: Install a Device Certificate on the VM-Series Firewall
Focus
Focus

Install a Device Certificate on the VM-Series Firewall

Table of Contents

Install a Device Certificate on the VM-Series Firewall

Get the device certificate to activate the site licenses on the VM-Series firewalls.
Where Can I Use This?What Do I Need?
  • VM-Series
  • VM-Series License
  • Customer Support Portal (CSP) account with one of the following user roles:
    Super User, Standard User, Limited User, Threat Researcher, AutoFocus Trial Role, Group Super User, Group Standard User, Group Limited User, Group Threat Researcher, Authorized Support Center (ASC) User, and ASC Full Service User.
  • Superuser access to the VM-Series firewall
The firewall requires a device certificate to retrieve the site license entitlements and securely access cloud services such as WildFire, AutoFocus, and Strata Logging Service. There are three methods for applying a site license to your VM-Series firewall—One-time password, autoregistration PIN, and through Panorama for managed firewalls. Each password or PIN is generated on the Customer Support Portal and unique to your Palo Alto Networks support account. The method you use depends on the license type used to deploy your firewall and if your firewalls are managed by Panorama. To successfully install the device certificate, the VM-Series firewall requires an outbound internet connection, and the following fully qualified domain names (FQDN) and ports must be allowed on your network.
  • One-time password (OTP)—For VM-Series firewalls previously registered with the Palo Alto Networks licensing server, you must generate a one-time password on the Customer Support Portal and apply it to your VM-Series firewall. Use this method for VM-Series firewalls with a BYOL or ELA license in small-scale, unmanaged deployments and manually deployed VM-Series firewalls managed by Panorama.
  • Registration PIN—This method allows you to apply a site license to your VM-Series firewall at initial startup. Use this method for VM-Series firewalls with usage-based licenses (PAYG), that you bootstrap at launch or with any type of automated deployment, regardless of license type. The autoregistration PIN enables you to automatically register your usage-based firewalls at launch with the Customer Support Portal and retrieve site licenses.
  • If you're using Panorama to manage the VM-Series firewall, see Install the device certificate on a managed firewall.
For the VM-Series firewall on NSX-T, you can add the autoregistration PIN to your service definition configuration so the device certificate is fetched by the firewall upon initial boot up. See the service definition configuration for NSX-T (North-South) and NSX-T (East-West) for more information. If you upgrade previously-deployed firewalls to PAN-OS version that supports device certificates, you can apply a device certificate to those firewalls individually using a one-time password.
Use one-time passwords and autoregistration PINs before they expire. If you don't, you must return to the Customer Support Portal to generate a new one.
FQDN
Ports
  • http://ocsp.paloaltonetworks.com
  • http://crl.paloaltonetworks.com
  • http://ocsp.godaddy.com
TCP 80
  • https://api.paloaltonetworks.com
  • http://apitrusted.paloaltonetworks.com
  • https://certificatetrusted.paloaltonetworks.com
  • https://certificate.paloaltonetworks.com
TCP 443
  • *.gpcloudservice.com
TCP 444 and TCP 443

Retrieve Licenses Automatically at Launch

The firewall requires the device certificate to get the license entitlements and securely access the cloud services. To retrieve the site licenses when you launch the firewall, you must include the auto registration PIN ID and value in the bootstrap parameters. The auto registration PIN ID and value can be used with either the basic or complete bootstrap methods. See Choose a Bootstrap Method for more details about the bootstrap options and configuration.
The auto registration PIN is valid only for the specified time period. For fully automated environments, such as auto scaling VM-Series deployments, the auto registration PIN should be regenerated before the expiration date and the new PIN ID and Value updated in the bootstrap parameters.
  1. Log in to the Palo Alto Networks Customer Support Portal with your account credentials.
  2. Generate the VM-Series registration PIN.
    1. Select AssetsDevice Certificates and Generate Registration PIN.
    2. Enter a Description and a PIN Expiration time period.
    3. Click Generate Registration PIN.
    4. Save the PIN ID and value.
    5. Make sure to launch the firewall before the PIN expires.
  3. Add the registration PIN ID and value in the init-cfg.txt file.
  4. In addition to the required parameters, you must include:
    vm-series-auto-registration-pin-id=
    vm-series-auto-registration-pin-value=
  5. Verify that the device certificate is fetched and that you can see the expected licenses on the firewall.

Manually Retrieve a Device Certificate

  1. Generate the one-time password (OTP).
    OTP lifetime is 60 minutes and expires if not used within the 60-minute lifetime.
    Firewall attempts to retrieve the OTP from the Customer Support Portal once. If the firewall fails for any reason to fetch the OTP, the OTP expires and you must generate a new OTP.
    1. Log in to the Customer Support Portal with a user role that has permission to generate an OTP.
      Register your VM-Series firewall, if you have not already.
    2. Select AssetsDevice Certificates and Generate OTP.
    3. For the Device Type, select Generate OTP for Next-Gen Firewall and click Next.
    4. Select your PAN OS Device serial number and Generate OTP.
    5. Download OTP or Copy to Clipboard.
  2. Log in to the firewall web interfaceas a superuser.
    An admin with Superuser access privileges is required to apply the OTP used to install the device certificate.
  3. Configure the network time protocol (NTP) server for your firewalls.
    An NTP server is required to validate the device certification expiration date, ensure the device certificate does not expire early or become invalid.
    1. Select DeviceSetupServices and select the Template.
    2. Select one of the following depending on your platform:
      • For multi-virtual system platforms, select Global and edit the Services section.
      • For single virtual system platforms, edit the Services section.
    3. Select NTP and enter the hostname or IP address of the Primary NTP Server.
    4. (Optional) Enter a hostname or IP address of the Secondary NTP Server.
    5. (Optional) To authenticate time updates from the NTP server(s), for Authentication Type, select one of the following for each server.
      • None (default)—Disables NTP authentication.
      • Symmetric Key—Firewall uses symmetric key exchange (shared secrets) to authenticate time updates.
        • Key ID—Enter the Key ID (1-65534)
        • Algorithm—Select the algorithm to use in NTP authentication (MDS or SHA1)
    6. Click OK to save your configuration changes.
    7. Select Commit and Commit and Push your configuration changes to your managed firewalls.
  4. Select SetupManagementDevice Certificate and Get Certificate.
  5. Verify that the device certificate is fetched and that you can see the site license on the firewall.