices > Summary and select a managed firewall.
  5. Select Request OTP From CSP > Custom selected devices.
  6. Copy the entire OTP request token.
  7. Generate the One Time Password (OTP) for managed firewalls.
    1. Log in to the Customer Support Portal.
    2. Select Assets > Device Certificates and Generate OTP.
    3. For the Device Type, select Generate OTP for Panorama managed firewalls.
    4. Paste the OTP request you copied in the previous step and Generate OTP.
    5. Click Done and wait a few minutes for the OTP to successfully generate. You can refresh the page if the new OTP does not display.
    6. Copy to Clipboard or Download the OTP.
  8. Log in to the Panorama Web Interface as an admin user.
  9. Select Panorama > Managed Devices > Summary and Upload OTP.
  10. Paste the OTP you generated and click Upload.
  11. Verify that the Device Certificate column displays as Valid and that the Device Certificate Expiry Date displays an expiration date.
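
The Symmetric Key option in the NTP step attaches a Key ID and an MD5 or SHA1 digest to each time update so that the receiver can reject altered or unauthenticated time. The following is an added example, not Palo Alto Networks code: it assumes the standard NTP symmetric-key layout from RFC 5905 (48-byte header, 4-byte key ID, digest of secret plus header), and the function names, secret, and sample packet are constructed for illustration.

```python
import hashlib
import hmac
import struct

ALGORITHMS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}  # the two choices in the NTP step


def ntp_mac(key_id, secret, algorithm, header):
    """Return the MAC field (4-byte key ID + digest) for a 48-byte NTP header."""
    if not 1 <= key_id <= 65534:  # Key ID range given in the procedure
        raise ValueError("key ID must be in 1-65534")
    if len(header) != 48:
        raise ValueError("NTP header must be 48 bytes")
    digest = ALGORITHMS[algorithm](secret + header).digest()
    return struct.pack("!I", key_id) + digest


def verify_ntp_packet(packet, keys):
    """keys maps key_id -> (algorithm, secret). True only if the MAC matches."""
    header, mac = packet[:48], packet[48:]
    if len(header) != 48 or len(mac) < 4:
        return False  # no MAC present: treat as unauthenticated and reject
    (key_id,) = struct.unpack("!I", mac[:4])
    if key_id not in keys:
        return False  # unknown key ID
    algorithm, secret = keys[key_id]
    expected = ntp_mac(key_id, secret, algorithm, header)
    return hmac.compare_digest(expected, mac)  # constant-time comparison


def sample_header(transmit_seconds):
    """Constructed server reply: LI=0, VN=4, Mode=4, stratum 2, other fields zeroed."""
    first_word = struct.pack("!BBbb", 0x24, 2, 6, -20)
    zeroed = bytes(36)  # root delay/dispersion, reference ID, three timestamps
    return first_word + zeroed + struct.pack("!II", transmit_seconds, 0)


if __name__ == "__main__":
    keys = {10: ("SHA1", b"constructed-shared-secret")}  # constructed values
    header = sample_header(3900000000)
    packet = header + ntp_mac(10, keys[10][1], "SHA1", header)
    print("authentic reply accepted:", verify_ntp_packet(packet, keys))
    shifted = sample_header(3900000000 + 10**8) + packet[48:]  # time altered, MAC reused
    print("altered time accepted:", verify_ntp_packet(shifted, keys))
    print("reply without MAC accepted:", verify_ntp_packet(header, keys))
```

With Authentication Type left at None there is no MAC to check, so the last two cases cannot be told apart from a genuine reply.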