Panorama Administrator's Guide
    : Install the Device Certificate for All Managed Firewalls Without a Device Certificate
    Focus
    Download PDF
    Focus
    1. Home
    2. Panorama
    3. Panorama Administrator's Guide
    4. Manage Firewalls
    5. Install the Device Certificate for Managed Firewalls
    6. Install the Device Certificate for All Managed Firewalls Without a Device Certificate
    Download PDF

    Panorama Administrator's Guide

    Install the Device Certificate for All Managed Firewalls Without a Device Certificate

    Table of Contents

    Install the Device Certificate for All Managed Firewalls Without a Device Certificate

    Install the device certificate for all managed firewalls from the Panorama™ management server without a device certificate installed.
    Where Can I Use This?What Do I Need?
    • NGFW (Managed by Panorama)
    • Device management license
    • Support license
    • Outbound internet access
    • Customer Support Portal (CSP) account with one of the following user roles:
      Super User, Standard User, Limited User, Threat Researcher, AutoFocus Trial Role, Group Super User, Group Standard User, Group Limited User, Group Threat Researcher, Authorized Support Center (ASC) User, and ASC Full Service User.
    • Panorama superuser role
    Install the device certificate for managed firewalls that do not already have a device certificate installed from the Panorama management server. The device certificate is required to successfully authenticate the managed firewall with the Palo Alto Networks CSP to leverage one or more cloud services. The device certificate has a 90-day lifetime. The firewall reinstalls the device certificate 15 days before the certificate expires. In the event the firewall is unable to reinstall the device certificate on its own, you may need to manually restore an expired device certificate.
    To successfully install the device certificate for a managed firewall, managed firewalls must have outbound internet access and the following Fully Qualified Domain Names (FQDN) and ports must be allowed on your network. Additionally, the managed firewall must belong to the same CSP account as Panorama in order to generate the One Time Password (OTP) used to install the device certificate.
    FQDN
    Ports
    • http://ocsp.paloaltonetworks.com
    • http://crl.paloaltonetworks.com
    • http://ocsp.godaddy.com
    TCP 80
    • https://api.paloaltonetworks.com
    • http://apitrusted.paloaltonetworks.com
    • https://certificatetrusted.paloaltonetworks.com
    • https://certificate.paloaltonetworks.com
    TCP 443
    • *.gpcloudservice.com
    TCP 444 and TCP 443
    The following Palo Alto Networks Next-Generation firewall models install the device certificate when they first connect to the Palo Alto Networks CSP during the initial registration process. You do not need to manually install the device certificate for these firewall models.
    • PA-400 Series firewalls
    • PA-1400 Series firewalls
    • PA-3400 Series firewalls
    • PA-5400 Series firewalls
    • PA-5450 firewall
    1. Log in to the Panorama Web Interface as a Superuser.
      A Panorama admin with Superuser access privileges is required to generate OTP Request Token and apply the OTP used to install the device certificate on managed firewalls.
    2. (Best Practices) Configure the Network Time Protocol (NTP) server for Panorama.
      An NTP server is required validate the device certification expiration date, ensure the device certificate does not expire early or become invalid.
      1. Select PanoramaSetupServices.
      2. Select NTP and enter the hostname pool.ntp.org as the Primary NTP Server or enter the IP address of your primary NTP server.
      3. (Optional) Enter a Secondary NTP Server address.
      4. (Optional) To authenticate time updates from the NTP server(s), for Authentication Type, select one of the following for each server.
        • None (default)—Disables NTP authentication.
        • Symmetric Key—Firewall uses symmetric key exchange (shared secrets) to authenticate time updates.
          • Key ID—Enter the Key ID (1-65534)
          • Algorithm—Select the algorithm to use in NTP authentication (MDS or SHA1)
      5. Click OK to save your configuration changes.
      6. Select Commit and Commit to Panorama.
    3. Configure the Network Time Protocol (NTP) server.
      An NTP server is required validate the device certification expiration date, ensure the device certificate does not expire early or become invalid.
      1. Select DeviceSetupServices and select the Template.
      2. Select one of the following depending on your platform:
        • For multi-virtual system platforms, select Global and edit the Services section.
        • For single virtual system platforms, edit the Services section.
      3. Select NTP and enter the hostname pool.ntp.org as the Primary NTP Server or enter the IP address of your primary NTP server.
      4. (Optional) Enter a Secondary NTP Server address.
      5. (Optional) To authenticate time updates from the NTP server(s), for Authentication Type, select one of the following for each server.
        • None (default)—Disables NTP authentication.
        • Symmetric Key—Firewall uses symmetric key exchange (shared secrets) to authenticate time updates.
          • Key ID—Enter the Key ID (1-65534)
          • Algorithm—Select the algorithm to use in NTP authentication (MDS or SHA1)
      6. Click OK to save your configuration changes.
      7. Select Commit and Commit and Push your configuration changes to your managed firewalls.
    4. Generate the OTP Request Token on Panorama.
      The OTP Request Token generated on Panorama is used to generate the OTP required to install the device certificate on managed firewalls.
      1. Select PanoramaManaged DevicesSummary.
      2. Select Request OTP From CSPSelect all devices without a certificate.
      3. Copy the entire output in the OTP Request Token field.
    5. Generate the One Time Password (OTP) for managed firewalls.
      An OTP lifetime is 60 minutes and expires if not used within the 60 minute lifetime.
      Firewall may only attempt to retrieve the OTP from the CSP one time. If the firewall fails for any reason to fetch the OTP, the OTP expires and you must generate a new OTP.
      1. Log in to the Customer Support Portal with a user role that has permission to generate an OTP.
      2. Select ProductsDevice Certificates and Generate OTP.
      3. For the Device Type, select Generate OTP for Panorama managed firewalls and click Next.
      4. Paste the OTP request you copied in the previous step and Generate OTP.
      5. Click Done and wait a few minutes for the OTP to successfully generate.
      6. View OTP History.
      7. In the Current One Time Password History, copy or download the OTP
      8. Copy to Clipboard or Download the OTP.
    6. Install the device certificate on managed firewalls.
      The managed firewall must have an outbound internet connection to successfully install the device certificate. After you upload the OTP from Panorama, the managed firewall connects to the Palo Alto Networks CSP to install the device certificate.
      1. Log in to the Panorama web interface as a Superuser user.
      2. Select PanoramaManaged DevicesSummary and Upload OTP.
      3. Paste the OTP you generated and Upload.
        You must still copy and paste the OTP generated from the Palo Alto Networks CSP even if you downloaded the OTP in the previous step. Uploading the file containing the OTP is not supported.
    7. (WildFire and Advanced WildFire) Log in to the firewall CLI and refresh the firewall settings to establish a connection to the Advanced WildFire cloud with the updated device certificate.
      Repeat this step for each managed firewall with an activate WildFire or Advanced WildFire subscription that is actively communicating with the Advanced WildFire cloud service.
      admin>request wildfire registration channel public
    8. Verify that the Device Certificate column displays as Valid and that the Device Certificate Expiry Date displays an expiration date.

    © 2024 Palo Alto Networks, Inc. All rights reserved.